Found while fuzzing m-c 20240722-a11b1907822b (--enable-debug --enable-fuzzing)

To reproduce via Grizzly Replay:

$ pip install fuzzfetch grizzly-framework --upgrade
$ python -m fuzzfetch -d --fuzzing -n firefox
$ python -m grizzly.replay.bugzilla ./firefox/firefox <bugid>

Assertion failure: rowFrame (Table hierarchy got screwed up), at /builds/worker/checkouts/gecko/accessible/html/HTMLTableAccessible.cpp:601

#0 0x7d7b384d7db1 in mozilla::a11y::HTMLTableAccessible::IsProbablyLayoutTable() /builds/worker/checkouts/gecko/accessible/html/HTMLTableAccessible.cpp:601:7
#1 0x7d7b384ae983 in mozilla::a11y::LocalAccessible::BundleFieldsForCache(unsigned long, mozilla::a11y::CacheUpdateType) /builds/worker/checkouts/gecko/accessible/generic/LocalAccessible.cpp:3941:18
#2 0x7d7b384d92cd in mozilla::a11y::DocAccessibleChild::SerializeAcc(mozilla::a11y::LocalAccessible*) /builds/worker/checkouts/gecko/accessible/ipc/DocAccessibleChild.cpp:64:15
#3 0x7d7b384d9715 in mozilla::a11y::DocAccessibleChild::InsertIntoIpcTree(mozilla::a11y::LocalAccessible*, bool) /builds/worker/checkouts/gecko/accessible/ipc/DocAccessibleChild.cpp:97:24
#4 0x7d7b384b24c1 in mozilla::a11y::DocAccessible::DoInitialUpdate() /builds/worker/checkouts/gecko/accessible/generic/DocAccessible.cpp:1704:17
#5 0x7d7b384730c0 in mozilla::a11y::NotificationController::WillRefresh(mozilla::TimeStamp) /builds/worker/checkouts/gecko/accessible/base/NotificationController.cpp:747:16
#6 0x7d7b37e52aa5 in nsRefreshDriver::TickObserverArray(unsigned int, mozilla::TimeStamp) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:2481:10
#7 0x7d7b37e4fadf in nsRefreshDriver::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsRefreshDriver::IsExtraTick) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:2724:8
#8 0x7d7b37e58611 in TickDriver /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:368:13
#9 0x7d7b37e58611 in mozilla::RefreshDriverTimer::TickRefreshDrivers(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver>>&) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:346:7
#10 0x7d7b37e58510 in mozilla::RefreshDriverTimer::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:362:5
#11 0x7d7b37e583ad in mozilla::VsyncRefreshDriverTimer::RunRefreshDrivers(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:952:5
#12 0x7d7b37e5769c in mozilla::VsyncRefreshDriverTimer::TickRefreshDriver(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:862:5
#13 0x7d7b37e56a29 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsyncTimerOnMainThread() /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:593:14
#14 0x7d7b372d1b3b in mozilla::dom::VsyncMainChild::RecvNotify(mozilla::VsyncEvent const&, float const&) /builds/worker/checkouts/gecko/dom/ipc/VsyncMainChild.cpp:66:15
#15 0x7d7b3754d787 in mozilla::dom::PVsyncChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PVsyncChild.cpp:222:78
#16 0x7d7b374823a0 in mozilla::dom::PContentChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PContentChild.cpp:8172:32
#17 0x7d7b333267cf in mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1820:25
#18 0x7d7b33323522 in mozilla::ipc::MessageChannel::DispatchMessage(mozilla::ipc::ActorLifecycleProxy*, mozilla::UniquePtr<IPC::Message, mozilla::DefaultDelete<IPC::Message>>) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1739:9
#19 0x7d7b333241a2 in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::ActorLifecycleProxy*, mozilla::ipc::MessageChannel::MessageTask&) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1530:3
#20 0x7d7b333252ef in mozilla::ipc::MessageChannel::MessageTask::Run() /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1630:14
#21 0x7d7b327ae8a7 in mozilla::RunnableTask::Run() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:618:16
#22 0x7d7b327a4316 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:945:26
#23 0x7d7b327a2d27 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:768:15
#24 0x7d7b327a31a5 in mozilla::TaskController::ProcessPendingMTTask(bool) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:554:36
#25 0x7d7b327b2279 in operator() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:271:37
#26 0x7d7b327b2279 in mozilla::detail::RunnableFunction<mozilla::TaskController::TaskController()::$_1>::Run() /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.h:548:5
#27 0x7d7b327c5bfd in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1204:16
#28 0x7d7b327cc8ff in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:480:10
#29 0x7d7b3332c303 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:107:5
#30 0x7d7b33282f71 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:363:3
#31 0x7d7b33282f71 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:345:3
#32 0x7d7b37acbce8 in nsBaseAppShell::Run() /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:148:27
#33 0x7d7b37b84964 in nsAppShell::Run() /builds/worker/checkouts/gecko/widget/gtk/nsAppShell.cpp:469:33
#34 0x7d7b38a1c64b in XRE_RunAppShell() /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:714:20
#35 0x7d7b3332d1a6 in mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:235:9
#36 0x7d7b33282f71 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:363:3
#37 0x7d7b33282f71 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:345:3
#38 0x7d7b38a1bedb in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:649:34
#39 0x6198ef20c17f in content_process_main /builds/worker/checkouts/gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
#40 0x6198ef20c17f in main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:378:18
#41 0x7d7b45a29d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
#42 0x7d7b45a29e3f in __libc_start_main csu/../csu/libc-start.c:392:3
#43 0x6198ef1e1bb8 in _start (/home/user/workspace/browsers/m-c-20240730164742-fuzzing-debug/firefox-bin+0x58bb8) (BuildId: 696736f42c0ef67fd9e1335017affdd98fdc3008)

prefs.js for bugmon

Verified bug as reproducible on mozilla-central 20240731034758-fe23e201d6cd.
Unable to bisect testcase (Testcase reproduces on start build!):

Start: 323a980eddb18489b9d7de1ffeff427026574b4c (20230802040706)
End: a11b1907822beb2f6249337fd54e59ba2f39556d (20240722092846)
BuildFlags: BuildFlags(asan=False, tsan=False, debug=True, fuzzing=True, coverage=False, valgrind=False, no_opt=False, fuzzilli=False, nyx=False)

A Pernosco session is available here: https://pernos.co/debug/0s9zulyN1cw1ahSZ4MLINA/index.html

The severity field is not set for this bug.
:eeejay, could you have a look please?

For more information, please visit BugBot documentation.

From a quick glance it looks like the table row has "display: contents", so it doesn't get a frame. Seems like a simple fix.

Testcase crashes using the initial build (mozilla-central 20240722092846-a11b1907822b) but not with tip (mozilla-central 20240913214507-b91e1b615932.)

The bug appears to have been fixed in the following build range:

Start: 9df375df8b809ac5b938fd14b069b7463f5c9900 (20240909233923)
End: ec6625c1ead27137cb8887c5e68fa717d833606d (20240910000044)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=9df375df8b809ac5b938fd14b069b7463f5c9900&tochange=ec6625c1ead27137cb8887c5e68fa717d833606d

tsmith, can you confirm that the above bisection range is responsible for fixing this issue?
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Potentially fixed by bug 1794974?

Nathan: What do you think?

I would love to take credit for this, but I didn't do anything to directly address the problem, as far as I know. The bug you reference did make some big changes to what accessibility information gets cached in the parent process: Previously, we always cached everything, but now we cache selectively as-needed. The assertion here happens when building that information in content in order to send it to the parent. It might be that this test case no longer triggers caching of Table information, which could cause the code to sidestep the call to IsProbablyLayoutTable entirely. If that's the case, then I doubt the assertion is really "fixed," but this test case may no longer trigger it.

Thanks, I'll update the bug if/when a new test case is discovered by fuzzers.

Maybe we should force all fuzzing tests to have all accessibility caching enabled? After discussing with the accessibility team, we think that's a better way to go, since that way we would exercise as many code paths as possible. I'm not familiar with how the harness works, but there is an XPCOM interface to set the desired cache domains, something like:

var accService = Cc["@mozilla.org/accessibilityService;1"].getService(nsIAccessibilityService);
accService.setCacheDomains(~0x0);  // enable everything

which should run before page load starts. The harness instantiates accessibility, so I figure you might have access to the accessibility service?

Otherwise, we could maybe implement a pref that the harness could use to set cache domains. Tyson, could you advise whether either of those options sounds viable?

A pref is the way to go for fuzzing. Please CC me on the bug for adding the pref when it is opened and I can take care of adding the pref to prefpicker.