Found while fuzzing m-c 20211213-0afa754df085 (--enable-debug --enable-fuzzing)

Assertion failure: isSome(), at /builds/worker/workspace/obj-build/dist/include/mozilla/Maybe.h:818

#0 0x7f7c17937875 in operator* /builds/worker/workspace/obj-build/dist/include/mozilla/Maybe.h:818:3
#1 0x7f7c17937875 in mozilla::RangeBoundaryBase<nsCOMPtr<nsINode>, nsCOMPtr<nsIContent> >::DetermineOffsetFromReference() const /builds/worker/workspace/obj-build/dist/include/mozilla/RangeBoundary.h:207:5
#2 0x7f7c1ad03600 in Offset /builds/worker/workspace/obj-build/dist/include/mozilla/RangeBoundary.h:174:13
#3 0x7f7c1ad03600 in FocusOffset /builds/worker/workspace/obj-build/dist/include/mozilla/dom/Selection.h:291:15
#4 0x7f7c1ad03600 in nsCaret::GetFrameAndOffset(mozilla::dom::Selection const*, nsINode*, int, int*, nsIFrame**) src/layout/base/nsCaret.cpp:381:31
#5 0x7f7c1ad02e63 in nsCaret::SchedulePaint(mozilla::dom::Selection*) src/layout/base/nsCaret.cpp:425:21
#6 0x7f7c1aa5edf4 in mozilla::EditorBase::FinalizeSelection() src/editor/libeditor/EditorBase.cpp:5240:12
#7 0x7f7c17d5210a in nsFocusManager::ContentRemoved(mozilla::dom::Document*, nsIContent*) src/dom/base/nsFocusManager.cpp:920:25
#8 0x7f7c1951f7ae in mozilla::EventStateManager::ContentRemoved(mozilla::dom::Document*, nsIContent*) src/dom/events/EventStateManager.cpp:5803:15
#9 0x7f7c1ac99a04 in mozilla::PresShell::ContentRemoved(nsIContent*, nsIContent*) src/layout/base/PresShell.cpp:4494:38
#10 0x7f7c17c2b397 in operator() src/dom/base/MutationObservers.cpp:196:3
#11 0x7f7c17c2b397 in Notify<IsRemoval::Yes, ShouldAssert::Yes, (lambda at src/dom/base/MutationObservers.cpp:196:3), (lambda at src/dom/base/MutationObservers.cpp:196:3)> src/dom/base/MutationObservers.cpp:91:5
#12 0x7f7c17c2b397 in mozilla::dom::MutationObservers::NotifyContentRemoved(nsINode*, nsIContent*, nsIContent*) src/dom/base/MutationObservers.cpp:197:3
#13 0x7f7c17db48cb in nsINode::RemoveChildNode(nsIContent*, bool) src/dom/base/nsINode.cpp:2155:5
#14 0x7f7c17b94470 in mozilla::dom::FragmentOrElement::SetInnerHTMLInternal(nsTSubstring<char16_t> const&, mozilla::ErrorResult&) src/dom/base/FragmentOrElement.cpp:1941:13
#15 0x7f7c18d9013a in mozilla::dom::Element_Binding::set_innerHTML(JSContext*, JS::Handle<JSObject*>, void*, JSJitSetterCallArgs) /builds/worker/workspace/obj-build/dom/bindings/ElementBinding.cpp:4004:24
#16 0x7f7c1909f236 in bool mozilla::dom::binding_detail::GenericSetter<mozilla::dom::binding_detail::NormalThisPolicy>(JSContext*, unsigned int, JS::Value*) src/dom/bindings/BindingUtils.cpp:3254:8
#17 0x7f7c1cad5dff in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) src/js/src/vm/Interpreter.cpp:388:13
#18 0x7f7c1cad54fd in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) src/js/src/vm/Interpreter.cpp:475:12
#19 0x7f7c1cad6fde in InternalCall(JSContext*, js::AnyInvokeArgs const&, js::CallReason) src/js/src/vm/Interpreter.cpp:535:10
#20 0x7f7c1cad820c in Call src/js/src/vm/Interpreter.cpp:552:8
#21 0x7f7c1cad820c in js::CallSetter(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::Handle<JS::Value>) src/js/src/vm/Interpreter.cpp:693:10
#22 0x7f7c1ce4390b in SetExistingProperty(JSContext*, JS::Handle<JS::PropertyKey>, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::Handle<js::NativeObject*>, js::PropertyResult const&, JS::ObjectOpResult&) src/js/src/vm/NativeObject.cpp:2482:8
#23 0x7f7c1ce428f6 in bool js::NativeSetProperty<(js::QualifiedBool)1>(JSContext*, JS::Handle<js::NativeObject*>, JS::Handle<JS::PropertyKey>, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::ObjectOpResult&) src/js/src/vm/NativeObject.cpp:2516:14
#24 0x7f7c1cacac28 in SetProperty src/js/src/vm/ObjectOperations-inl.h:299:10
#25 0x7f7c1cacac28 in SetObjectElementOperation src/js/src/vm/Interpreter.cpp:1746:10
#26 0x7f7c1cacac28 in Interpret(JSContext*, js::RunState&) src/js/src/vm/Interpreter.cpp:2998:12
#27 0x7f7c1cac3703 in js::RunScript(JSContext*, js::RunState&) src/js/src/vm/Interpreter.cpp:357:13
#28 0x7f7c1cad53f8 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) src/js/src/vm/Interpreter.cpp:507:13
#29 0x7f7c1cad6fde in InternalCall(JSContext*, js::AnyInvokeArgs const&, js::CallReason) src/js/src/vm/Interpreter.cpp:535:10
#30 0x7f7c1cad71e1 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) src/js/src/vm/Interpreter.cpp:552:8
#31 0x7f7c1cc933f1 in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) src/js/src/vm/CallAndConstruct.cpp:117:10
#32 0x7f7c18db2b6c in mozilla::dom::EventHandlerNonNull::Call(mozilla::dom::BindingCallContext&, JS::Handle<JS::Value>, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&) /builds/worker/workspace/obj-build/dom/bindings/EventHandlerBinding.cpp:283:37
#33 0x7f7c19588619 in void mozilla::dom::EventHandlerNonNull::Call<nsCOMPtr<mozilla::dom::EventTarget> >(nsCOMPtr<mozilla::dom::EventTarget> const&, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&, char const*, mozilla::dom::CallbackObject::ExceptionHandling, JS::Realm*) /builds/worker/workspace/obj-build/dist/include/mozilla/dom/EventHandlerBinding.h:365:12
#34 0x7f7c19587890 in mozilla::JSEventHandler::HandleEvent(mozilla::dom::Event*) src/dom/events/JSEventHandler.cpp:201:12
#35 0x7f7c195688bb in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, mozilla::dom::Event*, mozilla::dom::EventTarget*) src/dom/events/EventListenerManager.cpp:1309:22
#36 0x7f7c19569579 in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, nsEventStatus*, bool) src/dom/events/EventListenerManager.cpp:1500:17
#37 0x7f7c1955e654 in HandleEvent src/dom/events/EventListenerManager.h:395:5
#38 0x7f7c1955e654 in mozilla::EventTargetChainItem::HandleEvent(mozilla::EventChainPostVisitor&, mozilla::ELMCreationDetector&) src/dom/events/EventDispatcher.cpp:348:17
#39 0x7f7c1955db77 in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) src/dom/events/EventDispatcher.cpp:550:16
#40 0x7f7c195603d8 in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) src/dom/events/EventDispatcher.cpp:1085:11
#41 0x7f7c17d95c63 in FocusBlurEvent::Run() src/dom/base/nsFocusManager.cpp:2720:12
#42 0x7f7c1790e6ae in nsContentUtils::AddScriptRunner(already_AddRefed<nsIRunnable>) src/dom/base/nsContentUtils.cpp:5752:13
#43 0x7f7c1790e8f2 in nsContentUtils::AddScriptRunner(nsIRunnable*) src/dom/base/nsContentUtils.cpp:5758:3
#44 0x7f7c17d560a3 in nsFocusManager::FireFocusOrBlurEvent(mozilla::EventMessage, mozilla::PresShell*, nsISupports*, bool, bool, mozilla::dom::EventTarget*) src/dom/base/nsFocusManager.cpp:2859:3
#45 0x7f7c17d54e11 in nsFocusManager::SendFocusOrBlurEvent(mozilla::EventMessage, mozilla::PresShell*, mozilla::dom::Document*, nsISupports*, bool, bool, mozilla::dom::EventTarget*) src/dom/base/nsFocusManager.cpp:2833:3
#46 0x7f7c17d4deb1 in nsFocusManager::Focus(nsPIDOMWindowOuter*, mozilla::dom::Element*, unsigned int, bool, bool, bool, bool, unsigned long, mozilla::Maybe<nsFocusManager::BlurredElementInfo> const&) src/dom/base/nsFocusManager.cpp:2662:9
#47 0x7f7c17d46422 in nsFocusManager::SetFocusInner(mozilla::dom::Element*, int, bool, bool, unsigned long) src/dom/base/nsFocusManager.cpp:1750:5
#48 0x7f7c17d4806a in nsFocusManager::SetFocus(mozilla::dom::Element*, unsigned int) src/dom/base/nsFocusManager.cpp:490:3
#49 0x7f7c17b7e5fa in mozilla::dom::Element::Focus(mozilla::dom::FocusOptions const&, mozilla::dom::CallerType, mozilla::ErrorResult&) src/dom/base/Element.cpp:467:16
#50 0x7f7c18f18417 in mozilla::dom::HTMLElement_Binding::focus(JSContext*, JS::Handle<JSObject*>, void*, JSJitMethodCallArgs const&) /builds/worker/workspace/obj-build/dom/bindings/HTMLElementBinding.cpp:9566:24
#51 0x7f7c190a15c8 in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) src/dom/bindings/BindingUtils.cpp:3306:13
#52 0x7f7c1cad5dff in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) src/js/src/vm/Interpreter.cpp:388:13
#53 0x7f7c1cad54fd in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) src/js/src/vm/Interpreter.cpp:475:12
#54 0x7f7c1cad6fde in InternalCall(JSContext*, js::AnyInvokeArgs const&, js::CallReason) src/js/src/vm/Interpreter.cpp:535:10
#55 0x7f7c1cacc806 in CallFromStack src/js/src/vm/Interpreter.cpp:539:10
#56 0x7f7c1cacc806 in Interpret(JSContext*, js::RunState&) src/js/src/vm/Interpreter.cpp:3243:16
#57 0x7f7c1cac3703 in js::RunScript(JSContext*, js::RunState&) src/js/src/vm/Interpreter.cpp:357:13
#58 0x7f7c1cad53f8 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) src/js/src/vm/Interpreter.cpp:507:13
#59 0x7f7c1cad6fde in InternalCall(JSContext*, js::AnyInvokeArgs const&, js::CallReason) src/js/src/vm/Interpreter.cpp:535:10
#60 0x7f7c1cad71e1 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) src/js/src/vm/Interpreter.cpp:552:8
#61 0x7f7c1cc933f1 in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) src/js/src/vm/CallAndConstruct.cpp:117:10
#62 0x7f7c18db2b6c in mozilla::dom::EventHandlerNonNull::Call(mozilla::dom::BindingCallContext&, JS::Handle<JS::Value>, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&) /builds/worker/workspace/obj-build/dom/bindings/EventHandlerBinding.cpp:283:37
#63 0x7f7c19588619 in void mozilla::dom::EventHandlerNonNull::Call<nsCOMPtr<mozilla::dom::EventTarget> >(nsCOMPtr<mozilla::dom::EventTarget> const&, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&, char const*, mozilla::dom::CallbackObject::ExceptionHandling, JS::Realm*) /builds/worker/workspace/obj-build/dist/include/mozilla/dom/EventHandlerBinding.h:365:12
#64 0x7f7c19587890 in mozilla::JSEventHandler::HandleEvent(mozilla::dom::Event*) src/dom/events/JSEventHandler.cpp:201:12
#65 0x7f7c195688bb in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, mozilla::dom::Event*, mozilla::dom::EventTarget*) src/dom/events/EventListenerManager.cpp:1309:22
#66 0x7f7c19569579 in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, nsEventStatus*, bool) src/dom/events/EventListenerManager.cpp:1500:17
#67 0x7f7c1955e654 in HandleEvent src/dom/events/EventListenerManager.h:395:5
#68 0x7f7c1955e654 in mozilla::EventTargetChainItem::HandleEvent(mozilla::EventChainPostVisitor&, mozilla::ELMCreationDetector&) src/dom/events/EventDispatcher.cpp:348:17
#69 0x7f7c1955db77 in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) src/dom/events/EventDispatcher.cpp:550:16
#70 0x7f7c195603d8 in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) src/dom/events/EventDispatcher.cpp:1085:11
#71 0x7f7c1ad0b8f3 in nsDocumentViewer::LoadComplete(nsresult) src/layout/base/nsDocumentViewer.cpp:1085:7
#72 0x7f7c1c2e69e4 in nsDocShell::EndPageLoad(nsIWebProgress*, nsIChannel*, nsresult) src/docshell/base/nsDocShell.cpp:6338:20
#73 0x7f7c1c2e64d3 in nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) src/docshell/base/nsDocShell.cpp:5727:7
#74 0x7f7c1c2e736f in non-virtual thunk to nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) src/docshell/base/nsDocShell.cpp
#75 0x7f7c171805bc in nsDocLoader::DoFireOnStateChange(nsIWebProgress*, nsIRequest*, int&, nsresult) src/uriloader/base/nsDocLoader.cpp:1376:3
#76 0x7f7c1717fb4a in nsDocLoader::doStopDocumentLoad(nsIRequest*, nsresult) src/uriloader/base/nsDocLoader.cpp:974:14
#77 0x7f7c1717ded0 in nsDocLoader::DocLoaderIsEmpty(bool, mozilla::Maybe<nsresult> const&) src/uriloader/base/nsDocLoader.cpp:793:9
#78 0x7f7c1717f08d in nsDocLoader::OnStopRequest(nsIRequest*, nsresult) src/uriloader/base/nsDocLoader.cpp:676:5
#79 0x7f7c1c307c8d in nsDocShell::OnStopRequest(nsIRequest*, nsresult) src/docshell/base/nsDocShell.cpp:13601:23
#80 0x7f7c15f020aa in mozilla::net::nsLoadGroup::NotifyRemovalObservers(nsIRequest*, nsresult) src/netwerk/base/nsLoadGroup.cpp:614:22
#81 0x7f7c15f03693 in mozilla::net::nsLoadGroup::RemoveRequest(nsIRequest*, nsISupports*, nsresult) src/netwerk/base/nsLoadGroup.cpp:518:10
#82 0x7f7c17b48be5 in mozilla::dom::Document::DoUnblockOnload() src/dom/base/Document.cpp:11556:18
#83 0x7f7c17b13733 in mozilla::dom::Document::UnblockOnload(bool) src/dom/base/Document.cpp:11486:9
#84 0x7f7c17b2f6ff in mozilla::dom::Document::DispatchContentLoadedEvents() src/dom/base/Document.cpp:7999:3
#85 0x7f7c17be099b in applyImpl<mozilla::dom::Document, void (mozilla::dom::Document::*)()> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1147:12
#86 0x7f7c17be099b in apply<mozilla::dom::Document, void (mozilla::dom::Document::*)()> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1153:12
#87 0x7f7c17be099b in mozilla::detail::RunnableMethodImpl<mozilla::dom::Document*, void (mozilla::dom::Document::*)(), true, (mozilla::RunnableKind)0>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1200:13
#88 0x7f7c15d09dd2 in mozilla::SchedulerGroup::Runnable::Run() src/xpcom/threads/SchedulerGroup.cpp:144:20
#89 0x7f7c15d3991e in mozilla::RunnableTask::Run() src/xpcom/threads/TaskController.cpp:468:16
#90 0x7f7c15d13476 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) src/xpcom/threads/TaskController.cpp:771:26
#91 0x7f7c15d12138 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) src/xpcom/threads/TaskController.cpp:607:15
#92 0x7f7c15d123b3 in mozilla::TaskController::ProcessPendingMTTask(bool) src/xpcom/threads/TaskController.cpp:391:36
#93 0x7f7c15d3cf16 in operator() src/xpcom/threads/TaskController.cpp:124:37
#94 0x7f7c15d3cf16 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_0>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:531:5
#95 0x7f7c15d27e13 in nsThread::ProcessNextEvent(bool, bool*) src/xpcom/threads/nsThread.cpp:1183:16
#96 0x7f7c15d2f0da in NS_ProcessNextEvent(nsIThread*, bool) src/xpcom/threads/nsThreadUtils.cpp:467:10
#97 0x7f7c167cf156 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:85:21
#98 0x7f7c166eec27 in MessageLoop::RunInternal() src/ipc/chromium/src/base/message_loop.cc:331:10
#99 0x7f7c166eeb32 in RunHandler src/ipc/chromium/src/base/message_loop.cc:324:3
#100 0x7f7c166eeb32 in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:306:3
#101 0x7f7c1a95ac08 in nsBaseAppShell::Run() src/widget/nsBaseAppShell.cpp:137:27
#102 0x7f7c1c959673 in XRE_RunAppShell() src/toolkit/xre/nsEmbedFunctions.cpp:864:20
#103 0x7f7c167d004a in mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:235:9
#104 0x7f7c166eec27 in MessageLoop::RunInternal() src/ipc/chromium/src/base/message_loop.cc:331:10
#105 0x7f7c166eeb32 in RunHandler src/ipc/chromium/src/base/message_loop.cc:324:3
#106 0x7f7c166eeb32 in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:306:3
#107 0x7f7c1c958cab in XRE_InitChildProcess(int, char**, XREChildData const*) src/toolkit/xre/nsEmbedFunctions.cpp:701:34
#108 0x55d2e3f78ec9 in content_process_main src/browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
#109 0x55d2e3f78ec9 in main src/browser/app/nsBrowserApp.cpp:327:18
#110 0x7f7c2a8f20b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
#111 0x55d2e3f5465c in _start (/home/worker/builds/m-c-20211213093143-fuzzing-debug/firefox-bin+0x1565c)

A Pernosco session is available here: https://pernos.co/debug/p7NJaoBUKZkZNMPom2493Q/index.html

Bugmon Analysis
Unable to reproduce bug 1745862 using build mozilla-central 20211213093143-0afa754df085. Without a baseline, bugmon is unable to analyze this bug.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Does this assertion has something to do with your patch in bug 1741148 https://phabricator.services.mozilla.com/D131336 ?

I can reproduce this crash in debug builds because it directly access the Maybe without checking isSome(). It's called when it's being removed from parent node so that ComputeIndexOf may return Nothing. I'll take a look.

It assumes that mRef is always in mParent, but this may be called when
mRef is being removed from mParent. In the case, mRef still thinks
mParent is its parent, but it's already been removed from the child node chain
of mParent. Therefore, mParent->ComputeIndexOf(mRef) may return Nothing.

This patch makes it keeps mOffset as Nothing in the case, and if the caller
wants invalid offset, this makes it use the fallback path. I.e., this patch
changes the behavior of RangeBoundary::Offset(kValidOffset).

The severity field is not set for this bug.
:annyG, could you have a look please?

For more information, please visit auto_nag documentation.

(In reply to Hsin-Yi Tsai [:hsinyi] from comment #3)

Does this assertion has something to do with your patch in bug 1741148 https://phabricator.services.mozilla.com/D131336 ?

Masayuki: thanks for the analysis and the fix. For the sake of completeness, is this a regression or not?

(In reply to Mirko Brodesser (:mbrodesser) from comment #7)

(In reply to Hsin-Yi Tsai [:hsinyi] from comment #3)

Does this assertion has something to do with your patch in bug 1741148 https://phabricator.services.mozilla.com/D131336 ?

Masayuki: thanks for the analysis and the fix. For the sake of completeness, is this a regression or not?

The assertion was added by bug 1741148, but it just detects a traditional this bug.

It calls nsINode::GetNextNode() to scan first descendant list item in the
list without specifying the root node to scan within. Therefore, it may return
following list item element of the given list element if the list element does
not have children.

Comment on attachment 9257625 [details]
Bug 1745862 - Make HTMLEditUtils::GetFirstListItemElement scan only within the given list element r=m_kato!

Revision D135110 was moved to bug 1748018. Setting attachment 9257625 [details] to obsolete.

IsSetAndValid method of RangeBoundaryBase and EditorDOMPointBase should
return false if points a removed node. However, while a node is being
removed, the node still keeps referring the parent, but it has already removed
from the child node chain of the parent. In this moment, returning true may
not be expected by the callers because the point becomes invalid soon with
the parent being cleared.

Depends on D134678

nsINode::ComputeIndexOf may be expensive especially when the node is not
in the parent node. Therefore, DetermineOffsetFromReference should check
whether mRef has already been removed from the child node chain of mParent.
Then, it explains the reason why ComputeIndexOf may return Nothing clearer.

Depends on D135190

https://hg.mozilla.org/mozilla-central/rev/3415f2b08398
https://hg.mozilla.org/mozilla-central/rev/eb3f5bc5be10
https://hg.mozilla.org/mozilla-central/rev/4b92fc78762d

:masayuki, since this bug contains a bisection range, could you fill (if possible) the regressed_by field?
For more information, please visit auto_nag documentation.

Sorry, wrong needinfo because of a bug in the bot.