Yesterday I asked Jesse whether we've been doing any fuzzing with a11y enabled. He said we hadn't, but after a bit of playing with it and talking to Alexander he discovered that: 1) The accessibility mochitests assert in a debug build (we need to fix this!). 2) reftest and crashtest don't pass with accessibility enabled, apparently. Given that, fuzzing doesn't seem like a good time investment at the moment. But given the number of people on Windows who are apparently browsing with a11y on, we need to make this mode of operation not have correctness issues and not be obviously exploitable. That is, we need to fix the above issues and then fuzz-test the heck out of it. This is a tracking bug to track whatever needs to happen to make that work.

I've been fuzzing with accessibility enabled, but ignoring assertion failures in accessible/. I've found some crashes this way. I have some ideas for fuzzing the accessibility API more directly (beyond enabling accessibility and "doing DOM stuff"), but probably won't implement them soon.

With bug 571613 in good shape and bug 852150 fixed, I've started reporting bugs on accessible/ assertions again. Hopefully my new bug reports are helpful.