Assertion failure: parent == aContainer (Child moving to new parent, but previous sibling in wrong parent), at /builds/worker/checkouts/gecko/accessible/generic/DocAccessible.cpp:2038
Categories
(Core :: Disability Access APIs, defect, P3)
Tracking
()
Tracking | Status | |
---|---|---|
firefox-esr102 | --- | wontfix |
firefox-esr115 | --- | wontfix |
firefox-esr128 | --- | fix-optional |
firefox87 | --- | wontfix |
firefox88 | --- | wontfix |
firefox109 | --- | wontfix |
firefox110 | --- | wontfix |
firefox111 | --- | wontfix |
firefox122 | --- | wontfix |
firefox130 | --- | wontfix |
firefox131 | --- | wontfix |
firefox132 | --- | fixed |
People
(Reporter: tsmith, Assigned: eeejay)
References
(Blocks 2 open bugs, )
Details
(4 keywords, Whiteboard: [bugmon:bisected,confirmed])
Crash Data
Attachments
(4 files, 2 obsolete files)
Assertion failure: parent == aContainer (Child moving to new parent, but previous sibling in wrong parent), at /builds/worker/checkouts/gecko/accessible/generic/DocAccessible.cpp:2038
#0 0x7fb17a225dfe in mozilla::a11y::DocAccessible::ProcessContentInserted(mozilla::a11y::Accessible*, nsTArray<nsCOMPtr<nsIContent> > const*) /gecko/accessible/generic/DocAccessible.cpp:2036:11
#1 0x7fb17a1ae978 in mozilla::a11y::NotificationController::WillRefresh(mozilla::TimeStamp) /gecko/accessible/base/NotificationController.cpp:748:16
#2 0x7fb1772aeb49 in nsRefreshDriver::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /gecko/layout/base/nsRefreshDriver.cpp:2138:12
#3 0x7fb1772bd479 in TickDriver /gecko/layout/base/nsRefreshDriver.cpp:357:13
#4 0x7fb1772bd479 in mozilla::RefreshDriverTimer::TickRefreshDrivers(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver> >&) /gecko/layout/base/nsRefreshDriver.cpp:336:7
#5 0x7fb1772bd0f1 in mozilla::RefreshDriverTimer::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /gecko/layout/base/nsRefreshDriver.cpp:351:5
#6 0x7fb1772bc304 in RunRefreshDrivers /gecko/layout/base/nsRefreshDriver.cpp:799:5
#7 0x7fb1772bc304 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::TickRefreshDriver(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /gecko/layout/base/nsRefreshDriver.cpp:722:16
#8 0x7fb1772bb745 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyParentProcessVsync() /gecko/layout/base/nsRefreshDriver.cpp:624:7
#9 0x7fb1772baf00 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsync(mozilla::VsyncEvent const&) /gecko/layout/base/nsRefreshDriver.cpp:545:9
#10 0x7fb1763f2777 in mozilla::dom::VsyncChild::RecvNotify(mozilla::VsyncEvent const&, float const&) /gecko/dom/ipc/VsyncChild.cpp:68:15
#11 0x7fb17090d15c in mozilla::dom::PVsyncChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PVsyncChild.cpp:178:54
#12 0x7fb1704fdcc4 in mozilla::ipc::PBackgroundChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PBackgroundChild.cpp:6286:32
#13 0x7fb16ff5330e in mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&) /gecko/ipc/glue/MessageChannel.cpp:2153:25
#14 0x7fb16ff4f174 in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&) /gecko/ipc/glue/MessageChannel.cpp:2077:9
#15 0x7fb16ff50f78 in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::MessageChannel::MessageTask&) /gecko/ipc/glue/MessageChannel.cpp:1925:3
#16 0x7fb16ff51b98 in mozilla::ipc::MessageChannel::MessageTask::Run() /gecko/ipc/glue/MessageChannel.cpp:1956:13
#17 0x7fb16ec264f9 in mozilla::RunnableTask::Run() /gecko/xpcom/threads/TaskController.cpp:459:16
#18 0x7fb16ec22ef7 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /gecko/xpcom/threads/TaskController.cpp:739:26
#19 0x7fb16ec20e37 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /gecko/xpcom/threads/TaskController.cpp:598:15
#20 0x7fb16ec2128d in mozilla::TaskController::ProcessPendingMTTask(bool) /gecko/xpcom/threads/TaskController.cpp:382:36
#21 0x7fb16ec2e071 in operator() /gecko/xpcom/threads/TaskController.cpp:123:37
#22 0x7fb16ec2e071 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_3>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:534:5
#23 0x7fb16ec4e5cd in nsThread::ProcessNextEvent(bool, bool*) /gecko/xpcom/threads/nsThread.cpp:1200:14
#24 0x7fb16ec598fc in NS_ProcessNextEvent(nsIThread*, bool) /gecko/xpcom/threads/nsThreadUtils.cpp:548:10
#25 0x7fb16ff5bf2f in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /gecko/ipc/glue/MessagePump.cpp:87:21
#26 0x7fb16fe52861 in RunInternal /gecko/ipc/chromium/src/base/message_loop.cc:334:10
#27 0x7fb16fe52861 in RunHandler /gecko/ipc/chromium/src/base/message_loop.cc:327:3
#28 0x7fb16fe52861 in MessageLoop::Run() /gecko/ipc/chromium/src/base/message_loop.cc:309:3
#29 0x7fb176da0277 in nsBaseAppShell::Run() /gecko/widget/nsBaseAppShell.cpp:137:27
#30 0x7fb17aae606f in XRE_RunAppShell() /gecko/toolkit/xre/nsEmbedFunctions.cpp:902:20
#31 0x7fb16fe52861 in RunInternal /gecko/ipc/chromium/src/base/message_loop.cc:334:10
#32 0x7fb16fe52861 in RunHandler /gecko/ipc/chromium/src/base/message_loop.cc:327:3
#33 0x7fb16fe52861 in MessageLoop::Run() /gecko/ipc/chromium/src/base/message_loop.cc:309:3
#34 0x7fb17aae560c in XRE_InitChildProcess(int, char**, XREChildData const*) /gecko/toolkit/xre/nsEmbedFunctions.cpp:733:34
#35 0x55c2191b22fd in content_process_main(mozilla::Bootstrap*, int, char**) /gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
#36 0x55c2191b2737 in main /gecko/browser/app/nsBrowserApp.cpp:306:18
#37 0x7fb18f4a50b2 in __libc_start_main /build/glibc-ZN95T4/glibc-2.31/csu/../csu/libc-start.c:308:16
#38 0x55c219105c99 in _start (/home/worker/builds/m-c-20210114083245-fuzzing-asan-opt/firefox+0x5ac99)
Note for bugmon: GNOME_ACCESSIBILITY=1
Reporter | ||
Comment 1•4 years ago
|
||
A Pernosco session is available here: https://pernos.co/debug/dQ-i9AvxHiX5vfiyzUgWkw/index.html
Comment 2•4 years ago
|
||
Bugmon Analysis:
Verified bug as reproducible on mozilla-central 20210304040740-eee3ec3004e4.
Failed to bisect testcase (Testcase reproduces on start build!):
Start: 1e4b37c9e558728666cf1d006d95677acc7f8153 (20200305041649)
End: eee3ec3004e406865feb5f424ebbc3e97693876d (20210304040740)
BuildFlags: BuildFlags(asan=False, tsan=False, debug=True, fuzzing=False, coverage=False, valgrind=False)
Assignee | ||
Updated•4 years ago
|
Comment 3•3 years ago
|
||
Bugmon Analysis
Testcase crashes using the initial build (mozilla-central 20210403214826-ab7decc30208) but not with tip (mozilla-central 20220401190316-8fb3ff8e376a.)
Unable to bisect testcase (End build crashes!):
Start: ab7decc3020866de71069e01557f9d3c5fe7da59 (20210403214826)
End: 8fb3ff8e376a786ab95bab5ec3c2ae9eee548cdc (20220401190316)
BuildFlags: BuildFlags(asan=False, tsan=False, debug=False, fuzzing=False, coverage=False, valgrind=False, no_opt=False, fuzzilli=False)
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.
Reporter | ||
Comment 4•2 years ago
|
||
Reporter | ||
Comment 5•2 years ago
|
||
Reporter | ||
Updated•2 years ago
|
Reporter | ||
Updated•10 months ago
|
Comment 6•1 month ago
|
||
The bug is linked to a topcrash signature, which matches the following criterion:
- Top 10 AArch64 and ARM crashes on nightly
:morgan, could you consider increasing the severity of this top-crash bug?
For more information, please visit BugBot documentation.
Updated•1 month ago
|
Comment 7•1 month ago
|
||
Reduced the testcase and removed the endless reloading.
Comment 8•1 month ago
|
||
Assignee | ||
Updated•1 month ago
|
Assignee | ||
Comment 9•1 month ago
|
||
This causes problems when the aria-owns is invalid, for example in a
cyclical link. The reason this was put in in the first place is not
documented or apparent, but maybe a way to reduce churn.
This also fixes an existing test and makes the lineage of a cyclical
aria-owns elements match what chrome does.
(t3_1, t3_2, heading, t3_3).
Assignee | ||
Comment 10•1 month ago
|
||
This is what I believe is happening in the attached test case:
- Page is loaded
DoInitialUpdate
caches subtree. Text leaf descendant offont#my-font
('my glyph text') is created
a.font#my-font
is added to invalidation list because it is a target ofaria-owns
of its direct child.
b.data#my-data
are added to invalidation list because it is a target ofaria-describedby
of the last element in the pageProcessInvalidationList
processes invalidation list
a. It skipsfont#my-font
because it is a target of anaria-owns
b. It calls processesdata#my-data
because it is not a target ofaria-owns
...ProcessContentInserted
is called ondata#my-data
, it is created- CreateSubtree is called on
data#my-data
which callsCacheChildrenInSubtree
. TreeWalker
inCacheChildrenInSubtree
skipsfont#my-font
because it is a relocation target (RelocateARIAOwnedIfNeeded
returns true). The text leaf descendant offont#my-font
remains in the old (root) container. It encounters the already root-parenteddiv#removedElement
, and re-parents it in the newdata#my-data
container.
The tree at this point is in a corrupted state, where a container was created but only one of its children were relocated into it.
We do ProcessContentInserted
as a second stage of a prune after div#removedElement
is removed and its container is restyled. We then stumble when the TreeWalker
's idea of what the previous sibling should be does not match the actual previous sibling.
Comment 11•1 month ago
|
||
Comment 12•1 month ago
|
||
bugherder |
Updated•1 month ago
|
Comment 13•1 month ago
|
||
The patch landed in nightly and beta is affected.
:eeejay, is this bug important enough to require an uplift?
- If yes, please nominate the patch for beta approval.
- If no, please set
status-firefox131
towontfix
.
For more information, please visit BugBot documentation.
Reporter | ||
Updated•1 month ago
|
Assignee | ||
Updated•1 month ago
|
Description
•