Open Bug 1929710 Opened 4 months ago Updated 3 months ago

Assertion failure: false (MOZ_ASSERT_UNREACHABLE: Event coalescence killed the accessible), at /builds/worker/checkouts/gecko/accessible/generic/DocAccessible.cpp:2327

Categories: Core :: Disability Access APIs, defect

Tracking Status:
firefox134 --- affected
firefox135 --- affected

People: Reporter: tsmith, Unassigned

References: Blocks 2 open bugs

Details: Keywords: assertion, testcase; Whiteboard: [bugmon:bisected,confirmed]

Attachments: 2 files

Attached file testcase.html

Found while fuzzing m-c 20240907-8a9983896462 (--enable-debug --enable-fuzzing)

To reproduce via Grizzly Replay:

$ pip install fuzzfetch grizzly-framework --upgrade
$ python -m fuzzfetch -d --fuzzing -n firefox
$ python -m grizzly.replay.bugzilla ./firefox/firefox <bugid>

NOTE: The test case uses FuzzingFunctions.garbageCollect() which requires a --enable-fuzzing build.

Assertion failure: false (MOZ_ASSERT_UNREACHABLE: Event coalescence killed the accessible), at /builds/worker/checkouts/gecko/accessible/generic/DocAccessible.cpp:2327

#0 0x7ad12914b913 in mozilla::a11y::DocAccessible::ContentRemoved(mozilla::a11y::LocalAccessible*) /builds/worker/checkouts/gecko/accessible/generic/DocAccessible.cpp:2327:5
#1 0x7ad12914a26d in mozilla::a11y::DocAccessible::PruneOrInsertSubtree(nsIContent*) /builds/worker/checkouts/gecko/accessible/generic/DocAccessible.cpp:1415:7
#2 0x7ad12914a4d5 in mozilla::a11y::DocAccessible::PruneOrInsertSubtree(nsIContent*) /builds/worker/checkouts/gecko/accessible/generic/DocAccessible.cpp:1507:11
#3 0x7ad12914a4d5 in mozilla::a11y::DocAccessible::PruneOrInsertSubtree(nsIContent*) /builds/worker/checkouts/gecko/accessible/generic/DocAccessible.cpp:1507:11
#4 0x7ad1291467d6 in mozilla::a11y::DocAccessible::ContentInserted(nsIContent*, nsIContent*) /builds/worker/checkouts/gecko/accessible/generic/DocAccessible.cpp:1315:9
#5 0x7ad12916b9ce in mozilla::a11y::RootAccessible::ProcessDOMEvent(mozilla::dom::Event*, nsINode*) /builds/worker/checkouts/gecko/accessible/generic/RootAccessible.cpp:269:21
#6 0x7ad129114811 in mozilla::a11y::NotificationController::WillRefresh(mozilla::TimeStamp) /builds/worker/checkouts/gecko/accessible/base/NotificationController.cpp:982:25
#7 0x7ad128aeb9d5 in nsRefreshDriver::TickObserverArray(unsigned int, mozilla::TimeStamp) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:2560:10
#8 0x7ad128ae8142 in nsRefreshDriver::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsRefreshDriver::IsExtraTick) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:2823:8
#9 0x7ad128af1201 in TickDriver /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:368:13
#10 0x7ad128af1201 in mozilla::RefreshDriverTimer::TickRefreshDrivers(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver>>&) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:346:7
#11 0x7ad128af1100 in mozilla::RefreshDriverTimer::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:362:5
#12 0x7ad128af0f9d in mozilla::VsyncRefreshDriverTimer::RunRefreshDrivers(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:948:5
#13 0x7ad128af02cc in mozilla::VsyncRefreshDriverTimer::TickRefreshDriver(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:858:5
#14 0x7ad128aef659 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsyncTimerOnMainThread() /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:593:14
#15 0x7ad128af1451 in operator() /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:565:23
#16 0x7ad128af1451 in mozilla::detail::RunnableFunction<mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsync(mozilla::VsyncEvent const&)::'lambda'()>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:548:5
#17 0x7ad122ef3767 in mozilla::RunnableTask::Run() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:618:16
#18 0x7ad122ee8fc9 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:945:26
#19 0x7ad122ee7a07 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:768:15
#20 0x7ad122ee7e85 in mozilla::TaskController::ProcessPendingMTTask(bool) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:554:36
#21 0x7ad122ef71a9 in operator() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:271:37
#22 0x7ad122ef71a9 in mozilla::detail::RunnableFunction<mozilla::TaskController::TaskController()::$_1>::Run() /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.h:548:5
#23 0x7ad122f0a9fb in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1155:16
#24 0x7ad122f116df in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:480:10
#25 0x7ad123a992b3 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:107:5
#26 0x7ad1239eb701 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:362:3
#27 0x7ad1239eb701 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:344:3
#28 0x7ad128759238 in nsBaseAppShell::Run() /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:148:27
#29 0x7ad12880b238 in nsAppShell::Run() /builds/worker/checkouts/gecko/widget/gtk/nsAppShell.cpp:469:33
#30 0x7ad1295bb964 in nsAppStartup::Run() /builds/worker/checkouts/gecko/toolkit/components/startup/nsAppStartup.cpp:295:30
#31 0x7ad1296dff8a in XREMain::XRE_mainRun() /builds/worker/checkouts/gecko/toolkit/xre/nsAppRunner.cpp:5789:22
#32 0x7ad1296e1754 in XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&) /builds/worker/checkouts/gecko/toolkit/xre/nsAppRunner.cpp:6024:8
#33 0x7ad1296e25a8 in XRE_main(int, char**, mozilla::BootstrapConfig const&) /builds/worker/checkouts/gecko/toolkit/xre/nsAppRunner.cpp:6097:21
#34 0x5bd4a5792126 in do_main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:232:22
#35 0x5bd4a5792126 in main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:464:16

Attached file prefs.js

prefs.js for bugmon

This has been reported by live site testing.

Verified bug as reproducible on mozilla-central 20241112214908-aef84d293121.
Unable to bisect testcase (Testcase reproduces on start build!):

Start: 0083ca2f4709e599083520545d538d1ee1b8356d (20231115052415)
End: 8a9983896462b75fe2308f51aec174bec95fb17f (20240907214052)
BuildFlags: BuildFlags(asan=False, tsan=False, debug=True, fuzzing=True, coverage=False, valgrind=False, no_opt=False, fuzzilli=False, nyx=False)

Whiteboard: [bugmon:bisected,confirmed]

Marking this an S3 for now, but if we have crash reports from inbox.google.com, that might tip it higher since it's such an important site. cc-ing Jamie who may be interested in this.

Accessibility Severity: --- → s3
Severity: -- → S3
Accessibility Severity: s3 → ---

Testcase crashes using the initial build (mozilla-central 20240907214052-8a9983896462) but not with tip (mozilla-central 20241207091049-78d8afbe5767).

The bug appears to have been fixed in the following build range:

Start: d3050805adf87151b0cab7b3dae7d6154163e1a4 (20241203211122)
End: 02fd9c8f6a49cdcedca3523dd32a414a0efd1f3c (20241203223915)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=d3050805adf87151b0cab7b3dae7d6154163e1a4&tochange=02fd9c8f6a49cdcedca3523dd32a414a0efd1f3c

tsmith, can you confirm that the above bisection range is responsible for fixing this issue?
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Flags: needinfo?(twsmith)
Keywords: bugmon

I'm still able to reproduce the issue with m-c 20241217-10fe3e4fee81. I'm guessing this was a bugmon hiccup.

Flags: needinfo?(twsmith)