Open Bug 1593783 Opened 5 months ago Updated 5 months ago

Assertion failure: false (MOZ_ASSERT_UNREACHABLE: Text leaf parent is not hypertext!), at /builds/worker/workspace/build/src/accessible/base/TextUpdater.cpp:43

Categories

(Core :: Disability Access APIs, defect, P3)

defect

Tracking

()

Tracking Status
firefox72 --- affected

People

(Reporter: jkratzer, Unassigned)

References

(Blocks 1 open bug)

Details

(Keywords: assertion, testcase)

Attachments

(1 file)

Attached file testcase.html

Testcase found while fuzzing mozilla-central rev 5647ec4ba6f2. Testcase must be served via a local webserver in order to reproduce.

Assertion failure: false (MOZ_ASSERT_UNREACHABLE: Text leaf parent is not hypertext!), at /builds/worker/workspace/build/src/accessible/base/TextUpdater.cpp:43

rax = 0x0000562d8c05f340   rdx = 0x0000000000000000
rcx = 0x00007f2953282162   rbx = 0x0000000000000000
rsi = 0x00007f295e9458b0   rdi = 0x00007f295e944680
rbp = 0x00007ffc822e6a50   rsp = 0x00007ffc822e69a0
r8 = 0x00007f295e9458b0    r9 = 0x00007f295faae780
r10 = 0x0000000000000000   r11 = 0x0000000000000000
r12 = 0x00007f2929df9fe8   r13 = 0x00007f2929f61f20
r14 = 0x00007ffc822e6a88   r15 = 0x0000000000000001
rip = 0x00007f294ff5d3ec
OS|Linux|0.0.0 Linux 5.0.0-31-generic #33~18.04.1-Ubuntu SMP Tue Oct 1 10:20:39 UTC 2019 x86_64
CPU|amd64|family 6 model 94 stepping 3|1
GPU|||
Crash|SIGSEGV|0x0|0
0|0|libxul.so|mozilla::a11y::TextUpdater::DoUpdate(nsTSubstring<char16_t> const&, nsTSubstring<char16_t> const&, unsigned int)|hg:hg.mozilla.org/mozilla-central:accessible/base/TextUpdater.cpp:5647ec4ba6f2566912e71637d2c1e063d899c103|43|0x29
0|1|libxul.so|mozilla::a11y::TextUpdater::Run(mozilla::a11y::DocAccessible*, mozilla::a11y::TextLeafAccessible*, nsTSubstring<char16_t> const&)|hg:hg.mozilla.org/mozilla-central:accessible/base/TextUpdater.cpp:5647ec4ba6f2566912e71637d2c1e063d899c103|32|0x5
0|2|libxul.so|mozilla::a11y::NotificationController::WillRefresh(mozilla::TimeStamp)|hg:hg.mozilla.org/mozilla-central:accessible/base/NotificationController.cpp:5647ec4ba6f2566912e71637d2c1e063d899c103|711|0x5
0|3|libxul.so|nsRefreshDriver::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp)|hg:hg.mozilla.org/mozilla-central:layout/base/nsRefreshDriver.cpp:5647ec4ba6f2566912e71637d2c1e063d899c103|1939|0xd
0|4|libxul.so|mozilla::RefreshDriverTimer::TickRefreshDrivers(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver> >&)|hg:hg.mozilla.org/mozilla-central:layout/base/nsRefreshDriver.cpp:5647ec4ba6f2566912e71637d2c1e063d899c103|350|0xb
0|5|libxul.so|mozilla::RefreshDriverTimer::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp)|hg:hg.mozilla.org/mozilla-central:layout/base/nsRefreshDriver.cpp:5647ec4ba6f2566912e71637d2c1e063d899c103|366|0xf
0|6|libxul.so|mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::TickRefreshDriver(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp)|hg:hg.mozilla.org/mozilla-central:layout/base/nsRefreshDriver.cpp:5647ec4ba6f2566912e71637d2c1e063d899c103|727|0xf
0|7|libxul.so|mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::ParentProcessVsyncNotifier::Run()|hg:hg.mozilla.org/mozilla-central:layout/base/nsRefreshDriver.cpp:5647ec4ba6f2566912e71637d2c1e063d899c103|525|0x15
0|8|libxul.so|nsThread::ProcessNextEvent(bool, bool*)|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThread.cpp:5647ec4ba6f2566912e71637d2c1e063d899c103|1225|0x15
0|9|libxul.so|NS_ProcessNextEvent(nsIThread*, bool)|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThreadUtils.cpp:5647ec4ba6f2566912e71637d2c1e063d899c103|486|0x11
0|10|libxul.so|mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*)|hg:hg.mozilla.org/mozilla-central:ipc/glue/MessagePump.cpp:5647ec4ba6f2566912e71637d2c1e063d899c103|88|0xa
0|11|libxul.so|MessageLoop::RunInternal()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:5647ec4ba6f2566912e71637d2c1e063d899c103|315|0x17
0|12|libxul.so|MessageLoop::Run()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:5647ec4ba6f2566912e71637d2c1e063d899c103|290|0x8
0|13|libxul.so|nsBaseAppShell::Run()|hg:hg.mozilla.org/mozilla-central:widget/nsBaseAppShell.cpp:5647ec4ba6f2566912e71637d2c1e063d899c103|137|0xd
0|14|libxul.so|nsAppStartup::Run()|hg:hg.mozilla.org/mozilla-central:toolkit/components/startup/nsAppStartup.cpp:5647ec4ba6f2566912e71637d2c1e063d899c103|276|0xe
0|15|libxul.so|XREMain::XRE_mainRun()|hg:hg.mozilla.org/mozilla-central:toolkit/xre/nsAppRunner.cpp:5647ec4ba6f2566912e71637d2c1e063d899c103|4586|0x11
0|16|libxul.so|XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&)|hg:hg.mozilla.org/mozilla-central:toolkit/xre/nsAppRunner.cpp:5647ec4ba6f2566912e71637d2c1e063d899c103|4721|0x8
0|17|libxul.so|XRE_main(int, char**, mozilla::BootstrapConfig const&)|hg:hg.mozilla.org/mozilla-central:toolkit/xre/nsAppRunner.cpp:5647ec4ba6f2566912e71637d2c1e063d899c103|4802|0x5
0|18|firefox-bin|do_main|hg:hg.mozilla.org/mozilla-central:browser/app/nsBrowserApp.cpp:5647ec4ba6f2566912e71637d2c1e063d899c103|218|0x26
0|19|firefox-bin|main|hg:hg.mozilla.org/mozilla-central:browser/app/nsBrowserApp.cpp:5647ec4ba6f2566912e71637d2c1e063d899c103|300|0xf
0|20|libc-2.27.so||||0x21b97
0|21|firefox-bin|MOZ_ReportCrash|hg:hg.mozilla.org/mozilla-central:mfbt/Assertions.h:5647ec4ba6f2566912e71637d2c1e063d899c103|203|0x5
Flags: in-testsuite?

Testcase bisects back further than a year.

The MathML annotation element needs to be HyperTextAccessible and it isn't currently. This is a bit trickier than just adding it to MarkupMap, though, as it looks like this element isn't part of HTML, so it only applies in a MathML namespace.

Priority: -- → P3
You need to log in before you can comment on or make changes to this bug.