1991451 - Assertion failure: domRange == *domRanges.rbegin(), at /accessible/base/TextLeafRange.cpp:1948

Status: NEW

(Core :: Disability Access APIs, defect)

Description

[Jason Kratzer [:jkratzer]]

Testcase found while fuzzing mozilla-central rev 2dfd502d8f50 (built with: --enable-debug --enable-fuzzing).

Testcase can be reproduced using the following commands:

$ pip install fuzzfetch grizzly-framework --upgrade
$ python -m fuzzfetch --build 2dfd502d8f50 --debug --fuzzing  -n firefox
$ python -m grizzly.replay.bugzilla ./firefox/firefox <bugid>

Assertion failure: domRange == *domRanges.rbegin(), at /accessible/base/TextLeafRange.cpp:1948

    ==66624==ERROR: UndefinedBehaviorSanitizer: SEGV on unknown address 0x000000000000 (pc 0x73a7ac7f3ef0 bp 0x7ffcd11ebef0 sp 0x7ffcd11ebe80 T66624)
    ==66624==The signal is caused by a WRITE memory access.
    ==66624==Hint: address points to the zero page.
        #0 0x73a7ac7f3ef0 in MOZ_CrashSequence /builds/worker/workspace/obj-build/dist/include/mozilla/Assertions.h:238:3
        #1 0x73a7ac7f3ef0 in mozilla::a11y::TextLeafPoint::GetTextOffsetAttributes(mozilla::a11y::LocalAccessible*) /accessible/base/TextLeafRange.cpp:1948:9
        #2 0x73a7ac823c9f in mozilla::a11y::LocalAccessible::BundleFieldsForCache(unsigned long, mozilla::a11y::CacheUpdateType, unsigned long) /accessible/generic/LocalAccessible.cpp:3791:24
        #3 0x73a7ac850a20 in mozilla::a11y::DocAccessibleChild::SerializeAcc(mozilla::a11y::LocalAccessible*) /accessible/ipc/DocAccessibleChild.cpp:71:20
        #4 0x73a7ac85115a in mozilla::a11y::DocAccessibleChild::InsertIntoIpcTree(mozilla::a11y::LocalAccessible*, bool) /accessible/ipc/DocAccessibleChild.cpp:116:24
        #5 0x73a7ac8517a2 in mozilla::a11y::DocAccessibleChild::ShowEvent(mozilla::a11y::AccShowEvent*) /accessible/ipc/DocAccessibleChild.cpp:137:3
        #6 0x73a7ac81dfc9 in mozilla::a11y::LocalAccessible::HandleAccEvent(mozilla::a11y::AccEvent*) /accessible/generic/LocalAccessible.cpp:894:19
        #7 0x73a7ac7e7902 in nsEventShell::FireEvent(mozilla::a11y::AccEvent*) /accessible/base/nsEventShell.cpp:46:15
        #8 0x73a7ac7e71c3 in mozilla::a11y::NotificationController::ProcessMutationEvents() /accessible/base/NotificationController.cpp:615:7
        #9 0x73a7ac7e86a5 in mozilla::a11y::NotificationController::WillRefresh(mozilla::TimeStamp) /accessible/base/NotificationController.cpp:1025:3
        #10 0x73a7ac1cc675 in nsRefreshDriver::TickObserverArray(unsigned int, mozilla::TimeStamp) /layout/base/nsRefreshDriver.cpp:2261:10
        #11 0x73a7ac1cab64 in nsRefreshDriver::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsRefreshDriver::IsExtraTick) /layout/base/nsRefreshDriver.cpp:2551:8
        #12 0x73a7ac1d4381 in TickDriver /layout/base/nsRefreshDriver.cpp:371:13
        #13 0x73a7ac1d4381 in mozilla::RefreshDriverTimer::TickRefreshDrivers(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver>>&) /layout/base/nsRefreshDriver.cpp:349:7
        #14 0x73a7ac1d4280 in mozilla::RefreshDriverTimer::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /layout/base/nsRefreshDriver.cpp:365:5
        #15 0x73a7ac1d412d in mozilla::VsyncRefreshDriverTimer::RunRefreshDrivers(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /layout/base/nsRefreshDriver.cpp:955:5
        #16 0x73a7ac1d36ca in mozilla::VsyncRefreshDriverTimer::TickRefreshDriver(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /layout/base/nsRefreshDriver.cpp:865:5
        #17 0x73a7ac1d2bc6 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsyncTimerOnMainThread() /layout/base/nsRefreshDriver.cpp:596:14
        #18 0x73a7ab5a43ab in mozilla::dom::VsyncMainChild::RecvNotify(mozilla::VsyncEvent const&, float const&) /dom/ipc/VsyncMainChild.cpp:66:15
        #19 0x73a7ab824d2d in mozilla::dom::PVsyncChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PVsyncChild.cpp:229:78
        #20 0x73a7a6f933b2 in mozilla::ipc::PBackgroundChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PBackgroundChild.cpp:5097:32
        #21 0x73a7a6f337be in mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&) /ipc/glue/MessageChannel.cpp:1797:25
        #22 0x73a7a6f30d40 in mozilla::ipc::MessageChannel::DispatchMessage(mozilla::ipc::ActorLifecycleProxy*, std::unique_ptr<IPC::Message, std::default_delete<IPC::Message>>) /ipc/glue/MessageChannel.cpp:1723:9
        #23 0x73a7a6f31747 in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::ActorLifecycleProxy*, mozilla::ipc::MessageChannel::MessageTask&) /ipc/glue/MessageChannel.cpp:1512:3
        #24 0x73a7a6f32729 in mozilla::ipc::MessageChannel::MessageTask::Run() /ipc/glue/MessageChannel.cpp:1614:14
        #25 0x73a7a6340d37 in mozilla::RunnableTask::Run() /xpcom/threads/TaskController.cpp:705:16
        #26 0x73a7a633b617 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /xpcom/threads/TaskController.cpp:1325:20
        #27 0x73a7a633a2c7 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /xpcom/threads/TaskController.cpp:1148:15
        #28 0x73a7a633a745 in mozilla::TaskController::ProcessPendingMTTask(bool) /xpcom/threads/TaskController.cpp:641:36
        #29 0x73a7a63476a6 in operator() /xpcom/threads/TaskController.cpp:333:37
        #30 0x73a7a63476a6 in mozilla::detail::RunnableFunction<mozilla::TaskController::TaskController()::$_0>::Run() /xpcom/threads/nsThreadUtils.h:549:5
        #31 0x73a7a6359823 in nsThread::ProcessNextEvent(bool, bool*) /xpcom/threads/nsThread.cpp:1157:16
        #32 0x73a7a63600df in NS_ProcessNextEvent(nsIThread*, bool) /xpcom/threads/nsThreadUtils.cpp:462:10
        #33 0x73a7a6f390d7 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /ipc/glue/MessagePump.cpp:85:21
        #34 0x73a7a6e93441 in RunHandler /ipc/chromium/src/base/message_loop.cc:361:3
        #35 0x73a7a6e93441 in MessageLoop::Run() /ipc/chromium/src/base/message_loop.cc:343:3
        #36 0x73a7abdd8e18 in nsBaseAppShell::Run() /widget/nsBaseAppShell.cpp:148:27
        #37 0x73a7abea4b84 in nsAppShell::Run() /widget/gtk/nsAppShell.cpp:471:33
        #38 0x73a7aceb0e9b in XRE_RunAppShell() /toolkit/xre/nsEmbedFunctions.cpp:657:20
        #39 0x73a7a6f39f84 in mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) /ipc/glue/MessagePump.cpp:235:9
        #40 0x73a7a6e93441 in RunHandler /ipc/chromium/src/base/message_loop.cc:361:3
        #41 0x73a7a6e93441 in MessageLoop::Run() /ipc/chromium/src/base/message_loop.cc:343:3
        #42 0x73a7aceb05f1 in XRE_InitChildProcess(int, char**, XREChildData const*) /toolkit/xre/nsEmbedFunctions.cpp:595:34
        #43 0x64b53af6605c in main /browser/app/nsBrowserApp.cpp:420:22
        #44 0x73a7b72571c9 in __libc_start_call_main ./csu/../sysdeps/nptl/libc_start_call_main.h:58:16
        #45 0x73a7b725728a in __libc_start_main ./csu/../csu/libc-start.c:360:3
        #46 0x64b53af39898 in _start ??:0:0
    
    ==66624==Register values:
    rax = 0x0000000000000000  rbx = 0x000064b55d9beca8  rcx = 0x000000000000079c  rdx = 0x000073a7b7431563
    rdi = 0x000073a7b7432700  rsi = 0x0000000000000000  rbp = 0x00007ffcd11ebef0  rsp = 0x00007ffcd11ebe80
     r8 = 0x0000000000000000   r9 = 0x0000000000000003  r10 = 0x0000000000000000  r11 = 0x0000000000000293
    r12 = 0x0000000000000002  r13 = 0x0000000000000000  r14 = 0x000064b55d3da3b0  r15 = 0x000064b55d83bc38
    UndefinedBehaviorSanitizer can not provide additional info.
    SUMMARY: UndefinedBehaviorSanitizer: SEGV (/home/jkratzer/builds/m-c-20250929081533-fuzzing-debug/libxul.so+0xa7d6ef0) (BuildId: 83bad32a41ab9caec670e0e2c425a87b8d770e58)
    ==66624==ABORTING

Comment 1

[Jason Kratzer [:jkratzer]]

Attachment: Testcase

Comment 2

[Bugmon [:jkratzer for issues]]

Verified bug as reproducible on mozilla-central 20250929081533-2dfd502d8f50.
The bug appears to have been introduced in the following build range:

Start: 30aa94561355b435455f4aeae6f54c745d484eb7 (20250210093546)
End: 53c2f68b34286aa7043545e8af2f5a43f76e78c6 (20250210104807)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=30aa94561355b435455f4aeae6f54c745d484eb7&tochange=53c2f68b34286aa7043545e8af2f5a43f76e78c6

Comment 3

[BugBot [:suhaib / :marco/ :calixte]]

Set release status flags based on info from the regressing bug 1909142

:Jamie, since you are the author of the regressor, bug 1909142, could you take a look? Also, could you set the severity field?

For more information, please visit BugBot documentation.

Comment 4

[James Teh [:Jamie]]

I don't really understand what's going on here. However, it doesn't seem to have any user observable impact.

Comment 5

[Bugmon [:jkratzer for issues]]

Successfully recorded a pernosco session. A link to the pernosco session will be added here shortly.

Comment 6

[Bugmon [:jkratzer for issues]]

A pernosco session for this bug can be found here.

Comment 7

[BugBot [:suhaib / :marco/ :calixte]]

Set release status flags based on info from the regressing bug 1909142

Comment 8

[Bugmon [:jkratzer for issues]]

Testcase crashes using the initial build (mozilla-central 20250929081533-2dfd502d8f50) but not with tip (mozilla-central 20251129091101-5d9afcd27956.)

The bug appears to have been fixed in the following build range:

Start: 10798ba795f6d1118ad18053e74d640ceefe7f69 (20251121175010)
End: 1c73ec2b970cfd10424aa988c50c2876f5d39b84 (20251121191147)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=10798ba795f6d1118ad18053e74d640ceefe7f69&tochange=1c73ec2b970cfd10424aa988c50c2876f5d39b84

jkratzer, can you confirm that the above bisection range is responsible for fixing this issue?
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Comment 9

[Jason Kratzer [:jkratzer]]

:eeejay, could this have been fixed by bug 1998242?