Closed Bug 1800755 Opened 2 years ago Closed 1 year ago

Assertion failure: false (MOZ_ASSERT_UNREACHABLE: No remote found!), at /builds/worker/checkouts/gecko/accessible/ipc/DocAccessibleParent.cpp:678

Categories

(Core :: Disability Access APIs, defect)

Product:
Core
Component:
Disability Access APIs
Type:
defect

Tracking

()

Status:
VERIFIED FIXED
Milestone:
109 Branch
Tracking Flags:
Tracking Status
firefox-esr102 --- unaffected
firefox107 --- unaffected
firefox108 --- unaffected
firefox109 --- verified

People

(Reporter: tsmith, Assigned: Jamie)

References

(Blocks 1 open bug, Regression)

Details

(Keywords: assertion, regression, testcase, Whiteboard: [bugmon:bisected,confirmed])

Attachments

(3 files)

testcase.html
281 bytes, text/html
Details
prefs.js
9.32 KB, application/x-javascript
Details
Bug 1800755: Don't send selection changes for defunct Accessibles.
48 bytes, text/x-phabricator-request
Details | Review
Attached file testcase.html

Found while fuzzing m-c 20221115-8495494c57f8 (--enable-debug --enable-fuzzing)

To reproduce via Grizzly Replay:

$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch -d --fuzzing -n firefox
$ python -m grizzly.replay ./firefox/firefox testcase.html

Assertion failure: false (MOZ_ASSERT_UNREACHABLE: No remote found!), at /builds/worker/checkouts/gecko/accessible/ipc/DocAccessibleParent.cpp:678

#0 0x7fdfa1fe0a4e in mozilla::a11y::DocAccessibleParent::RecvSelectedAccessiblesChanged(nsTArray<unsigned long>&&, nsTArray<unsigned long>&&) /builds/worker/checkouts/gecko/accessible/ipc/DocAccessibleParent.cpp:678:7
#1 0x7fdfa204c5d5 in mozilla::a11y::PDocAccessibleParent::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PDocAccessibleParent.cpp:9558:52
#2 0x7fdf9fe2665b in mozilla::dom::PContentParent::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PContentParent.cpp:6656:32
#3 0x7fdf9c04e30a in mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1756:25
#4 0x7fdf9c04af67 in mozilla::ipc::MessageChannel::DispatchMessage(mozilla::ipc::ActorLifecycleProxy*, mozilla::UniquePtr<IPC::Message, mozilla::DefaultDelete<IPC::Message>>) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1681:9
#5 0x7fdf9c04bab5 in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::ActorLifecycleProxy*, mozilla::ipc::MessageChannel::MessageTask&) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1481:3
#6 0x7fdf9c04cdef in mozilla::ipc::MessageChannel::MessageTask::Run() /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1579:14
#7 0x7fdf9b44de75 in mozilla::RunnableTask::Run() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:538:16
#8 0x7fdf9b44945c in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:851:26
#9 0x7fdf9b44802a in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:683:15
#10 0x7fdf9b448385 in mozilla::TaskController::ProcessPendingMTTask(bool) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:461:36
#11 0x7fdf9b451776 in operator() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:187:37
#12 0x7fdf9b451776 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_2>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:531:5
#13 0x7fdf9b467108 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1204:16
#14 0x7fdf9b46d87d in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:465:10
#15 0x7fdf9c053be3 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:85:21
#16 0x7fdf9bf79da8 in MessageLoop::RunInternal() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:381:10
#17 0x7fdf9bf79cb1 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:374:3
#18 0x7fdf9bf79cb1 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:356:3
#19 0x7fdfa0421538 in nsBaseAppShell::Run() /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:150:27
#20 0x7fdfa24edcb4 in nsAppStartup::Run() /builds/worker/checkouts/gecko/toolkit/components/startup/nsAppStartup.cpp:295:30
#21 0x7fdfa2635873 in XREMain::XRE_mainRun() /builds/worker/checkouts/gecko/toolkit/xre/nsAppRunner.cpp:5736:22
#22 0x7fdfa2636bb2 in XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&) /builds/worker/checkouts/gecko/toolkit/xre/nsAppRunner.cpp:5929:8
#23 0x7fdfa263738a in XRE_main(int, char**, mozilla::BootstrapConfig const&) /builds/worker/checkouts/gecko/toolkit/xre/nsAppRunner.cpp:5985:21
#24 0x55b7f3d16aec in do_main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:226:22
#25 0x55b7f3d16aec in main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:430:16
#26 0x7fdfb0159082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16
#27 0x55b7f3ced248 in _start (/home/worker/builds/m-c-20221115095444-fuzzing-debug/firefox-bin+0x5b248) (BuildId: dffe064ce03c5f235e4a9afc252b16cccb76259f)
Flags: in-testsuite?
Attached file prefs.js

A prefs.js file for bugmon

Doesn't cause a crash in release builds. My guess is that the timing of where we queue selection updates vs mutations isn't quite right.

Blocks: a11y-ctw
Severity: -- → S4

Verified bug as reproducible on mozilla-central 20221118154632-3b5a8f67189b.
The bug appears to have been introduced in the following build range:

Start: 2d625e5d6ff86fda6d83464bb315478f94afc577 (20221114233128)
End: 1adc82d1eb960a8a6aac68b9abceaac3fd491abb (20221115021943)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=2d625e5d6ff86fda6d83464bb315478f94afc577&tochange=1adc82d1eb960a8a6aac68b9abceaac3fd491abb

Keywords: regression
Whiteboard: [bugmon:bisected,confirmed]

:eeejay, since you are the author of the regressor, bug 1798621, could you take a look?

For more information, please visit auto_nag documentation.

Flags: needinfo?(eitan)
Assignee: nobody → jteh
Flags: needinfo?(eitan)

When a selection event is dropped due to coalescence, we still include the impacted Accessible in the SelectedAccessiblesChanged notification we send to the parent process.
Although we skip events with defunct targets, we weren't skipping defunct items referenced by selection events.
This meant that if an Accessible was selected/unselected but was shut down before we sent SelectedAccessiblesChanged, the notification would include a dead Accessible.
This was causing an assertion in the parent process.
To fix this, we now ignore defunct items in selection events.

Pushed by jteh@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/6116a9ffa58c
Don't send selection changes for defunct Accessibles. r=morgan

https://hg.mozilla.org/mozilla-central/rev/6116a9ffa58c

Status: NEW → RESOLVED
Closed: 1 year ago
status-firefox109: affectedfixed
Resolution: --- → FIXED
Target Milestone: --- → 109 Branch

Verified bug as fixed on rev mozilla-central 20221122094606-bd8c9b741d01.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Status: RESOLVED → VERIFIED
status-firefox109: fixedverified
Keywords: bugmon
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: