1419808 - Assertion failure: ipcDoc, at /builds/worker/workspace/build/src/accessible/generic/Accessible.cpp:861

Status: RESOLVED WORKSFORME

(Core :: Disability Access APIs, defect, P3)

Description

[Jason Kratzer [:jkratzer]]

Attachment: trigger.html

Testcase found while fuzzing mozilla-inbound rev 6b4cebf12e3f.

Attached testcase was not reproducible for me but was reduced on one of our EC2 spot instances.

OS|Linux|0.0.0 Linux 4.4.0-1039-aws #48-Ubuntu SMP Wed Oct 11 15:15:01 UTC 2017 x86_64
CPU|amd64|family 6 model 63 stepping 2|8
GPU|||
Crash|SIGSEGV|0x0|0

0|0|libxul.so|mozilla::a11y::Accessible::HandleAccEvent|hg:hg.mozilla.org/integration/mozilla-inbound:mfbt/AlreadyAddRefed.h:6b4cebf12e3f|106|0x26
0|1|libxul.so|mozilla::a11y::AccessibleWrap::HandleAccEvent|hg:hg.mozilla.org/integration/mozilla-inbound:accessible/atk/AccessibleWrap.cpp:6b4cebf12e3f|1187|0x5
0|2|libxul.so|nsEventShell::FireEvent|hg:hg.mozilla.org/integration/mozilla-inbound:accessible/base/nsEventShell.cpp:6b4cebf12e3f|45|0xf
0|3|libxul.so|mozilla::a11y::SelectionManager::ProcessTextSelChangeEvent|hg:hg.mozilla.org/integration/mozilla-inbound:accessible/base/SelectionManager.cpp:6b4cebf12e3f|160|0x8
0|4|libxul.so|mozilla::a11y::EventQueue::ProcessEventQueue|hg:hg.mozilla.org/integration/mozilla-inbound:accessible/base/EventQueue.cpp:6b4cebf12e3f|311|0x10
0|5|libxul.so|mozilla::a11y::NotificationController::WillRefresh|hg:hg.mozilla.org/integration/mozilla-inbound:accessible/base/NotificationController.cpp:6b4cebf12e3f|862|0x9
0|6|libxul.so|nsRefreshDriver::Tick|hg:hg.mozilla.org/integration/mozilla-inbound:layout/base/nsRefreshDriver.cpp:6b4cebf12e3f|1843|0xd
0|7|libxul.so|mozilla::RefreshDriverTimer::TickRefreshDrivers|hg:hg.mozilla.org/integration/mozilla-inbound:layout/base/nsRefreshDriver.cpp:6b4cebf12e3f|306|0xf
0|8|libxul.so|mozilla::RefreshDriverTimer::Tick|hg:hg.mozilla.org/integration/mozilla-inbound:layout/base/nsRefreshDriver.cpp:6b4cebf12e3f|328|0x12
0|9|libxul.so|mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::TickRefreshDriver|hg:hg.mozilla.org/integration/mozilla-inbound:layout/base/nsRefreshDriver.cpp:6b4cebf12e3f|769|0x5
0|10|libxul.so|mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsync|hg:hg.mozilla.org/integration/mozilla-inbound:layout/base/nsRefreshDriver.cpp:6b4cebf12e3f|583|0xc
0|11|libxul.so|mozilla::layout::VsyncChild::RecvNotify|hg:hg.mozilla.org/integration/mozilla-inbound:layout/ipc/VsyncChild.cpp:6b4cebf12e3f|68|0x9
0|12|libxul.so|mozilla::layout::PVsyncChild::OnMessageReceived|s3:gecko-generated-sources:9a6479c28b0f57ad4e6d1aec1c5258678abc48225caeaa2a25f8a6893b83595687422ba915c00ef9e645c78dda14478aa8e2f891ae54d4764ccdba97f65bc47d/ipc/ipdl/PVsyncChild.cpp:|155|0xf
0|13|libxul.so|mozilla::ipc::MessageChannel::DispatchAsyncMessage|hg:hg.mozilla.org/integration/mozilla-inbound:ipc/glue/MessageChannel.cpp:6b4cebf12e3f|2119|0x6
0|14|libxul.so|mozilla::ipc::MessageChannel::DispatchMessage|hg:hg.mozilla.org/integration/mozilla-inbound:ipc/glue/MessageChannel.cpp:6b4cebf12e3f|2049|0xb
0|15|libxul.so|mozilla::ipc::MessageChannel::RunMessage|hg:hg.mozilla.org/integration/mozilla-inbound:ipc/glue/MessageChannel.cpp:6b4cebf12e3f|1895|0xb
0|16|libxul.so|mozilla::ipc::MessageChannel::MessageTask::Run|hg:hg.mozilla.org/integration/mozilla-inbound:ipc/glue/MessageChannel.cpp:6b4cebf12e3f|1928|0xc
0|17|libxul.so|nsThread::ProcessNextEvent|hg:hg.mozilla.org/integration/mozilla-inbound:xpcom/threads/nsThread.cpp:6b4cebf12e3f|1037|0x15
0|18|libxul.so|NS_ProcessNextEvent|hg:hg.mozilla.org/integration/mozilla-inbound:xpcom/threads/nsThreadUtils.cpp:6b4cebf12e3f|513|0x11
0|19|libxul.so|mozilla::ipc::MessagePump::Run|hg:hg.mozilla.org/integration/mozilla-inbound:ipc/glue/MessagePump.cpp:6b4cebf12e3f|97|0xa
0|20|libxul.so|MessageLoop::RunInternal|hg:hg.mozilla.org/integration/mozilla-inbound:ipc/chromium/src/base/message_loop.cc:6b4cebf12e3f|326|0x17
0|21|libxul.so|MessageLoop::Run|hg:hg.mozilla.org/integration/mozilla-inbound:ipc/chromium/src/base/message_loop.cc:6b4cebf12e3f|319|0x8
0|22|libxul.so|nsBaseAppShell::Run|hg:hg.mozilla.org/integration/mozilla-inbound:widget/nsBaseAppShell.cpp:6b4cebf12e3f|159|0xd
0|23|libxul.so|XRE_RunAppShell|hg:hg.mozilla.org/integration/mozilla-inbound:toolkit/xre/nsEmbedFunctions.cpp:6b4cebf12e3f|877|0x11
0|24|libxul.so|mozilla::ipc::MessagePumpForChildProcess::Run|hg:hg.mozilla.org/integration/mozilla-inbound:ipc/glue/MessagePump.cpp:6b4cebf12e3f|269|0x5
0|25|libxul.so|MessageLoop::RunInternal|hg:hg.mozilla.org/integration/mozilla-inbound:ipc/chromium/src/base/message_loop.cc:6b4cebf12e3f|326|0x17
0|26|libxul.so|MessageLoop::Run|hg:hg.mozilla.org/integration/mozilla-inbound:ipc/chromium/src/base/message_loop.cc:6b4cebf12e3f|319|0x8
0|27|libxul.so|XRE_InitChildProcess|hg:hg.mozilla.org/integration/mozilla-inbound:toolkit/xre/nsEmbedFunctions.cpp:6b4cebf12e3f|703|0x8
0|28|firefox|content_process_main|hg:hg.mozilla.org/integration/mozilla-inbound:ipc/contentproc/plugin-container.cpp:6b4cebf12e3f|63|0x14
0|29|firefox|main|hg:hg.mozilla.org/integration/mozilla-inbound:browser/app/nsBrowserApp.cpp:6b4cebf12e3f|280|0x11
0|30|libc-2.23.so||||0x20830
0|31|firefox|MOZ_ReportAssertionFailure|hg:hg.mozilla.org/integration/mozilla-inbound:mfbt/Assertions.h:6b4cebf12e3f|165|0x5

Comment 1

[alexander :surkov (:asurkov)]

cc'ing Eitan.

There's a document accessible but there's no related ipc document, which is weird [1]. Curious, what happens here.

[1] https://dxr.mozilla.org/mozilla-central/source/accessible/generic/Accessible.cpp#861

Comment 2

[Intermittent Failures Robot]

1 failures in 4045 pushes (0.0 failures/push) were associated with this bug in the last 7 days.

Repository breakdown:

• autoland: 1

Platform breakdown:

• macosx1014-64: 1

For more details, see:
https://treeherder.mozilla.org/intermittent-failures.html#/bugdetails?bug=1419808&startday=2020-02-17&endday=2020-02-23&tree=all

Comment 3

[Tyson Smith [:tsmith]]

I am not able to reproduce this with the attached test case and the fuzzers are no longer hitting this.