1655552 - Assertion failure: false (MOZ_ASSERT_UNREACHABLE: File input doesn't contain a button), at /builds/worker/checkouts/gecko/accessible/html/HTMLFormControlAccessible.cpp:474

Status: NEW

(Core :: Disability Access APIs, defect)

Description

[Jason Kratzer [:jkratzer]]

Attachment: testcase.zip

Testcase found while fuzzing mozilla-central rev 798bdad605b9 (built with --enable-debug). Testcase must be served over HTTP and the GNOME_ACCESSIBILITY=1 environment variable must be set in order to reproduce the issue.

Assertion failure: false (MOZ_ASSERT_UNREACHABLE: File input doesn't contain a button), at /builds/worker/checkouts/gecko/accessible/html/HTMLFormControlAccessible.cpp:474

==30503==ERROR: UndefinedBehaviorSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7fd68443e838 bp 0x7ffeb79c6630 sp 0x7ffeb79c6620 T30503)
==30503==The signal is caused by a WRITE memory access.
==30503==Hint: address points to the zero page.
    #0 0x7fd68443e837 in AnnotateMozCrashReason /builds/worker/workspace/obj-build/dist/include/mozilla/Assertions.h:42:19
    #1 0x7fd68443e837 in mozilla::a11y::HTMLFileInputAccessible::CurrentItem() const /builds/worker/checkouts/gecko/accessible/html/HTMLFormControlAccessible.cpp:474:5
    #2 0x7fd6843e707b in mozilla::a11y::FocusManager::ProcessFocusEvent(mozilla::a11y::AccEvent*) /builds/worker/checkouts/gecko/accessible/base/FocusManager.cpp:290:38
    #3 0x7fd6843e6957 in mozilla::a11y::EventQueue::ProcessEventQueue() /builds/worker/checkouts/gecko/accessible/base/EventQueue.cpp:291:21
    #4 0x7fd6843efef0 in mozilla::a11y::NotificationController::WillRefresh(mozilla::TimeStamp) /builds/worker/checkouts/gecko/accessible/base/NotificationController.cpp:878:3
    #5 0x7fd6832b333a in nsRefreshDriver::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:1982:12
    #6 0x7fd6832bb67e in TickDriver /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:373:13
    #7 0x7fd6832bb67e in mozilla::RefreshDriverTimer::TickRefreshDrivers(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver> >&) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:350:7
    #8 0x7fd6832bb4f0 in mozilla::RefreshDriverTimer::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:367:5
    #9 0x7fd6832c0c6b in RunRefreshDrivers /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:819:5
    #10 0x7fd6832c0c6b in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::TickRefreshDriver(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:737:16
    #11 0x7fd6832c052f in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyParentProcessVsync() /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:639:7
    #12 0x7fd6832b966d in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::ParentProcessVsyncNotifier::Run() /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:538:20
    #13 0x7fd67e75a194 in mozilla::RunnableTask::Run() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:242:16
    #14 0x7fd67e757f5d in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:512:26
    #15 0x7fd67e756d44 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:371:15
    #16 0x7fd67e756f36 in mozilla::TaskController::ProcessPendingMTTask(bool) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:168:36
    #17 0x7fd67e75eb56 in operator() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:83:37
    #18 0x7fd67e75eb56 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_4>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:577:5
    #19 0x7fd67e7728f9 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1234:14
    #20 0x7fd67e77841a in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:513:10
    #21 0x7fd67f08447f in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:87:21
    #22 0x7fd67eff5733 in MessageLoop::RunInternal() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:334:10
    #23 0x7fd67eff564d in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:327:3
    #24 0x7fd67eff564d in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:309:3
    #25 0x7fd68303a358 in nsBaseAppShell::Run() /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:137:27
    #26 0x7fd68484b1f3 in XRE_RunAppShell() /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:913:20
    #27 0x7fd67f085247 in mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:237:9
    #28 0x7fd67eff5733 in MessageLoop::RunInternal() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:334:10
    #29 0x7fd67eff564d in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:327:3
    #30 0x7fd67eff564d in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:309:3
    #31 0x7fd68484ace7 in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:744:34
    #32 0x557e05dc8fb8 in content_process_main /builds/worker/checkouts/gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:56:28
    #33 0x557e05dc8fb8 in main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:303:18
    #34 0x7fd699d5cb96 in __libc_start_main /build/glibc-2ORdQG/glibc-2.27/csu/../csu/libc-start.c:310

UndefinedBehaviorSanitizer can not provide additional info.

Comment 1

[James Teh [:Jamie]]

Further distilled test case:

data:text/html,<input id="file" type="file" autofocus><script>setTimeout(() => file.style = 'counter-set: counter_1 9; visibility: collapse;', 100);</script>

When this occurs, the file input loses its button accessible child. However, the HTMLFileInputAccessible (grouping) is still in the tree, even though it's now invisible. The file input still has DOM focus (which is kinda weird), so its accessible gets focus... but it can't find the button child, hence the assertion.

If you remove counter-set, the HTMLFileInputAccessible gets removed from the tree.

I don't understand why counter-set causes the HTMLFileInputAccessible to remain in the a11y tree. That feels like a bug.

That said, the simple fix here would be to change the assertion so it allows for the case where the HTMLFileInputAccessible is marked invisible.

Comment 2

[Jason Kratzer [:jkratzer]]

Bugmon Analysis:
Verified bug as reproducible on mozilla-central 20200804091327-7cb90fa4f485.
Failed to bisect testcase (Start build crashes!):
> Start: e8b7c48d4e7ed1b63aeedff379b51e566ea499d9 (20191107015224)
> End: 56082fc4acfacba40993e47ef8302993c59e264e (20200727033000)
> BuildFlags: BuildFlags(asan=False, tsan=False, debug=True, fuzzing=False, coverage=False, valgrind=False)

Comment 3

[Bugmon [:jkratzer for issues]]

Bugmon Analysis
Unable to reproduce bug 1655552 using build mozilla-central 20201205093858-7ce95b6cde26. Without a baseline, bugmon is unable to analyze this bug.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.