Assertion failure: aUpdateType == CacheUpdateType::Initial || mBounds.isSome() (Incremental cache push but mBounds is not set!), at /builds/worker/checkouts/gecko/accessible/generic/LocalAccessible.cpp:3301
Categories
(Core :: Disability Access APIs, defect)
Tracking
()
| Tracking | Status | |
|---|---|---|
| firefox-esr102 | --- | unaffected |
| firefox109 | --- | unaffected |
| firefox110 | --- | unaffected |
| firefox111 | blocking | verified |
People
(Reporter: tsmith, Assigned: Jamie)
References
(Blocks 1 open bug, Regression)
Details
(5 keywords, Whiteboard: [bugmon:bisected,confirmed] [ctw-m5])
Crash Data
Attachments
(4 files)
Found while fuzzing m-c 20230127-f75c73066b88 (--enable-debug --enable-fuzzing)
To reproduce via Grizzly Replay:
$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch -d --fuzzing -n firefox
$ python -m grizzly.replay ./firefox/firefox testcase.html
Assertion failure: aUpdateType == CacheUpdateType::Initial || mBounds.isSome() (Incremental cache push but mBounds is not set!), at /builds/worker/checkouts/gecko/accessible/generic/LocalAccessible.cpp:3301
#0 0x7ffaf5e82643 in mozilla::a11y::LocalAccessible::BundleFieldsForCache(unsigned long, mozilla::a11y::CacheUpdateType) /builds/worker/checkouts/gecko/accessible/generic/LocalAccessible.cpp:3300:5
#1 0x7ffaf5e7e27f in mozilla::a11y::DocAccessible::ProcessQueuedCacheUpdates() /builds/worker/checkouts/gecko/accessible/generic/DocAccessible.cpp:1529:16
#2 0x7ffaf5e37790 in mozilla::a11y::NotificationController::WillRefresh(mozilla::TimeStamp) /builds/worker/checkouts/gecko/accessible/base/NotificationController.cpp:890:16
#3 0x7ffaf4642142 in nsRefreshDriver::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsRefreshDriver::IsExtraTick) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:2548:12
#4 0x7ffaf464be0d in TickDriver /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:373:13
#5 0x7ffaf464be0d in mozilla::RefreshDriverTimer::TickRefreshDrivers(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver>>&) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:351:7
#6 0x7ffaf464bd13 in mozilla::RefreshDriverTimer::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:367:5
#7 0x7ffaf464bbf0 in mozilla::VsyncRefreshDriverTimer::RunRefreshDrivers(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:911:5
#8 0x7ffaf464af5a in mozilla::VsyncRefreshDriverTimer::TickRefreshDriver(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:825:5
#9 0x7ffaf464a726 in mozilla::VsyncRefreshDriverTimer::NotifyVsyncOnMainThread(mozilla::VsyncEvent const&) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:746:5
#10 0x7ffaf464a239 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsyncTimerOnMainThread() /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:592:14
#11 0x7ffaf4649e4d in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsync(mozilla::VsyncEvent const&) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:549:9
#12 0x7ffaf3ac934b in mozilla::dom::VsyncMainChild::RecvNotify(mozilla::VsyncEvent const&, float const&) /builds/worker/checkouts/gecko/dom/ipc/VsyncMainChild.cpp:66:15
#13 0x7ffaf3d62488 in mozilla::dom::PVsyncChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PVsyncChild.cpp:220:78
#14 0x7ffaf3c69aeb in mozilla::dom::PContentChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PContentChild.cpp:8717:32
#15 0x7ffaefdaf84a in mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1800:25
#16 0x7ffaefdac4c7 in mozilla::ipc::MessageChannel::DispatchMessage(mozilla::ipc::ActorLifecycleProxy*, mozilla::UniquePtr<IPC::Message, mozilla::DefaultDelete<IPC::Message>>) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1725:9
#17 0x7ffaefdacff5 in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::ActorLifecycleProxy*, mozilla::ipc::MessageChannel::MessageTask&) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1525:3
#18 0x7ffaefdae32f in mozilla::ipc::MessageChannel::MessageTask::Run() /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1623:14
#19 0x7ffaef1936a5 in mozilla::RunnableTask::Run() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:539:16
#20 0x7ffaef18ec7c in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:852:26
#21 0x7ffaef18d84a in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:684:15
#22 0x7ffaef18dba5 in mozilla::TaskController::ProcessPendingMTTask(bool) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:462:36
#23 0x7ffaef197019 in operator() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:191:37
#24 0x7ffaef197019 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_3>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:546:5
#25 0x7ffaef1ac4a5 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1197:16
#26 0x7ffaef1b27cd in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:477:10
#27 0x7ffaefdb5743 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:107:5
#28 0x7ffaefcd7358 in MessageLoop::RunInternal() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:381:10
#29 0x7ffaefcd7261 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:374:3
#30 0x7ffaefcd7261 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:356:3
#31 0x7ffaf42dcaf8 in nsBaseAppShell::Run() /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:148:27
#32 0x7ffaf6523cfb in XRE_RunAppShell() /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:742:20
#33 0x7ffaefdb6659 in mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:235:9
#34 0x7ffaefcd7358 in MessageLoop::RunInternal() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:381:10
#35 0x7ffaefcd7261 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:374:3
#36 0x7ffaefcd7261 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:356:3
#37 0x7ffaf6523858 in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:675:34
#38 0x55ae0c30fce0 in content_process_main /builds/worker/checkouts/gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
#39 0x55ae0c30fce0 in main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:353:18
#40 0x7ffb03d74d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
#41 0x7ffb03d74e3f in __libc_start_main csu/../csu/libc-start.c:392:3
#42 0x55ae0c2e6348 in _start (/home/user/workspace/browsers/m-c-20230127094652-fuzzing-debug/firefox-bin+0x5b348) (BuildId: 3dcd87d302507e33b27ddc81c1ad79da4ab2b653)
|
Reporter | |
Comment 1•1 year ago
|
||
prefs.js file for bugmon.
|
||
Comment 2•1 year ago
|
||
Verified bug as reproducible on mozilla-central 20230127094652-f75c73066b88.
The bug appears to have been introduced in the following build range:
Start: 6d502ca911bed1ac7e80ba7ed24c9eb403cfc6a9 (20230126204049)
End: fb9e29f74b61bee02c4fe6f17e45f414f98be3ae (20230127003440)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=6d502ca911bed1ac7e80ba7ed24c9eb403cfc6a9&tochange=fb9e29f74b61bee02c4fe6f17e45f414f98be3ae
|
||
Comment 3•1 year ago
|
||
Set release status flags based on info from the regressing bug 1811972
:Jamie, since you are the author of the regressor, bug 1811972, could you take a look? Also, could you set the severity field?
For more information, please visit auto_nag documentation.
|
Assignee | |
Comment 4•1 year ago
|
||
Although bug 1811972 triggered this, it is due to a problem elsewhere. DocAccessible::TrackMovedAccessible recurses into descendants, but it incorrectly crosses into descendant documents. As well as causing us to try to push the cache for Accessibles in the wrong document after bug 1811972, this could result in incorrect ids in DocAccessibleParent::mMovingIDs, which could in turn result in us not shutting down (and thus leaking) Accessibles that happen to use those ids later.
|
|
Assignee | |
Comment 6•1 year ago
|
||
This is causing crashes:
bp-a4067a2e-c80a-4918-a982-9c02e0230130
I don't understand why it doesn't always crash - I can't reproduce it in Nightly on my laptop, but it happens in local builds on my desktop - but it's definitely the same root cause.
|
|
Assignee | |
Comment 7•1 year ago
|
||
(In reply to James Teh [:Jamie] from comment #6)
I don't understand why it doesn't always crash - I can't reproduce it in Nightly on my laptop
Err... it'd help if I ran an up to date Nightly. I can repro it reliably on my laptop now.
|
||
Updated•1 year ago
|
|
||
Comment 8•1 year ago
|
||
It looks like this is showing up on Fenix under a slightly different signature.
|
|
||
Comment 9•1 year ago
•
|
||
Setting as a release blocker for 111 based on the Fenix nightly crash volume.
:jamie please consider requesting a backout of Bug 1811972, if you don't have a patch based on your investigation.
|
|
Assignee | |
Comment 10•1 year ago
|
||
The set of moved LocalAccessibles on a document should only include Accessibles within that document.
Previously, we were descending into iframe documents.
This resulted in notifying the parent process about incorrect ids being moved and potentially pushing the cache in an invalid state.
|
|
Assignee | |
Comment 11•1 year ago
|
||
I've just landed this patch. In the interest of getting it landed quickly, it doesn't contain a test, but I'll land a test in a follow-up.
|
|
Assignee | |
Updated•1 year ago
|
|
||
Comment 12•1 year ago
|
||
Pushed by jteh@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/d20e3b5cc405 Don't descend into other documents when tracking moved LocalAccessibles. r=nlapre
|
|
Assignee | |
Comment 13•1 year ago
|
||
|
||
Comment 14•1 year ago
|
||
| bugherder | ||
|
|
||
Comment 15•1 year ago
|
||
The bug is linked to a topcrash signature, which matches the following criterion:
- Top 10 AArch64 and ARM crashes on nightly
For more information, please visit auto_nag documentation.
|
|
Assignee | |
Updated•1 year ago
|
|
|
||
Comment 16•1 year ago
|
||
Pushed by jteh@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/e42393aed3ef follow-up: Add test. r=nlapre
|
||
Comment 17•1 year ago
|
||
| bugherder | ||
|
|
||
Comment 18•1 year ago
|
||
Verified bug as fixed on rev mozilla-central 20230201094356-dd0fdd1daa69.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.
Description
•