1420529 - Assertion failure: ipcDoc, at /src/accessible/generic/Accessible.cpp:861

Status: RESOLVED FIXED

(Core :: Disability Access APIs, defect)

Description

[Tyson Smith [:tsmith]]

Attachment: testcase.html

Assertion failure: ipcDoc, at /src/accessible/generic/Accessible.cpp:861

#0 mozilla::a11y::Accessible::HandleAccEvent(mozilla::a11y::AccEvent*) /src/accessible/generic/Accessible.cpp:884:40
#1 mozilla::a11y::AccessibleWrap::HandleAccEvent(mozilla::a11y::AccEvent*) /src/accessible/atk/AccessibleWrap.cpp:1187:29
#2 nsEventShell::FireEvent(mozilla::a11y::AccEvent*) /src/accessible/base/nsEventShell.cpp:45:15
#3 mozilla::a11y::DocAccessible::NotifyOfLoading(bool) /src/accessible/generic/DocAccessible.cpp:1478:5
#4 mozilla::a11y::DocManager::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) /src/accessible/base/DocManager.cpp:310:11
#5 nsDocLoader::DoFireOnStateChange(nsIWebProgress*, nsIRequest*, int&, nsresult) /src/uriloader/base/nsDocLoader.cpp:1321:3
#6 nsDocLoader::FireOnStateChange(nsIWebProgress*, nsIRequest*, int, nsresult) /src/uriloader/base/nsDocLoader.cpp:1284:14
#7 nsDocLoader::doStartDocumentLoad() /src/uriloader/base/nsDocLoader.cpp:777:3
#8 nsDocLoader::OnStartRequest(nsIRequest*, nsISupports*) /src/uriloader/base/nsDocLoader.cpp:457:9
#9 non-virtual thunk to nsDocLoader::OnStartRequest(nsIRequest*, nsISupports*) /src/uriloader/base/nsDocLoader.cpp:394:14
#10 mozilla::net::nsLoadGroup::AddRequest(nsIRequest*, nsISupports*) /src/netwerk/base/nsLoadGroup.cpp:510:28
#11 nsBaseChannel::AsyncOpen(nsIStreamListener*, nsISupports*) /src/netwerk/base/nsBaseChannel.cpp:736:17
#12 nsBaseChannel::AsyncOpen2(nsIStreamListener*) /src/netwerk/base/nsBaseChannel.cpp:752:10
#13 nsURILoader::OpenURI(nsIChannel*, unsigned int, nsIInterfaceRequestor*) /src/uriloader/base/nsURILoader.cpp:840:19
#14 nsDocShell::DoChannelLoad(nsIChannel*, nsIURILoader*, bool) /src/docshell/base/nsDocShell.cpp:11750:20
#15 nsDocShell::DoURILoad(nsIURI*, nsIURI*, mozilla::Maybe<nsCOMPtr<nsIURI> > const&, bool, bool, bool, nsIURI*, bool, unsigned int, nsIPrincipal*, nsIPrincipal*, char const*, nsTSubstring<char16_t> const&, nsIInputStream*, long, nsIInputStream*, bool, nsIDocShell**, nsIRequest**, bool, bool, bool, nsTSubstring<char16_t> const&, nsIURI*, unsigned int) /src/docshell/base/nsDocShell.cpp:11555:8
#16 nsDocShell::InternalLoad(nsIURI*, nsIURI*, mozilla::Maybe<nsCOMPtr<nsIURI> > const&, bool, nsIURI*, unsigned int, nsIPrincipal*, nsIPrincipal*, unsigned int, nsTSubstring<char16_t> const&, char const*, nsTSubstring<char16_t> const&, nsIInputStream*, long, nsIInputStream*, unsigned int, nsISHEntry*, bool, nsTSubstring<char16_t> const&, nsIDocShell*, nsIURI*, bool, nsIDocShell**, nsIRequest**) /src/docshell/base/nsDocShell.cpp:10887:8
#17 nsDocShell::LoadHistoryEntry(nsISHEntry*, unsigned int) /src/docshell/base/nsDocShell.cpp:12913:8
#18 nsDocShell::Reload(unsigned int) /src/docshell/base/nsDocShell.cpp:5553:10
#19 mozilla::dom::Location::Reload(bool) /src/dom/base/Location.cpp:874:25
#20 mozilla::dom::Location::Reload(bool, nsIPrincipal&, mozilla::ErrorResult&) /src/obj-firefox/dist/include/mozilla/dom/Location.h:56:14
#21 mozilla::dom::LocationBinding::reload(JSContext*, JS::Handle<JSObject*>, mozilla::dom::Location*, JSJitMethodCallArgs const&) /src/obj-firefox/dom/bindings/LocationBinding.cpp:873:9
#22 mozilla::dom::GenericBindingMethod(JSContext*, unsigned int, JS::Value*) /src/dom/bindings/BindingUtils.cpp:3040:13
#23 js::CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&) /src/js/src/jscntxtinlines.h:291:15
#24 js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /src/js/src/vm/Interpreter.cpp:473:16
#25 InternalCall(JSContext*, js::AnyInvokeArgs const&) /src/js/src/vm/Interpreter.cpp:522:12
#26 Interpret(JSContext*, js::RunState&) /src/js/src/vm/Interpreter.cpp:3098:18
#27 js::RunScript(JSContext*, js::RunState&) /src/js/src/vm/Interpreter.cpp:423:12
#28 js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /src/js/src/vm/Interpreter.cpp:495:15
#29 InternalCall(JSContext*, js::AnyInvokeArgs const&) /src/js/src/vm/Interpreter.cpp:522:12
#30 js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /src/js/src/vm/Interpreter.cpp:541:10
#31 JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /src/js/src/jsapi.cpp:3034:12
#32 mozilla::dom::EventListener::HandleEvent(JSContext*, JS::Handle<JS::Value>, mozilla::dom::Event&, mozilla::ErrorResult&) /src/obj-firefox/dom/bindings/EventListenerBinding.cpp:47:8
#33 void mozilla::dom::EventListener::HandleEvent<mozilla::dom::EventTarget*>(mozilla::dom::EventTarget* const&, mozilla::dom::Event&, mozilla::ErrorResult&, char const*, mozilla::dom::CallbackObject::ExceptionHandling, JSCompartment*) /src/obj-firefox/dist/include/mozilla/dom/EventListenerBinding.h:65:12
#34 mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, nsIDOMEvent*, mozilla::dom::EventTarget*) /src/dom/events/EventListenerManager.cpp:1114:9
#35 mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, nsIDOMEvent**, mozilla::dom::EventTarget*, nsEventStatus*) /src/dom/events/EventListenerManager.cpp:1292:20
#36 mozilla::EventTargetChainItem::HandleEvent(mozilla::EventChainPostVisitor&, mozilla::ELMCreationDetector&) /src/dom/events/EventDispatcher.cpp:313:17
#37 mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /src/dom/events/EventDispatcher.cpp:462:16
#38 mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, nsIDOMEvent*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) /src/dom/events/EventDispatcher.cpp:826:9
#39 nsDocumentViewer::LoadComplete(nsresult) /src/layout/base/nsDocumentViewer.cpp:1064:7
#40 nsDocShell::EndPageLoad(nsIWebProgress*, nsIChannel*, nsresult) /src/docshell/base/nsDocShell.cpp:7783:21
#41 nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) /src/docshell/base/nsDocShell.cpp:7581:7
#42 non-virtual thunk to nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) /src/docshell/base/nsDocShell.cpp:7478:13
#43 nsDocLoader::DoFireOnStateChange(nsIWebProgress*, nsIRequest*, int&, nsresult) /src/uriloader/base/nsDocLoader.cpp:1321:3
#44 nsDocLoader::doStopDocumentLoad(nsIRequest*, nsresult) /src/uriloader/base/nsDocLoader.cpp:862:14
#45 nsDocLoader::DocLoaderIsEmpty(bool) /src/uriloader/base/nsDocLoader.cpp:751:9
#46 nsDocLoader::OnStopRequest(nsIRequest*, nsISupports*, nsresult) /src/uriloader/base/nsDocLoader.cpp:633:5
#47 non-virtual thunk to nsDocLoader::OnStopRequest(nsIRequest*, nsISupports*, nsresult) /src/uriloader/base/nsDocLoader.cpp:489:14
#48 mozilla::net::nsLoadGroup::RemoveRequest(nsIRequest*, nsISupports*, nsresult) /src/netwerk/base/nsLoadGroup.cpp:629:28
#49 nsDocument::DoUnblockOnload() /src/dom/base/nsDocument.cpp:9395:18
#50 nsDocument::UnblockOnload(bool) /src/dom/base/nsDocument.cpp:9317:9
#51 nsDocument::DispatchContentLoadedEvents() /src/dom/base/nsDocument.cpp:5684:3
#52 mozilla::detail::RunnableMethodImpl<nsDocument*, void (nsDocument::*)(), true, (mozilla::RunnableKind)0>::Run() /src/obj-firefox/dist/include/nsThreadUtils.h:1192:13
#53 mozilla::SchedulerGroup::Runnable::Run() /src/xpcom/threads/SchedulerGroup.cpp:396:25
#54 nsThread::ProcessNextEvent(bool, bool*) /src/xpcom/threads/nsThread.cpp:1037:14
#55 NS_ProcessNextEvent(nsIThread*, bool) /src/xpcom/threads/nsThreadUtils.cpp:513:10
#56 mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /src/ipc/glue/MessagePump.cpp:97:21
#57 MessageLoop::RunInternal() /src/ipc/chromium/src/base/message_loop.cc:326:10
#58 MessageLoop::Run() /src/ipc/chromium/src/base/message_loop.cc:299:3
#59 nsBaseAppShell::Run() /src/widget/nsBaseAppShell.cpp:159:27
#60 XRE_RunAppShell() /src/toolkit/xre/nsEmbedFunctions.cpp:877:22
#61 mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) /src/ipc/glue/MessagePump.cpp:269:9
#62 MessageLoop::RunInternal() /src/ipc/chromium/src/base/message_loop.cc:326:10
#63 MessageLoop::Run() /src/ipc/chromium/src/base/message_loop.cc:299:3
#64 XRE_InitChildProcess(int, char**, XREChildData const*) /src/toolkit/xre/nsEmbedFunctions.cpp:703:34
#65 content_process_main(mozilla::Bootstrap*, int, char**) /src/browser/app/../../ipc/contentproc/plugin-container.cpp:63:30
#66 main /src/browser/app/nsBrowserApp.cpp:280:18
#67 __libc_start_main /build/glibc-bfm8X4/glibc-2.23/csu/../csu/libc-start.c:291
#68 _start (firefox+0x41e424)

Comment 2

[Tyson Smith [:tsmith]]

Attachment: testcase.html

Comment 3

[Tyson Smith [:tsmith]]

Attachment: launcher.html

Test case requires dom.disable_open_during_load=false

Comment 4

[Tyson Smith [:tsmith]]

A Pernosco session is available here: https://pernos.co/debug/H9WBcXCMME-l-g541m-mCg/index.html

Comment 5

[Tyson Smith [:tsmith]]

This is another issue that the fuzzers are frequently tripping over. Marking as fuzzblocker. Jamie can you please find someone to have a look if possible? Thank you.

[1] https://firefox-source-docs.mozilla.org/tools/fuzzing/index.html#fuzz-blockers

Comment 6

[Tyson Smith [:tsmith]]

Attachment: testcase.html

Simple, reliable testcase.

Comment 7

[James Teh [:Jamie]]

I guess we're trying to fire a reload event before DoInitialUpdate has been called (and thus the DocAccessibleChild hasn't been created yet)? That's... intriguing. But we probably just shouldn't do it...?

Comment 8

[James Teh [:Jamie]]

So the test case in comment 6 is actually for a scrolling event, but the stack in comment 0 is for a reload event. Both will trigger this assertion, but they take different code paths to get there.

The underlying issue is that we're trying to fire events on a DocAccessible whose tree isn't built yet; i.e. DoInitialUpdate hasn't been called yet. For remote documents, because the DocAccessibleChild hasn't been created yet, these events can never be delivered. To be consistent, it probably doesn't make sense to deliver them for local documents either.

The reload event is an interesting case because the following scenario might be possible:

1. User loads a document.
2. Before the a11y tree is built, the user reloads the document.

In that case, an a11y client will never know about the reload because we couldn't fire the event. I think that's an edge case which probably isn't worth worrying about, but I thought it worth noting here.

Comment 9

[James Teh [:Jamie]]

Attachment: Bug 1420529: Don't fire immediate events on a DocAccessible whose tree isn't constructed yet.

For remote documents, the DocAccessibleChild isn't created until the tree is constructed.
This means we can't send events to the parent process and thus to the client.
We shouldn't fire these events in the first place, since this makes events inconsistent for local and remote documents.

Comment 10

[Pulsebot]

Pushed by jteh@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/f81a3c01f1de
Don't fire immediate events on a DocAccessible whose tree isn't constructed yet. r=eeejay

Comment 11

[Natalia Csoregi [:nataliaCs]]

https://hg.mozilla.org/mozilla-central/rev/f81a3c01f1de

Comment 12

[Ryan VanderMeulen [:RyanVM]]

Doesn't seem like this needs uplift, but feel free to scream if you disagree.