1712182 - Assertion failure: false (Binding to nonexistent proxy!), at /builds/worker/checkouts/gecko/accessible/ipc/DocAccessibleParent.cpp:596

Status: RESOLVED FIXED

(Core :: Disability Access APIs, defect)

Description

[Tyson Smith [:tsmith]]

Attachment: testcase.html

Found while fuzzing m-c 20210518-4cc4cb51f18d (--enable-debug --enable-fuzzing)

Assertion failure: false (Binding to nonexistent proxy!), at /builds/worker/checkouts/gecko/accessible/ipc/DocAccessibleParent.cpp:596

#0 0x7ff573104e10 in mozilla::a11y::DocAccessibleParent::AddChildDoc(mozilla::a11y::DocAccessibleParent*, unsigned long, bool) /gecko/accessible/ipc/DocAccessibleParent.cpp:596:5
#1 0x7ff56eed3927 in mozilla::dom::BrowserParent::RecvPDocAccessibleConstructor(mozilla::a11y::PDocAccessibleParent*, mozilla::a11y::PDocAccessibleParent*, unsigned long const&, unsigned int const&, unsigned int const&) /gecko/dom/ipc/BrowserParent.cpp:1197:48
#2 0x7ff569bf3249 in mozilla::dom::PBrowserParent::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PBrowserParent.cpp:2818:57
#3 0x7ff5692ab997 in mozilla::dom::PContentParent::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PContentParent.cpp:6597:32
#4 0x7ff568fcb29a in mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&) /gecko/ipc/glue/MessageChannel.cpp:2152:25
#5 0x7ff568fc79c8 in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&) /gecko/ipc/glue/MessageChannel.cpp:2076:9
#6 0x7ff568fc9325 in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::MessageChannel::MessageTask&) /gecko/ipc/glue/MessageChannel.cpp:1924:3
#7 0x7ff568fc9e8b in mozilla::ipc::MessageChannel::MessageTask::Run() /gecko/ipc/glue/MessageChannel.cpp:1955:13
#8 0x7ff567e348b2 in mozilla::RunnableTask::Run() /gecko/xpcom/threads/TaskController.cpp:482:16
#9 0x7ff567e01340 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /gecko/xpcom/threads/TaskController.cpp:766:26
#10 0x7ff567dfee47 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /gecko/xpcom/threads/TaskController.cpp:621:15
#11 0x7ff567dff29d in mozilla::TaskController::ProcessPendingMTTask(bool) /gecko/xpcom/threads/TaskController.cpp:405:36
#12 0x7ff567e3e8f1 in operator() /gecko/xpcom/threads/TaskController.cpp:138:37
#13 0x7ff567e3e8f1 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_0>::Run() /gecko/xpcom/threads/nsThreadUtils.h:534:5
#14 0x7ff567e1bc28 in nsThread::ProcessNextEvent(bool, bool*) /gecko/xpcom/threads/nsThread.cpp:1159:16
#15 0x7ff567e269dc in NS_ProcessNextEvent(nsIThread*, bool) /gecko/xpcom/threads/nsThreadUtils.cpp:548:10
#16 0x7ff568fd2a1f in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /gecko/ipc/glue/MessagePump.cpp:85:21
#17 0x7ff568edac51 in RunInternal /gecko/ipc/chromium/src/base/message_loop.cc:335:10
#18 0x7ff568edac51 in RunHandler /gecko/ipc/chromium/src/base/message_loop.cc:328:3
#19 0x7ff568edac51 in MessageLoop::Run() /gecko/ipc/chromium/src/base/message_loop.cc:310:3
#20 0x7ff56f73ad57 in nsBaseAppShell::Run() /gecko/widget/nsBaseAppShell.cpp:137:27
#21 0x7ff573785917 in nsAppStartup::Run() /gecko/toolkit/components/startup/nsAppStartup.cpp:273:30
#22 0x7ff57398a477 in XREMain::XRE_mainRun() /gecko/toolkit/xre/nsAppRunner.cpp:5239:22
#23 0x7ff57398c4ce in XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&) /gecko/toolkit/xre/nsAppRunner.cpp:5437:8
#24 0x7ff57398d223 in XRE_main(int, char**, mozilla::BootstrapConfig const&) /gecko/toolkit/xre/nsAppRunner.cpp:5496:21
#25 0x5571c4b5102a in do_main /gecko/browser/app/nsBrowserApp.cpp:224:22
#26 0x5571c4b5102a in main /gecko/browser/app/nsBrowserApp.cpp:351:16
#27 0x7ff5895d20b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
#28 0x5571c4aa1919 in _start (/home/worker/builds/m-c-20210520095745-fuzzing-asan-opt/firefox+0x5b919)

Comment 1

[Tyson Smith [:tsmith]]

A Pernosco session is available here: https://pernos.co/debug/s4wvzkUt_J55IIRIsYUVxg/index.html

Comment 2

[James Teh [:Jamie] (away returning 12 Jan)]

I added this diagnostic assertion in bug 1679753. I'm confused as to why it's showing up with this test case, though, since it doesn't load any iframes. Also, I don't get a crash when I run this in nightly, but I'd expect a crash given that this is a diagnostic assertion.

Comment 3

[Tyson Smith [:tsmith]]

Attachment: testcase.html

That was my fault.

Comment 5

[James Teh [:Jamie] (away returning 12 Jan)]

Ug. This is a bug with aria-owns cycles causing nodes to go missing. Normally, that would result in a broken a11y tree, which is bad but doesn't crash. In this case, though, we ask the parent process to bind a document to an iframe it doesn't know about (because the aria-owns bug caused it to disappear from the tree).

Comment 6

[James Teh [:Jamie] (away returning 12 Jan)]

Attachment: Bug 1712182: Test aria-owning an ancestor which isn't created yet with an iframe in the subtree.

The actual fix for this is in bug 1387308.
However, triggering this bug with an iframe in a remote document caused a crash in the parent process because the parent process was never sent the OuterDoc.
Given the added complexity here, I thought it worth having a separate test.

Comment 7

[Pulsebot]

Pushed by jteh@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/346838dffac2
Test aria-owning an ancestor which isn't created yet with an iframe in the subtree. r=eeejay

Comment 8

[Sebastian Hengst [:aryx] (needinfo me if it's about an intermittent or backout)]

https://hg.mozilla.org/mozilla-central/rev/346838dffac2