Open Bug 1609953 Opened 4 years ago Updated 2 years ago

Assertion failure: !StylistNeedsUpdate() called from HTMLListBulletAccessible::Name, at /builds/worker/workspace/build/src/layout/style/ServoStyleSet.cpp:1098

Categories

(Core :: Disability Access APIs, defect, P3)

Product:
Core
Component:
Disability Access APIs
Type:
defect

Tracking

()

People

(Reporter: jkratzer, Unassigned)

References

(Blocks 1 open bug)

Details

(Keywords: assertion, regression, testcase)

Attachments

(2 files)

testcase.html
616 bytes, text/html
Details
slightly simpler testcase
479 bytes, text/html
Details
Attached file testcase.html

Testcase found while fuzzing mozilla-central rev 7e0886a94d70. Accessibility must be enabled (GNOME_ACCESSIBILITY=1) in order to reproduce this issue.

Assertion failure: !StylistNeedsUpdate(), at /builds/worker/workspace/build/src/layout/style/ServoStyleSet.cpp:1098

rax = 0x00005641e8cf5320   rdx = 0x0000000000000000
rcx = 0x00007f7ca7f78a74   rbx = 0x00007f7c83085650
rsi = 0x00007f7cb39c68b0   rdi = 0x00007f7cb39c5680
rbp = 0x00007ffdbc7c8280   rsp = 0x00007ffdbc7c8280
r8 = 0x00007f7cb39c68b0    r9 = 0x00007f7cb4b20780
r10 = 0x0000000000000000   r11 = 0x0000000000000000
r12 = 0x00007f7c83085650   r13 = 0x00007f7ca6ea5ed0
r14 = 0x00007ffdbc7c8540   r15 = 0x00007ffdbc7c8768
rip = 0x00007f7ca43435f4
OS|Linux|0.0.0 Linux 5.0.0-37-generic #40~18.04.1-Ubuntu SMP Thu Nov 14 12:06:39 UTC 2019 x86_64
CPU|amd64|family 6 model 158 stepping 10|12
GPU|||
Crash|SIGSEGV /SEGV_MAPERR|0x0|0
0|0|libxul.so|mozilla::ServoStyleSet::CounterStyleRuleForName(nsAtom*)|hg:hg.mozilla.org/mozilla-central:layout/style/ServoStyleSet.cpp:7e0886a94d70b8696d6fc0481d9f9ae12b85c41a|1098|0x16
0|1|libxul.so|mozilla::CounterStyleManager::ResolveCounterStyle(nsAtom*)|hg:hg.mozilla.org/mozilla-central:layout/style/CounterStyleManager.cpp:7e0886a94d70b8696d6fc0481d9f9ae12b85c41a|1790|0xf
0|2|libxul.so|nsBulletFrame::GetSpokenText(nsTSubstring<char16_t>&)|hg:hg.mozilla.org/mozilla-central:layout/generic/nsBulletFrame.cpp:7e0886a94d70b8696d6fc0481d9f9ae12b85c41a|1265|0x8
0|3|libxul.so|nsContainerFrame::GetSpokenMarkerText(nsTSubstring<char16_t>&) const|hg:hg.mozilla.org/mozilla-central:layout/generic/nsContainerFrame.cpp:7e0886a94d70b8696d6fc0481d9f9ae12b85c41a|1757|0xb
0|4|libxul.so|mozilla::a11y::HTMLListBulletAccessible::Name(nsTString<char16_t>&) const|hg:hg.mozilla.org/mozilla-central:accessible/html/HTMLListAccessible.cpp:7e0886a94d70b8696d6fc0481d9f9ae12b85c41a|136|0xc
0|5|libxul.so|mozilla::a11y::HTMLListBulletAccessible::AppendTextTo(nsTSubstring<char16_t>&, unsigned int, unsigned int)|hg:hg.mozilla.org/mozilla-central:accessible/html/HTMLListAccessible.cpp:7e0886a94d70b8696d6fc0481d9f9ae12b85c41a|152|0x3
0|6|libxul.so|mozilla::a11y::nsAccUtils::TextLength(mozilla::a11y::Accessible*)|hg:hg.mozilla.org/mozilla-central:accessible/base/nsAccUtils.cpp:7e0886a94d70b8696d6fc0481d9f9ae12b85c41a|380|0x23
0|7|libxul.so|mozilla::a11y::HyperTextAccessible::GetChildOffset(unsigned int, bool) const|hg:hg.mozilla.org/mozilla-central:accessible/generic/HyperTextAccessible.cpp:7e0886a94d70b8696d6fc0481d9f9ae12b85c41a|1930|0x8
0|8|libxul.so|mozilla::a11y::NotificationController::QueueMutationEvent(mozilla::a11y::AccTreeMutationEvent*)|hg:hg.mozilla.org/mozilla-central:accessible/base/NotificationController.cpp:7e0886a94d70b8696d6fc0481d9f9ae12b85c41a|207|0x16
0|9|libxul.so|mozilla::a11y::TreeMutation::BeforeRemoval(mozilla::a11y::Accessible*, bool)|hg:hg.mozilla.org/mozilla-central:accessible/base/EventTree.cpp:7e0886a94d70b8696d6fc0481d9f9ae12b85c41a|86|0x18
0|10|libxul.so|mozilla::a11y::DocAccessible::ContentRemoved(mozilla::a11y::Accessible*)|hg:hg.mozilla.org/mozilla-central:accessible/generic/DocAccessible.cpp:7e0886a94d70b8696d6fc0481d9f9ae12b85c41a|2062|0xe
0|11|libxul.so|mozilla::a11y::DocAccessible::ContentRemoved(nsIContent*)|hg:hg.mozilla.org/mozilla-central:accessible/generic/DocAccessible.cpp:7e0886a94d70b8696d6fc0481d9f9ae12b85c41a|2091|0xb
0|12|libxul.so|nsAccessibilityService::ContentRemoved(mozilla::PresShell*, nsIContent*)|hg:hg.mozilla.org/mozilla-central:accessible/base/nsAccessibilityService.cpp:7e0886a94d70b8696d6fc0481d9f9ae12b85c41a|536|0xb
0|13|libxul.so|nsCSSFrameConstructor::ContentRemoved(nsIContent*, nsIContent*, nsCSSFrameConstructor::RemoveFlags)|hg:hg.mozilla.org/mozilla-central:layout/base/nsCSSFrameConstructor.cpp:7e0886a94d70b8696d6fc0481d9f9ae12b85c41a|7534|0xe
0|14|libxul.so|mozilla::PresShell::ContentRemoved(nsIContent*, nsIContent*)|hg:hg.mozilla.org/mozilla-central:layout/base/PresShell.cpp:7e0886a94d70b8696d6fc0481d9f9ae12b85c41a|4321|0x1c
0|15|libxul.so|mozilla::dom::MutationObservers::NotifyContentRemoved(nsINode*, nsIContent*, nsIContent*)|hg:hg.mozilla.org/mozilla-central:dom/base/MutationObservers.cpp:7e0886a94d70b8696d6fc0481d9f9ae12b85c41a|215|0x80
0|16|libxul.so|nsINode::RemoveChildNode(nsIContent*, bool)|hg:hg.mozilla.org/mozilla-central:dom/base/nsINode.cpp:7e0886a94d70b8696d6fc0481d9f9ae12b85c41a|1870|0xe
0|17|libxul.so|nsINode::ReplaceOrInsertBefore(bool, nsINode*, nsINode*, mozilla::ErrorResult&)|hg:hg.mozilla.org/mozilla-central:dom/base/nsINode.cpp:7e0886a94d70b8696d6fc0481d9f9ae12b85c41a|2204|0x48
0|18|libxul.so|mozilla::dom::Node_Binding::appendChild|s3:gecko-generated-sources:38fe7edc7c47a84205aafac807de41b0514cca57cc693b9173ccc6b09fc7a1d9b3fb7353f9aad734e3e258dad2cfe8cd626b2d7b90a7cccec4bd64272ca4302e/dom/bindings/NodeBinding.cpp:|975|0x1a
0|19|libxul.so|bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*)|hg:hg.mozilla.org/mozilla-central:dom/bindings/BindingUtils.cpp:7e0886a94d70b8696d6fc0481d9f9ae12b85c41a|3151|0x21
0|20|libxul.so|CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&)|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:7e0886a94d70b8696d6fc0481d9f9ae12b85c41a|452|0x19
0|21|libxul.so|js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason)|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:7e0886a94d70b8696d6fc0481d9f9ae12b85c41a|544|0x12
0|22|libxul.so|InternalCall|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:7e0886a94d70b8696d6fc0481d9f9ae12b85c41a|608|0x10
0|23|libxul.so|Interpret|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:7e0886a94d70b8696d6fc0481d9f9ae12b85c41a|612|0x18
0|24|libxul.so|js::RunScript(JSContext*, js::RunState&)|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:7e0886a94d70b8696d6fc0481d9f9ae12b85c41a|388|0xfe
0|25|libxul.so|js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason)|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:7e0886a94d70b8696d6fc0481d9f9ae12b85c41a|580|0xf
0|26|libxul.so|InternalCall|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:7e0886a94d70b8696d6fc0481d9f9ae12b85c41a|608|0x10
0|27|libxul.so|js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason)|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:7e0886a94d70b8696d6fc0481d9f9ae12b85c41a|625|0x8
0|28|libxul.so|JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>)|hg:hg.mozilla.org/mozilla-central:js/src/jsapi.cpp:7e0886a94d70b8696d6fc0481d9f9ae12b85c41a|2787|0x1f
0|29|libxul.so|mozilla::dom::EventListener::HandleEvent(JSContext*, JS::Handle<JS::Value>, mozilla::dom::Event&, mozilla::ErrorResult&)|s3:gecko-generated-sources:9ca8646d8042e9b4b76d2e1b358b984be17743b71b832c0897d61bb500e0fecbe38fa54273dc522878c87fcb2c9bfd274a8190c7bc56fbbb58cb3ca68462e527/dom/bindings/EventListenerBinding.cpp:|52|0x5
0|30|libxul.so|mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, mozilla::dom::Event*, mozilla::dom::EventTarget*)|s3:gecko-generated-sources:f3d9c01258576daaac3afc4fb3b283652e7f1168abb5287eff6775451ebd0ab6a0e4c8d88d3a67f7147042501bc091c6dfed25b4b8ccf4e4f420897b8d0ba906/dist/include/mozilla/dom/EventListenerBinding.h:|66|0x1c
0|31|libxul.so|mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, nsEventStatus*, bool)|hg:hg.mozilla.org/mozilla-central:dom/events/EventListenerManager.cpp:7e0886a94d70b8696d6fc0481d9f9ae12b85c41a|1271|0x1c
0|32|libxul.so|mozilla::EventTargetChainItem::HandleEvent(mozilla::EventChainPostVisitor&, mozilla::ELMCreationDetector&)|hg:hg.mozilla.org/mozilla-central:dom/events/EventDispatcher.cpp:7e0886a94d70b8696d6fc0481d9f9ae12b85c41a|326|0x6b
0|33|libxul.so|mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&)|hg:hg.mozilla.org/mozilla-central:dom/events/EventDispatcher.cpp:7e0886a94d70b8696d6fc0481d9f9ae12b85c41a|558|0x12
0|34|libxul.so|mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*)|hg:hg.mozilla.org/mozilla-central:dom/events/EventDispatcher.cpp:7e0886a94d70b8696d6fc0481d9f9ae12b85c41a|1056|0x1a
0|35|libxul.so|nsDocumentViewer::LoadComplete(nsresult)|hg:hg.mozilla.org/mozilla-central:layout/base/nsDocumentViewer.cpp:7e0886a94d70b8696d6fc0481d9f9ae12b85c41a|1142|0x1a
0|36|libxul.so|nsDocShell::EndPageLoad(nsIWebProgress*, nsIChannel*, nsresult)|hg:hg.mozilla.org/mozilla-central:docshell/base/nsDocShell.cpp:7e0886a94d70b8696d6fc0481d9f9ae12b85c41a|6117|0x18
0|37|libxul.so|nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult)|hg:hg.mozilla.org/mozilla-central:docshell/base/nsDocShell.cpp:7e0886a94d70b8696d6fc0481d9f9ae12b85c41a|5900|0x1c
0|38|libxul.so|nsDocLoader::DoFireOnStateChange(nsIWebProgress*, nsIRequest*, int&, nsresult)|hg:hg.mozilla.org/mozilla-central:uriloader/base/nsDocLoader.cpp:7e0886a94d70b8696d6fc0481d9f9ae12b85c41a|1347|0x56
0|39|libxul.so|nsDocLoader::doStopDocumentLoad(nsIRequest*, nsresult)|hg:hg.mozilla.org/mozilla-central:uriloader/base/nsDocLoader.cpp:7e0886a94d70b8696d6fc0481d9f9ae12b85c41a|906|0x2a
0|40|libxul.so|nsDocLoader::DocLoaderIsEmpty(bool)|hg:hg.mozilla.org/mozilla-central:uriloader/base/nsDocLoader.cpp:7e0886a94d70b8696d6fc0481d9f9ae12b85c41a|726|0x15
0|41|libxul.so|nsDocLoader::NotifyDoneWithOnload(nsDocLoader*)|hg:hg.mozilla.org/mozilla-central:uriloader/base/nsDocLoader.cpp:7e0886a94d70b8696d6fc0481d9f9ae12b85c41a|800|0x1f
0|42|libxul.so|nsDocLoader::DocLoaderIsEmpty(bool)|hg:hg.mozilla.org/mozilla-central:uriloader/base/nsDocLoader.cpp:7e0886a94d70b8696d6fc0481d9f9ae12b85c41a|728|0xf
0|43|libxul.so|nsDocLoader::OnStopRequest(nsIRequest*, nsresult)|hg:hg.mozilla.org/mozilla-central:uriloader/base/nsDocLoader.cpp:7e0886a94d70b8696d6fc0481d9f9ae12b85c41a|614|0x16
0|44|libxul.so|mozilla::net::nsLoadGroup::NotifyRemovalObservers(nsIRequest*, nsresult)|hg:hg.mozilla.org/mozilla-central:netwerk/base/nsLoadGroup.cpp:7e0886a94d70b8696d6fc0481d9f9ae12b85c41a|604|0x1a
0|45|libxul.so|mozilla::net::nsLoadGroup::RemoveRequest(nsIRequest*, nsISupports*, nsresult)|hg:hg.mozilla.org/mozilla-central:netwerk/base/nsLoadGroup.cpp:7e0886a94d70b8696d6fc0481d9f9ae12b85c41a|511|0xe
0|46|libxul.so|mozilla::dom::Document::DoUnblockOnload()|hg:hg.mozilla.org/mozilla-central:dom/base/Document.cpp:7e0886a94d70b8696d6fc0481d9f9ae12b85c41a|10677|0x4c
0|47|libxul.so|mozilla::dom::Document::UnblockOnload(bool)|hg:hg.mozilla.org/mozilla-central:dom/base/Document.cpp:7e0886a94d70b8696d6fc0481d9f9ae12b85c41a|10611|0x2a
0|48|libxul.so|mozilla::dom::Document::DispatchContentLoadedEvents()|hg:hg.mozilla.org/mozilla-central:dom/base/Document.cpp:7e0886a94d70b8696d6fc0481d9f9ae12b85c41a|7310|0xd
0|49|libxul.so|mozilla::detail::RunnableMethodImpl<mozilla::dom::Document*, void (mozilla::dom::Document::*)(), true, (mozilla::RunnableKind)0>::Run()|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThreadUtils.h:7e0886a94d70b8696d6fc0481d9f9ae12b85c41a|1216|0x5
0|50|libxul.so|nsThread::ProcessNextEvent(bool, bool*)|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThread.cpp:7e0886a94d70b8696d6fc0481d9f9ae12b85c41a|1220|0xe
0|51|libxul.so|NS_ProcessNextEvent(nsIThread*, bool)|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThreadUtils.cpp:7e0886a94d70b8696d6fc0481d9f9ae12b85c41a|486|0x11
0|52|libxul.so|mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*)|hg:hg.mozilla.org/mozilla-central:ipc/glue/MessagePump.cpp:7e0886a94d70b8696d6fc0481d9f9ae12b85c41a|87|0xa
0|53|libxul.so|MessageLoop::RunInternal()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:7e0886a94d70b8696d6fc0481d9f9ae12b85c41a|315|0x19
0|54|libxul.so|MessageLoop::Run()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:7e0886a94d70b8696d6fc0481d9f9ae12b85c41a|290|0x8
0|55|libxul.so|nsBaseAppShell::Run()|hg:hg.mozilla.org/mozilla-central:widget/nsBaseAppShell.cpp:7e0886a94d70b8696d6fc0481d9f9ae12b85c41a|137|0xd
0|56|libxul.so|nsAppStartup::Run()|hg:hg.mozilla.org/mozilla-central:toolkit/components/startup/nsAppStartup.cpp:7e0886a94d70b8696d6fc0481d9f9ae12b85c41a|272|0x10
0|57|libxul.so|XREMain::XRE_mainRun()|hg:hg.mozilla.org/mozilla-central:toolkit/xre/nsAppRunner.cpp:7e0886a94d70b8696d6fc0481d9f9ae12b85c41a|4605|0x16
0|58|libxul.so|XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&)|hg:hg.mozilla.org/mozilla-central:toolkit/xre/nsAppRunner.cpp:7e0886a94d70b8696d6fc0481d9f9ae12b85c41a|4742|0x8
0|59|libxul.so|XRE_main(int, char**, mozilla::BootstrapConfig const&)|hg:hg.mozilla.org/mozilla-central:toolkit/xre/nsAppRunner.cpp:7e0886a94d70b8696d6fc0481d9f9ae12b85c41a|4823|0x5
0|60|firefox-bin|do_main|hg:hg.mozilla.org/mozilla-central:browser/app/nsBrowserApp.cpp:7e0886a94d70b8696d6fc0481d9f9ae12b85c41a|217|0x26
0|61|firefox-bin|main|hg:hg.mozilla.org/mozilla-central:browser/app/nsBrowserApp.cpp:7e0886a94d70b8696d6fc0481d9f9ae12b85c41a|339|0xf
0|62|libc-2.27.so||||0x21b97
0|63|firefox-bin|__cxa_throw_bad_array_new_length|hg:hg.mozilla.org/mozilla-central:build/unix/stdc++compat/stdc++compat.cpp:7e0886a94d70b8696d6fc0481d9f9ae12b85c41a|82|0x12
0|64|firefox-bin|_GLOBAL__sub_I_TimeStamp.cpp|hg:hg.mozilla.org/mozilla-central:mozglue/misc/TimeStamp.cpp:7e0886a94d70b8696d6fc0481d9f9ae12b85c41a|150|0x4b
0|65|||||0x7ffdbc7ccf40
0|66|ld-2.27.so||||0x10733
0|67|libdl-2.27.so||||0x202d80
0|68|libpthread-2.27.so||||0x219bb0
0|69|firefox-bin|_GLOBAL__sub_I_TimeStamp.cpp|hg:hg.mozilla.org/mozilla-central:mozglue/misc/TimeStamp.cpp:7e0886a94d70b8696d6fc0481d9f9ae12b85c41a|150|0x4b
0|70|||||0x7ffdbc7ccf40
0|71|firefox-bin|_start|||0x29
Flags: in-testsuite?

This seems like a recent a11y regression... Any hunches, Eitan?

Component: CSS Parsing and Computation → Disability Access APIs
Flags: needinfo?(eitan)
Summary: Assertion failure: !StylistNeedsUpdate(), at /builds/worker/workspace/build/src/layout/style/ServoStyleSet.cpp:1098 → Assertion failure: !StylistNeedsUpdate() called from HTMLListBulletAccessible::Name, at /builds/worker/workspace/build/src/layout/style/ServoStyleSet.cpp:1098

Slightly simpler case attached.

Emilio, I don't see how any recent changes affected this. I can maybe do some bisecting if necessary.

From what I can tell, the <style> element is removed, this dirties the stylesheet, then another child of the <li> is removed too. Accessibility needs to do some text offset calculations for event purposes, but when it tries to get the bullet type from layout, it hits this assertion.

Since we can't divine the style sheet state from accessibility, I'm not sure how to code around this.

Flags: needinfo?(eitan) → needinfo?(emilio)

So what's going on is that the list-style-type is needed to get the spoken text, but accessible destruction isn't guaranteed to happen with clean layout information...

Can a11y somehow store those offsets when created or such? Can the spoken text not depend on the style data?

Flags: needinfo?(emilio)

The priority flag is not set for this bug.
:Jamie, could you have a look please?

For more information, please visit auto_nag documentation.

Flags: needinfo?(jteh)

(In reply to Emilio Cobos Álvarez (:emilio) from comment #3)

Can a11y somehow store those offsets when created or such?

The text could change whenever the list-style-type changes or whenever an item is added/removed from the list. So, we'd need to update the cache whenever either of those things happen. I'm guessing these things are not guaranteed to reconstruct the frame for the list item, so we'd need other hooks into layout.

Can the spoken text not depend on the style data?

I don't see how this could be done. list-style-type affects what text gets rendered and a11y needs to expose that text to the user.

Flags: needinfo?(jteh)
Priority: -- → P3

Bugbug thinks this bug is a regression, but please revert this change in case of error.

Keywords: regression
Severity: normal → S3
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: