Found while fuzzing m-c 20230615-272d7188fe71 (--enable-debug --enable-fuzzing)

To reproduce via Grizzly Replay:

$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch -d --fuzzing -n firefox
$ python -m grizzly.replay ./firefox/firefox testcase.html --repeat 10

This test case may take a few refreshes to trigger the issue.

Assertion failure: false (MOZ_ASSERT_UNREACHABLE: Stored active item is unbound from document), at /builds/worker/checkouts/gecko/accessible/base/FocusManager.cpp:34

#0 0x7f3c1c782aaa in mozilla::a11y::FocusManager::FocusedLocalAccessible() const /builds/worker/checkouts/gecko/accessible/base/FocusManager.cpp:34:7
#1 0x7f3c1c782ca8 in mozilla::a11y::FocusManager::FocusedAccessible() const /builds/worker/checkouts/gecko/accessible/base/FocusManager.cpp:73:32
#2 0x7f3c1c7bf481 in IsFocused /builds/worker/workspace/obj-build/dist/include/mozilla/a11y/FocusManager.h:48:12
#3 0x7f3c1c7bf481 in mozilla::a11y::Accessible::ApplyImplicitState(unsigned long&) const /builds/worker/checkouts/gecko/accessible/basetypes/Accessible.cpp:605:19
#4 0x7f3c1c7e70a8 in mozilla::a11y::LocalAccessible::State() /builds/worker/checkouts/gecko/accessible/generic/LocalAccessible.cpp:1533:3
#5 0x7f3c1c7d20d2 in mozilla::a11y::LocalAccessible::BundleFieldsForCache(unsigned long, mozilla::a11y::CacheUpdateType) /builds/worker/checkouts/gecko/accessible/generic/LocalAccessible.cpp:3530:24
#6 0x7f3c1c802944 in mozilla::a11y::DocAccessibleChildBase::SerializeTree(nsTArray<mozilla::a11y::LocalAccessible*>&, nsTArray<mozilla::a11y::AccessibleData>&) /builds/worker/checkouts/gecko/accessible/ipc/DocAccessibleChildBase.cpp:68:16
#7 0x7f3c1c802d10 in mozilla::a11y::DocAccessibleChildBase::InsertIntoIpcTree(mozilla::a11y::LocalAccessible*, mozilla::a11y::LocalAccessible*, unsigned int, bool) /builds/worker/checkouts/gecko/accessible/ipc/DocAccessibleChildBase.cpp:92:3
#8 0x7f3c1c7e60c8 in mozilla::a11y::LocalAccessible::HandleAccEvent(mozilla::a11y::AccEvent*) /builds/worker/checkouts/gecko/accessible/generic/LocalAccessible.cpp:893:19
#9 0x7f3c1c764fa8 in mozilla::a11y::AccessibleWrap::HandleAccEvent(mozilla::a11y::AccEvent*) /builds/worker/checkouts/gecko/accessible/atk/AccessibleWrap.cpp:954:34
#10 0x7f3c1c79589d in nsEventShell::FireEvent(mozilla::a11y::AccEvent*) /builds/worker/checkouts/gecko/accessible/base/nsEventShell.cpp:54:15
#11 0x7f3c1c788f33 in mozilla::a11y::NotificationController::ProcessMutationEvents() /builds/worker/checkouts/gecko/accessible/base/NotificationController.cpp:594:7
#12 0x7f3c1c78a19c in mozilla::a11y::NotificationController::WillRefresh(mozilla::TimeStamp) /builds/worker/checkouts/gecko/accessible/base/NotificationController.cpp:942:3
#13 0x7f3c1aef0649 in nsRefreshDriver::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsRefreshDriver::IsExtraTick) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:2580:12
#14 0x7f3c1aef9ee1 in TickDriver /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:373:13
#15 0x7f3c1aef9ee1 in mozilla::RefreshDriverTimer::TickRefreshDrivers(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver>>&) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:351:7
#16 0x7f3c1aef9de0 in mozilla::RefreshDriverTimer::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:367:5
#17 0x7f3c1aef9c7d in mozilla::VsyncRefreshDriverTimer::RunRefreshDrivers(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:911:5
#18 0x7f3c1aef8ff6 in mozilla::VsyncRefreshDriverTimer::TickRefreshDriver(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:825:5
#19 0x7f3c1aef8329 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsyncTimerOnMainThread() /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:592:14
#20 0x7f3c1a285e4b in mozilla::dom::VsyncMainChild::RecvNotify(mozilla::VsyncEvent const&, float const&) /builds/worker/checkouts/gecko/dom/ipc/VsyncMainChild.cpp:66:15
#21 0x7f3c1a5532fe in mozilla::dom::PVsyncChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PVsyncChild.cpp:220:78
#22 0x7f3c1a445ed0 in mozilla::dom::PContentChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PContentChild.cpp:8737:32
#23 0x7f3c162388af in mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1811:25
#24 0x7f3c16235602 in mozilla::ipc::MessageChannel::DispatchMessage(mozilla::ipc::ActorLifecycleProxy*, mozilla::UniquePtr<IPC::Message, mozilla::DefaultDelete<IPC::Message>>) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1736:9
#25 0x7f3c16236282 in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::ActorLifecycleProxy*, mozilla::ipc::MessageChannel::MessageTask&) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1536:3
#26 0x7f3c162373cf in mozilla::ipc::MessageChannel::MessageTask::Run() /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1634:14
#27 0x7f3c15572007 in mozilla::RunnableTask::Run() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:555:16
#28 0x7f3c15569c91 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:880:26
#29 0x7f3c15568627 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:704:15
#30 0x7f3c15568a85 in mozilla::TaskController::ProcessPendingMTTask(bool) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:491:36
#31 0x7f3c15575e46 in operator() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:218:37
#32 0x7f3c15575e46 in mozilla::detail::RunnableFunction<mozilla::TaskController::TaskController()::$_0>::Run() /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.h:548:5
#33 0x7f3c1558c4ca in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1199:16
#34 0x7f3c1559323d in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:479:10
#35 0x7f3c1623e7b5 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:85:21
#36 0x7f3c16158411 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:363:3
#37 0x7f3c16158411 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:345:3
#38 0x7f3c1ab480e8 in nsBaseAppShell::Run() /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:148:27
#39 0x7f3c1ce7020b in XRE_RunAppShell() /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:717:20
#40 0x7f3c1623f696 in mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:235:9
#41 0x7f3c16158411 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:363:3
#42 0x7f3c16158411 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:345:3
#43 0x7f3c1ce6fada in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:652:34
#44 0x5563bf123526 in content_process_main /builds/worker/checkouts/gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
#45 0x5563bf123526 in main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:375:18
#46 0x7f3c29229d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
#47 0x7f3c29229e3f in __libc_start_main csu/../csu/libc-start.c:392:3
#48 0x5563bf0fa7c8 in _start (/home/user/workspace/browsers/m-c-20230616214102-fuzzing-debug/firefox-bin+0x587c8) (BuildId: 8ce77c76ab58288fa94701b836e1066960983b07)

prefs.js for bugmon

Verified bug as reproducible on mozilla-central 20230617092009-29e4ffb2c397.
The bug appears to have been introduced in the following build range:

Start: 4c09044b23ac74fbeb813d33e4f8e6bbb822bb14 (20221117234107)
End: 859b32ad9584b4aa1dc3e83654693d787fb53a96 (20221118014103)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=4c09044b23ac74fbeb813d33e4f8e6bbb822bb14&tochange=859b32ad9584b4aa1dc3e83654693d787fb53a96

Set release status flags based on info from the regressing bug 1796734

:Jamie, since you are the author of the regressor, bug 1796734, could you take a look? Also, could you set the severity field?

For more information, please visit BugBot documentation.

I'm not able to reproduce this regardless of how many times I refresh. :(

Aha. This does reliably reproduce it for me though:
data:text/html,<select id="sel" size="5"><option>a</option></select><button onclick="sel.focus(); sel.size = 0;">go

When the Accessible is recreated for the focused node, DocAccessible::CreateSubtree calls FocusManager::DispatchFocusEvent directly.
If FocusManager::mActiveItem was set, DispatchFocusEvent previously didn't clear it, even though DispatchFocusEvent was given a new target overriding mActiveItem.
This meant that the old mActiveItem would remain until it was next set or cleared, causing assertions if it died and potentially other problems.
To fix this, DispatchFocusEvent clears mActiveItem if it is different to the target, since the target should override.

https://hg.mozilla.org/mozilla-central/rev/d0376dca2d43

Verified bug as fixed on rev mozilla-central 20230624091338-d9d61c7bc752.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Set release status flags based on info from the regressing bug 1796734