Found while fuzzing m-c 20230221-58d33c517857 (--enable-debug --enable-fuzzing)

To reproduce via Grizzly Replay:

$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch -d --fuzzing -n firefox
$ python -m grizzly.replay ./firefox/firefox testcase.html

Assertion failure: hyperAcc, at /builds/worker/checkouts/gecko/accessible/base/TextLeafRange.cpp:1466

#0 0x7fa1d9de9268 in mozilla::a11y::TextLeafPoint::GetTextAttributesLocalAcc(bool) const /builds/worker/checkouts/gecko/accessible/base/TextLeafRange.cpp:1466:3
#1 0x7fa1d9e1dc52 in mozilla::a11y::LocalAccessible::BundleFieldsForCache(unsigned long, mozilla::a11y::CacheUpdateType) /builds/worker/checkouts/gecko/accessible/generic/LocalAccessible.cpp:3394:45
#2 0x7fa1d9e520f7 in mozilla::a11y::DocAccessibleChildBase::InsertIntoIpcTree(mozilla::a11y::LocalAccessible*, mozilla::a11y::LocalAccessible*, unsigned int, bool) /builds/worker/checkouts/gecko/accessible/ipc/DocAccessibleChildBase.cpp:107:16
#3 0x7fa1d9e21867 in mozilla::a11y::DocAccessible::DoInitialUpdate() /builds/worker/checkouts/gecko/accessible/generic/DocAccessible.cpp:1721:17
#4 0x7fa1d9dd46ca in mozilla::a11y::NotificationController::WillRefresh(mozilla::TimeStamp) /builds/worker/checkouts/gecko/accessible/base/NotificationController.cpp:671:16
#5 0x7fa1d85d8bd2 in nsRefreshDriver::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsRefreshDriver::IsExtraTick) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:2567:12
#6 0x7fa1d85e2a1d in TickDriver /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:373:13
#7 0x7fa1d85e2a1d in mozilla::RefreshDriverTimer::TickRefreshDrivers(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver>>&) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:351:7
#8 0x7fa1d85e2923 in mozilla::RefreshDriverTimer::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:367:5
#9 0x7fa1d85e2800 in mozilla::VsyncRefreshDriverTimer::RunRefreshDrivers(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:911:5
#10 0x7fa1d85e1b6a in mozilla::VsyncRefreshDriverTimer::TickRefreshDriver(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:825:5
#11 0x7fa1d85e1336 in mozilla::VsyncRefreshDriverTimer::NotifyVsyncOnMainThread(mozilla::VsyncEvent const&) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:746:5
#12 0x7fa1d85e0e49 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsyncTimerOnMainThread() /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:592:14
#13 0x7fa1d85e0a5d in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsync(mozilla::VsyncEvent const&) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:549:9
#14 0x7fa1d79bb7ab in mozilla::dom::VsyncMainChild::RecvNotify(mozilla::VsyncEvent const&, float const&) /builds/worker/checkouts/gecko/dom/ipc/VsyncMainChild.cpp:66:15
#15 0x7fa1d7cb4b43 in mozilla::dom::PVsyncChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PVsyncChild.cpp:228:78
#16 0x7fa1d7b8aa96 in mozilla::dom::PContentChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PContentChild.cpp:8785:32
#17 0x7fa1d3b9e29a in mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1800:25
#18 0x7fa1d3b9af17 in mozilla::ipc::MessageChannel::DispatchMessage(mozilla::ipc::ActorLifecycleProxy*, mozilla::UniquePtr<IPC::Message, mozilla::DefaultDelete<IPC::Message>>) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1725:9
#19 0x7fa1d3b9ba45 in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::ActorLifecycleProxy*, mozilla::ipc::MessageChannel::MessageTask&) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1525:3
#20 0x7fa1d3b9cd7f in mozilla::ipc::MessageChannel::MessageTask::Run() /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1623:14
#21 0x7fa1d2f43455 in mozilla::RunnableTask::Run() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:541:16
#22 0x7fa1d2f3e5a8 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:855:26
#23 0x7fa1d2f3d17a in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:686:15
#24 0x7fa1d2f3d4d5 in mozilla::TaskController::ProcessPendingMTTask(bool) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:464:36
#25 0x7fa1d2f46f06 in operator() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:188:37
#26 0x7fa1d2f46f06 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_2>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:546:5
#27 0x7fa1d2f5cfc7 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1225:16
#28 0x7fa1d2f6347d in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:477:10
#29 0x7fa1d3ba41e3 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:85:21
#30 0x7fa1d3ac6058 in MessageLoop::RunInternal() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:381:10
#31 0x7fa1d3ac5f61 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:374:3
#32 0x7fa1d3ac5f61 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:356:3
#33 0x7fa1d8261278 in nsBaseAppShell::Run() /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:148:27
#34 0x7fa1da4dbb3b in XRE_RunAppShell() /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:742:20
#35 0x7fa1d3ba50a9 in mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:235:9
#36 0x7fa1d3ac6058 in MessageLoop::RunInternal() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:381:10
#37 0x7fa1d3ac5f61 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:374:3
#38 0x7fa1d3ac5f61 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:356:3
#39 0x7fa1da4db698 in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:675:34
#40 0x556fa83a6d80 in content_process_main /builds/worker/checkouts/gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
#41 0x556fa83a6d80 in main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:353:18
#42 0x7fa1e801ad8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
#43 0x7fa1e801ae3f in __libc_start_main csu/../csu/libc-start.c:392:3
#44 0x556fa837d3e8 in _start (/home/user/workspace/browsers/m-c-20230221212648-fuzzing-debug/firefox-bin+0x5b3e8) (BuildId: e19d06a5994e31aeeb37a7c68e2fa2a7fb336343)

pref.js file for bugmon

Testcase crashes using the initial build (mozilla-central 20230221212648-58d33c517857) but not with tip (mozilla-central 20230222214030-5bb3e281dc9e.)

The bug appears to have been fixed in the following build range:

Start: bdf88c9a1a0690c2598f13e5d93049ad4a886932 (20230222040213)
End: 71a1eb34bc9090c5faeebf696ae1c5d5617fae20 (20230222084535)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=bdf88c9a1a0690c2598f13e5d93049ad4a886932&tochange=71a1eb34bc9090c5faeebf696ae1c5d5617fae20

tsmith, can you confirm that the above bisection range is responsible for fixing this issue?
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Verified bug as reproducible on mozilla-central 20230223172038-8abe8c3a6233.
The bug appears to have been introduced in the following build range:

Start: 2d625e5d6ff86fda6d83464bb315478f94afc577 (20221114233128)
End: 1adc82d1eb960a8a6aac68b9abceaac3fd491abb (20221115021943)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=2d625e5d6ff86fda6d83464bb315478f94afc577&tochange=1adc82d1eb960a8a6aac68b9abceaac3fd491abb

:eeejay do you think you can take a look if anything in this regression range caused this or if it was fixed? If not, could you point me in the right direction?

Bug 1798621, which enabled Cache the World on nightly, is what allowed this test case to trigger an assertion. However, the underlying problem goes back much further than that, probably to when SVG accessibility support was first introduced.

It's curious to me that <text><a>foo displays foo, even though the text container is actually the outer <text>. (In contrast, <a>foo without the outer <text> doesn't display foo.) Strictly speaking, we should probably make the <a> a HyperTextAccessible only if it is contained within <text>. Pragmatically speaking, it's probably going to be easier to just make <a> a HyperTextAccessible always.

Marking as fuzzblocker. This is frequently reported by fuzzers while fuzzing with a11y enabled. Please prioritize appropriately.

This bug prevents fuzzing from making progress; however, it has low severity. It is important for fuzz blocker bugs to be addressed in a timely manner (see here why?).
:Jamie, could you increase the severity?

For more information, please visit auto_nag documentation.

This ensures that these are HyperTextAccessibles if they contain text, which prevents assertions and exposes formatting information.
It also gives these the correct role.

Based on comment #4, this bug contains a bisection range found by bugmon. However, the Regressed by field is still not filled.

:Jamie, if possible, could you fill the Regressed by field and investigate this regression?

For more information, please visit BugBot documentation.

Marking as regressed by bug 1798621 to make the bot happy, but please note comment 6.

Set release status flags based on info from the regressing bug 1798621

https://hg.mozilla.org/mozilla-central/rev/8e3596085874

Verified bug as fixed on rev mozilla-central 20230531214354-860d4ed91dff.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

The patch landed in nightly and beta is affected.
:Jamie, is this bug important enough to require an uplift?

• If yes, please nominate the patch for beta approval.
• If no, please set status-firefox114 to wontfix.

For more information, please visit BugBot documentation.