Open
Bug 2011050
Opened 3 months ago
Updated 2 months ago
Assertion failure: owned->SafeElementAt(idx) != child (Already in place!), at /accessible/generic/DocAccessible.cpp:2733
Categories
(Core :: Disability Access APIs, defect)
Tracking
()
NEW
People
(Reporter: jkratzer, Unassigned)
References
(Blocks 2 open bugs)
Details
(Keywords: bugmon, testcase, Whiteboard: [bugmon:bisected,confirmed])
Attachments
(1 file)
4.43 KB, application/zip
Testcase found while fuzzing mozilla-central rev 79c680d8be01 (built with: --enable-debug --enable-fuzzing).
Testcase can be reproduced using the following commands:
$ pip install fuzzfetch grizzly-framework pipx --upgrade
$ python -m pipx ensurepath
$ fuzzfetch --build 79c680d8be01 --debug --fuzzing -n firefox
$ grizzly-replay-bugzilla ./firefox/firefox <bugid>
Assertion failure: owned->SafeElementAt(idx) != child (Already in place!), at /accessible/generic/DocAccessible.cpp:2733
==1515931==ERROR: UndefinedBehaviorSanitizer: SEGV on unknown address 0x000000000000 (pc 0x76b9bf5a26e5 bp 0x7fff68ad13b0 sp 0x7fff68ad1290 T1515931)
==1515931==The signal is caused by a WRITE memory access.
==1515931==Hint: address points to the zero page.
#0 0x76b9bf5a26e5 in MOZ_CrashSequence /builds/worker/workspace/obj-build/dist/include/mozilla/Assertions.h:237:3
#1 0x76b9bf5a26e5 in mozilla::a11y::DocAccessible::DoARIAOwnsRelocation(mozilla::a11y::LocalAccessible*) /accessible/generic/DocAccessible.cpp:2733:5
#2 0x76b9bf55a762 in mozilla::a11y::NotificationController::WillRefresh(mozilla::TimeStamp) /accessible/base/NotificationController.cpp:984:18
#3 0x76b9bef2bc05 in nsRefreshDriver::TickObserverArray(unsigned int, mozilla::TimeStamp) /layout/base/nsRefreshDriver.cpp:2252:10
#4 0x76b9bef2a136 in nsRefreshDriver::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsRefreshDriver::IsExtraTick) /layout/base/nsRefreshDriver.cpp:2548:8
#5 0x76b9bef33bf1 in TickDriver /layout/base/nsRefreshDriver.cpp:366:13
#6 0x76b9bef33bf1 in mozilla::RefreshDriverTimer::TickRefreshDrivers(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver>>&) /layout/base/nsRefreshDriver.cpp:344:7
#7 0x76b9bef33af0 in mozilla::RefreshDriverTimer::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /layout/base/nsRefreshDriver.cpp:360:5
#8 0x76b9bef3399d in mozilla::VsyncRefreshDriverTimer::RunRefreshDrivers(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /layout/base/nsRefreshDriver.cpp:950:5
#9 0x76b9bef32f3a in mozilla::VsyncRefreshDriverTimer::TickRefreshDriver(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /layout/base/nsRefreshDriver.cpp:860:5
#10 0x76b9bef32426 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsyncTimerOnMainThread() /layout/base/nsRefreshDriver.cpp:591:14
#11 0x76b9be2dc61b in mozilla::dom::VsyncMainChild::RecvNotify(mozilla::VsyncEvent const&, float const&) /dom/ipc/VsyncMainChild.cpp:66:15
#12 0x76b9be55fef9 in mozilla::dom::PVsyncChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PVsyncChild.cpp:229:78
#13 0x76b9b9abb0d2 in mozilla::ipc::PBackgroundChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PBackgroundChild.cpp:5102:32
#14 0x76b9b9a5b0fe in mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&) /ipc/glue/MessageChannel.cpp:1793:25
#15 0x76b9b9a58680 in mozilla::ipc::MessageChannel::DispatchMessage(mozilla::ipc::ActorLifecycleProxy*, std::unique_ptr<IPC::Message, std::default_delete<IPC::Message>>) /ipc/glue/MessageChannel.cpp:1719:9
#16 0x76b9b9a59087 in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::ActorLifecycleProxy*, mozilla::ipc::MessageChannel::MessageTask&) /ipc/glue/MessageChannel.cpp:1508:3
#17 0x76b9b9a5a069 in mozilla::ipc::MessageChannel::MessageTask::Run() /ipc/glue/MessageChannel.cpp:1610:14
#18 0x76b9b8e50577 in mozilla::RunnableTask::Run() /xpcom/threads/TaskController.cpp:705:16
#19 0x76b9b8e4aef4 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /xpcom/threads/TaskController.cpp:1325:20
#20 0x76b9b8e49b77 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /xpcom/threads/TaskController.cpp:1148:15
#21 0x76b9b8e49ff5 in mozilla::TaskController::ProcessPendingMTTask(bool) /xpcom/threads/TaskController.cpp:641:36
#22 0x76b9b8e57459 in operator() /xpcom/threads/TaskController.cpp:336:37
#23 0x76b9b8e57459 in mozilla::detail::RunnableFunction<mozilla::TaskController::TaskController()::$_1>::Run() /xpcom/threads/nsThreadUtils.h:549:5
#24 0x76b9b8e69593 in nsThread::ProcessNextEvent(bool, bool*) /xpcom/threads/nsThread.cpp:1164:16
#25 0x76b9b8e6fe8f in NS_ProcessNextEvent(nsIThread*, bool) /xpcom/threads/nsThreadUtils.cpp:461:10
#26 0x76b9b9a60943 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /ipc/glue/MessagePump.cpp:107:5
#27 0x76b9b99b9ca1 in RunHandler /ipc/chromium/src/base/message_loop.cc:361:3
#28 0x76b9b99b9ca1 in MessageLoop::Run() /ipc/chromium/src/base/message_loop.cc:343:3
#29 0x76b9beb2cdc8 in nsBaseAppShell::Run() /widget/nsBaseAppShell.cpp:152:27
#30 0x76b9bebf88d4 in nsAppShell::Run() /widget/gtk/nsAppShell.cpp:555:33
#31 0x76b9bfc4482b in XRE_RunAppShell() /toolkit/xre/nsEmbedFunctions.cpp:656:20
#32 0x76b9b9a61834 in mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) /ipc/glue/MessagePump.cpp:235:9
#33 0x76b9b99b9ca1 in RunHandler /ipc/chromium/src/base/message_loop.cc:361:3
#34 0x76b9b99b9ca1 in MessageLoop::Run() /ipc/chromium/src/base/message_loop.cc:343:3
#35 0x76b9bfc43f81 in XRE_InitChildProcess(int, char**, XREChildData const*) /toolkit/xre/nsEmbedFunctions.cpp:594:34
#36 0x6505c6e6f0ac in main /browser/app/nsBrowserApp.cpp:465:22
#37 0x76b9ca22a1c9 in __libc_start_call_main ./csu/../sysdeps/nptl/libc_start_call_main.h:58:16
#38 0x76b9ca22a28a in __libc_start_main ./csu/../csu/libc-start.c:360:3
#39 0x6505c6e42f08 in _start ??:0:0
==1515931==Register values:
rax = 0x0000000000000000 rbx = 0x00006505ee0b2760 rcx = 0x0000000000000aad rdx = 0x000076b9ca404563
rdi = 0x000076b9ca405700 rsi = 0x0000000000000000 rbp = 0x00007fff68ad13b0 rsp = 0x00007fff68ad1290
r8 = 0x0000000000000000 r9 = 0x0000000000000003 r10 = 0x0000000000000002 r11 = 0x0000000000000293
r12 = 0x00006505ee0683c0 r13 = 0x00006505edc47120 r14 = 0x0000000000000000 r15 = 0x00006505edbf56a0
UndefinedBehaviorSanitizer can not provide additional info.
SUMMARY: UndefinedBehaviorSanitizer: SEGV (/home/jkratzer/builds/m-c-20260116093521-fuzzing-debug/libxul.so+0xb1a26e5) (BuildId: c5819ec3ac3605372d2a80ac1c385b424eea0c96)
==1515931==ABORTING
Comment 1 (Reporter) • 3 months ago
Comment 2 • 2 months ago
Verified bug as reproducible on mozilla-central 20260118214518-cd28f573b791.
Unable to bisect testcase (Testcase reproduces on start build!):
Start: a54625216170e0a916a37e58da2ca5c1145183d6 (20250120214839)
End: 79c680d8be019bcf496f4becc9cc7d18de3d817d (20260116093521)
BuildFlags: BuildFlags(asan=False, tsan=False, debug=True, fuzzing=True, coverage=False, valgrind=False, no_opt=False, fuzzilli=False, nyx=False, searchfox=False, afl=False)
Whiteboard: [bugmon:confirm] → [bugmon:bisected,confirmed]