1802240 - Assertion failure: value > 0, at /builds/worker/checkouts/gecko/accessible/generic/LocalAccessible.cpp:3580

Status: VERIFIED FIXED

(Core :: Disability Access APIs, defect)

Description

[Tyson Smith [:tsmith]]

Attachment: testcase.html

Found while fuzzing m-c 20221121-a29b80b10710 (--enable-debug --enable-fuzzing)

To reproduce via Grizzly Replay:

$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch -d --fuzzing -n firefox
$ python -m grizzly.replay ./firefox/firefox testcase.html

Assertion failure: value > 0, at /builds/worker/checkouts/gecko/accessible/generic/LocalAccessible.cpp:3580

#0 0x7f4b59f9c0b2 in mozilla::a11y::LocalAccessible::BundleFieldsForCache(unsigned long, mozilla::a11y::CacheUpdateType) /builds/worker/checkouts/gecko/accessible/generic/LocalAccessible.cpp:3580:7
#1 0x7f4b59fcd644 in mozilla::a11y::DocAccessibleChildBase::InsertIntoIpcTree(mozilla::a11y::LocalAccessible*, mozilla::a11y::LocalAccessible*, unsigned int, bool) /builds/worker/checkouts/gecko/accessible/ipc/DocAccessibleChildBase.cpp:106:16
#2 0x7f4b59f9cde7 in mozilla::a11y::DocAccessible::DoInitialUpdate() /builds/worker/checkouts/gecko/accessible/generic/DocAccessible.cpp:1671:17
#3 0x7f4b59f51a2c in mozilla::a11y::NotificationController::WillRefresh(mozilla::TimeStamp) /builds/worker/checkouts/gecko/accessible/base/NotificationController.cpp:671:16
#4 0x7f4b5875f9a2 in nsRefreshDriver::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsRefreshDriver::IsExtraTick) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:2525:12
#5 0x7f4b5876956d in TickDriver /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:375:13
#6 0x7f4b5876956d in mozilla::RefreshDriverTimer::TickRefreshDrivers(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver>>&) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:353:7
#7 0x7f4b58769473 in mozilla::RefreshDriverTimer::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:369:5
#8 0x7f4b58769350 in mozilla::VsyncRefreshDriverTimer::RunRefreshDrivers(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:913:5
#9 0x7f4b587686ba in mozilla::VsyncRefreshDriverTimer::TickRefreshDriver(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:827:5
#10 0x7f4b58767e76 in mozilla::VsyncRefreshDriverTimer::NotifyVsyncOnMainThread(mozilla::VsyncEvent const&) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:748:5
#11 0x7f4b58767989 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsyncTimerOnMainThread() /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:594:14
#12 0x7f4b5876759d in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsync(mozilla::VsyncEvent const&) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:551:9
#13 0x7f4b57c3b2cb in mozilla::dom::VsyncMainChild::RecvNotify(mozilla::VsyncEvent const&, float const&) /builds/worker/checkouts/gecko/dom/ipc/VsyncMainChild.cpp:68:15
#14 0x7f4b57ebefd8 in mozilla::dom::PVsyncChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PVsyncChild.cpp:220:78
#15 0x7f4b540a2cca in mozilla::ipc::PBackgroundChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PBackgroundChild.cpp:6306:32
#16 0x7f4b5403b4aa in mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1756:25
#17 0x7f4b54038107 in mozilla::ipc::MessageChannel::DispatchMessage(mozilla::ipc::ActorLifecycleProxy*, mozilla::UniquePtr<IPC::Message, mozilla::DefaultDelete<IPC::Message>>) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1681:9
#18 0x7f4b54038c55 in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::ActorLifecycleProxy*, mozilla::ipc::MessageChannel::MessageTask&) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1481:3
#19 0x7f4b54039f8f in mozilla::ipc::MessageChannel::MessageTask::Run() /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1579:14
#20 0x7f4b5343a235 in mozilla::RunnableTask::Run() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:538:16
#21 0x7f4b5343581c in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:851:26
#22 0x7f4b534343ea in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:683:15
#23 0x7f4b53434745 in mozilla::TaskController::ProcessPendingMTTask(bool) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:461:36
#24 0x7f4b5343db36 in operator() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:187:37
#25 0x7f4b5343db36 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_2>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:546:5
#26 0x7f4b534534c8 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1204:16
#27 0x7f4b53459c3d in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:474:10
#28 0x7f4b54040d83 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:85:21
#29 0x7f4b53f66b38 in MessageLoop::RunInternal() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:381:10
#30 0x7f4b53f66a41 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:374:3
#31 0x7f4b53f66a41 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:356:3
#32 0x7f4b58414e58 in nsBaseAppShell::Run() /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:150:27
#33 0x7f4b5a62ff4b in XRE_RunAppShell() /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:884:20
#34 0x7f4b54041c49 in mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:235:9
#35 0x7f4b53f66b38 in MessageLoop::RunInternal() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:381:10
#36 0x7f4b53f66a41 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:374:3
#37 0x7f4b53f66a41 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:356:3
#38 0x7f4b5a62f4dc in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:743:34
#39 0x5602a1ecdbe0 in content_process_main /builds/worker/checkouts/gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
#40 0x5602a1ecdbe0 in main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:359:18
#41 0x7f4b66e59082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16
#42 0x5602a1ea4248 in _start (/home/worker/builds/m-c-20221121153827-fuzzing-debug/firefox-bin+0x5b248) (BuildId: 2c5cabf1f97817a4b11c4781e3335d19e7a2232e)

Comment 1

[Tyson Smith [:tsmith]]

Attachment: prefs.js

prefs.js file for bugmon

Comment 2

[James Teh [:Jamie]]

MathML table cell (mtd) with a non-table display style. We shouldn't be using HTMLTableCellAccessible in this case. This needs to be tweaked in MathMLMarkupMap. I guess we should fall back to ARIAGrid*Accessible like we do for HTML table parts.

Comment 3

[Bugmon [:jkratzer for issues]]

Verified bug as reproducible on mozilla-central 20221123213526-c300f1dba775.
The bug appears to have been introduced in the following build range:

Start: 2d625e5d6ff86fda6d83464bb315478f94afc577 (20221114233128)
End: 1adc82d1eb960a8a6aac68b9abceaac3fd491abb (20221115021943)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=2d625e5d6ff86fda6d83464bb315478f94afc577&tochange=1adc82d1eb960a8a6aac68b9abceaac3fd491abb

Comment 4

[BugBot [:suhaib / :marco/ :calixte]]

:eeejay, since you are the author of the regressor, bug 1798621, could you take a look?

For more information, please visit auto_nag documentation.

Comment 5

[Nathan LaPré]

I think we know what to do to address this, I'm going to tackle it (see Jamie's comment above). Un-need-info-ing :eeejay.

Comment 6

[Nathan LaPré]

Still looking at this; it doesn't seem like the solution we're using in HTMLMarkupMap.h for td will work quite the same for mtd. If I add the same condition to the mtd code, the conditions never pass. The difference is, for mtd, aElement->GetPrimaryFrame()->AccessibleType() is eHTMLTableCellType even when I set different display styles that presumably cause it to break (as it broke td and th). In the td case, for instance, the frame's accessible type is eHyperTextType with the non-table display styles applied. I'm trying to trace this back to figure out why there's a discrepancy here, but I figure I should post the info now in case anyone has an idea. Maybe there's something else I can check to detect the non-table display style case (element attributes?). FWIW, forcibly creating ARIAGridCellAccessible seems to work just fine (at least the roles are still reported properly). I think it's just a matter of massaging the condition to get there.

Comment 7

[James Teh [:Jamie]]

That suggests that mtd uses layout's nsTableCellFrame regardless of its display style, which is interesting and makes me wonder why we're hitting this problem in the first place. I guess layout chooses the wrong frame type here and then barfs when a11y tries to query it?

Probably the easiest way to deal with this is to check for the table-cell display style explicitly.

dholbert or emilio might be able to provide further context from the layout side if you get stuck.

Comment 8

[Nathan LaPré]

Attachment: Bug 1802240: Use generic ARIA grid cell accessible for mtd elements without table style, r?Jamie

This revision changes the logic in MathMLMarkupMap such that mtd elements create
generic ARIA grid accessibles if the display style for the element is something
other than 'table'. This revision also adds a test that verifies that the roles
remain as expected, even with this change.

Comment 9

[Pulsebot]

Pushed by nlapre@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/29d3931389be
Use generic ARIA grid cell accessible for mtd elements without table style, r=Jamie

Comment 10

[Cristian Tuns]

https://hg.mozilla.org/mozilla-central/rev/29d3931389be

Comment 11

[Bugmon [:jkratzer for issues]]

Verified bug as fixed on rev mozilla-central 20221207041118-99052dd249cc.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.