Closed Bug 1780667 Opened 3 years ago Closed 2 years ago

Assertion failure: false (MOZ_ASSERT_UNREACHABLE: Stored active item is unbound from document), at /builds/worker/checkouts/gecko/accessible/base/FocusManager.cpp:33

Categories

(Core :: Disability Access APIs, defect)

Tracking

VERIFIED FIXED
116 Branch
Tracking Status
firefox-esr102 --- unaffected
firefox104 --- wontfix
firefox105 --- wontfix
firefox106 --- wontfix
firefox107 --- wontfix
firefox108 --- wontfix
firefox109 --- wontfix
firefox110 --- wontfix
firefox114 --- wontfix
firefox115 --- fixed
firefox116 --- verified

People

(Reporter: tsmith, Assigned: Jamie)

References

(Blocks 1 open bug, Regression)

Details

(Keywords: assertion, regression, testcase, Whiteboard: [bugmon:bisected,confirmed])

Attachments

(2 files)

Attached file testcase.html

Found while fuzzing m-c 20220714-2a77c9b52e25 (--enable-debug --enable-fuzzing) with GNOME_ACCESSIBILITY=1

To reproduce via Grizzly Replay:

$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch -d --fuzzing -n firefox
$ GNOME_ACCESSIBILITY=1 python -m grizzly.replay ./firefox/firefox testcase.html

Assertion failure: false (MOZ_ASSERT_UNREACHABLE: Stored active item is unbound from document), at /builds/worker/checkouts/gecko/accessible/base/FocusManager.cpp:33

#0 0x7fbb1537488a in mozilla::a11y::FocusManager::FocusedAccessible() const src/accessible/base/FocusManager.cpp:33:7
#1 0x7fbb15385f65 in mozilla::a11y::SelectionManager::ProcessTextSelChangeEvent(mozilla::a11y::AccEvent*) src/accessible/base/SelectionManager.cpp:137:35
#2 0x7fbb15370854 in mozilla::a11y::EventQueue::ProcessEventQueue() src/accessible/base/EventQueue.cpp:378:23
#3 0x7fbb1537b243 in mozilla::a11y::NotificationController::WillRefresh(mozilla::TimeStamp) src/accessible/base/NotificationController.cpp:931:3
#4 0x7fbb13bf0fb2 in nsRefreshDriver::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsRefreshDriver::IsExtraTick) src/layout/base/nsRefreshDriver.cpp:2496:12
#5 0x7fbb13bfa3d0 in TickDriver src/layout/base/nsRefreshDriver.cpp:375:13
#6 0x7fbb13bfa3d0 in mozilla::RefreshDriverTimer::TickRefreshDrivers(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver> >&) src/layout/base/nsRefreshDriver.cpp:353:7
#7 0x7fbb13bfa2d3 in mozilla::RefreshDriverTimer::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) src/layout/base/nsRefreshDriver.cpp:369:5
#8 0x7fbb13bf9fa0 in mozilla::VsyncRefreshDriverTimer::RunRefreshDrivers(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) src/layout/base/nsRefreshDriver.cpp:896:5
#9 0x7fbb13bf960a in mozilla::VsyncRefreshDriverTimer::TickRefreshDriver(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) src/layout/base/nsRefreshDriver.cpp:810:5
#10 0x7fbb13bf8ff5 in mozilla::VsyncRefreshDriverTimer::NotifyVsyncOnMainThread(mozilla::VsyncEvent const&) src/layout/base/nsRefreshDriver.cpp:731:5
#11 0x7fbb13bf8c2a in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsyncTimerOnMainThread() src/layout/base/nsRefreshDriver.cpp:594:14
#12 0x7fbb13bf883c in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsync(mozilla::VsyncEvent const&) src/layout/base/nsRefreshDriver.cpp:551:9
#13 0x7fbb130e88cb in mozilla::dom::VsyncMainChild::RecvNotify(mozilla::VsyncEvent const&, float const&) src/dom/ipc/VsyncMainChild.cpp:68:15
#14 0x7fbb1336bd86 in mozilla::dom::PVsyncChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PVsyncChild.cpp:220:78
#15 0x7fbb0f762374 in mozilla::ipc::PBackgroundChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PBackgroundChild.cpp:6337:32
#16 0x7fbb0f6f50d1 in mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&) src/ipc/glue/MessageChannel.cpp:1749:25
#17 0x7fbb0f6f1c25 in mozilla::ipc::MessageChannel::DispatchMessage(mozilla::ipc::ActorLifecycleProxy*, mozilla::UniquePtr<IPC::Message, mozilla::DefaultDelete<IPC::Message> >) src/ipc/glue/MessageChannel.cpp:1674:9
#18 0x7fbb0f6f27c6 in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::ActorLifecycleProxy*, mozilla::ipc::MessageChannel::MessageTask&) src/ipc/glue/MessageChannel.cpp:1474:3
#19 0x7fbb0f6f3b51 in mozilla::ipc::MessageChannel::MessageTask::Run() src/ipc/glue/MessageChannel.cpp:1572:14
#20 0x7fbb0eb3a98e in mozilla::RunnableTask::Run() src/xpcom/threads/TaskController.cpp:538:16
#21 0x7fbb0eb130b9 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) src/xpcom/threads/TaskController.cpp:851:26
#22 0x7fbb0eb11c43 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) src/xpcom/threads/TaskController.cpp:683:15
#23 0x7fbb0eb11eb3 in mozilla::TaskController::ProcessPendingMTTask(bool) src/xpcom/threads/TaskController.cpp:461:36
#24 0x7fbb0eb3e1e6 in operator() src/xpcom/threads/TaskController.cpp:187:37
#25 0x7fbb0eb3e1e6 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_0>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:531:5
#26 0x7fbb0eb27aff in nsThread::ProcessNextEvent(bool, bool*) src/xpcom/threads/nsThread.cpp:1205:16
#27 0x7fbb0eb2e10d in NS_ProcessNextEvent(nsIThread*, bool) src/xpcom/threads/nsThreadUtils.cpp:465:10
#28 0x7fbb0f6fab56 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:85:21
#29 0x7fbb0f620fa7 in MessageLoop::RunInternal() src/ipc/chromium/src/base/message_loop.cc:380:10
#30 0x7fbb0f620eb2 in RunHandler src/ipc/chromium/src/base/message_loop.cc:373:3
#31 0x7fbb0f620eb2 in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:355:3
#32 0x7fbb138c9ce8 in nsBaseAppShell::Run() src/widget/nsBaseAppShell.cpp:150:27
#33 0x7fbb159fa89b in XRE_RunAppShell() src/toolkit/xre/nsEmbedFunctions.cpp:875:20
#34 0x7fbb0f6fba4a in mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:235:9
#35 0x7fbb0f620fa7 in MessageLoop::RunInternal() src/ipc/chromium/src/base/message_loop.cc:380:10
#36 0x7fbb0f620eb2 in RunHandler src/ipc/chromium/src/base/message_loop.cc:373:3
#37 0x7fbb0f620eb2 in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:355:3
#38 0x7fbb159f9ebc in XRE_InitChildProcess(int, char**, XREChildData const*) src/toolkit/xre/nsEmbedFunctions.cpp:734:34
#39 0x55a4117a8000 in content_process_main src/browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
#40 0x55a4117a8000 in main src/browser/app/nsBrowserApp.cpp:338:18
#41 0x7fbb2527d082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16
#42 0x55a41177ddac in _start (/home/worker/builds/m-c-20220714094116-fuzzing-debug/firefox-bin+0x15dac) (BuildId: 5a28ef8711fe94b9af29fe0c381a35cb252a99f5)
Flags: in-testsuite?

Bugmon Analysis
Verified bug as reproducible on mozilla-central 20220721214008-675d5c0e4d1d.
The bug appears to have been introduced in the following build range:

Start: 2d78b20de9258ad40be07f0a9eee96cb273367e7 (20220714002955)
End: ace73fbe267bd9ddc400b88fd15440cbcde86d21 (20220714010629)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=2d78b20de9258ad40be07f0a9eee96cb273367e7&tochange=ace73fbe267bd9ddc400b88fd15440cbcde86d21

Keywords: regression
Whiteboard: [bugmon:bisected,confirmed]

(In reply to Bugmon [:jkratzer for issues] from comment #1)

Bugmon Analysis
Verified bug as reproducible on mozilla-central 20220721214008-675d5c0e4d1d.
The bug appears to have been introduced in the following build range:

Start: 2d78b20de9258ad40be07f0a9eee96cb273367e7 (20220714002955)
End: ace73fbe267bd9ddc400b88fd15440cbcde86d21 (20220714010629)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=2d78b20de9258ad40be07f0a9eee96cb273367e7&tochange=ace73fbe267bd9ddc400b88fd15440cbcde86d21

Hi Jamie, there are several accessibility changes in this regression window. Could you please take a look? Thank you.

Flags: needinfo?(jteh)

Likely a regression introduced by bug 1770878, though I don't think that patch is the cause of the bug so much as a trigger for an existing bug.

Flags: needinfo?(jteh)
Regressions: 1770878

:jamie do you know if this assertion failure is user facing? I'm thinking this is a wontfix for 104 but not sure what the severity of this issue is.

Flags: needinfo?(jteh)

In a release build, this will just fail gracefully.

Severity: -- → S4
Flags: needinfo?(jteh)

Bugmon Analysis
Unable to reproduce bug 1780667 using build mozilla-central 20220714094116-2a77c9b52e25. Without a baseline, bugmon is unable to analyze this bug.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Keywords: bugmon

The attached test case does still reproduce the issue and it is hit by fuzzers often (not quite a fuzzblocker).

A Pernosco session is available here: https://pernos.co/debug/99p6jigDGPM5h1YEU7Q9DA/index.html

Bugmon was unable to reproduce this issue.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Keywords: bugmon
Keywords: bugmon

A change to the Taskcluster build definitions over the weekend caused Bugmon to fail when reproducing issues. This issue has been corrected. Re-enabling bugmon.

Hey Jamie, this is currently the most reported a11y issue reported by the DOM fuzzers and it has been around for a while. Could you please increase the priority to get it out of the way of the fuzzers?

Flags: needinfo?(jteh)
Assignee: nobody → jteh
Severity: S4 → S3
Flags: needinfo?(jteh)

aria-activedescendant should only take effect when the element has DOM focus.
Previously, clearing aria-activedescendant or setting it to an invalid id on an element without DOM focus would incorrectly fire a11y focus on that element.
Also, this caused an assertion to be fired due to a defunct active item if this happened alongside a text selection change.

Pushed by jteh@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/f2b4a1f9f940 Don't fire a11y focus on the DOM element when its aria-activedescendant is cleared/invalidated if the element doesn't have DOM focus. r=eeejay
Status: NEW → RESOLVED
Closed: 2 years ago
Resolution: --- → FIXED
Target Milestone: --- → 116 Branch

The patch landed in nightly and beta is affected.
:Jamie, is this bug important enough to require an uplift?

  • If yes, please nominate the patch for beta approval. Also, don't forget to request an uplift for the patches in the regression caused by this fix.
  • If no, please set status-firefox115 to wontfix.

For more information, please visit BugBot documentation.

Flags: needinfo?(jteh)

Verified bug as fixed on rev mozilla-central 20230613092556-8dd3ce4ea8f1.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Status: RESOLVED → VERIFIED
Keywords: bugmon

Simple test case:
data:text/html,<div id="a">a</div><button id="b" onclick="a.setAttribute('aria-activedescendant', 'x');">set
When the button is pressed, a11y focus should remain on the button. Before the patch, a11y focus moves to the div.

Flags: needinfo?(jteh)
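
The patch description and the simple test case above, replayed against a small model. This is an added example, not Gecko code or part of the patch: the `Doc` struct, its members and the `patched` switch are hypothetical names, and treating a valid target as applying only with DOM focus in both variants is an assumption.

```cpp
#include <iostream>
#include <set>
#include <string>

// Simplified model, not Gecko code: elements are plain ids.
struct Doc {
  std::set<std::string> ids;  // ids present in the document
  std::string domFocus;       // element holding DOM focus
  std::string a11yFocus;      // element reported as focused to a11y clients

  void Focus(const std::string& id) { domFocus = a11yFocus = id; }

  // aria-activedescendant on `host` changed to `target` ("" means cleared).
  // `patched` adds the DOM focus check to the cleared/invalid path.
  void ActiveDescendantChanged(const std::string& host,
                               const std::string& target, bool patched) {
    const bool hostHasDomFocus = (host == domFocus);
    if (!target.empty() && ids.count(target)) {
      // Assumption: a valid target only applies with DOM focus in both variants.
      if (hostHasDomFocus) a11yFocus = target;
      return;
    }
    if (patched && !hostHasDomFocus) return;  // the added check
    a11yFocus = host;  // cleared or invalid id: focus falls back to the host
  }
};

// The simple test case: button "b" has focus, then the unfocused div "a"
// gets aria-activedescendant="x", an id that does not exist.
std::string ReplaySimpleTestCase(bool patched) {
  Doc doc;
  doc.ids = {"a", "b"};
  doc.Focus("b");
  doc.ActiveDescendantChanged("a", "x", patched);
  return doc.a11yFocus;
}

// Legitimate use: the focused host "a" points at "c", then clears it.
std::string ReplayFocusedHostCleared(bool patched) {
  Doc doc;
  doc.ids = {"a", "c"};
  doc.Focus("a");
  doc.ActiveDescendantChanged("a", "c", patched);
  doc.ActiveDescendantChanged("a", "", patched);
  return doc.a11yFocus;
}

int main() {
  std::cout << "unpatched: " << ReplaySimpleTestCase(false) << "\n"
            << "patched:   " << ReplaySimpleTestCase(true) << "\n";
}
```
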

Comment on attachment 9338553 [details]
Bug 1780667: Don't fire a11y focus on the DOM element when its aria-activedescendant is cleared/invalidated if the element doesn't have DOM focus.

Beta/Release Uplift Approval Request

  • User impact if declined: Incorrect focus reported to accessibility tools in some cases.
  • Is this code covered by automated tests?: Yes
  • Has the fix been verified in Nightly?: Yes
  • Needs manual test from QE?: No
  • If yes, steps to reproduce:
  • List of other uplifts needed: None
  • Risk to taking this patch: Low
  • Why is the change risky/not risky? (and alternatives if risky): Adds an additional, straightforward check when handling aria-activedescendant.
  • String changes made/needed:
  • Is Android affected?: Yes
Attachment #9338553 - Flags: approval-mozilla-beta?
Regressed by: 1770878
No longer regressions: 1770878

Comment on attachment 9338553 [details]
Bug 1780667: Don't fire a11y focus on the DOM element when its aria-activedescendant is cleared/invalidated if the element doesn't have DOM focus.

Approved for 115.0b6.

Attachment #9338553 - Flags: approval-mozilla-beta? → approval-mozilla-beta+

Set release status flags based on info from the regressing bug 1770878
