Found while fuzzing m-c 20230112-e5ed23660819 (--enable-debug --enable-fuzzing)

To reproduce via Grizzly Replay:

$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch -d --fuzzing -n firefox
$ python -m grizzly.replay ./firefox/firefox testcase.html

Assertion failure: value > 0, at /builds/worker/checkouts/gecko/accessible/generic/LocalAccessible.cpp:3599

#0 0x7feb35f190a5 in mozilla::a11y::LocalAccessible::BundleFieldsForCache(unsigned long, mozilla::a11y::CacheUpdateType) /builds/worker/checkouts/gecko/accessible/generic/LocalAccessible.cpp:3599:7
#1 0x7feb35f14c6f in mozilla::a11y::DocAccessible::ProcessQueuedCacheUpdates() /builds/worker/checkouts/gecko/accessible/generic/DocAccessible.cpp:1521:16
#2 0x7feb35ece3f0 in mozilla::a11y::NotificationController::WillRefresh(mozilla::TimeStamp) /builds/worker/checkouts/gecko/accessible/base/NotificationController.cpp:890:16
#3 0x7feb346e0752 in nsRefreshDriver::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsRefreshDriver::IsExtraTick) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:2550:12
#4 0x7feb346ea41d in TickDriver /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:374:13
#5 0x7feb346ea41d in mozilla::RefreshDriverTimer::TickRefreshDrivers(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver>>&) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:352:7
#6 0x7feb346ea323 in mozilla::RefreshDriverTimer::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:368:5
#7 0x7feb346ea200 in mozilla::VsyncRefreshDriverTimer::RunRefreshDrivers(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:912:5
#8 0x7feb346e956a in mozilla::VsyncRefreshDriverTimer::TickRefreshDriver(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:826:5
#9 0x7feb346e8d36 in mozilla::VsyncRefreshDriverTimer::NotifyVsyncOnMainThread(mozilla::VsyncEvent const&) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:747:5
#10 0x7feb346e8849 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsyncTimerOnMainThread() /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:593:14
#11 0x7feb346e845d in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsync(mozilla::VsyncEvent const&) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:550:9
#12 0x7feb33b74bfb in mozilla::dom::VsyncMainChild::RecvNotify(mozilla::VsyncEvent const&, float const&) /builds/worker/checkouts/gecko/dom/ipc/VsyncMainChild.cpp:68:15
#13 0x7feb33e0d798 in mozilla::dom::PVsyncChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PVsyncChild.cpp:220:78
#14 0x7feb2ff7c26a in mozilla::ipc::PBackgroundChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PBackgroundChild.cpp:6196:32
#15 0x7feb2ff0afda in mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1800:25
#16 0x7feb2ff07c57 in mozilla::ipc::MessageChannel::DispatchMessage(mozilla::ipc::ActorLifecycleProxy*, mozilla::UniquePtr<IPC::Message, mozilla::DefaultDelete<IPC::Message>>) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1725:9
#17 0x7feb2ff08785 in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::ActorLifecycleProxy*, mozilla::ipc::MessageChannel::MessageTask&) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1525:3
#18 0x7feb2ff09abf in mozilla::ipc::MessageChannel::MessageTask::Run() /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1623:14
#19 0x7feb2f2fa995 in mozilla::RunnableTask::Run() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:539:16
#20 0x7feb2f2f5f6c in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:852:26
#21 0x7feb2f2f4b3a in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:684:15
#22 0x7feb2f2f4e95 in mozilla::TaskController::ProcessPendingMTTask(bool) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:462:36
#23 0x7feb2f2fe309 in operator() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:191:37
#24 0x7feb2f2fe309 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_3>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:546:5
#25 0x7feb2f313b35 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1197:16
#26 0x7feb2f31a07d in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:473:10
#27 0x7feb2ff10ed3 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:107:5
#28 0x7feb2fe32cd8 in MessageLoop::RunInternal() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:381:10
#29 0x7feb2fe32be1 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:374:3
#30 0x7feb2fe32be1 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:356:3
#31 0x7feb34383938 in nsBaseAppShell::Run() /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:148:27
#32 0x7feb365b742b in XRE_RunAppShell() /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:743:20
#33 0x7feb2ff11de9 in mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:235:9
#34 0x7feb2fe32cd8 in MessageLoop::RunInternal() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:381:10
#35 0x7feb2fe32be1 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:374:3
#36 0x7feb2fe32be1 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:356:3
#37 0x7feb365b6f88 in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:676:34
#38 0x55911c899ca0 in content_process_main /builds/worker/checkouts/gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
#39 0x55911c899ca0 in main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:359:18
#40 0x7feb43c9fd8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
#41 0x7feb43c9fe3f in __libc_start_main csu/../csu/libc-start.c:392:3
#42 0x55911c870308 in _start (/home/user/workspace/browsers/m-c-20230116140954-fuzzing-debug/firefox-bin+0x5b308) (BuildId: 3c0a2e4948582c120895ff85171c1335af2e1568)

prefs.js file for bugmon

Verified bug as reproducible on mozilla-central 20230116211903-23c1be504632.
The bug appears to have been introduced in the following build range:

Start: 2d625e5d6ff86fda6d83464bb315478f94afc577 (20221114233128)
End: 1adc82d1eb960a8a6aac68b9abceaac3fd491abb (20221115021943)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=2d625e5d6ff86fda6d83464bb315478f94afc577&tochange=1adc82d1eb960a8a6aac68b9abceaac3fd491abb

There are a couple of issues here:

1. We probably shouldn't create Table*Accessibles for a table part which has an overridden role. Supporting this was intentional, but I don't think it makes sense these days and Chromium doesn't do it either.
2. Even if we fix that, I think we'll still have a problem with aria-owns if the table doesn't override the role. When aria-owns moves an HTML table cell outside of its table, it will still be an HTMLTableCellAccessible, so we'll still try to fetch its col/row spans. When we try to walk the Accessible parents to get the table, we won't find one, so we'll return 0 for the spans, triggering the assertion.
   • I guess we could fix this by verifying that there's a valid table, but that seems pretty wasteful.
   • It'd be easiest to just remove the assertion, but that'd mean we miss potentially real problems here.
   • Perhaps we modify the assertion so that it doesn't fail if the table is invalid?

Regardless, this doesn't cause a problem in real usage and would be extremely rare.

Bugmon was unable reproduce this issue.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

A change to the Taskcluster build definitions over the weekend caused Bugmon to fail when reproducing issues. This issue has been corrected. Re-enabling bugmon.

Testcase crashes using the initial build (mozilla-central 20230112213033-e5ed23660819) but not with tip (mozilla-central 20230609214634-501ade4b55d9.)

The bug appears to have been fixed in the following build range:

Start: c7b58ffeb92bc7c684aebb8f162b5816c8bc013b (20230608091506)
End: a86d5a3f177d480362c07a9ed34166ae41840ab6 (20230608105722)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=c7b58ffeb92bc7c684aebb8f162b5816c8bc013b&tochange=a86d5a3f177d480362c07a9ed34166ae41840ab6

tsmith, can you confirm that the above bisection range is responsible for fixing this issue?
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Fixed by bug 1832261.

Based on comment #2, this bug contains a bisection range found by bugmon. However, the Regressed by field is still not filled.

:Jamie, if possible, could you fill the Regressed by field?

For more information, please visit BugBot documentation.

Set release status flags based on info from the regressing bug 1798621