Found while fuzzing m-c 20210522-f2d7667fc838 (--enable-debug --enable-fuzzing)

Assertion failure: origContainer == prevChild->LocalParent() (Broken tree), at src/accessible/generic/DocAccessible.cpp:2484

#0 0x7f57de0ba2b4 in mozilla::a11y::DocAccessible::PutChildrenBack(nsTArray<RefPtr<mozilla::a11y::LocalAccessible> >*, unsigned int) src//accessible/generic/DocAccessible.cpp:2483:11
#1 0x7f57de0b9adc in mozilla::a11y::DocAccessible::DoARIAOwnsRelocation(mozilla::a11y::LocalAccessible*) src//accessible/generic/DocAccessible.cpp:2442:3
#2 0x7f57de055d99 in mozilla::a11y::NotificationController::WillRefresh(mozilla::TimeStamp) src//accessible/base/NotificationController.cpp:828:18
#3 0x7f57dac357e9 in nsRefreshDriver::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsRefreshDriver::IsExtraTick) src//layout/base/nsRefreshDriver.cpp:2195:12
#4 0x7f57dac42217 in TickDriver src//layout/base/nsRefreshDriver.cpp:346:13
#5 0x7f57dac42217 in mozilla::RefreshDriverTimer::TickRefreshDrivers(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver> >&) src//layout/base/nsRefreshDriver.cpp:324:7
#6 0x7f57dac41f7d in mozilla::RefreshDriverTimer::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) src//layout/base/nsRefreshDriver.cpp:340:5
#7 0x7f57dac41d05 in mozilla::VsyncRefreshDriverTimer::RunRefreshDrivers(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) src//layout/base/nsRefreshDriver.cpp:773:5
#8 0x7f57dac4130f in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::TickRefreshDriver(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) src//layout/base/nsRefreshDriver.cpp:702:16
#9 0x7f57dac408c9 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyParentProcessVsync() src//layout/base/nsRefreshDriver.cpp:615:7
#10 0x7f57dac40041 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsync(mozilla::VsyncEvent const&) src//layout/base/nsRefreshDriver.cpp:536:9
#11 0x7f57d9e9c057 in mozilla::dom::VsyncChild::RecvNotify(mozilla::VsyncEvent const&, float const&) src//dom/ipc/VsyncChild.cpp:68:15
#12 0x7f57d4954e0c in mozilla::dom::PVsyncChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PVsyncChild.cpp:178:54
#13 0x7f57d4592626 in mozilla::ipc::PBackgroundChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PBackgroundChild.cpp:6008:32
#14 0x7f57d3fd732a in mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&) src//ipc/glue/MessageChannel.cpp:2155:25
#15 0x7f57d3fd3a58 in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&) src//ipc/glue/MessageChannel.cpp:2079:9
#16 0x7f57d3fd53b5 in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::MessageChannel::MessageTask&) src//ipc/glue/MessageChannel.cpp:1924:3
#17 0x7f57d3fd5f1b in mozilla::ipc::MessageChannel::MessageTask::Run() src//ipc/glue/MessageChannel.cpp:1955:13
#18 0x7f57d2e3e822 in mozilla::RunnableTask::Run() src//xpcom/threads/TaskController.cpp:482:16
#19 0x7f57d2e0b240 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) src//xpcom/threads/TaskController.cpp:766:26
#20 0x7f57d2e08d47 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) src//xpcom/threads/TaskController.cpp:621:15
#21 0x7f57d2e0919d in mozilla::TaskController::ProcessPendingMTTask(bool) src//xpcom/threads/TaskController.cpp:405:36
#22 0x7f57d2e48861 in operator() src//xpcom/threads/TaskController.cpp:138:37
#23 0x7f57d2e48861 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_0>::Run() src//xpcom/threads/nsThreadUtils.h:534:5
#24 0x7f57d2e25b98 in nsThread::ProcessNextEvent(bool, bool*) src//xpcom/threads/nsThread.cpp:1159:16
#25 0x7f57d2e3094c in NS_ProcessNextEvent(nsIThread*, bool) src//xpcom/threads/nsThreadUtils.cpp:548:10
#26 0x7f57d3fdeaaf in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) src//ipc/glue/MessagePump.cpp:85:21
#27 0x7f57d3ee6cd1 in RunInternal src//ipc/chromium/src/base/message_loop.cc:335:10
#28 0x7f57d3ee6cd1 in RunHandler src//ipc/chromium/src/base/message_loop.cc:328:3
#29 0x7f57d3ee6cd1 in MessageLoop::Run() src//ipc/chromium/src/base/message_loop.cc:310:3
#30 0x7f57da750697 in nsBaseAppShell::Run() src//widget/nsBaseAppShell.cpp:137:27
#31 0x7f57de9918ef in XRE_RunAppShell() src//toolkit/xre/nsEmbedFunctions.cpp:911:20
#32 0x7f57d3ee6cd1 in RunInternal src//ipc/chromium/src/base/message_loop.cc:335:10
#33 0x7f57d3ee6cd1 in RunHandler src//ipc/chromium/src/base/message_loop.cc:328:3
#34 0x7f57d3ee6cd1 in MessageLoop::Run() src//ipc/chromium/src/base/message_loop.cc:310:3
#35 0x7f57de9912c8 in XRE_InitChildProcess(int, char**, XREChildData const*) src//toolkit/xre/nsEmbedFunctions.cpp:743:34
#36 0x556f75f7974d in content_process_main(mozilla::Bootstrap*, int, char**) src//browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
#37 0x556f75f79b7d in main src//browser/app/nsBrowserApp.cpp:313:18
#38 0x7f57f46090b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
#39 0x556f75ecaa49 in _start (/home/worker/builds/m-c-20210522093129-fuzzing-asan-opt/firefox+0x5ba49)

A Pernosco session is available here: https://pernos.co/debug/pewakA70cptTJtYW6aSICg/index.html

Bugmon Analysis
Verified bug as reproducible on mozilla-central 20221017150207-3bda8bf14d80.
Unable to bisect testcase (failed to find build near f2d7667fc838)

I guess this was critical/S2 by default as it was filed as a crash, but it's not actually that severe.

Adding prefs.js for bugmon

Bugmon was unable reproduce this issue.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

A change to the Taskcluster build definitions over the weekend caused Bugmon to fail when reproducing issues. This issue has been corrected. Re-enabling bugmon.

It's probably worth re-testing this now that the work of Bug 1455416 and its follow-on issues has been completed. I reworked that code a fair amount recently. Testing locally I'm not able to get it to fail, but I might be doing things wrong.

I was able to successfully reproduce the issue with m-c 20230616-2d1b642cb391 on Ubuntu 22.04.

To reproduce via Grizzly Replay:

$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch -d --fuzzing -n firefox
$ python -m grizzly.replay ./firefox/firefox testcase.html -p prefs.js

Testcase crashes using the initial build (mozilla-central 20230617092009-29e4ffb2c397) but not with tip (mozilla-central 20240614204945-97bce31758a5.)

The bug appears to have been fixed in the following build range:

Start: 369d5331352d27705546143e21e194b8cd88b5be (20240604094831)
End: 179b4068029ab78efe95cf160bf4d13026349a4d (20240604104127)
Pushlog: https://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=369d5331352d27705546143e21e194b8cd88b5be&tochange=179b4068029ab78efe95cf160bf4d13026349a4d

tsmith, can you confirm that the above bisection range is responsible for fixing this issue?
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.