Open Bug 1784388 Opened 3 years ago Updated 1 year ago

Assertion failure: false (Binding to parent that isn't a valid OuterDoc!), at /builds/worker/checkouts/gecko/accessible/ipc/DocAccessibleParent.cpp:804

Tracking

()

Status:

NEW

Tracking Flags:

Tracking

Status

firefox105

---

affected

People

(Reporter: tsmith, Unassigned)

References

(Blocks 1 open bug)

Details

(Keywords: assertion, testcase, Whiteboard: [bugmon:bisected,confirmed])

Attachments

(1 file)

testcase.html 3 years ago Tyson Smith [:tsmith] 364 bytes, text/html		Details

Tyson Smith [:tsmith]

Reporter

Description

•

3 years ago

Attached file testcase.html — Details

Found while fuzzing m-c 20220810-d9acc6dde178 (--enable-debug --enable-fuzzing) with GNOME_ACCESSIBILITY=1

To reproduce via Grizzly Replay:

$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch -d --fuzzing -n firefox
$ GNOME_ACCESSIBILITY=1 python -m grizzly.replay ./firefox/firefox testcase.html

Assertion failure: false (Binding to parent that isn't a valid OuterDoc!), at /builds/worker/checkouts/gecko/accessible/ipc/DocAccessibleParent.cpp:804

#0 0x7f28d648a667 in mozilla::a11y::DocAccessibleParent::AddChildDoc(mozilla::a11y::DocAccessibleParent*, unsigned long, bool) /gecko/accessible/ipc/DocAccessibleParent.cpp:803:5
#1 0x7f28d128373f in mozilla::dom::BrowserParent::RecvPDocAccessibleConstructor(mozilla::a11y::PDocAccessibleParent*, mozilla::a11y::PDocAccessibleParent*, unsigned long const&, mozilla::dom::MaybeDiscarded<mozilla::dom::BrowsingContext> const&, unsigned int const&, unsigned int const&) /gecko/dom/ipc/BrowserParent.cpp:1262:48
#2 0x7f28d143a0c9 in mozilla::dom::PBrowserParent::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PBrowserParent.cpp:3097:81
#3 0x7f28d15304eb in mozilla::dom::PContentParent::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PContentParent.cpp:6616:32
#4 0x7f28cb001079 in mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&) /gecko/ipc/glue/MessageChannel.cpp:1749:25
#5 0x7f28caffe0e7 in mozilla::ipc::MessageChannel::DispatchMessage(mozilla::ipc::ActorLifecycleProxy*, mozilla::UniquePtr<IPC::Message, mozilla::DefaultDelete<IPC::Message> >) /gecko/ipc/glue/MessageChannel.cpp:1674:9
#6 0x7f28caffed34 in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::ActorLifecycleProxy*, mozilla::ipc::MessageChannel::MessageTask&) /gecko/ipc/glue/MessageChannel.cpp:1474:3
#7 0x7f28caffffc2 in mozilla::ipc::MessageChannel::MessageTask::Run() /gecko/ipc/glue/MessageChannel.cpp:1572:14
#8 0x7f28c98a3392 in mozilla::RunnableTask::Run() /gecko/xpcom/threads/TaskController.cpp:538:16
#9 0x7f28c9863cdd in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /gecko/xpcom/threads/TaskController.cpp:851:26
#10 0x7f28c9860e48 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /gecko/xpcom/threads/TaskController.cpp:683:15
#11 0x7f28c9861570 in mozilla::TaskController::ProcessPendingMTTask(bool) /gecko/xpcom/threads/TaskController.cpp:461:36
#12 0x7f28c98ac2c1 in operator() /gecko/xpcom/threads/TaskController.cpp:187:37
#13 0x7f28c98ac2c1 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_0>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:531:5
#14 0x7f28c9884f17 in nsThread::ProcessNextEvent(bool, bool*) /gecko/xpcom/threads/nsThread.cpp:1205:16
#15 0x7f28c988f394 in NS_ProcessNextEvent(nsIThread*, bool) /gecko/xpcom/threads/nsThreadUtils.cpp:465:10
#16 0x7f28cb00883f in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /gecko/ipc/glue/MessagePump.cpp:85:21
#17 0x7f28cae88ba1 in RunInternal /gecko/ipc/chromium/src/base/message_loop.cc:380:10
#18 0x7f28cae88ba1 in RunHandler /gecko/ipc/chromium/src/base/message_loop.cc:373:3
#19 0x7f28cae88ba1 in MessageLoop::Run() /gecko/ipc/chromium/src/base/message_loop.cc:355:3
#20 0x7f28d205a1b7 in nsBaseAppShell::Run() /gecko/widget/nsBaseAppShell.cpp:150:27
#21 0x7f28d6e1ca17 in nsAppStartup::Run() /gecko/toolkit/components/startup/nsAppStartup.cpp:295:30
#22 0x7f28d7045fae in XREMain::XRE_mainRun() /gecko/toolkit/xre/nsAppRunner.cpp:5700:22
#23 0x7f28d7047d2e in XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&) /gecko/toolkit/xre/nsAppRunner.cpp:5894:8
#24 0x7f28d7048aab in XRE_main(int, char**, mozilla::BootstrapConfig const&) /gecko/toolkit/xre/nsAppRunner.cpp:5962:21
#25 0x55a6fd48d931 in do_main(int, char**, char**) /gecko/browser/app/nsBrowserApp.cpp:227:22
#26 0x55a6fd48cc6e in main /gecko/browser/app/nsBrowserApp.cpp:414:16
#27 0x7f28f1344082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16
#28 0x55a6fd3ccc29 in _start (/home/worker/builds/m-c-20220723091444-fuzzing-asan-opt/firefox+0x78c29) (BuildId: 2b80b8d5ad4e1f088b38de1ca9cf06bf00b1c6d2)

Flags: in-testsuite?

Tyson Smith [:tsmith]

Reporter

Comment 1

•

3 years ago

A Pernosco session is available here: https://pernos.co/debug/geNO0-4iyPNPcMPRvtbxOA/index.html

Bugmon [:jkratzer for issues]

Comment 2

•

3 years ago

Bugmon Analysis
Verified bug as reproducible on mozilla-central 20220811094015-7169b8faa7e1.
Unable to bisect testcase (Testcase reproduces on start build!):

Start: 0b790ca75ed8e3cf949cfb2dbb2ca58fb45ba230 (20210813092746)
End: d9acc6dde17866c41d38085ec086b96c22521160 (20220810212956)
BuildFlags: BuildFlags(asan=False, tsan=False, debug=True, fuzzing=True, coverage=False, valgrind=False, no_opt=False, fuzzilli=False, nyx=False)

Whiteboard: [bugmon:bisected,confirmed]

BugBot [:suhaib / :marco/ :calixte]

Comment 3

•

3 years ago

The severity field is not set for this bug.
:Jamie, could you have a look please?

For more information, please visit auto_nag documentation.

Flags: needinfo?(jteh)

James Teh [:Jamie]

Updated

•

3 years ago

Severity: -- → S4

Flags: needinfo?(jteh)

Bugmon [:jkratzer for issues]

Comment 4

•

2 years ago

Bugmon was unable reproduce this issue.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Keywords: bugmon

Jason Kratzer [:jkratzer]

Comment 5

•

2 years ago

A change to the Taskcluster build definitions over the weekend caused Bugmon to fail when reproducing issues. This issue has been corrected. Re-enabling bugmon.

Keywords: bugmon

Bugmon [:jkratzer for issues]

Comment 6

•

1 year ago

Testcase crashes using the initial build (mozilla-central 20230805091901-e8c6dc4a318c) but not with tip (mozilla-central 20240802153712-c38029641964.)

Unable to bisect testcase (failed to find build near d9acc6dde178).
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Keywords: bugmon

You need to log in before you can comment on or make changes to this bug.

Bugzilla

Assertion failure: false (Binding to parent that isn't a valid OuterDoc!), at /builds/worker/checkouts/gecko/accessible/ipc/DocAccessibleParent.cpp:804

Categories

(Core :: Disability Access APIs, defect)

Tracking

()

People

(Reporter: tsmith, Unassigned)

References

(Blocks 1 open bug)

Details

(Keywords: assertion, testcase, Whiteboard: [bugmon:bisected,confirmed])

Crash Data

Security

(public)

User Story

Attachments

(1 file)

Description

Comment 1

Comment 2

Comment 3

Updated

Comment 4

Comment 5

Comment 6

Attachment

General

Description

File Name

Content Type