Closed Bug 1696309 Opened 4 years ago Closed 1 month ago

Assertion failure: parent == aContainer (Child moving to new parent, but previous sibling in wrong parent), at /builds/worker/checkouts/gecko/accessible/generic/DocAccessible.cpp:2038

Categories

(Core :: Disability Access APIs, defect, P3)

Tracking

RESOLVED FIXED
132 Branch
Tracking Status
firefox-esr102 --- wontfix
firefox-esr115 --- wontfix
firefox-esr128 --- fix-optional
firefox87 --- wontfix
firefox88 --- wontfix
firefox109 --- wontfix
firefox110 --- wontfix
firefox111 --- wontfix
firefox122 --- wontfix
firefox130 --- wontfix
firefox131 --- wontfix
firefox132 --- fixed

People

(Reporter: tsmith, Assigned: eeejay)

References

(Blocks 2 open bugs)

Details

(4 keywords, Whiteboard: [bugmon:bisected,confirmed])

Attachments

(4 files, 2 obsolete files)

Attached file testcase.html (obsolete)

Assertion failure: parent == aContainer (Child moving to new parent, but previous sibling in wrong parent), at /builds/worker/checkouts/gecko/accessible/generic/DocAccessible.cpp:2038

#0 0x7fb17a225dfe in mozilla::a11y::DocAccessible::ProcessContentInserted(mozilla::a11y::Accessible*, nsTArray<nsCOMPtr<nsIContent> > const*) /gecko/accessible/generic/DocAccessible.cpp:2036:11
#1 0x7fb17a1ae978 in mozilla::a11y::NotificationController::WillRefresh(mozilla::TimeStamp) /gecko/accessible/base/NotificationController.cpp:748:16
#2 0x7fb1772aeb49 in nsRefreshDriver::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /gecko/layout/base/nsRefreshDriver.cpp:2138:12
#3 0x7fb1772bd479 in TickDriver /gecko/layout/base/nsRefreshDriver.cpp:357:13
#4 0x7fb1772bd479 in mozilla::RefreshDriverTimer::TickRefreshDrivers(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver> >&) /gecko/layout/base/nsRefreshDriver.cpp:336:7
#5 0x7fb1772bd0f1 in mozilla::RefreshDriverTimer::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /gecko/layout/base/nsRefreshDriver.cpp:351:5
#6 0x7fb1772bc304 in RunRefreshDrivers /gecko/layout/base/nsRefreshDriver.cpp:799:5
#7 0x7fb1772bc304 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::TickRefreshDriver(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /gecko/layout/base/nsRefreshDriver.cpp:722:16
#8 0x7fb1772bb745 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyParentProcessVsync() /gecko/layout/base/nsRefreshDriver.cpp:624:7
#9 0x7fb1772baf00 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsync(mozilla::VsyncEvent const&) /gecko/layout/base/nsRefreshDriver.cpp:545:9
#10 0x7fb1763f2777 in mozilla::dom::VsyncChild::RecvNotify(mozilla::VsyncEvent const&, float const&) /gecko/dom/ipc/VsyncChild.cpp:68:15
#11 0x7fb17090d15c in mozilla::dom::PVsyncChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PVsyncChild.cpp:178:54
#12 0x7fb1704fdcc4 in mozilla::ipc::PBackgroundChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PBackgroundChild.cpp:6286:32
#13 0x7fb16ff5330e in mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&) /gecko/ipc/glue/MessageChannel.cpp:2153:25
#14 0x7fb16ff4f174 in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&) /gecko/ipc/glue/MessageChannel.cpp:2077:9
#15 0x7fb16ff50f78 in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::MessageChannel::MessageTask&) /gecko/ipc/glue/MessageChannel.cpp:1925:3
#16 0x7fb16ff51b98 in mozilla::ipc::MessageChannel::MessageTask::Run() /gecko/ipc/glue/MessageChannel.cpp:1956:13
#17 0x7fb16ec264f9 in mozilla::RunnableTask::Run() /gecko/xpcom/threads/TaskController.cpp:459:16
#18 0x7fb16ec22ef7 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /gecko/xpcom/threads/TaskController.cpp:739:26
#19 0x7fb16ec20e37 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /gecko/xpcom/threads/TaskController.cpp:598:15
#20 0x7fb16ec2128d in mozilla::TaskController::ProcessPendingMTTask(bool) /gecko/xpcom/threads/TaskController.cpp:382:36
#21 0x7fb16ec2e071 in operator() /gecko/xpcom/threads/TaskController.cpp:123:37
#22 0x7fb16ec2e071 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_3>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:534:5
#23 0x7fb16ec4e5cd in nsThread::ProcessNextEvent(bool, bool*) /gecko/xpcom/threads/nsThread.cpp:1200:14
#24 0x7fb16ec598fc in NS_ProcessNextEvent(nsIThread*, bool) /gecko/xpcom/threads/nsThreadUtils.cpp:548:10
#25 0x7fb16ff5bf2f in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /gecko/ipc/glue/MessagePump.cpp:87:21
#26 0x7fb16fe52861 in RunInternal /gecko/ipc/chromium/src/base/message_loop.cc:334:10
#27 0x7fb16fe52861 in RunHandler /gecko/ipc/chromium/src/base/message_loop.cc:327:3
#28 0x7fb16fe52861 in MessageLoop::Run() /gecko/ipc/chromium/src/base/message_loop.cc:309:3
#29 0x7fb176da0277 in nsBaseAppShell::Run() /gecko/widget/nsBaseAppShell.cpp:137:27
#30 0x7fb17aae606f in XRE_RunAppShell() /gecko/toolkit/xre/nsEmbedFunctions.cpp:902:20
#31 0x7fb16fe52861 in RunInternal /gecko/ipc/chromium/src/base/message_loop.cc:334:10
#32 0x7fb16fe52861 in RunHandler /gecko/ipc/chromium/src/base/message_loop.cc:327:3
#33 0x7fb16fe52861 in MessageLoop::Run() /gecko/ipc/chromium/src/base/message_loop.cc:309:3
#34 0x7fb17aae560c in XRE_InitChildProcess(int, char**, XREChildData const*) /gecko/toolkit/xre/nsEmbedFunctions.cpp:733:34
#35 0x55c2191b22fd in content_process_main(mozilla::Bootstrap*, int, char**) /gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
#36 0x55c2191b2737 in main /gecko/browser/app/nsBrowserApp.cpp:306:18
#37 0x7fb18f4a50b2 in __libc_start_main /build/glibc-ZN95T4/glibc-2.31/csu/../csu/libc-start.c:308:16
#38 0x55c219105c99 in _start (/home/worker/builds/m-c-20210114083245-fuzzing-asan-opt/firefox+0x5ac99)

Note for bugmon: GNOME_ACCESSIBILITY=1

Flags: in-testsuite?

A Pernosco session is available here: https://pernos.co/debug/dQ-i9AvxHiX5vfiyzUgWkw/index.html

Keywords: bugmon

Bugmon Analysis:
Verified bug as reproducible on mozilla-central 20210304040740-eee3ec3004e4.
Failed to bisect testcase (Testcase reproduces on start build!):

Start: 1e4b37c9e558728666cf1d006d95677acc7f8153 (20200305041649)
End: eee3ec3004e406865feb5f424ebbc3e97693876d (20210304040740)
BuildFlags: BuildFlags(asan=False, tsan=False, debug=True, fuzzing=False, coverage=False, valgrind=False)

Whiteboard: [bugmon:bisected,confirmed]
Severity: -- → S3
Priority: -- → P3

Bugmon Analysis
Testcase crashes using the initial build (mozilla-central 20210403214826-ab7decc30208) but not with tip (mozilla-central 20220401190316-8fb3ff8e376a.)
Unable to bisect testcase (End build crashes!):

Start: ab7decc3020866de71069e01557f9d3c5fe7da59 (20210403214826)
End: 8fb3ff8e376a786ab95bab5ec3c2ae9eee548cdc (20220401190316)
BuildFlags: BuildFlags(asan=False, tsan=False, debug=False, fuzzing=False, coverage=False, valgrind=False, no_opt=False, fuzzilli=False)
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Keywords: bugmon
Attached file testcase.html
Attachment #9206821 - Attachment is obsolete: true
Attached file prefs.js
Crash Signature: [@ mozilla::a11y::DocAccessible::ProcessContentInserted ]
See Also: → 1723936

The bug is linked to a topcrash signature, which matches the following criterion:

  • Top 10 AArch64 and ARM crashes on nightly

:morgan, could you consider increasing the severity of this top-crash bug?

For more information, please visit BugBot documentation.

Flags: needinfo?(mreschenberg)
Keywords: topcrash
Severity: S3 → S2
Flags: needinfo?(mreschenberg)
Attached file Reduced testcase (obsolete)

Reduced the testcase and removed the endless reloading.

Attached file Reduced testcase
Attachment #9421955 - Attachment is obsolete: true
Assignee: nobody → eitan

This causes problems when the aria-owns is invalid, for example in a
cyclical link. The reason this was put in in the first place is not
documented or apparent, but maybe a way to reduce churn.

This also fixes an existing test and makes the lineage of cyclical
aria-owns elements match what Chrome does
(t3_1, t3_2, heading, t3_3).

This is what I believe is happening in the attached test case:

  1. Page is loaded
  2. DoInitialUpdate caches subtree. Text leaf descendant of font#my-font ('my glyph text') is created
    a. font#my-font is added to invalidation list because it is a target of aria-owns of its direct child.
    b. data#my-data is added to invalidation list because it is a target of aria-describedby of the last element in the page
  3. ProcessInvalidationList processes invalidation list
    a. It skips font#my-font because it is a target of an aria-owns
    b. It processes data#my-data because it is not a target of aria-owns...
  4. ProcessContentInserted is called on data#my-data, it is created
  5. CreateSubtree is called on data#my-data which calls CacheChildrenInSubtree.
  6. TreeWalker in CacheChildrenInSubtree skips font#my-font because it is a relocation target (RelocateARIAOwnedIfNeeded returns true). The text leaf descendant of font#my-font remains in the old (root) container. It encounters the already root-parented div#removedElement, and re-parents it in the new data#my-data container.

The tree at this point is in a corrupted state, where a container was created but only one of its children was relocated into it.

We do ProcessContentInserted as a second stage of a prune after div#removedElement is removed and its container is restyled. We then stumble when the TreeWalker's idea of what the previous sibling should be does not match the actual previous sibling.
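
A cyclical aria-owns link of the kind described in the comment above can be flagged in a testcase by walking each element's effective parent chain. This is an added example, not code from the bug report or the Gecko patch; the node-record format, the function name `findAriaOwnsCycles` and every sample id other than `my-font` and `my-data` are assumptions, and the sketch treats the first aria-owns claim on a target as the effective one.

```javascript
// Constructed sample: a direct child of font#my-font lists its own
// parent in aria-owns, the shape described in the analysis above.
const sample = [
  { id: "root", parent: null, owns: [] },
  { id: "my-data", parent: "root", owns: [] },
  { id: "my-font", parent: "root", owns: [] },
  { id: "child", parent: "my-font", owns: ["my-font"] }, // hypothetical id
  { id: "last", parent: "root", owns: [] }, // aria-describedby is not ownership
];

// Returns the ids of all elements that sit on an ownership cycle.
function findAriaOwnsCycles(nodes) {
  // Effective parent: the aria-owns owner if the element is claimed,
  // otherwise its DOM parent.
  const parentOf = new Map(nodes.map((n) => [n.id, n.parent]));
  const claimed = new Set();
  for (const n of nodes) {
    for (const target of n.owns) {
      // Skip dangling ids and second claims (assumption: first claim wins).
      if (!parentOf.has(target) || claimed.has(target)) continue;
      claimed.add(target);
      parentOf.set(target, n.id);
    }
  }
  const onCycle = [];
  for (const start of parentOf.keys()) {
    const seen = new Set([start]);
    let cur = parentOf.get(start);
    // Walk upward until the root, an unknown id, or a repeated node.
    while (cur != null && !seen.has(cur)) {
      seen.add(cur);
      cur = parentOf.get(cur);
    }
    // Only report nodes that are on the loop, not ones that lead into it.
    if (cur === start) onCycle.push(start);
  }
  return onCycle;
}

console.log(findAriaOwnsCycles(sample));
```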

Pushed by eisaacson@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/71a5ed7faf61 Don't skip aria-owned children early in TreeWalker. r=Jamie
Status: NEW → RESOLVED
Closed: 1 month ago
Resolution: --- → FIXED
Target Milestone: --- → 132 Branch

The patch landed in nightly and beta is affected.
:eeejay, is this bug important enough to require an uplift?

  • If yes, please nominate the patch for beta approval.
  • If no, please set status-firefox131 to wontfix.

For more information, please visit BugBot documentation.

Flags: needinfo?(eitan)
Flags: needinfo?(eitan)
Blocks: 1835360