Closed
Bug 1655983
Opened 4 years ago
Closed 4 years ago
Assertion failure: !GetAccService() || !GetAccService()->HasAccessible(this) (An accessible for this element still exists!), at /builds/worker/checkouts/gecko/dom/base/Element.cpp:1738
Categories
(Core :: Disability Access APIs, defect)
Core
Disability Access APIs
Tracking
()
VERIFIED
FIXED
82 Branch
| Tracking | Status | |
|---|---|---|
| firefox-esr68 | --- | unaffected |
| firefox-esr78 | --- | unaffected |
| firefox80 | --- | wontfix |
| firefox81 | --- | wontfix |
| firefox82 | --- | verified |
People
(Reporter: jkratzer, Assigned: emilio)
References
(Blocks 1 open bug, Regression)
Details
(Keywords: assertion, regression, testcase, Whiteboard: [bugmon:bisected,confirmed][fuzzblocker] [a11y verification and automation])
Attachments
(2 files)
Testcase found while fuzzing mozilla-central rev 3059084abf6e (built with --enable-debug). Testcase requires the GNOME_ACCESSIBILITY=1 environment variable to be set in order to reproduce.
Assertion failure: !GetAccService() || !GetAccService()->HasAccessible(this) (An accessible for this element still exists!), at /builds/worker/checkouts/gecko/dom/base/Element.cpp:1738
==5069==ERROR: UndefinedBehaviorSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f819577854c bp 0x7ffe029f7dd0 sp 0x7ffe029f7d60 T5069)
==5069==The signal is caused by a WRITE memory access.
==5069==Hint: address points to the zero page.
#0 0x7f819577854b in AnnotateMozCrashReason /builds/worker/workspace/obj-build/dist/include/mozilla/Assertions.h:42:19
#1 0x7f819577854b in mozilla::dom::Element::UnbindFromTree(bool) /builds/worker/checkouts/gecko/dom/base/Element.cpp:1737:3
#2 0x7f8197167593 in nsGenericHTMLElement::UnbindFromTree(bool) /builds/worker/checkouts/gecko/dom/html/nsGenericHTMLElement.cpp:474:20
#3 0x7f819577828d in mozilla::dom::Element::UnbindFromTree(bool) /builds/worker/checkouts/gecko/dom/base/Element.cpp:1819:12
#4 0x7f8197167593 in nsGenericHTMLElement::UnbindFromTree(bool) /builds/worker/checkouts/gecko/dom/html/nsGenericHTMLElement.cpp:474:20
#5 0x7f819577828d in mozilla::dom::Element::UnbindFromTree(bool) /builds/worker/checkouts/gecko/dom/base/Element.cpp:1819:12
#6 0x7f8197167593 in nsGenericHTMLElement::UnbindFromTree(bool) /builds/worker/checkouts/gecko/dom/html/nsGenericHTMLElement.cpp:474:20
#7 0x7f819577828d in mozilla::dom::Element::UnbindFromTree(bool) /builds/worker/checkouts/gecko/dom/base/Element.cpp:1819:12
#8 0x7f8197167593 in nsGenericHTMLElement::UnbindFromTree(bool) /builds/worker/checkouts/gecko/dom/html/nsGenericHTMLElement.cpp:474:20
#9 0x7f819580f6dd in Unbind /builds/worker/checkouts/gecko/dom/base/ShadowRoot.cpp:143:12
#10 0x7f819580f6dd in mozilla::dom::ShadowRoot::Unattach() /builds/worker/checkouts/gecko/dom/base/ShadowRoot.cpp:155:3
#11 0x7f819574ab8d in mozilla::dom::Element::UnattachShadow() /builds/worker/checkouts/gecko/dom/base/Element.cpp:1209:15
#12 0x7f8195774ec8 in mozilla::dom::Element::NotifyUAWidgetTeardown(mozilla::dom::Element::UnattachShadowRoot) /builds/worker/checkouts/gecko/dom/base/Element.cpp:1171:5
#13 0x7f81970b1eb2 in mozilla::dom::HTMLInputElement::HandleTypeChange(unsigned char, bool) /builds/worker/checkouts/gecko/dom/html/HTMLInputElement.cpp:4496:9
#14 0x7f81970b030c in mozilla::dom::HTMLInputElement::AfterSetAttr(int, nsAtom*, nsAttrValue const*, nsAttrValue const*, nsIPrincipal*, bool) /builds/worker/checkouts/gecko/dom/html/HTMLInputElement.cpp:1207:9
#15 0x7f8195779d78 in mozilla::dom::Element::SetAttrAndNotify(int, nsAtom*, nsAtom*, nsAttrValue const*, nsAttrValue&, nsIPrincipal*, unsigned char, bool, bool, bool, mozilla::dom::Document*, mozAutoDocUpdate const&) /builds/worker/checkouts/gecko/dom/base/Element.cpp:2354:10
#16 0x7f8195775ca2 in mozilla::dom::Element::SetAttr(int, nsAtom*, nsAtom*, nsTSubstring<char16_t> const&, nsIPrincipal*, bool) /builds/worker/checkouts/gecko/dom/base/Element.cpp:2211:10
#17 0x7f8196a8bbbf in SetAttr /builds/worker/workspace/obj-build/dist/include/mozilla/dom/Element.h:881:12
#18 0x7f8196a8bbbf in SetAttr /builds/worker/workspace/obj-build/dist/include/mozilla/dom/Element.h:877:12
#19 0x7f8196a8bbbf in SetAttr /builds/worker/workspace/obj-build/dist/include/mozilla/dom/Element.h:1587:14
#20 0x7f8196a8bbbf in SetHTMLAttr /builds/worker/checkouts/gecko/dom/html/nsGenericHTMLElement.h:741:5
#21 0x7f8196a8bbbf in SetType /builds/worker/workspace/obj-build/dist/include/mozilla/dom/HTMLInputElement.h:621:5
#22 0x7f8196a8bbbf in mozilla::dom::HTMLInputElement_Binding::set_type(JSContext*, JS::Handle<JSObject*>, void*, JSJitSetterCallArgs) /builds/worker/workspace/obj-build/dom/bindings/HTMLInputElementBinding.cpp:2879:24
#23 0x7f8196bc6d6c in bool mozilla::dom::binding_detail::GenericSetter<mozilla::dom::binding_detail::NormalThisPolicy>(JSContext*, unsigned int, JS::Value*) /builds/worker/checkouts/gecko/dom/bindings/BindingUtils.cpp:3168:8
#24 0x7f8199a3e671 in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:485:13
#25 0x7f8199a3dee9 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:577:12
#26 0x7f8199a3f9af in InternalCall(JSContext*, js::AnyInvokeArgs const&, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:640:10
#27 0x7f8199a40af7 in js::CallSetter(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::Handle<JS::Value>) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:657:8
#28 0x7f8199dbdf4f in SetExistingProperty(JSContext*, JS::Handle<JS::PropertyKey>, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::Handle<js::NativeObject*>, JS::Handle<JS::PropertyResult>, JS::ObjectOpResult&) /builds/worker/checkouts/gecko/js/src/vm/NativeObject.cpp:2820:8
#29 0x7f8199dbd26b in bool js::NativeSetProperty<(js::QualifiedBool)1>(JSContext*, JS::Handle<js::NativeObject*>, JS::Handle<JS::PropertyKey>, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::ObjectOpResult&) /builds/worker/checkouts/gecko/js/src/vm/NativeObject.cpp:2849:14
#30 0x7f8199a31147 in SetPropertyOperation /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:271:10
#31 0x7f8199a31147 in Interpret(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:3071:12
#32 0x7f8199a29be6 in js::RunScript(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:457:10
#33 0x7f8199a3de46 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:612:13
#34 0x7f8199a3f9af in InternalCall(JSContext*, js::AnyInvokeArgs const&, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:640:10
#35 0x7f8199a3fb8f in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:657:8
#36 0x7f8199b4fe67 in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /builds/worker/checkouts/gecko/js/src/jsapi.cpp:2837:10
#37 0x7f81968c0703 in mozilla::dom::EventListener::HandleEvent(mozilla::dom::BindingCallContext&, JS::Handle<JS::Value>, mozilla::dom::Event&, mozilla::ErrorResult&) /builds/worker/workspace/obj-build/dom/bindings/EventListenerBinding.cpp:55:8
#38 0x7f8196f75486 in void mozilla::dom::EventListener::HandleEvent<mozilla::dom::EventTarget*>(mozilla::dom::EventTarget* const&, mozilla::dom::Event&, mozilla::ErrorResult&, char const*, mozilla::dom::CallbackObject::ExceptionHandling, JS::Realm*) /builds/worker/workspace/obj-build/dist/include/mozilla/dom/EventListenerBinding.h:66:12
#39 0x7f8196f751ad in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, mozilla::dom::Event*, mozilla::dom::EventTarget*) /builds/worker/checkouts/gecko/dom/events/EventListenerManager.cpp:1082:43
#40 0x7f8196f75e43 in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, nsEventStatus*, bool) /builds/worker/checkouts/gecko/dom/events/EventListenerManager.cpp:1279:17
#41 0x7f8196f6b704 in HandleEvent /builds/worker/workspace/obj-build/dist/include/mozilla/EventListenerManager.h:354:5
#42 0x7f8196f6b704 in mozilla::EventTargetChainItem::HandleEvent(mozilla::EventChainPostVisitor&, mozilla::ELMCreationDetector&) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp:355:17
#43 0x7f8196f6aca1 in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp:557:16
#44 0x7f8196f6d869 in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp:1054:11
#45 0x7f8196f6fdb6 in mozilla::EventDispatcher::DispatchDOMEvent(nsISupports*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsPresContext*, nsEventStatus*) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp
#46 0x7f81958c5123 in nsINode::DispatchEvent(mozilla::dom::Event&, mozilla::dom::CallerType, mozilla::ErrorResult&) /builds/worker/checkouts/gecko/dom/base/nsINode.cpp:1300:17
#47 0x7f81955de0da in nsContentUtils::DispatchEvent(mozilla::dom::Document*, nsISupports*, nsTSubstring<char16_t> const&, mozilla::CanBubble, mozilla::Cancelable, mozilla::Composed, mozilla::Trusted, bool*, mozilla::ChromeOnlyDispatch) /builds/worker/checkouts/gecko/dom/base/nsContentUtils.cpp:4048:28
#48 0x7f81955ddf63 in nsContentUtils::DispatchTrustedEvent(mozilla::dom::Document*, nsISupports*, nsTSubstring<char16_t> const&, mozilla::CanBubble, mozilla::Cancelable, mozilla::Composed, bool*) /builds/worker/checkouts/gecko/dom/base/nsContentUtils.cpp:4018:10
#49 0x7f819573f733 in mozilla::dom::Document::DispatchContentLoadedEvents() /builds/worker/checkouts/gecko/dom/base/Document.cpp:7226:3
#50 0x7f81957adc76 in applyImpl<mozilla::dom::Document, void (mozilla::dom::Document::*)()> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1188:12
#51 0x7f81957adc76 in apply<mozilla::dom::Document, void (mozilla::dom::Document::*)()> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1194:12
#52 0x7f81957adc76 in mozilla::detail::RunnableMethodImpl<mozilla::dom::Document*, void (mozilla::dom::Document::*)(), true, (mozilla::RunnableKind)0>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1240:13
#53 0x7f81937ff152 in mozilla::SchedulerGroup::Runnable::Run() /builds/worker/checkouts/gecko/xpcom/threads/SchedulerGroup.cpp:146:20
#54 0x7f81938051a4 in mozilla::RunnableTask::Run() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:242:16
#55 0x7f8193802f6d in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:512:26
#56 0x7f8193801d54 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:371:15
#57 0x7f8193801f46 in mozilla::TaskController::ProcessPendingMTTask(bool) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:168:36
#58 0x7f8193809b66 in operator() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:83:37
#59 0x7f8193809b66 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_4>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:577:5
#60 0x7f819381d909 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1234:14
#61 0x7f819382342a in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:513:10
#62 0x7f819412f58f in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:87:21
#63 0x7f81940a0843 in MessageLoop::RunInternal() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:334:10
#64 0x7f81940a075d in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:327:3
#65 0x7f81940a075d in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:309:3
#66 0x7f81980e8f48 in nsBaseAppShell::Run() /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:137:27
#67 0x7f81998fba93 in XRE_RunAppShell() /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:913:20
#68 0x7f8194130357 in mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:237:9
#69 0x7f81940a0843 in MessageLoop::RunInternal() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:334:10
#70 0x7f81940a075d in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:327:3
#71 0x7f81940a075d in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:309:3
#72 0x7f81998fb587 in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:744:34
#73 0x56030197bfb8 in content_process_main /builds/worker/checkouts/gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:56:28
#74 0x56030197bfb8 in main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:303:18
#75 0x7f81aeddab96 in __libc_start_main /build/glibc-2ORdQG/glibc-2.27/csu/../csu/libc-start.c:310
UndefinedBehaviorSanitizer can not provide additional info.
Flags: in-testsuite?
|
Reporter | |
Updated•4 years ago
|
Whiteboard: [bugmon:confirm] → [bugmon:bisected,confirmed]
|
|
Reporter | |
Comment 1•4 years ago
|
||
Bugmon Analysis:
Verified bug as reproducible on mozilla-central 20200804091327-7cb90fa4f485.
The bug appears to have been introduced in the following build range:
> Start: b3a3c131a27916b7b4751ba935f1560b1aba8b0f (20200724213808)
> End: 0a3bb5c4669879bbba273296d2e7cbea5e26fb75 (20200724162046)
> Pushlog: https://hg.mozilla.org/mozilla-unified/pushloghtml?fromchange=b3a3c131a27916b7b4751ba935f1560b1aba8b0f&tochange=0a3bb5c4669879bbba273296d2e7cbea5e26fb75|
|
Reporter | |
Updated•4 years ago
|
Whiteboard: [bugmon:bisected,confirmed] → [bugmon:bisected,confirmed][fuzzblocker]
|
||
Updated•4 years ago
|
Has Regression Range: --- → yes
|
Assignee | |
Updated•4 years ago
|
Flags: needinfo?(emilio)
|
||
Comment 2•4 years ago
|
||
From duplicate bug 1663724:
This assertion happens when trying to run browser chrome tests with accessibility services enabled by default. The failure happens in the following tests:
browser/base/content/test/plugins/browser_CTP_crashreporting.js (https://treeherder.mozilla.org/logviewer.html#/jobs?job_id=313977353&repo=try&lineNumber=3931)
browser/base/content/test/plugins/browser_CTP_drag_drop.js (https://treeherder.mozilla.org/logviewer.html#?job_id=313977353&repo=try&lineNumber=4225)
browser/base/content/test/plugins/browser_blocking.js (https://treeherder.mozilla.org/logviewer.html#?job_id=313977353&repo=try&lineNumber=4790)
browser/base/content/test/plugins/browser_bug743421.js (https://treeherder.mozilla.org/logviewer.html#?job_id=313977353&repo=try&lineNumber=5222)
browser/base/content/test/plugins/browser_bug787619.js (https://treeherder.mozilla.org/logviewer.html#?job_id=313977353&repo=try&lineNumber=5423)
browser/base/content/test/plugins/browser_plugin_reloading.js (https://treeherder.mozilla.org/logviewer.html#?job_id=313977353&repo=try&lineNumber=5994)
browser/base/content/test/plugins/browser_pluginnotification.js (https://treeherder.mozilla.org/logviewer.html#?job_id=313977353&repo=try&lineNumber=6130)
browser/base/content/test/plugins/browser_private_clicktoplay.js (https://treeherder.mozilla.org/logviewer.html#?job_id=313977353&repo=try&lineNumber=6650)
Whiteboard: [bugmon:bisected,confirmed][fuzzblocker] → [bugmon:bisected,confirmed][fuzzblocker] [a11y verification and automation]
|
||
Updated•4 years ago
|
Keywords: regression
|
||
Updated•4 years ago
|
|
|
Assignee | |
Comment 4•4 years ago
|
||
So this is basically caused by bug 686400, and it is a bit tricky... So basically when the subtree of a shadow host is going to change we call DestroyFramesFor which uses the REBUILD_FOR_RECONSTRUCTION flag, and thus we delay removing the accessible.
That's fine for the shadow host itself but not for the shadow host's children...
See Also: → 686400
|
|
Assignee | |
Comment 5•4 years ago
|
||
See the comment for different things that we could do here, this being
the simplest one IMO.
|
||
Updated•4 years ago
|
Assignee: nobody → emilio
Status: NEW → ASSIGNED
|
|
Assignee | |
Updated•4 years ago
|
Flags: needinfo?(emilio)
Pushed by ealvarez@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/8205c8850b96 Notify the accessibility service directly when detaching a shadow root. r=eeejay
Pushed by emilio@crisal.io: https://hg.mozilla.org/integration/autoland/rev/0225f613d99d Fix pre-existing include guard now that we also use it in non-DEBUG builds.
|
||
Comment 8•4 years ago
|
||
| bugherder | ||
https://hg.mozilla.org/mozilla-central/rev/8205c8850b96
https://hg.mozilla.org/mozilla-central/rev/0225f613d99d
Status: ASSIGNED → RESOLVED
Closed: 4 years ago
Resolution: --- → FIXED
Target Milestone: --- → 82 Branch
|
|
Reporter | |
Updated•4 years ago
|
|
|
Reporter | |
Comment 9•4 years ago
|
||
Bugmon Analysis: Verified bug as fixed on rev mozilla-central 20200910040355-7eead7eaf33a. Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.
|
||
Updated•4 years ago
|
status-firefox80:
--- → wontfix
status-firefox-esr68:
--- → unaffected
status-firefox-esr78:
--- → unaffected
Flags: in-testsuite? → in-testsuite+
You need to log in
before you can comment on or make changes to this bug.
Description
•