Assertion failure: hyperAcc, at /builds/worker/checkouts/gecko/accessible/base/TextLeafRange.cpp:1345
Categories: Core :: Disability Access APIs, defect
People: Reporter: tsmith, Assigned: sefeng
References: Blocks 1 open bug, Regression
Details: Keywords: assertion, regression, testcase; Whiteboard: [bugmon:bisected,confirmed][fuzzblocker]
Attachments: 2 files
Found while fuzzing m-c 20221224-dfbd00b278b0 (--enable-debug --enable-fuzzing)
To reproduce via Grizzly Replay:
$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch -d --fuzzing -n firefox
$ python -m grizzly.replay ./firefox/firefox testcase.html
Assertion failure: hyperAcc, at /builds/worker/checkouts/gecko/accessible/base/TextLeafRange.cpp:1345
#0 0x7fdd0debd3e8 in mozilla::a11y::TextLeafPoint::GetTextAttributesLocalAcc(bool) const /builds/worker/checkouts/gecko/accessible/base/TextLeafRange.cpp:1345:3
#1 0x7fdd0def0fc1 in mozilla::a11y::LocalAccessible::BundleFieldsForCache(unsigned long, mozilla::a11y::CacheUpdateType) /builds/worker/checkouts/gecko/accessible/generic/LocalAccessible.cpp:3339:45
#2 0x7fdd0df24f77 in mozilla::a11y::DocAccessibleChildBase::InsertIntoIpcTree(mozilla::a11y::LocalAccessible*, mozilla::a11y::LocalAccessible*, unsigned int, bool) /builds/worker/checkouts/gecko/accessible/ipc/DocAccessibleChildBase.cpp:106:16
#3 0x7fdd0df05b61 in mozilla::a11y::LocalAccessible::HandleAccEvent(mozilla::a11y::AccEvent*) /builds/worker/checkouts/gecko/accessible/generic/LocalAccessible.cpp:852:19
#4 0x7fdd0de82808 in mozilla::a11y::AccessibleWrap::HandleAccEvent(mozilla::a11y::AccEvent*) /builds/worker/checkouts/gecko/accessible/atk/AccessibleWrap.cpp:1019:34
#5 0x7fdd0deb4949 in nsEventShell::FireEvent(mozilla::a11y::AccEvent*) /builds/worker/checkouts/gecko/accessible/base/nsEventShell.cpp:54:15
#6 0x7fdd0dea83f3 in mozilla::a11y::NotificationController::ProcessMutationEvents() /builds/worker/checkouts/gecko/accessible/base/NotificationController.cpp:561:7
#7 0x7fdd0dea93a0 in mozilla::a11y::NotificationController::WillRefresh(mozilla::TimeStamp) /builds/worker/checkouts/gecko/accessible/base/NotificationController.cpp:894:3
#8 0x7fdd0c6b76e2 in nsRefreshDriver::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsRefreshDriver::IsExtraTick) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:2550:12
#9 0x7fdd0c6c78a2 in operator() /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:1786:25
#10 0x7fdd0c6c78a2 in mozilla::detail::RunnableFunction<nsRefreshDriver::EnsureTimerStarted(nsRefreshDriver::EnsureTimerStartedFlags)::$_1>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:546:5
#11 0x7fdd072f8bd5 in mozilla::RunnableTask::Run() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:539:16
#12 0x7fdd072f41ac in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:852:26
#13 0x7fdd072f2d7a in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:684:15
#14 0x7fdd072f30d5 in mozilla::TaskController::ProcessPendingMTTask(bool) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:462:36
#15 0x7fdd072fc4d6 in operator() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:188:37
#16 0x7fdd072fc4d6 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_2>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:546:5
#17 0x7fdd07311d75 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1197:16
#18 0x7fdd073182bd in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:476:10
#19 0x7fdd07f06653 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:85:21
#20 0x7fdd07e2a118 in MessageLoop::RunInternal() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:381:10
#21 0x7fdd07e2a021 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:374:3
#22 0x7fdd07e2a021 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:356:3
#23 0x7fdd0c35f7b8 in nsBaseAppShell::Run() /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:150:27
#24 0x7fdd0e593dab in XRE_RunAppShell() /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:743:20
#25 0x7fdd07f07519 in mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:235:9
#26 0x7fdd07e2a118 in MessageLoop::RunInternal() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:381:10
#27 0x7fdd07e2a021 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:374:3
#28 0x7fdd07e2a021 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:356:3
#29 0x7fdd0e593908 in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:676:34
#30 0x5625ba279ca0 in content_process_main /builds/worker/checkouts/gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
#31 0x5625ba279ca0 in main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:359:18
#32 0x7fdd1b705d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
#33 0x7fdd1b705e3f in __libc_start_main csu/../csu/libc-start.c:392:3
#34 0x5625ba250308 in _start (/home/user/workspace/browsers/m-c-20221227093156-fuzzing-debug/firefox-bin+0x5b308) (BuildId: a628991bed63abb840106c8ac1f1bc985b09820e)
Comment 1•2 years ago (Reporter)
Comment 2•2 years ago
Verified bug as reproducible on mozilla-central 20221228213747-5dde89820aa5.
The bug appears to have been introduced in the following build range:
Start: 2d625e5d6ff86fda6d83464bb315478f94afc577 (20221114233128)
End: 1adc82d1eb960a8a6aac68b9abceaac3fd491abb (20221115021943)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=2d625e5d6ff86fda6d83464bb315478f94afc577&tochange=1adc82d1eb960a8a6aac68b9abceaac3fd491abb
Comment 3•2 years ago
:eeejay, since you are the author of the regressor, bug 1798621, could you take a look? Also, could you set the severity field?
For more information, please visit auto_nag documentation.
Comment 4•2 years ago (Reporter)
Fuzzers are hitting this frequently, marking as fuzzblocker. Please prioritize appropriately.
Comment 5•2 years ago
Testcase crashes using the initial build (mozilla-central 20221224090645-dfbd00b278b0) but not with tip (mozilla-central 20230218045051-50be9c4a3f06).
The bug appears to have been fixed in the following build range:
Start: dafb2e6890e11b74ec00d49c8f2767903a67aa92 (20230213153318)
End: 073223bab35f4149bf5665ec59b16684b7b9a65b (20230213163401)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=dafb2e6890e11b74ec00d49c8f2767903a67aa92&tochange=073223bab35f4149bf5665ec59b16684b7b9a65b
tsmith, can you confirm that the above bisection range is responsible for fixing this issue?
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.
Comment 6•2 years ago
The assertion was due to obscure image map state. The bisection range includes bug 1815913, which changes the way nsImageMap is initialised, so I'm fairly sure this is what would have fixed this.