Found while fuzzing m-c 20230503-f99ee8082b68 (--enable-debug --enable-fuzzing)

To reproduce via Grizzly Replay:

$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch -d --fuzzing -n firefox
$ python -m grizzly.replay ./firefox/firefox testcase.html --xvfb

Note: Using --xvfb will run the test in a consistent manner and will make reproducing the issue more reliable.

Assertion failure: owned->SafeElementAt(idx) != child (Already in place!), at /builds/worker/checkouts/gecko/accessible/generic/DocAccessible.cpp:2318

#0 0x7f50592442af in mozilla::a11y::DocAccessible::DoARIAOwnsRelocation(mozilla::a11y::LocalAccessible*) /builds/worker/checkouts/gecko/accessible/generic/DocAccessible.cpp:2318:5
#1 0x7f50591f4221 in mozilla::a11y::NotificationController::WillRefresh(mozilla::TimeStamp) /builds/worker/checkouts/gecko/accessible/base/NotificationController.cpp:896:18
#2 0x7f50579d5080 in nsRefreshDriver::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsRefreshDriver::IsExtraTick) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:2568:12
#3 0x7f50579defbd in TickDriver /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:373:13
#4 0x7f50579defbd in mozilla::RefreshDriverTimer::TickRefreshDrivers(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver>>&) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:351:7
#5 0x7f50579deec0 in mozilla::RefreshDriverTimer::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:367:5
#6 0x7f50579ded9d in mozilla::VsyncRefreshDriverTimer::RunRefreshDrivers(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:911:5
#7 0x7f50579de156 in mozilla::VsyncRefreshDriverTimer::TickRefreshDriver(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:825:5
#8 0x7f50579dd419 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsyncTimerOnMainThread() /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:592:14
#9 0x7f5056de42cb in mozilla::dom::VsyncMainChild::RecvNotify(mozilla::VsyncEvent const&, float const&) /builds/worker/checkouts/gecko/dom/ipc/VsyncMainChild.cpp:66:15
#10 0x7f50570a6cfe in mozilla::dom::PVsyncChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PVsyncChild.cpp:220:78
#11 0x7f5053034d21 in mozilla::ipc::PBackgroundChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PBackgroundChild.cpp:6230:32
#12 0x7f5052fca0ff in mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1799:25
#13 0x7f5052fc6db2 in mozilla::ipc::MessageChannel::DispatchMessage(mozilla::ipc::ActorLifecycleProxy*, mozilla::UniquePtr<IPC::Message, mozilla::DefaultDelete<IPC::Message>>) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1724:9
#14 0x7f5052fc78e4 in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::ActorLifecycleProxy*, mozilla::ipc::MessageChannel::MessageTask&) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1524:3
#15 0x7f5052fc8c0f in mozilla::ipc::MessageChannel::MessageTask::Run() /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1622:14
#16 0x7f5052364437 in mozilla::RunnableTask::Run() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:555:16
#17 0x7f505235f63a in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:879:26
#18 0x7f505235e117 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:702:15
#19 0x7f505235e495 in mozilla::TaskController::ProcessPendingMTTask(bool) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:491:36
#20 0x7f5052367a59 in operator() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:221:37
#21 0x7f5052367a59 in mozilla::detail::RunnableFunction<mozilla::TaskController::TaskController()::$_1>::Run() /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.h:548:5
#22 0x7f505237dd7a in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1240:16
#23 0x7f505238439d in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:479:10
#24 0x7f5052fd0053 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:107:5
#25 0x7f5052ef1a11 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:361:3
#26 0x7f5052ef1a11 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:343:3
#27 0x7f5057657e88 in nsBaseAppShell::Run() /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:148:27
#28 0x7f50598ac96b in XRE_RunAppShell() /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:724:20
#29 0x7f5052fd0f56 in mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:235:9
#30 0x7f5052ef1a11 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:361:3
#31 0x7f5052ef1a11 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:343:3
#32 0x7f50598ac232 in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:659:34
#33 0x55c69c7fc7a6 in content_process_main /builds/worker/checkouts/gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
#34 0x55c69c7fc7a6 in main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:375:18
#35 0x7f5065a29d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
#36 0x7f5065a29e3f in __libc_start_main csu/../csu/libc-start.c:392:3
#37 0x55c69c7d3a28 in _start (/home/user/workspace/browsers/m-c-20230526162417-fuzzing-debug/firefox-bin+0x58a28) (BuildId: 5ecb48ba200c9d08fec0efd0f8e5740595c50ad1)

prefs.js file for bugmon

Verified bug as reproducible on mozilla-central 20230526215433-fc6056442a0f.
The bug appears to have been introduced in the following build range:

Start: 2e227bee7e5a0bbfe3bfa9a26221a9c1ff5bb913 (20221104042106)
End: 3f828529f7b2a08c99508d80d5120823145dc471 (20221104071305)
Pushlog: https://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=2e227bee7e5a0bbfe3bfa9a26221a9c1ff5bb913&tochange=3f828529f7b2a08c99508d80d5120823145dc471

:jamie, looking at the Pushlog in Comment 2, could this be caused by Bug 1798098?

Unfortunately, it's most likely bug 1798500, which is useless because that's just when we got the force accessibility pref working on Linux (so a11y wasn't being fuzzed for a while before that point). Bug 1798098 is Windows only and this failure occurred on Linux.

Set release status flags based on info from the regressing bug 1798500

Testcase crashes using the initial build (mozilla-central 20230916091445-10a16ed7ab96) but not with tip (mozilla-central 20240913214507-b91e1b615932.)

The bug appears to have been fixed in the following build range:

Start: 2bf0a3120d5801d91f3ee44536d9c706dfb63f6e (20240907223603)
End: 71a5ed7faf61810d4e610496013fb43224f34ca3 (20240908040658)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=2bf0a3120d5801d91f3ee44536d9c706dfb63f6e&tochange=71a5ed7faf61810d4e610496013fb43224f34ca3

tsmith, can you confirm that the above bisection range is responsible for fixing this issue?
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Most likely fixed by bug 1696309.