Found while fuzzing m-c 20221115-8495494c57f8 (--enable-debug --enable-fuzzing)

To reproduce via Grizzly Replay:

$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch -d --fuzzing -n firefox
$ python -m grizzly.replay ./firefox/firefox testcase.html

Assertion failure: false (MOZ_ASSERT_UNREACHABLE: No ancestor with frame?), at /builds/worker/checkouts/gecko/accessible/generic/LocalAccessible.cpp:634

#0 0x7fda85fb94a0 in mozilla::a11y::LocalAccessible::FindNearestAccessibleAncestorFrame() /builds/worker/checkouts/gecko/accessible/generic/LocalAccessible.cpp:634:5
#1 0x7fda85fb94fb in mozilla::a11y::LocalAccessible::ParentRelativeBounds() /builds/worker/checkouts/gecko/accessible/generic/LocalAccessible.cpp:644:31
#2 0x7fda85fa5730 in mozilla::a11y::LocalAccessible::BundleFieldsForCache(unsigned long, mozilla::a11y::CacheUpdateType) /builds/worker/checkouts/gecko/accessible/generic/LocalAccessible.cpp:3291:28
#3 0x7fda85fa467e in mozilla::a11y::DocAccessible::ProcessQueuedCacheUpdates() /builds/worker/checkouts/gecko/accessible/generic/DocAccessible.cpp:1463:16
#4 0x7fda85f5f1aa in mozilla::a11y::NotificationController::WillRefresh(mozilla::TimeStamp) /builds/worker/checkouts/gecko/accessible/base/NotificationController.cpp:890:16
#5 0x7fda8476be02 in nsRefreshDriver::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsRefreshDriver::IsExtraTick) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:2525:12
#6 0x7fda847759cd in TickDriver /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:375:13
#7 0x7fda847759cd in mozilla::RefreshDriverTimer::TickRefreshDrivers(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver>>&) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:353:7
#8 0x7fda847758d3 in mozilla::RefreshDriverTimer::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:369:5
#9 0x7fda847757b0 in mozilla::VsyncRefreshDriverTimer::RunRefreshDrivers(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:913:5
#10 0x7fda84774b1a in mozilla::VsyncRefreshDriverTimer::TickRefreshDriver(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:827:5
#11 0x7fda847742d6 in mozilla::VsyncRefreshDriverTimer::NotifyVsyncOnMainThread(mozilla::VsyncEvent const&) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:748:5
#12 0x7fda84773de9 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsyncTimerOnMainThread() /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:594:14
#13 0x7fda847739fd in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsync(mozilla::VsyncEvent const&) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:551:9
#14 0x7fda83c4926b in mozilla::dom::VsyncMainChild::RecvNotify(mozilla::VsyncEvent const&, float const&) /builds/worker/checkouts/gecko/dom/ipc/VsyncMainChild.cpp:68:15
#15 0x7fda83eccf98 in mozilla::dom::PVsyncChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PVsyncChild.cpp:220:78
#16 0x7fda800b5b2a in mozilla::ipc::PBackgroundChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PBackgroundChild.cpp:6306:32
#17 0x7fda8004e30a in mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1756:25
#18 0x7fda8004af67 in mozilla::ipc::MessageChannel::DispatchMessage(mozilla::ipc::ActorLifecycleProxy*, mozilla::UniquePtr<IPC::Message, mozilla::DefaultDelete<IPC::Message>>) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1681:9
#19 0x7fda8004bab5 in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::ActorLifecycleProxy*, mozilla::ipc::MessageChannel::MessageTask&) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1481:3
#20 0x7fda8004cdef in mozilla::ipc::MessageChannel::MessageTask::Run() /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1579:14
#21 0x7fda7f44de75 in mozilla::RunnableTask::Run() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:538:16
#22 0x7fda7f44945c in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:851:26
#23 0x7fda7f44802a in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:683:15
#24 0x7fda7f448385 in mozilla::TaskController::ProcessPendingMTTask(bool) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:461:36
#25 0x7fda7f451776 in operator() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:187:37
#26 0x7fda7f451776 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_2>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:531:5
#27 0x7fda7f467108 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1204:16
#28 0x7fda7f46d87d in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:465:10
#29 0x7fda80053be3 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:85:21
#30 0x7fda7ff79da8 in MessageLoop::RunInternal() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:381:10
#31 0x7fda7ff79cb1 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:374:3
#32 0x7fda7ff79cb1 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:356:3
#33 0x7fda84421538 in nsBaseAppShell::Run() /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:150:27
#34 0x7fda86639feb in XRE_RunAppShell() /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:884:20
#35 0x7fda80054aa9 in mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:235:9
#36 0x7fda7ff79da8 in MessageLoop::RunInternal() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:381:10
#37 0x7fda7ff79cb1 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:374:3
#38 0x7fda7ff79cb1 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:356:3
#39 0x7fda8663957c in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:743:34
#40 0x55827bf28be0 in content_process_main /builds/worker/checkouts/gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
#41 0x55827bf28be0 in main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:359:18
#42 0x7fda93f4c082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16
#43 0x55827beff248 in _start (/home/worker/builds/m-c-20221115095444-fuzzing-debug/firefox-bin+0x5b248) (BuildId: dffe064ce03c5f235e4a9afc252b16cccb76259f)

prefs.js file for bugmon.

Verified bug as reproducible on mozilla-central 20221123213526-c300f1dba775.
The bug appears to have been introduced in the following build range:

Start: 2d625e5d6ff86fda6d83464bb315478f94afc577 (20221114233128)
End: 1adc82d1eb960a8a6aac68b9abceaac3fd491abb (20221115021943)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=2d625e5d6ff86fda6d83464bb315478f94afc577&tochange=1adc82d1eb960a8a6aac68b9abceaac3fd491abb

:eeejay, since you are the author of the regressor, bug 1798621, could you take a look?

For more information, please visit auto_nag documentation.

Morgan noted in the CTW meeting today that this was due to an Accessible with an unbound parent. I think I know how that could happen.

The test case changes the type attribute of an ol. Currently, that causes the whole subtree to be re-created. It probably shouldn't because this is an ol, not an input, but that's a separate issue because this can probably happen in other ways too.

The ol contains an embed and the embed is effectively an iframe. When an OuterDocAccessible gets destroyed, its embedded document is detached from the tree and scheduled for rebinding. Before it is rebound, the DocAccessible will have no parent for a short while. The queued cache update is probably for the DocAccessible while it is in this state.

I'm not quite sure how to handle this. I know we kinda have to handle this case for OOP iframes (they have no useful parent), but I don't know if we can apply the same logic to in-process iframes. Anyway, when this occurs, you should see IsDoc() && !IsBoundToParent().

As discussed on Zoom, I'm taking this so Morgan can work on other more important things. :)

Previously, this test case caused an assertion, but that was fixed in bug 1792120.
We also ensure the x and y are the same before an dafter the re-creation.
This verifies that we aren't losing the iframe's border/padding.

https://hg.mozilla.org/mozilla-central/rev/279b2c645e53

Verified bug as fixed on rev mozilla-central 20221217211745-3ccb0b86ab11.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.