1800749 - Assertion failure: value > 0, at /builds/worker/checkouts/gecko/accessible/generic/LocalAccessible.cpp:3579

Status: VERIFIED FIXED

(Core :: Disability Access APIs, defect)

Description

[Tyson Smith [:tsmith]]

Attachment: testcase.html

Found while fuzzing m-c 20221115-8495494c57f8 (--enable-debug --enable-fuzzing)

To reproduce via Grizzly Replay:

$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch -d --fuzzing -n firefox
$ python -m grizzly.replay ./firefox/firefox testcase.html

Assertion failure: value > 0, at /builds/worker/checkouts/gecko/accessible/generic/LocalAccessible.cpp:3579

#0 0x7f16a9e8a9f2 in mozilla::a11y::LocalAccessible::BundleFieldsForCache(unsigned long, mozilla::a11y::CacheUpdateType) /builds/worker/checkouts/gecko/accessible/generic/LocalAccessible.cpp:3579:7
#1 0x7f16a9ebbfe4 in mozilla::a11y::DocAccessibleChildBase::InsertIntoIpcTree(mozilla::a11y::LocalAccessible*, mozilla::a11y::LocalAccessible*, unsigned int, bool) /builds/worker/checkouts/gecko/accessible/ipc/DocAccessibleChildBase.cpp:106:16
#2 0x7f16a9e8b727 in mozilla::a11y::DocAccessible::DoInitialUpdate() /builds/worker/checkouts/gecko/accessible/generic/DocAccessible.cpp:1652:17
#3 0x7f16a9e407ec in mozilla::a11y::NotificationController::WillRefresh(mozilla::TimeStamp) /builds/worker/checkouts/gecko/accessible/base/NotificationController.cpp:671:16
#4 0x7f16a864de02 in nsRefreshDriver::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsRefreshDriver::IsExtraTick) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:2525:12
#5 0x7f16a86579cd in TickDriver /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:375:13
#6 0x7f16a86579cd in mozilla::RefreshDriverTimer::TickRefreshDrivers(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver>>&) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:353:7
#7 0x7f16a86578d3 in mozilla::RefreshDriverTimer::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:369:5
#8 0x7f16a86577b0 in mozilla::VsyncRefreshDriverTimer::RunRefreshDrivers(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:913:5
#9 0x7f16a8656b1a in mozilla::VsyncRefreshDriverTimer::TickRefreshDriver(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:827:5
#10 0x7f16a86562d6 in mozilla::VsyncRefreshDriverTimer::NotifyVsyncOnMainThread(mozilla::VsyncEvent const&) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:748:5
#11 0x7f16a8655de9 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsyncTimerOnMainThread() /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:594:14
#12 0x7f16a86559fd in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsync(mozilla::VsyncEvent const&) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:551:9
#13 0x7f16a7b2b26b in mozilla::dom::VsyncMainChild::RecvNotify(mozilla::VsyncEvent const&, float const&) /builds/worker/checkouts/gecko/dom/ipc/VsyncMainChild.cpp:68:15
#14 0x7f16a7daef98 in mozilla::dom::PVsyncChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PVsyncChild.cpp:220:78
#15 0x7f16a3f97b2a in mozilla::ipc::PBackgroundChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PBackgroundChild.cpp:6306:32
#16 0x7f16a3f3030a in mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1756:25
#17 0x7f16a3f2cf67 in mozilla::ipc::MessageChannel::DispatchMessage(mozilla::ipc::ActorLifecycleProxy*, mozilla::UniquePtr<IPC::Message, mozilla::DefaultDelete<IPC::Message>>) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1681:9
#18 0x7f16a3f2dab5 in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::ActorLifecycleProxy*, mozilla::ipc::MessageChannel::MessageTask&) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1481:3
#19 0x7f16a3f2edef in mozilla::ipc::MessageChannel::MessageTask::Run() /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1579:14
#20 0x7f16a332fe75 in mozilla::RunnableTask::Run() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:538:16
#21 0x7f16a332b45c in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:851:26
#22 0x7f16a332a02a in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:683:15
#23 0x7f16a332a385 in mozilla::TaskController::ProcessPendingMTTask(bool) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:461:36
#24 0x7f16a3333776 in operator() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:187:37
#25 0x7f16a3333776 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_2>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:531:5
#26 0x7f16a3349108 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1204:16
#27 0x7f16a334f87d in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:465:10
#28 0x7f16a3f35be3 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:85:21
#29 0x7f16a3e5bda8 in MessageLoop::RunInternal() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:381:10
#30 0x7f16a3e5bcb1 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:374:3
#31 0x7f16a3e5bcb1 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:356:3
#32 0x7f16a8303538 in nsBaseAppShell::Run() /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:150:27
#33 0x7f16aa51bfeb in XRE_RunAppShell() /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:884:20
#34 0x7f16a3f36aa9 in mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:235:9
#35 0x7f16a3e5bda8 in MessageLoop::RunInternal() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:381:10
#36 0x7f16a3e5bcb1 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:374:3
#37 0x7f16a3e5bcb1 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:356:3
#38 0x7f16aa51b57c in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:743:34
#39 0x5558273e3be0 in content_process_main /builds/worker/checkouts/gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
#40 0x5558273e3be0 in main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:359:18
#41 0x7f16b67e0082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16
#42 0x5558273ba248 in _start (/home/worker/builds/m-c-20221115095444-fuzzing-debug/firefox-bin+0x5b248) (BuildId: dffe064ce03c5f235e4a9afc252b16cccb76259f)

Comment 1

[Tyson Smith [:tsmith]]

Attachment: prefs.js

A prefs.js file for bugmon

Comment 2

[James Teh [:Jamie]]

Because this th is position: absolute, it isn't considered to be a table cell according to layout and so it shouldn't use HTMLTableHeaderCellAccessible. Unfortunately, it does due to a bug in HTMLMarkupMap. Interestingly, this bug seems to have been fixed for td, but not th.

This is probably what caused all the trouble in bug 1771931. I fixed that crash, but I could never work out why it happened.

This is no longer a real problem for users, but we should fix it at some point.

Comment 3

[Nathan LaPré]

I tried reproducing this on Windows 11 (build 22621.819) with no luck. Possible that I did something wrong, but I couldn't get it to crash despite trying a number of times. Maybe easier to repro on other platforms.

edit: I reproduced this eventually, see Comment 8 below.

Comment 4

[James Teh [:Jamie]]

This one is an assertion, not a crash. Were you running a debug build?

Anyway, I do understand why this might happen, as per comment 2. The key is in the difference between the way we handle td and th in HTMLMarkupMap. For td, we only use the HTMLTable* class if the frame type says that's okay. Otherwise, we use an ARIAGrid* class. For th, we always use HTMLTable*.

Comment 5

[Nathan LaPré]

Sorry, I meant to say assertion. Yes, a debug build with fuzzing enabled produced no assertion. That understanding makes sense to me.

edit: I reproduced this eventually, see Comment 8 below.

Comment 6

[Tyson Smith [:tsmith]]

A Pernosco session is available here: https://pernos.co/debug/mr8qd2J0eU5O8DjUgdWutg/index.html

Comment 7

[James Teh [:Jamie]]

Honestly, I'm really surprised this didn't show up in a debug build. It really should show up as soon as we try to push the cache, and the fact that it doesn't makes me question my understanding of this bug a little.

Comment 8

[Nathan LaPré]

Okay, I've run it again today and managed to reproduce the assertion! I had to follow some more specific steps. There's a confounding Windows build issue that makes this trickier, since solved, in Bug 1800462, that affects this specific revision. In my previous attempts, I had just used a slightly later revision, hoping it'd work out the same. I also was placing prefs.js in the nightly profile folder, hoping that would work, whereas now I'm using --prefs to specify the prefs file. My exact steps were:

hg up 8495494c57f8
hg backout -r 6b9175bbaba8995fc54eb3da9837cc83b14741fc # back out the revision that causes local build failures
./mach clobber
./mach configure --enable-debug --enable-fuzzing
./mach build
pip install fuzzfetch grizzly-framework
rm -rf firefox/ # not sure if this is relevant, but my firefox folder already existed, so I removed it first then ran fuzzfetch
python -m fuzzfetch -d --fuzzing -n firefox
python -m grizzly.replay --prefs /c/prefs.js ./firefox/firefox.exe testcase.html

The final command gives me:

Result: Assertion failure: value > 0, at /builds/worker/checkouts/gecko/accessible/generic/LocalAccessible.cpp:3579

(also, side note, I don't seem to have pernosco access yet. I tried accessing it via my personal github - https://github.com/nmlapre - but don't have authorization to view the stack trace)

Comment 9

[Nathan LaPré]

Attachment: Bug 1800749: Prevent position:absolute th elements from using HTMLTableHeaderCellAccessible, r=Jamie

Layout doesn't consider these types of th elements to be table cells since there
is no underlying table layout. This patch asks layout whether it considers the
frame's accessible type to be a table cell accessible. If it does, continue to
use the HTMLTableHeaderCellAccessible, but - otherwise - use a generic grid cell
accessible. This revision also adds a test to verify the behavior of th in this
situation. This essentially repeats the logic already in existence for td.

Comment 10

[Pulsebot]

Pushed by nlapre@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/c4505e111546
Prevent position:absolute th elements from using HTMLTableHeaderCellAccessible, r=Jamie

Comment 11

[Bugmon [:jkratzer for issues]]

Verified bug as reproducible on mozilla-central 20221118154632-3b5a8f67189b.
The bug appears to have been introduced in the following build range:

Start: 2d625e5d6ff86fda6d83464bb315478f94afc577 (20221114233128)
End: 1adc82d1eb960a8a6aac68b9abceaac3fd491abb (20221115021943)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=2d625e5d6ff86fda6d83464bb315478f94afc577&tochange=1adc82d1eb960a8a6aac68b9abceaac3fd491abb

Comment 12

[Cristian Tuns]

https://hg.mozilla.org/mozilla-central/rev/c4505e111546

Comment 13

[Bugmon [:jkratzer for issues]]

Verified bug as fixed on rev mozilla-central 20221119085828-f7eac47f5daa.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.