1800777 - Assertion failure: removed (Can't find old reverse relation), at /builds/worker/checkouts/gecko/accessible/ipc/RemoteAccessibleBase.cpp:933

Status: VERIFIED FIXED

(Core :: Disability Access APIs, defect)

Description

[Tyson Smith [:tsmith]]

Attachment: testcase.html

Found while fuzzing m-c 20221115-8495494c57f8 (--enable-debug --enable-fuzzing)

To reproduce via Grizzly Replay:

$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch -d --fuzzing -n firefox
$ python -m grizzly.replay ./firefox/firefox testcase.html

Assertion failure: removed (Can't find old reverse relation), at /builds/worker/checkouts/gecko/accessible/ipc/RemoteAccessibleBase.cpp:933

#0 0x7f3d28a34697 in mozilla::a11y::RemoteAccessibleBase<mozilla::a11y::RemoteAccessible>::PreProcessRelations(mozilla::a11y::AccAttributes*) /builds/worker/checkouts/gecko/accessible/ipc/RemoteAccessibleBase.cpp:933:11
#1 0x7f3d28a2920a in mozilla::a11y::RemoteAccessibleBase<mozilla::a11y::RemoteAccessible>::ApplyCache(mozilla::a11y::CacheUpdateType, mozilla::a11y::AccAttributes*) /builds/worker/workspace/obj-build/dist/include/mozilla/a11y/RemoteAccessibleBase.h:266:45
#2 0x7f3d28a28d6b in mozilla::a11y::DocAccessibleParent::RecvCache(mozilla::a11y::CacheUpdateType const&, nsTArray<mozilla::a11y::CacheData>&&, bool const&) /builds/worker/checkouts/gecko/accessible/ipc/DocAccessibleParent.cpp:638:13
#3 0x7f3d28a94fb1 in mozilla::a11y::PDocAccessibleParent::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PDocAccessibleParent.cpp:9512:52
#4 0x7f3d2686f65b in mozilla::dom::PContentParent::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PContentParent.cpp:6656:32
#5 0x7f3d22a9730a in mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1756:25
#6 0x7f3d22a93f67 in mozilla::ipc::MessageChannel::DispatchMessage(mozilla::ipc::ActorLifecycleProxy*, mozilla::UniquePtr<IPC::Message, mozilla::DefaultDelete<IPC::Message>>) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1681:9
#7 0x7f3d22a94ab5 in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::ActorLifecycleProxy*, mozilla::ipc::MessageChannel::MessageTask&) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1481:3
#8 0x7f3d22a95def in mozilla::ipc::MessageChannel::MessageTask::Run() /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1579:14
#9 0x7f3d21e96e75 in mozilla::RunnableTask::Run() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:538:16
#10 0x7f3d21e9245c in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:851:26
#11 0x7f3d21e9102a in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:683:15
#12 0x7f3d21e91385 in mozilla::TaskController::ProcessPendingMTTask(bool) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:461:36
#13 0x7f3d21e9a776 in operator() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:187:37
#14 0x7f3d21e9a776 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_2>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:531:5
#15 0x7f3d21eb0108 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1204:16
#16 0x7f3d21eb687d in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:465:10
#17 0x7f3d22a9cbe3 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:85:21
#18 0x7f3d229c2da8 in MessageLoop::RunInternal() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:381:10
#19 0x7f3d229c2cb1 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:374:3
#20 0x7f3d229c2cb1 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:356:3
#21 0x7f3d26e6a538 in nsBaseAppShell::Run() /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:150:27
#22 0x7f3d28f36cb4 in nsAppStartup::Run() /builds/worker/checkouts/gecko/toolkit/components/startup/nsAppStartup.cpp:295:30
#23 0x7f3d2907e873 in XREMain::XRE_mainRun() /builds/worker/checkouts/gecko/toolkit/xre/nsAppRunner.cpp:5736:22
#24 0x7f3d2907fbb2 in XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&) /builds/worker/checkouts/gecko/toolkit/xre/nsAppRunner.cpp:5929:8
#25 0x7f3d2908038a in XRE_main(int, char**, mozilla::BootstrapConfig const&) /builds/worker/checkouts/gecko/toolkit/xre/nsAppRunner.cpp:5985:21
#26 0x55a3b33beaec in do_main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:226:22
#27 0x55a3b33beaec in main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:430:16
#28 0x7f3d35328082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16
#29 0x55a3b3395248 in _start (/home/worker/builds/m-c-20221115095444-fuzzing-debug/firefox-bin+0x5b248) (BuildId: dffe064ce03c5f235e4a9afc252b16cccb76259f)

Comment 1

[James Teh [:Jamie] (away returning 28 Jan)]

Morgan, would you mind looking into this? This doesn't seem to cause a real crash, so I've marked it s4 for now. If your investigation reveals this could be a real problem that could crash or otherwise hurt users, it's probably worth fixing now, in which case please re-triage accordingly. If not, we could defer the fix until later. Thanks.

Comment 2

[Morgan Reschenberg [:morgan]]

Hmm maybe I'm doing this wrong, but I can't repro this locally.
I ran the python snippets above with the attached test case (and added --enable-fuzzing to my mozconfig + rebuilt) but I get "No results detected"

Is this a platform specific failure?

Comment 3

[Tyson Smith [:tsmith]]

(In reply to Morgan Reschenberg [:morgan] from comment #2)

Is this a platform specific failure?

I can repro on Linux but not Windows.

Comment 4

[James Teh [:Jamie] (away returning 28 Jan)]

I have no idea, unfortunately, so comment 3 is your best bet. :(

Comment 5

[James Teh [:Jamie] (away returning 28 Jan)]

Would a Pernosco session help? :tsmith, is that possible?

Comment 6

[Morgan Reschenberg [:morgan]]

blah I have tested on both linux and mac
:tsmith how are you enabling a11y? are you using GNOME_ACCESSIBILITY or is there another way to inject prefs ?

Comment 7

[Tyson Smith [:tsmith]]

I am using prefs.js. You can use prefsjs files with Grizzly via --prefs.

I can try to get a Pernosco session as well.

Comment 8

[Tyson Smith [:tsmith]]

Attachment: prefs.js

Comment 9

[Tyson Smith [:tsmith]]

A Pernosco session is available here: https://pernos.co/debug/gD6Ch1n08ufzhbqiSvDyiQ/index.html

Comment 10

[Morgan Reschenberg [:morgan]]

Attachment: Bug 1800777: Don't recreate reverse rel maps for accs that have been shutdown r?Jamie

Comment 11

[Bugmon [:jkratzer for issues]]

Verified bug as reproducible on mozilla-central 20221118154632-3b5a8f67189b.
The bug appears to have been introduced in the following build range:

Start: 2d625e5d6ff86fda6d83464bb315478f94afc577 (20221114233128)
End: 1adc82d1eb960a8a6aac68b9abceaac3fd491abb (20221115021943)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=2d625e5d6ff86fda6d83464bb315478f94afc577&tochange=1adc82d1eb960a8a6aac68b9abceaac3fd491abb

Comment 12

[Pulsebot]

Pushed by mreschenberg@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/b5ef57b34bec
Don't recreate reverse rel maps for accs that have been shutdown r=Jamie

Comment 13

[Natalia Csoregi [:nataliaCs]]

https://hg.mozilla.org/mozilla-central/rev/b5ef57b34bec

Comment 14

[Bugmon [:jkratzer for issues]]

Verified bug as fixed on rev mozilla-central 20221122094606-bd8c9b741d01.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.