2036141 - Assertion failure: aBounds.IsZeroArea(), at accessible/base/TextLeafRange.cpp:2224

Status: NEW

(Core :: Disability Access APIs, defect)

Description

[Tyson Smith [:tsmith]]

Attachment: testcase.html

Found while fuzzing m-c 20260403-a7aeacfbb1b3 (--enable-debug --enable-fuzzing)

To reproduce via Grizzly Replay:

$ pip install fuzzfetch grizzly-framework --upgrade
$ python -m fuzzfetch -d --fuzzing -n firefox
$ python -m grizzly.replay.bugzilla ./firefox/firefox <bugid>

Assertion failure: aBounds.IsZeroArea(), at accessible/base/TextLeafRange.cpp:2224

#0 0x79c1c541f8ce in MOZ_CrashSequence /builds/worker/workspace/obj-build/dist/include/mozilla/Assertions.h:235:3
#1 0x79c1c541f8ce in operator() /builds/worker/workspace/obj-build/accessible/base/./../../../../checkouts/gecko/accessible/base/TextLeafRange.cpp:2224:5
#2 0x79c1c541f8ce in mozilla::a11y::TextLeafPoint::CharBounds() const /builds/worker/workspace/obj-build/accessible/base/./../../../../checkouts/gecko/accessible/base/TextLeafRange.cpp:2260:5
#3 0x79c1c5460090 in mozilla::a11y::HyperTextAccessible::GetCaretRect() /builds/worker/workspace/obj-build/accessible/generic/./../../../../checkouts/gecko/accessible/generic/HyperTextAccessible.cpp:657:45
#4 0x79c1c5485c03 in mozilla::a11y::DocAccessibleChild::GetCaretRectForIPCEvent(mozilla::a11y::LocalAccessible*) /builds/worker/workspace/obj-build/accessible/ipc/./../../../../checkouts/gecko/accessible/ipc/DocAccessibleChild.cpp:397:31
#5 0x79c1c544d576 in mozilla::a11y::LocalAccessible::HandleAccEvent(mozilla::a11y::AccEvent*) /builds/worker/workspace/obj-build/accessible/generic/./../../../../checkouts/gecko/accessible/generic/LocalAccessible.cpp:922:15
#6 0x79c1c54132b8 in nsEventShell::FireEvent(mozilla::a11y::AccEvent*) /builds/worker/workspace/obj-build/accessible/base/./../../../../checkouts/gecko/accessible/base/nsEventShell.cpp:45:15
#7 0x79c1c5415c87 in mozilla::a11y::SelectionManager::ProcessTextSelChangeEvent(mozilla::a11y::AccEvent*) /builds/worker/workspace/obj-build/accessible/base/./../../../../checkouts/gecko/accessible/base/SelectionManager.cpp:161:5
#8 0x79c1c5402c1f in mozilla::a11y::EventQueue::ProcessEventQueue() /builds/worker/workspace/obj-build/accessible/base/./../../../../checkouts/gecko/accessible/base/EventQueue.cpp:444:23
#9 0x79c1c5414077 in mozilla::a11y::NotificationController::WillRefresh(mozilla::TimeStamp) /builds/worker/workspace/obj-build/accessible/base/./../../../../checkouts/gecko/accessible/base/NotificationController.cpp:1042:3
#10 0x79c1c4dfe2c5 in nsRefreshDriver::TickObserverArray(unsigned int, mozilla::TimeStamp) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:2254:10
#11 0x79c1c4dfc736 in nsRefreshDriver::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsRefreshDriver::IsExtraTick) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:2550:8
#12 0x79c1c4e06221 in TickDriver /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:364:13
#13 0x79c1c4e06221 in mozilla::RefreshDriverTimer::TickRefreshDrivers(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver>>&) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:342:7
#14 0x79c1c4e06120 in mozilla::RefreshDriverTimer::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:358:5
#15 0x79c1c4e05fcd in mozilla::VsyncRefreshDriverTimer::RunRefreshDrivers(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:948:5
#16 0x79c1c4e0556a in mozilla::VsyncRefreshDriverTimer::TickRefreshDriver(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:858:5
#17 0x79c1c4e04a56 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsyncTimerOnMainThread() /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:589:14
#18 0x79c1c41459cb in mozilla::dom::VsyncMainChild::RecvNotify(mozilla::VsyncEvent const&, float const&) /builds/worker/checkouts/gecko/dom/ipc/VsyncMainChild.cpp:64:15
#19 0x79c1c43c2f59 in mozilla::dom::PVsyncChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/dom/ipc/./../../ipc/ipdl/PVsyncChild.cpp:229:78
#20 0x79c1bf757722 in mozilla::ipc::PBackgroundChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/glue/./../ipdl/PBackgroundChild.cpp:4942:32
#21 0x79c1bf6f5e8e in mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&) /builds/worker/workspace/obj-build/ipc/glue/./../../../../checkouts/gecko/ipc/glue/MessageChannel.cpp:1798:25
#22 0x79c1bf6f3404 in mozilla::ipc::MessageChannel::DispatchMessage(mozilla::ipc::ActorLifecycleProxy*, std::unique_ptr<IPC::Message, std::default_delete<IPC::Message>>) /builds/worker/workspace/obj-build/ipc/glue/./../../../../checkouts/gecko/ipc/glue/MessageChannel.cpp:1724:9
#23 0x79c1bf6f3e17 in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::ActorLifecycleProxy*, mozilla::ipc::MessageChannel::MessageTask&) /builds/worker/workspace/obj-build/ipc/glue/./../../../../checkouts/gecko/ipc/glue/MessageChannel.cpp:1513:3
#24 0x79c1bf6f4df9 in mozilla::ipc::MessageChannel::MessageTask::Run() /builds/worker/workspace/obj-build/ipc/glue/./../../../../checkouts/gecko/ipc/glue/MessageChannel.cpp:1615:14
#25 0x79c1beafe7b7 in mozilla::RunnableTask::Run() /builds/worker/workspace/obj-build/xpcom/threads/./../../../../checkouts/gecko/xpcom/threads/TaskController.cpp:719:16
#26 0x79c1beafcb52 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/workspace/obj-build/xpcom/threads/./../../../../checkouts/gecko/xpcom/threads/TaskController.cpp:1358:20
#27 0x79c1beafb7d7 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/workspace/obj-build/xpcom/threads/./../../../../checkouts/gecko/xpcom/threads/TaskController.cpp:1181:15
#28 0x79c1beafbc55 in mozilla::TaskController::ProcessPendingMTTask(bool) /builds/worker/workspace/obj-build/xpcom/threads/./../../../../checkouts/gecko/xpcom/threads/TaskController.cpp:655:36
#29 0x79c1beb072c6 in operator() /builds/worker/workspace/obj-build/xpcom/threads/./../../../../checkouts/gecko/xpcom/threads/TaskController.cpp:347:37
#30 0x79c1beb072c6 in mozilla::detail::RunnableFunction<mozilla::TaskController::TaskController()::$_0>::Run() /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.h:547:5
#31 0x79c1beb1bff3 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/obj-build/xpcom/threads/./../../../../checkouts/gecko/xpcom/threads/nsThread.cpp:1179:16
#32 0x79c1beb21c6f in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/obj-build/xpcom/threads/./../../../../checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:465:10
#33 0x79c1bf6fbd97 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/workspace/obj-build/ipc/glue/./../../../../checkouts/gecko/ipc/glue/MessagePump.cpp:83:21
#34 0x79c1bf6548d1 in RunHandler /builds/worker/workspace/obj-build/ipc/chromium/./../../../../checkouts/gecko/ipc/chromium/src/base/message_loop.cc:364:3
#35 0x79c1bf6548d1 in MessageLoop::Run() /builds/worker/workspace/obj-build/ipc/chromium/./../../../../checkouts/gecko/ipc/chromium/src/base/message_loop.cc:346:3
#36 0x79c1c49ebca8 in nsBaseAppShell::Run() /builds/worker/workspace/obj-build/widget/./../../../checkouts/gecko/widget/nsBaseAppShell.cpp:151:27
#37 0x79c1c4ab9034 in nsAppShell::Run() /builds/worker/workspace/obj-build/widget/gtk/./../../../../checkouts/gecko/widget/gtk/nsAppShell.cpp:553:33
#38 0x79c1c5b235cb in XRE_RunAppShell() /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:652:20
#39 0x79c1bf6fcc44 in mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) /builds/worker/workspace/obj-build/ipc/glue/./../../../../checkouts/gecko/ipc/glue/MessagePump.cpp:233:9
#40 0x79c1bf6548d1 in RunHandler /builds/worker/workspace/obj-build/ipc/chromium/./../../../../checkouts/gecko/ipc/chromium/src/base/message_loop.cc:364:3
#41 0x79c1bf6548d1 in MessageLoop::Run() /builds/worker/workspace/obj-build/ipc/chromium/./../../../../checkouts/gecko/ipc/chromium/src/base/message_loop.cc:346:3
#42 0x79c1c5b22d26 in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:590:34
#43 0x6333097181ec in main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:466:22

Comment 1

[Tyson Smith [:tsmith]]

Attachment: prefs.js

Comment 2

[Bugmon [:jkratzer for issues]]

Verified bug as reproducible on mozilla-central 20260430212929-d0c43f211001.
The bug appears to have been introduced in the following build range:

Start: 5fd74ae493296584f2c24194b3fcb2122cf4740b (20250715215327)
End: ed7dbc4874644390416e9cc1577583cf895dbfaf (20250716001646)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=5fd74ae493296584f2c24194b3fcb2122cf4740b&tochange=ed7dbc4874644390416e9cc1577583cf895dbfaf

Comment 3

[BugBot [:suhaib / :marco/ :calixte]]

Set release status flags based on info from the regressing bug 1966812

:eeejay, since you are the author of the regressor, bug 1966812, could you take a look?

For more information, please visit BugBot documentation.