1840458 - Assertion failure: false (MOZ_ASSERT_UNREACHABLE: Stored active item is unbound from document), at /builds/worker/checkouts/gecko/accessible/base/FocusManager.cpp:34

Status: NEW

(Core :: Disability Access APIs, defect)

Description

[Tyson Smith [:tsmith]]

Attachment: testcase.html

Found while fuzzing m-c 20230612-3db6c45f4918 (--enable-debug --enable-fuzzing)

To reproduce via Grizzly Replay:

$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch -d --fuzzing -n firefox
$ python -m grizzly.replay ./firefox/firefox testcase.html --xvfb --repeat 10

Assertion failure: false (MOZ_ASSERT_UNREACHABLE: Stored active item is unbound from document), at /builds/worker/checkouts/gecko/accessible/base/FocusManager.cpp:34

#0 0x7fa6ecf599aa in mozilla::a11y::FocusManager::FocusedLocalAccessible() const /builds/worker/checkouts/gecko/accessible/base/FocusManager.cpp:34:7
#1 0x7fa6ecf59ba8 in mozilla::a11y::FocusManager::FocusedAccessible() const /builds/worker/checkouts/gecko/accessible/base/FocusManager.cpp:73:32
#2 0x7fa6ecf9d6bb in IsFocused /builds/worker/workspace/obj-build/dist/include/mozilla/a11y/FocusManager.h:48:12
#3 0x7fa6ecf9d6bb in mozilla::a11y::DocAccessible::NativeState() const /builds/worker/checkouts/gecko/accessible/generic/DocAccessible.cpp:235:19
#4 0x7fa6ecfc3e71 in mozilla::a11y::RootAccessible::NativeState() const /builds/worker/checkouts/gecko/accessible/generic/RootAccessible.cpp:101:39
#5 0x7fa6ecfbd686 in mozilla::a11y::LocalAccessible::State() /builds/worker/checkouts/gecko/accessible/generic/LocalAccessible.cpp:1497:20
#6 0x7fa6ecf4d052 in mozilla::a11y::AccTextChangeEvent::AccTextChangeEvent(mozilla::a11y::LocalAccessible*, int, nsTSubstring<char16_t> const&, bool, mozilla::a11y::EIsFromUserInput) /builds/worker/checkouts/gecko/accessible/base/AccEvent.cpp:96:20
#7 0x7fa6ecf59059 in mozilla::a11y::NotificationController::QueueMutationEvent(mozilla::a11y::AccTreeMutationEvent*) /builds/worker/checkouts/gecko/accessible/base/NotificationController.cpp:291:38
#8 0x7fa6ecf58a46 in mozilla::a11y::TreeMutation::AfterInsertion(mozilla::a11y::LocalAccessible*) /builds/worker/checkouts/gecko/accessible/base/EventTree.cpp:54:41
#9 0x7fa6ecfadb3a in mozilla::a11y::DocAccessible::ProcessContentInserted(mozilla::a11y::LocalAccessible*, nsTArray<nsCOMPtr<nsIContent>> const*) /builds/worker/checkouts/gecko/accessible/generic/DocAccessible.cpp:2051:10
#10 0x7fa6ecf60c43 in mozilla::a11y::NotificationController::WillRefresh(mozilla::TimeStamp) /builds/worker/checkouts/gecko/accessible/base/NotificationController.cpp:832:16
#11 0x7fa6eb6c3f19 in nsRefreshDriver::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsRefreshDriver::IsExtraTick) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:2580:12
#12 0x7fa6eb6cd731 in TickDriver /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:373:13
#13 0x7fa6eb6cd731 in mozilla::RefreshDriverTimer::TickRefreshDrivers(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver>>&) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:351:7
#14 0x7fa6eb6cd630 in mozilla::RefreshDriverTimer::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:367:5
#15 0x7fa6eb6cd4cd in mozilla::VsyncRefreshDriverTimer::RunRefreshDrivers(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:911:5
#16 0x7fa6eb6cc846 in mozilla::VsyncRefreshDriverTimer::TickRefreshDriver(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:825:5
#17 0x7fa6eb6cbb79 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsyncTimerOnMainThread() /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:592:14
#18 0x7fa6eaa5278b in mozilla::dom::VsyncMainChild::RecvNotify(mozilla::VsyncEvent const&, float const&) /builds/worker/checkouts/gecko/dom/ipc/VsyncMainChild.cpp:66:15
#19 0x7fa6ead23b1e in mozilla::dom::PVsyncChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PVsyncChild.cpp:220:78
#20 0x7fa6e6b50f01 in mozilla::ipc::PBackgroundChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PBackgroundChild.cpp:6269:32
#21 0x7fa6e6ae3c3f in mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1811:25
#22 0x7fa6e6ae0992 in mozilla::ipc::MessageChannel::DispatchMessage(mozilla::ipc::ActorLifecycleProxy*, mozilla::UniquePtr<IPC::Message, mozilla::DefaultDelete<IPC::Message>>) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1736:9
#23 0x7fa6e6ae1612 in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::ActorLifecycleProxy*, mozilla::ipc::MessageChannel::MessageTask&) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1536:3
#24 0x7fa6e6ae275f in mozilla::ipc::MessageChannel::MessageTask::Run() /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1634:14
#25 0x7fa6e5e16d27 in mozilla::RunnableTask::Run() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:555:16
#26 0x7fa6e5e0e991 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:880:26
#27 0x7fa6e5e0d327 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:704:15
#28 0x7fa6e5e0d785 in mozilla::TaskController::ProcessPendingMTTask(bool) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:491:36
#29 0x7fa6e5e1ac19 in operator() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:221:37
#30 0x7fa6e5e1ac19 in mozilla::detail::RunnableFunction<mozilla::TaskController::TaskController()::$_1>::Run() /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.h:548:5
#31 0x7fa6e5e312ea in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1199:16
#32 0x7fa6e5e380ad in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:479:10
#33 0x7fa6e6ae9b53 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:107:5
#34 0x7fa6e6a02fd1 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:363:3
#35 0x7fa6e6a02fd1 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:345:3
#36 0x7fa6eb31a0d8 in nsBaseAppShell::Run() /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:148:27
#37 0x7fa6ed6438fb in XRE_RunAppShell() /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:717:20
#38 0x7fa6e6aeaa86 in mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:235:9
#39 0x7fa6e6a02fd1 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:363:3
#40 0x7fa6e6a02fd1 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:345:3
#41 0x7fa6ed6431ca in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:652:34
#42 0x55e7b28e5526 in content_process_main /builds/worker/checkouts/gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
#43 0x55e7b28e5526 in main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:375:18
#44 0x7fa6f9a29d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
#45 0x7fa6f9a29e3f in __libc_start_main csu/../csu/libc-start.c:392:3
#46 0x55e7b28bc7c8 in _start (/home/user/workspace/browsers/m-c-20230626162305-fuzzing-debug/firefox-bin+0x587c8) (BuildId: 8ac417d88dd31d710d42469094b03ad0244e28b1)

Comment 1

[Tyson Smith [:tsmith]]

Attachment: prefs.js

prefs.js file for bugmon

Comment 2

[Bugmon [:jkratzer for issues]]

Bugmon was unable reproduce this issue.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Comment 3

[Eitan Isaacson [:eeejay]]

We safely return null there so not a functional problem. But need to set to s2 because we are blocking the fuzzers.

Comment 4

[James Teh [:Jamie]]

Even though the fuzzers have hit this, it isn't marked as a fuzzblocker, so I don't think we're blocking them. Comment 2 suggests the fuzzers can't reproduce this now (or at least not reliably enough for it to be a real problem). Downgrading severity.

Comment 5

[Tyson Smith [:tsmith]]

Attachment: testcase.html

This is a slightly more reduced and more reliable test case but still not great.

Comment 6

[Tyson Smith [:tsmith]]

(In reply to James Teh [:Jamie] from comment #4)

Even though the fuzzers have hit this, it isn't marked as a fuzzblocker, so I don't think we're blocking them.

Correct, the fuzzers do not appear to be blocked on this issue. We are seeing 5-10 reports or so per day.

Comment 2 suggests the fuzzers can't reproduce this now (or at least not reliably enough for it to be a real problem). Downgrading severity.

There seems to be a timing aspect to this, the unreduced test cases are much more (100%) reliable but not useful in that state.

Comment 7

[Bugmon [:jkratzer for issues]]

Bugmon was unable reproduce this issue.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Comment 8

[Frederik Braun [:freddy] (OOO until August 18th)]

I have also hit this error when testing something unrelated (inline script handlers in about:config). Would be nice if we could fix this one way or another.

Comment 9

[Tyson Smith [:tsmith]]

This issue has been detected by live site testing.