Open Bug 1870407 Opened 1 year ago Updated 1 month ago

Assertion failure: hyperAcc, at /builds/worker/checkouts/gecko/accessible/base/TextLeafRange.cpp:1598

Categories

(Core :: Disability Access APIs, defect)

Product:
Core
Component:
Disability Access APIs
Type:
defect

Tracking

()

Tracking Flags:
Tracking Status
firefox122 --- wontfix
firefox123 --- affected
firefox124 --- affected

People

(Reporter: tsmith, Unassigned)

References

(Blocks 2 open bugs)

Details

(Keywords: assertion, bugmon, testcase, Whiteboard: [bugmon:bisected,confirmed])

Attachments

(2 files)

testcase.html
55 bytes, text/html
Details
prefs.js
10.06 KB, application/x-javascript
Details
Attached file testcase.html

Found while fuzzing m-c 20231213-63aeef886ee6 (--enable-debug --enable-fuzzing)

To reproduce via Grizzly Replay:

$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch -d --fuzzing -n firefox
$ python -m grizzly.replay ./firefox/firefox testcase.html

Assertion failure: hyperAcc, at /builds/worker/checkouts/gecko/accessible/base/TextLeafRange.cpp:1598

#0 0x7f791f2d23d3 in mozilla::a11y::TextLeafPoint::GetTextAttributesLocalAcc(bool) const /builds/worker/checkouts/gecko/accessible/base/TextLeafRange.cpp:1598:3
#1 0x7f791f30174d in mozilla::a11y::LocalAccessible::BundleFieldsForCache(unsigned long, mozilla::a11y::CacheUpdateType) /builds/worker/checkouts/gecko/accessible/generic/LocalAccessible.cpp:3458:45
#2 0x7f791f331fcd in mozilla::a11y::DocAccessibleChild::SerializeAcc(mozilla::a11y::LocalAccessible*) /builds/worker/checkouts/gecko/accessible/ipc/DocAccessibleChild.cpp:64:15
#3 0x7f791f33241c in mozilla::a11y::DocAccessibleChild::InsertIntoIpcTree(mozilla::a11y::LocalAccessible*, bool) /builds/worker/checkouts/gecko/accessible/ipc/DocAccessibleChild.cpp:97:24
#4 0x7f791f2fc582 in mozilla::a11y::LocalAccessible::HandleAccEvent(mozilla::a11y::AccEvent*) /builds/worker/checkouts/gecko/accessible/generic/LocalAccessible.cpp:876:19
#5 0x7f791f2c894d in nsEventShell::FireEvent(mozilla::a11y::AccEvent*) /builds/worker/checkouts/gecko/accessible/base/nsEventShell.cpp:54:15
#6 0x7f791f2bc0e3 in mozilla::a11y::NotificationController::ProcessMutationEvents() /builds/worker/checkouts/gecko/accessible/base/NotificationController.cpp:616:7
#7 0x7f791f2bd4cd in mozilla::a11y::NotificationController::WillRefresh(mozilla::TimeStamp) /builds/worker/checkouts/gecko/accessible/base/NotificationController.cpp:984:3
#8 0x7f791dc7eae2 in nsRefreshDriver::TickObserverArray(unsigned int, mozilla::TimeStamp) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:2442:10
#9 0x7f791dc7bbe5 in nsRefreshDriver::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsRefreshDriver::IsExtraTick) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:2733:28
#10 0x7f791dc85511 in TickDriver /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:366:13
#11 0x7f791dc85511 in mozilla::RefreshDriverTimer::TickRefreshDrivers(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver>>&) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:344:7
#12 0x7f791dc85410 in mozilla::RefreshDriverTimer::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:360:5
#13 0x7f791dc852ad in mozilla::VsyncRefreshDriverTimer::RunRefreshDrivers(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:949:5
#14 0x7f791dc84541 in mozilla::VsyncRefreshDriverTimer::TickRefreshDriver(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:859:5
#15 0x7f791dc837a9 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsyncTimerOnMainThread() /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:591:14
#16 0x7f791cfafd3b in mozilla::dom::VsyncMainChild::RecvNotify(mozilla::VsyncEvent const&, float const&) /builds/worker/checkouts/gecko/dom/ipc/VsyncMainChild.cpp:66:15
#17 0x7f791d29bd4d in mozilla::dom::PVsyncChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PVsyncChild.cpp:227:78
#18 0x7f7919126b91 in mozilla::ipc::PBackgroundChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PBackgroundChild.cpp:5589:32
#19 0x7f79190ba26f in mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1813:25
#20 0x7f79190b6fc2 in mozilla::ipc::MessageChannel::DispatchMessage(mozilla::ipc::ActorLifecycleProxy*, mozilla::UniquePtr<IPC::Message, mozilla::DefaultDelete<IPC::Message>>) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1732:9
#21 0x7f79190b7c42 in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::ActorLifecycleProxy*, mozilla::ipc::MessageChannel::MessageTask&) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1525:3
#22 0x7f79190b8d8f in mozilla::ipc::MessageChannel::MessageTask::Run() /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1623:14
#23 0x7f79183cedb7 in mozilla::RunnableTask::Run() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:549:16
#24 0x7f79183c49c3 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:876:26
#25 0x7f79183c31b7 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:699:15
#26 0x7f79183c3635 in mozilla::TaskController::ProcessPendingMTTask(bool) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:485:36
#27 0x7f79183d2d26 in operator() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:211:37
#28 0x7f79183d2d26 in mozilla::detail::RunnableFunction<mozilla::TaskController::TaskController()::$_0>::Run() /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.h:548:5
#29 0x7f79183e7e12 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1199:16
#30 0x7f79183eef3d in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:480:10
#31 0x7f79190c01d5 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:85:21
#32 0x7f7918fd9d11 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:363:3
#33 0x7f7918fd9d11 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:345:3
#34 0x7f791d8b96f8 in nsBaseAppShell::Run() /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:148:27
#35 0x7f791d9764a8 in nsAppShell::Run() /builds/worker/checkouts/gecko/widget/gtk/nsAppShell.cpp:470:33
#36 0x7f791f98f6db in XRE_RunAppShell() /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:721:20
#37 0x7f79190c10b6 in mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:235:9
#38 0x7f7918fd9d11 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:363:3
#39 0x7f7918fd9d11 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:345:3
#40 0x7f791f98ef42 in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:656:34
#41 0x55c959512f76 in content_process_main /builds/worker/checkouts/gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
#42 0x55c959512f76 in main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:375:18
#43 0x7f792c942d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
#44 0x7f792c942e3f in __libc_start_main csu/../csu/libc-start.c:392:3
#45 0x55c9594e8ca8 in _start (/home/worker/builds/m-c-20231213214249-fuzzing-debug/firefox-bin+0x58ca8) (BuildId: 76ae9b20fe68d09c9d75c1fa641ced1cd3795d82)
Flags: in-testsuite?
Attached file prefs.js

Verified bug as reproducible on mozilla-central 20231215214115-8fd04cb03fbd.
Unable to bisect testcase (Testcase reproduces on start build!):

Start: 59c15c902a18e4ba5998f9dc6235c226cf58bc9a (20221217093017)
End: 63aeef886ee6d36af635d8354f1f1bf798f8357e (20231213214249)
BuildFlags: BuildFlags(asan=False, tsan=False, debug=True, fuzzing=True, coverage=False, valgrind=False, no_opt=False, fuzzilli=False, nyx=False)

Whiteboard: [bugmon:bisected,confirmed]
Severity: -- → S4

This has been detected by live site testing.

Blocks: site-scout
status-firefox122: affectedwontfix
status-firefox123: --- → affected
status-firefox124: --- → affected

We should create a HyperTextAccessible for textPath and tspan if they must be accessible, similar to what we do for foreignObject. SVG-AAM says textPath, tspan and foreignObject should get role group if an accessible is created for them. We're not currently giving foreignObject role group.

You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: