Closed Bug 1040735 Opened 10 years ago Closed 10 years ago

crash in mozilla::a11y::Accessible::BindToParent(mozilla::a11y::Accessible*, unsigned int)

Categories

(Core :: Disability Access APIs, defect)

Product:
Core
Component:
Disability Access APIs
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
VERIFIED FIXED
Milestone:
mozilla35

People

(Reporter: martijn.martijn, Assigned: surkov)

References

Details

(Keywords: crash, testcase)

Crash Data

Attachments

(2 files, 2 obsolete files)

testcase
502 bytes, text/html
Details
patch3
13.31 KB, patch
davidb
: review+
Details | Diff | Splinter Review
Attached file testcase 
See testcase, which crash Mozilla within 100ms. 
You need to have specialpowers extension installed to see the crash:
http://people.mozilla.org/~mwargers/extensions/specialpowers/specialpowers_20140612.xpi
Or turn on accessibility for the document yourself.


This bug was filed from the Socorro interface and is 
report bp-18c2612f-5cdb-4be7-a4a4-d9db62140718.
=============================================================
0 	XUL 	mozilla::a11y::Accessible::BindToParent(mozilla::a11y::Accessible*, unsigned int) 	obj-firefox/x86_64/dist/include/nsTArray.h
1 	XUL 	mozilla::a11y::Accessible::InsertChildAt(unsigned int, mozilla::a11y::Accessible*) 	accessible/generic/Accessible.cpp
2 	XUL 	mozilla::a11y::AccessibleWrap::InsertChildAt(unsigned int, mozilla::a11y::Accessible*) 	accessible/mac/AccessibleWrap.mm
3 	XUL 	mozilla::a11y::DocAccessible::CacheChildren() 	accessible/generic/Accessible.h
4 	XUL 	mozilla::a11y::DocAccessible::CacheChildrenInSubtree(mozilla::a11y::Accessible*, mozilla::a11y::Accessible**) 	accessible/generic/Accessible.cpp
5 	XUL 	mozilla::a11y::DocAccessible::ProcessContentInserted(mozilla::a11y::Accessible*, nsTArray<nsCOMPtr<nsIContent> > const*) 	accessible/generic/DocAccessible.cpp
6 	XUL 	mozilla::a11y::NotificationController::ContentInsertion::Process() 	accessible/base/NotificationController.cpp
7 	XUL 	mozilla::a11y::NotificationController::WillRefresh(mozilla::TimeStamp) 	accessible/base/NotificationController.cpp
8 	XUL 	nsRefreshDriver::Tick(long long, mozilla::TimeStamp) 	layout/base/nsRefreshDriver.cpp
it crashes in Accessible::BindToParent during child adoption, regardless child adoption is illegal, the crash is because mParent->RemoveChild(this) nullify mParent what makes subsequent mParent->InvalidateChildrenGroupInfo() to crash. It may be sidefixed by bug 1041070.
Depends on: 1041070
(In reply to alexander :surkov from comment #1)
> it crashes in Accessible::BindToParent during child adoption, regardless
> child adoption is illegal, the crash is because mParent->RemoveChild(this)
> nullify mParent what makes subsequent mParent->InvalidateChildrenGroupInfo()
> to crash. It may be sidefixed by bug 1041070.

maybe, but I don't see why we need that InvalidateChildrenGroupInfo call in BindToParent at all, the one in UndinbFromParent should be enough I'd think.
(In reply to Trevor Saunders (:tbsaunde) from comment #2)
> (In reply to alexander :surkov from comment #1)

> maybe, but I don't see why we need that InvalidateChildrenGroupInfo call in
> BindToParent at all, the one in UndinbFromParent should be enough I'd think.

it happens during adoption only what means UnbindFromParent wasn't triggered.

we deal with two problems here that has to be fixed: 1) crash and 2) child adoption
(In reply to alexander :surkov from comment #3)
> (In reply to Trevor Saunders (:tbsaunde) from comment #2)
> > (In reply to alexander :surkov from comment #1)
> 
> > maybe, but I don't see why we need that InvalidateChildrenGroupInfo call in
> > BindToParent at all, the one in UndinbFromParent should be enough I'd think.
> 
> it happens during adoption only what means UnbindFromParent wasn't triggered.

but then mParent wasn't set to null either.

> we deal with two problems here that has to be fixed: 1) crash and 2) child
> adoption

well, fixing the second automatically fixes the first.
(In reply to Trevor Saunders (:tbsaunde) from comment #4)

> > it happens during adoption only what means UnbindFromParent wasn't triggered.
> 
> but then mParent wasn't set to null either.

oh, right, RemoveChild should trigger it, so all we need is to remove that piece

> > we deal with two problems here that has to be fixed: 1) crash and 2) child
> > adoption
> 
> well, fixing the second automatically fixes the first.

for this case only
so the adoption problem is because DocAccessible::RemoveContent gets unexpected container element. The tree looks like

<marque>
  <div> marque impl #1
    <div> marque impl #2
      <div> explicit, hidden, moved in document #3
        <div> explicit, visible #4

when we receive notification that div #3 is removed then we get marque as container and thus our tree update logic fails as we expects div #2 as container.

presumably nsCSSFrameConstructor::ContentRemoved(nsIContent* aContainer is called for wrong container in terms of a11y needs. Perhaps we should do aChild->GetFlattenParent() instead for DocAccessible::RemoveContent call.

Boris, does it sound correct?
ContentRemoved is called with aContainer set to the parentNode in the DOM.

If you want something else, then yes, you need to do that yourself.
Ok, do you know if GetFlattenParent() returns #2 div for explicit #3 div or do I need different method? I need something to traverse up a compound document (similar to discussion from bug 1026047).
GetFlattenedParent on #3 should return #2, yes.
Attached patch patch (obsolete) — Splinter Review 
fix a11y tree update
Assignee: nobody → surkov.alexander
Status: NEW → ASSIGNED
Attachment #8460864 - Flags: review?(trev.saunders)
Attachment #8460864 - Flags: review?(bzbarsky)
OS: Mac OS X → All
Comment on attachment 8460864 [details] [diff] [review]
patch

> nsAccessibilityService::ContentRemoved(nsIPresShell* aPresShell,
>-                                       nsIContent* aContainer,
>                                        nsIContent* aChild)
> {
>+  nsIContent* container = aChild->GetFlattenedTreeParent();

why not do that in DocAccessible::ContentRemoved?

r=me if you add the testcase
Attachment #8460864 - Flags: review?(trev.saunders) → review+
(In reply to Trevor Saunders (:tbsaunde) from comment #11)

> >+  nsIContent* container = aChild->GetFlattenedTreeParent();
> 
> why not do that in DocAccessible::ContentRemoved?

container is logged here

> r=me if you add the testcase

test on assertion triggering?
(In reply to alexander :surkov from comment #12)
> (In reply to Trevor Saunders (:tbsaunde) from comment #11)
> 
> > >+  nsIContent* container = aChild->GetFlattenedTreeParent();
> > 
> > why not do that in DocAccessible::ContentRemoved?
> 
> container is logged here

bleh

> > r=me if you add the testcase
> 
> test on assertion triggering?

just checking ti doesn't assert or crash seems enough
Comment on attachment 8460864 [details] [diff] [review]
patch

There's a ton of irrelevant whitespace changes here, presumably from an over-zealous editor configuration.

Please either remove those changes or do them in a separate changeset from substantive changes.
Attachment #8460864 - Flags: review?(bzbarsky) → review-
Attached patch patch2 (obsolete) — Splinter Review 

        Attachment #8460864 -
        Attachment is obsolete: true

        Attachment #8461604 -
        Flags: review?(bzbarsky)

    
    

    
  
Comment on attachment 8461604 [details] [diff] [review]
patch2

>\ No newline at end of file

Should have one.

r=me

        Attachment #8461604 -
        Flags: review?(bzbarsky) → review+

    
    

    
  
(In reply to Boris Zbarsky [:bz] from comment #9)
> GetFlattenedParent on #3 should return #2, yes.

eventually it doesn't, could it be because #2 has visibility: hidden; style or is it specifics of marquee implementation?

    
    

    
  
I don't know offhand.

    
    

    
  
(In reply to Boris Zbarsky [:bz] from comment #18)
> I don't know offhand.

maybe you could recommend somebody who might know, I don't have good idea where to start looking.

    
    

    
  
Maybe try wchen?
Flags: needinfo?(wchen)

    
    

    
  
GetFlattenedTreeParent() on #3 should return #2, I've verified this for a basic marquee in gdb.

If this is not the case, I suspect the binding has not been installed on the marquee element by the time you call GetFlattenedTreeParent(), in which case it will just return the same thing as GetParent(), the marquee element. You can see if this is happening by checking if GetParent()->GetXBLBinding() is nullptr and GetParent()->HasFlag(NODE_MAY_BE_IN_BINDING_MNGR) is false. I've noticed that it may take a spin of the event loop for a binding to install, possibly more if XBL resources need to be loaded.

If adoption is involved here, then it may also be something weird such as uninstalling the binding on marquee and calling GetFlattenedTreeParent() before another binding is installed.
Flags: needinfo?(wchen)

    
    

    
  
It returns explicit parent when a11y receives removal notification from nsCSSFrameConstructor::ContentRemoved (https://hg.mozilla.org/try/annotate/ba8df173201e/layout/base/nsCSSFrameConstructor.cpp#l7738). Could it be that binding gets unattached at this point?

    
    

    
  
landing the patch https://hg.mozilla.org/integration/mozilla-inbound/rev/8589d9bdd501,

leaving the bug open to figure out what's wrong with flatterParent in this case
Keywords: leave-open

    
    

    
  
Reverted for B2G gaia-ui-test crashes:
https://tbpl.mozilla.org/php/getParsedLog.php?id=46034515&tree=Mozilla-Inbound
https://tbpl.mozilla.org/php/getParsedLog.php?id=46035590&tree=Mozilla-Inbound

Stack:
07:36:12     INFO -  TEST-START | test_launch_l10n.py TestLaunchL10n.test_launch_by_localised_name
07:36:24     INFO -  mozcrash INFO | Downloading symbols from: https://ftp-ssl.mozilla.org/pub/mozilla.org/b2g/tinderbox-builds/mozilla-inbound-macosx64_gecko/1408110373/en-US/b2g-34.0a1.en-US.mac64.crashreporter-symbols.zip
07:36:40    ERROR -  PROCESS-CRASH | runner.py | application crashed [@ mozilla::a11y::DocAccessible::UpdateTree(mozilla::a11y::Accessible*, nsIContent*, bool)]
07:36:40     INFO -  Crash dump filename: /var/folders/sx/862v_8y156bgd1w91grcm9m800000w/T/tmpBx7rEB/minidumps/F6C38351-DF2A-41A5-BCFC-98E58333FF98.dmp
07:36:40     INFO -  Operating system: Mac OS X
07:36:40     INFO -                    10.8.0 12A269
07:36:40     INFO -  CPU: amd64
07:36:40     INFO -       family 6 model 42 stepping 7
07:36:40     INFO -       8 CPUs
07:36:40     INFO -  Crash reason:  EXC_BAD_ACCESS / KERN_INVALID_ADDRESS
07:36:40     INFO -  Crash address: 0x70
07:36:40     INFO -  Thread 0 (crashed)
07:36:40     INFO -   0  XUL!mozilla::a11y::DocAccessible::UpdateTree(mozilla::a11y::Accessible*, nsIContent*, bool) [Accessible-inl.h:8589d9bdd501 : 19 + 0x5]
07:36:40     INFO -      rbx = 0x0000000000000001   r12 = 0x000000010c71d040
07:36:40     INFO -      r13 = 0x000000010c7511c0   r14 = 0x00000001276fba80
07:36:40     INFO -      r15 = 0x000000010c7511c0   rip = 0x0000000102d46174
07:36:40     INFO -      rsp = 0x00007fff5fbfb050   rbp = 0x0000000121e72ca0
07:36:40     INFO -      Found by: given as instruction pointer in context
07:36:40     INFO -   1  XUL!nsCSSFrameConstructor::ContentRemoved(nsIContent*, nsIContent*, nsIContent*, nsCSSFrameConstructor::RemoveFlags, bool*) [nsCSSFrameConstructor.cpp:8589d9bdd501 : 7790 + 0xe]
07:36:40     INFO -      rbx = 0x0000000126888bd0   r12 = 0x000000010c71d040
07:36:40     INFO -      r13 = 0x00000001266c2600   r14 = 0x0000000126888c48
07:36:40     INFO -      r15 = 0x0000000126888bd0   rip = 0x00000001029a6b3c
07:36:40     INFO -      rsp = 0x00007fff5fbfb0c0   rbp = 0x00000001266c2600
07:36:40     INFO -      Found by: call frame info
07:36:40     INFO -   2  XUL!nsCSSFrameConstructor::RecreateFramesForContent(nsIContent*, bool) [nsCSSFrameConstructor.cpp:8589d9bdd501 : 8948 + 0x16]
07:36:40     INFO -      rbx = 0x00000001266d5350   r12 = 0x0000000126888c48
07:36:40     INFO -      r13 = 0x00000001266c2600   r14 = 0x0000000000000001
07:36:40     INFO -      r15 = 0x000000010c71d040   rip = 0x00000001029a1497
07:36:40     INFO -      rsp = 0x00007fff5fbfb140   rbp = 0x00000001266d5470
07:36:40     INFO -      Found by: call frame info
07:36:40     INFO -   3  XUL!nsCSSFrameConstructor::MaybeRecreateContainerForFrameRemoval(nsIFrame*, tag_nsresult*) [nsCSSFrameConstructor.cpp:8589d9bdd501 : 8775 + 0x4]
07:36:40     INFO -      rbx = 0x00007fff5fbfb210   r12 = 0x0000000129fb7ca8
07:36:40     INFO -      r13 = 0x0000000129fb7ca8   r14 = 0x0000000129fb7ca8
07:36:40     INFO -      r15 = 0x0000000129fb7c10   rip = 0x00000001029a7722
07:36:40     INFO -      rsp = 0x00007fff5fbfb180   rbp = 0x000000010c71d040
07:36:40     INFO -      Found by: call frame info
07:36:40     INFO -   4  XUL!nsCSSFrameConstructor::ContentRemoved(nsIContent*, nsIContent*, nsIContent*, nsCSSFrameConstructor::RemoveFlags, bool*) [nsCSSFrameConstructor.cpp:8589d9bdd501 : 7737 + 0xa]
07:36:40     INFO -      rbx = 0x00000001266c2600   r12 = 0x000000010c71d040
07:36:40     INFO -      r13 = 0x00000001266c2600   r14 = 0x0000000129fb7ca8
07:36:40     INFO -      r15 = 0x0000000000000000   rip = 0x00000001029a69b5
07:36:40     INFO -      rsp = 0x00007fff5fbfb1d0   rbp = 0x00000001273adc10
07:36:40     INFO -      Found by: call frame info

remote:   https://hg.mozilla.org/integration/mozilla-inbound/rev/5de91aef0d9c

    
    

    
  
(In reply to alexander :surkov from comment #22)
> It returns explicit parent when a11y receives removal notification from
> nsCSSFrameConstructor::ContentRemoved
> (https://hg.mozilla.org/try/annotate/ba8df173201e/layout/base/
> nsCSSFrameConstructor.cpp#l7738). Could it be that binding gets unattached
> at this point?

it looks so,

flattened parent is expected right before IMPL_MUTATION_NOTIFICATION call in nsNodeUtils::ContentRemoved (http://mxr.mozilla.org/mozilla-central/source/content/base/src/nsNodeUtils.cpp#181) and it returns explicit parent when this macros calls PresShell::ContentRemoved.

Is there a chance to make layout to not break flatten hierarchy before nsCSSFrameConstructor::ContentRemoved is done or that's something has to be handled on a11y side?
Flags: needinfo?(wchen)

    
    

    
  
What is happening here is that the binding manager has a mutation observer on the marquee and when a child is removed, the insertion parent is cleared on the child causing GetFlattenedTreeParent() to return the explicit parent (http://dxr.mozilla.org/mozilla-central/source/dom/xbl/nsBindingManager.cpp#956). Due to the order in which mutation observers are called (from descendants towards the root), PresShell::ContentRemoved is among the last to be notified.

If we want to have the flattened hierarchy to stay the same until until after nsCSSFrameConstructor::ContentRemoved, we will need some other mechanism to clear the insertion parent after all the mutation observers are called. I'm not sure if that would be more trouble than trying to handle this on the a11y side.
Flags: needinfo?(wchen)

    
    

    
  
for this particular case we care about flat hierarchy on root only so if PresShell::ContentRemoved is called before the root is unattached then it should work for us. I can think of a11y workaround but it's rather ugly and not supposed to be really performant.

    
    

    
  

      
      
      
      

        Attached patch
          
          
        patch3Splinter Review
      

    


  
workaround the issue on a11y side

        Attachment #8461604 -
        Attachment is obsolete: true

        Attachment #8492273 -
        Flags: review?(dbolter)

    
    

    
  
Comment on attachment 8492273 [details] [diff] [review]
patch3

Review of attachment 8492273 [details] [diff] [review]:
-----------------------------------------------------------------

r=me, this looks like it does what I think you want to do. It is worrisome we have to do this but I'm ok if you are okay with it. I wonder if we'll hit cases in the wild where we feel this performance-wise.

(Aside: wchen says 'PresShell::ContentRemoved is among the last to be notified' - I wonder if we should be triggered from somewhere else in the removal code.)

::: accessible/base/nsAccessibilityService.cpp
@@ +407,5 @@
> +    // Flatten hierarchy may be broken at this point so we cannot get a true
> +    // container by traversing up the DOM tree. Find a parent of first accessible
> +    // from the subtree of the given DOM node, that'll be a container. If no
> +    // accessibles in subtree then we don't care about the change.
> +    Accessible* child = document->GetAccessible(aChildNode);

Sort of want a GetAccessibleOrFirstInTree, or GetAccessibleOrFirstChild... but I guess doing that explicitly below makes sense. I wonder how often we'll hit that code. Would be interesting to know how often child->Parent() != aChildNode->GetFlattenedTreeParent().

::: accessible/tests/mochitest/treeupdate/test_bug1040735.html
@@ +14,5 @@
> +  <script type="application/javascript">
> +    function doTest()
> +    {
> +      document.body.appendChild(document.getElementById("mw_a"));
> +      setTimeout(function() { ok(true, "no crash and assertions"); SimpleTest.finish(); } , 0);

Regarding organization of tests, should we have a crash test area/directory? It seems a bit odd to mingle this in with regular tests.

@@ +34,5 @@
> +  </pre>
> +
> +  <marquee>
> +    <div id="mw_a" style="visibility: hidden;">
> +      <div style="visibility: visible;" id="mw_inside"></div>

Curious about 'mw_a' and 'mw_inside' naming. What do they stand for?

::: accessible/tests/mochitest/treeupdate/test_optgroup.html
@@ +79,5 @@
>          this.selectNode.removeChild(this.selectNode.firstChild);
>        }
>  
>        this.eventSeq = [
> +        new invokerChecker(EVENT_REORDER, this.selectList)

Interesting.

        Attachment #8492273 -
        Flags: review?(dbolter) → review+

    
    

    
  
Comment on attachment 8492273 [details] [diff] [review]
patch3

>+  DocAccessible* document = GetDocAccessible(aPresShell);
>+  if (document) {
>+    // Flatten hierarchy may be broken at this point so we cannot get a true
>+    // container by traversing up the DOM tree. Find a parent of first accessible
>+    // from the subtree of the given DOM node, that'll be a container. If no
>+    // accessibles in subtree then we don't care about the change.
>+    Accessible* child = document->GetAccessible(aChildNode);
>+    if (!child) {
>+      a11y::TreeWalker walker(document->GetContainerAccessible(aChildNode),
>+                              aChildNode, a11y::TreeWalker::eWalkCache);
>+      child = walker.NextChild();
>+    }
>+
>+    if (child) {
>+      document->ContentRemoved(child->Parent(), aChildNode);

that seems broken if aChildNode is inaccessible, and has more than one accessible subtree within it.  For example if the content being removed is
<div role=presentation>
<div a role=button>foobar</div>
<div b role=button>another div</div>
</div>

I guess you'll remove a but not b.

    
    

    
  
(In reply to Trevor Saunders (:tbsaunde) from comment #30)

> that seems broken if aChildNode is inaccessible, and has more than one
> accessible subtree within it.  For example if the content being removed is
> <div role=presentation>
> <div a role=button>foobar</div>
> <div b role=button>another div</div>
> </div>
> 
> I guess you'll remove a but not b.

in this case container is accessible parent of presentation div (as a parent of accessible 'a' div), so in this particular case the logic is unchanged

    
    

    
  
(In reply to alexander :surkov from comment #31)
> (In reply to Trevor Saunders (:tbsaunde) from comment #30)
> 
> > that seems broken if aChildNode is inaccessible, and has more than one
> > accessible subtree within it.  For example if the content being removed is
> > <div role=presentation>
> > <div a role=button>foobar</div>
> > <div b role=button>another div</div>
> > </div>
> > 
> > I guess you'll remove a but not b.
> 
> in this case container is accessible parent of presentation div (as a parent
> of accessible 'a' div), so in this particular case the logic is unchanged

Oh, I see this works that's... tricky

    
  
Status: ASSIGNED → RESOLVED
Closed: 10 years ago
Keywords: leave-open
Resolution: --- → FIXED

    
  
Target Milestone: --- → mozilla35

    
    

    
  
Verified fixed, using 2014-10-02 Nightly.
Status: RESOLVED → VERIFIED

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: