Closed Bug 1928730 Opened 3 months ago Closed 21 days ago

Assertion failure: !(NativeState() & states::PROTECTED), at /builds/worker/checkouts/gecko/accessible/html/HTMLFormControlAccessible.cpp:342

Categories

(Core :: Disability Access APIs, defect)

Tracking

RESOLVED FIXED
134 Branch
Tracking Status
firefox-esr115 --- wontfix
firefox-esr128 --- wontfix
firefox132 --- wontfix
firefox133 --- wontfix
firefox134 --- fixed

People

(Reporter: tsmith, Assigned: Jamie)

References

(Blocks 2 open bugs, Regression)

Details

(Keywords: assertion, regression, testcase, Whiteboard: [bugmon:bisected,confirmed])

Attachments

(2 files)

Attached file testcase.html

Found while fuzzing m-c 20241022-c71b36339200 (--enable-debug --enable-fuzzing)

To reproduce via Grizzly Replay:

$ pip install fuzzfetch grizzly-framework --upgrade
$ python -m fuzzfetch -d --fuzzing -n firefox
$ python -m grizzly.replay.bugzilla ./firefox/firefox <bugid>

Assertion failure: !(NativeState() & states::PROTECTED), at /builds/worker/checkouts/gecko/accessible/html/HTMLFormControlAccessible.cpp:342

#0 0x7ec298f634c6 in mozilla::a11y::HTMLTextFieldAccessible::Value(nsTString<char16_t>&) const /builds/worker/checkouts/gecko/accessible/html/HTMLFormControlAccessible.cpp:342:5
#1 0x7ec298f3cec2 in mozilla::a11y::LocalAccessible::BundleFieldsForCache(unsigned long, mozilla::a11y::CacheUpdateType, unsigned long) /builds/worker/checkouts/gecko/accessible/generic/LocalAccessible.cpp:3466:7
#2 0x7ec298f6bea0 in mozilla::a11y::DocAccessibleChild::SerializeAcc(mozilla::a11y::LocalAccessible*) /builds/worker/checkouts/gecko/accessible/ipc/DocAccessibleChild.cpp:63:20
#3 0x7ec298f6c2e5 in mozilla::a11y::DocAccessibleChild::InsertIntoIpcTree(mozilla::a11y::LocalAccessible*, bool) /builds/worker/checkouts/gecko/accessible/ipc/DocAccessibleChild.cpp:98:24
#4 0x7ec298f43fa1 in mozilla::a11y::DocAccessible::DoInitialUpdate() /builds/worker/checkouts/gecko/accessible/generic/DocAccessible.cpp:1746:17
#5 0x7ec298f040b7 in mozilla::a11y::NotificationController::WillRefresh(mozilla::TimeStamp) /builds/worker/checkouts/gecko/accessible/base/NotificationController.cpp:762:16
#6 0x7ec2988dbb75 in nsRefreshDriver::TickObserverArray(unsigned int, mozilla::TimeStamp) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:2560:10
#7 0x7ec2988d82e2 in nsRefreshDriver::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsRefreshDriver::IsExtraTick) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:2823:8
#8 0x7ec2988e13a1 in TickDriver /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:368:13
#9 0x7ec2988e13a1 in mozilla::RefreshDriverTimer::TickRefreshDrivers(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver>>&) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:346:7
#10 0x7ec2988e12a0 in mozilla::RefreshDriverTimer::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:362:5
#11 0x7ec2988e113d in mozilla::VsyncRefreshDriverTimer::RunRefreshDrivers(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:948:5
#12 0x7ec2988e046c in mozilla::VsyncRefreshDriverTimer::TickRefreshDriver(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:858:5
#13 0x7ec2988df7f9 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsyncTimerOnMainThread() /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:593:14
#14 0x7ec297d2767b in mozilla::dom::VsyncMainChild::RecvNotify(mozilla::VsyncEvent const&, float const&) /builds/worker/checkouts/gecko/dom/ipc/VsyncMainChild.cpp:66:15
#15 0x7ec297fba2e7 in mozilla::dom::PVsyncChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PVsyncChild.cpp:235:78
#16 0x7ec2938f3a7d in mozilla::ipc::PBackgroundChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PBackgroundChild.cpp:5428:32
#17 0x7ec29388bfbf in mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1726:25
#18 0x7ec293888f42 in mozilla::ipc::MessageChannel::DispatchMessage(mozilla::ipc::ActorLifecycleProxy*, mozilla::UniquePtr<IPC::Message, mozilla::DefaultDelete<IPC::Message>>) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1653:9
#19 0x7ec293889bc2 in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::ActorLifecycleProxy*, mozilla::ipc::MessageChannel::MessageTask&) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1444:3
#20 0x7ec29388ad0f in mozilla::ipc::MessageChannel::MessageTask::Run() /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1544:14
#21 0x7ec292ced747 in mozilla::RunnableTask::Run() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:618:16
#22 0x7ec292ce2fa9 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:945:26
#23 0x7ec292ce19e7 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:768:15
#24 0x7ec292ce1e65 in mozilla::TaskController::ProcessPendingMTTask(bool) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:554:36
#25 0x7ec292cf1126 in operator() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:268:37
#26 0x7ec292cf1126 in mozilla::detail::RunnableFunction<mozilla::TaskController::TaskController()::$_0>::Run() /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.h:548:5
#27 0x7ec292d049db in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1155:16
#28 0x7ec292d0b6bf in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:480:10
#29 0x7ec293891b45 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:85:21
#30 0x7ec2937e3f41 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:362:3
#31 0x7ec2937e3f41 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:344:3
#32 0x7ec298549e08 in nsBaseAppShell::Run() /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:148:27
#33 0x7ec2985fb1d8 in nsAppShell::Run() /builds/worker/checkouts/gecko/widget/gtk/nsAppShell.cpp:469:33
#34 0x7ec2994d72ab in XRE_RunAppShell() /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:651:20
#35 0x7ec293892996 in mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:235:9
#36 0x7ec2937e3f41 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:362:3
#37 0x7ec2937e3f41 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:344:3
#38 0x7ec2994d66ca in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:586:34
#39 0x5590518cde9e in main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:397:22
Flags: in-testsuite?

Verified bug as reproducible on mozilla-central 20241101161158-961c0ab30e4d.
The bug appears to have been introduced in the following build range:

Start: d35e5083efa973e4b4fb0a8b2bfc9bfd441709f5 (20241022132355)
End: 6b872256a37f5eb4be01b258690ce72e0ca4a45d (20241022135047)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=d35e5083efa973e4b4fb0a8b2bfc9bfd441709f5&tochange=6b872256a37f5eb4be01b258690ce72e0ca4a45d

Keywords: regression
Whiteboard: [bugmon:bisected,confirmed]
Regressed by: 1694789

Set release status flags based on info from the regressing bug 1694789

:vhilla, since you are the author of the regressor, bug 1694789, could you take a look?

For more information, please visit BugBot documentation.

Flags: needinfo?(vincenthilla5)

Wow. I think this bug has existed for a very long time, but it's just never shown up before because we didn't have this assertion. Gecko accessibility exposes the protected state when a textarea has type="password", but type="password" is meaningless on a textarea. HTMLTextFieldAccessible::NativeState needs to be a bit smarter about this check.

Blocks: statea11y
Severity: -- → S4

<textarea type="password"> isn't a thing.
However, we use HTMLTextFieldAccessible for both text <input> and <textarea>, and NativeState() wasn't restricting the password check.
Now, we restrict the password check to <input>.

Assignee: nobody → jteh
Status: NEW → ASSIGNED
Pushed by jteh@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/b1ccb4856549 Don't expose the protected a11y state for <textarea type="password">. r=eeejay
Status: ASSIGNED → RESOLVED
Closed: 3 months ago
Resolution: --- → FIXED
Target Milestone: --- → 134 Branch
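The mismatch described in the comment above, as an added illustration that is not Gecko's code: a constructed model in which the state computation and the value serializer use two different notions of "password field", so the condition behind the debug assertion in Value() is reachable for <textarea type="password"> until the state check is restricted to <input>. The serializer deciding from the DOM is an assumption of this model, not something the bug page states.

```c
#include <stdbool.h>
#include <string.h>

/* Constructed model of two a11y state bits; not Gecko's states.h. */
enum { STATE_EDITABLE = 1u << 0, STATE_PROTECTED = 1u << 1 };

/* A text field as the accessible sees it. */
typedef struct {
  const char *tag;  /* "input" or "textarea" */
  const char *type; /* type attribute, or NULL when absent */
  const char *text; /* current contents */
} TextField;

static bool has_password_type(const TextField *f) {
  return f->type != NULL && strcmp(f->type, "password") == 0;
}

/* Before the fix: any field carrying type="password" is reported PROTECTED,
 * including a <textarea>, where the attribute has no meaning. */
unsigned native_state_before(const TextField *f) {
  unsigned s = STATE_EDITABLE;
  if (has_password_type(f)) s |= STATE_PROTECTED;
  return s;
}

/* After the fix: the password check applies to <input> only. */
unsigned native_state_after(const TextField *f) {
  unsigned s = STATE_EDITABLE;
  if (strcmp(f->tag, "input") == 0 && has_password_type(f)) s |= STATE_PROTECTED;
  return s;
}

/* What the DOM itself treats as a password field: never a <textarea>. */
static bool dom_is_password(const TextField *f) {
  return strcmp(f->tag, "input") == 0 && has_password_type(f);
}

/* Assumed model of a cache serializer: it decides from the DOM whether to
 * read the value, then requires that the a11y state agrees (the invariant
 * the debug assertion in Value() enforces). Returns false on disagreement. */
bool serialize_value(const TextField *f, unsigned (*state)(const TextField *),
                     const char **out) {
  *out = NULL;
  if (dom_is_password(f)) return true;          /* real password: skip value */
  if (state(f) & STATE_PROTECTED) return false; /* state says protected: bug */
  *out = f->text;
  return true;
}
```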

Thanks for the fix

Flags: needinfo?(vincenthilla5)

The patch landed in nightly and beta is affected.
:Jamie, is this bug important enough to require an uplift?

  • If yes, please nominate the patch for beta approval.
  • If no, please set status-firefox133 to wontfix.

For more information, please visit BugBot documentation.

Flags: needinfo?(jteh)

The patch is low risk and covered by a test. However, this bug has existed for many years, the likelihood of some author doing <textarea type="password"> seems low, and the consequences aren't terrible (the user can still access the text even though the field incorrectly reports as a password field).

Flags: in-testsuite? → in-testsuite+

Bug marked as FIXED but still reproduces on mozilla-central 20241105092845-0f235ae77130. If you believe this to be incorrect, please remove the bugmon keyword to prevent further analysis.

Status: RESOLVED → REOPENED
Resolution: FIXED → ---

:jkratzer, could Bugmon be misbehaving here? I don't understand how we could still be hitting this and it's also odd that this is being flagged now (unless there was just a delay in running).

Flags: needinfo?(jkratzer)

:jamie, this is a false positive. I'm not sure exactly what happened here but I cannot reproduce this on tip nor are the fuzzers seeing it anymore.

Status: REOPENED → RESOLVED
Closed: 3 months ago → 1 month ago
Flags: needinfo?(jkratzer)
Resolution: --- → FIXED

Bug marked as FIXED but still reproduces on mozilla-central 20241105092845-0f235ae77130. If you believe this to be incorrect, please remove the bugmon keyword to prevent further analysis.

Status: RESOLVED → REOPENED
Resolution: FIXED → ---
Status: REOPENED → RESOLVED
Closed: 1 month ago → 21 days ago
Resolution: --- → FIXED
Keywords: bugmon

I forgot to remove the bugmon keyword which caused the bot to flip the status of this again. This issue is fixed.
