crash in mozilla::a11y::Accessible::HasGenericType(mozilla::a11y::AccGenericType)

RESOLVED FIXED in Firefox 43

Status: RESOLVED FIXED (defect, critical)
Reporter: davidb, Assigned: tbsaunde
Keywords: crash
Version: unspecified
Target Milestone: mozilla43
Platform: x86, Windows NT
Firefox Tracking Flags: firefox43 fixed
Attachments: 2 attachments

This bug was filed from the Socorro interface and is report bp-e8751db0-a2de-4931-bd06-93e202150720.
=============================================================

(Bizarre)

Range: https://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=38d03bf4616e&tochange=283b5f38ce57
Comment 1 (Assignee), 4 years ago
this is pretty strange, I don't see a place I would necessarily expect to see a break point instruction in that code.  I kind of wonder if this is another case of the child sending bad messages to the parent, and then the parent killing it.
Currently the top crash on nightly.
(In reply to David Bolter [:davidb] from comment #3)
> Currently the top crash on nightly.

(Over the last 3 days)
(In reply to Trevor Saunders (:tbsaunde) from comment #1)
> this is pretty strange, I don't see a place I would necessarily expect to
> see a break point instruction in that code.  I kind of wonder if this is
> another case of the child sending bad messages to the parent, and then the
> parent killing it.

That was true for the report in comment 0 but it was a one-off.

More often they look like bp-b116bf4b-79dc-4f35-844e-15fa52150901, with a null |this| pointer.
(Wondering, maybe a regression from bug 1172525?)
That would be consistent with the date ranges that we're seeing (this started in 0714).
Comment 8 (Assignee), 4 years ago
(In reply to David Major [:dmajor] from comment #5)
> (In reply to Trevor Saunders (:tbsaunde) from comment #1)
> > this is pretty strange, I don't see a place I would necessarily expect to
> > see a break point instruction in that code.  I kind of wonder if this is
> > another case of the child sending bad messages to the parent, and then the
> > parent killing it.
> 
> That was true for the report in comment 0 but it was a one-off.
> 
> More often they look like bp-b116bf4b-79dc-4f35-844e-15fa52150901, with a
> null |this| pointer.

ah, that makes a little more sense though it's still pretty weird that ChildCount() returned 1, but GetChildAt(0) returns null.  I was under the impression there were no xul trees in content processes, but GetChildAt / ChildCount() for them aren't just looking at an array so it's a little more likely they could do strange things like this.  Anyway I guess we can work around this now :/
Trevor I'm guessing you are taking this?
Assignee: nobody → tbsaunde+mozbugs
Comment 10 (Assignee), 4 years ago
In theory this should be the same, but slightly faster than checking there is
one child and it is a document.  However it appears ChildCount() sometimes
returns 1 when there is no child 0.
Attachment #8656404 - Flags: review?(dbolter)
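
The mismatch reported in comment 10, as an added example (not the attached patch and not Gecko source): a simplified, hypothetical `Node` model in which `ChildCount()` can report 1 while `GetChildAt(0)` returns null, with the child-inspecting check next to the type-flag check. `StaleCountNode`, `FragileCheck`, `RobustCheck` and the `Result` enum are assumptions made for illustration.

```cpp
#include <cstddef>
#include <cstdint>
#include <memory>
#include <utility>
#include <vector>

// Simplified model (hypothetical, not Gecko's classes): ChildCount() and
// GetChildAt() are separate virtuals, so a subclass can make them disagree.
enum GenericType : uint32_t { eDocument = 1u << 0, eOuterDoc = 1u << 1 };
class Node {
 public:
  explicit Node(uint32_t types) : mTypes(types) {}
  virtual ~Node() = default;
  bool HasGenericType(GenericType t) const { return (mTypes & t) != 0; }
  bool IsDoc() const { return HasGenericType(eDocument); }
  bool IsOuterDoc() const { return HasGenericType(eOuterDoc); }
  virtual size_t ChildCount() const { return mChildren.size(); }
  virtual Node* GetChildAt(size_t i) const {
    return i < mChildren.size() ? mChildren[i].get() : nullptr;
  }
  void Append(std::unique_ptr<Node> c) { mChildren.push_back(std::move(c)); }
 private:
  uint32_t mTypes;
  std::vector<std::unique_ptr<Node>> mChildren;
};

// Constructed failure case: reports one child but has none to hand out.
class StaleCountNode : public Node {
 public:
  using Node::Node;
  size_t ChildCount() const override { return 1; }
};

enum class Result { NotOuterDoc, OuterDoc, WouldDerefNull };
// Fragile form: trusts ChildCount(). Without the null test added here for
// the demo, child->IsDoc() would run with a null |this|.
Result FragileCheck(const Node& n) {
  if (n.ChildCount() != 1) return Result::NotOuterDoc;
  Node* child = n.GetChildAt(0);
  if (!child) return Result::WouldDerefNull;
  return child->IsDoc() ? Result::OuterDoc : Result::NotOuterDoc;
}

// Hardened form: ask the node about its own type; no child is touched.
bool RobustCheck(const Node& n) { return n.IsOuterDoc(); }

int main() {
  StaleCountNode stale(eOuterDoc);
  return FragileCheck(stale) == Result::WouldDerefNull && RobustCheck(stale) ? 0 : 1;
}
```
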
Comment on attachment 8656404
make SerializeTree() use IsOuterDoc() to check if an accessible is an outer doc

Review of attachment 8656404:
-----------------------------------------------------------------

r=me. Can you make sure we have a bug filed about ChildCount? That smells pretty bad. Also, make sure you get some sleep :)
Attachment #8656404 - Flags: review?(dbolter) → review+
https://hg.mozilla.org/mozilla-central/rev/5b4d92df0c1a
Status: NEW → RESOLVED
Last Resolved: 4 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla43
Comment 14 (Assignee), 4 years ago
(In reply to David Bolter [:davidb] from comment #11)
> Comment on attachment 8656404
> make SerializeTree() use IsOuterDoc() to check if an accessible is an outer
> doc
> 
> Review of attachment 8656404:
> -----------------------------------------------------------------
> 
> r=me. Can you make sure we have a bug filed about ChildCount? That smells
> pretty bad. Also, make sure you get some sleep :)

filed bug 1186536 though I suspect it won't go anywhere.
> filed bug 1186536 though I suspect it won't go anywhere.

That's this bug; I assume you meant bug 1201899.
Comment 16 (Assignee), 4 years ago
(In reply to David Major [:dmajor] from comment #15)
> > filed bug 1186536 though I suspect it won't go anywhere.
> 
> That's this bug; I assume you meant bug 1201899.

oops, yeah
Reports of this crash continue to come in on Nightly builds after the fix was landed.  Are those crashes to be tracked in bug 1201899?  Or should this bug be re-opened?
Thanks Tracy. Reopening this one for Trevor to take a look. Here's a recent stack (FWIW):
https://crash-stats.mozilla.com/report/index/1d1f4b08-58dc-4674-aa4f-2d49e2150908

The 4 comments in crash stats all related to (especially deleting?) Yahoo mail.
Status: RESOLVED → REOPENED
Flags: needinfo?(tbsaunde+mozbugs)
Resolution: FIXED → ---
Comment 19 (Assignee), 4 years ago
This probably should never happen, but it seems to sometimes in the wild, and
it's hard to know what caused that without a test case.  So for now work around
the issue by adding a null check.
(In reply to Trevor Saunders (:tbsaunde) from comment #19)
> Created attachment 8658372
> Bail out of ProxyTextChangeEvent() if the proxy doesn't have a wrapper
> 
> This probably should never happen, but it seems to sometimes in the wild, and
> it's hard to know what caused that without a test case.  So for now work
> around the issue by adding a null check.

Want a review?

Do you have any wild ideas how it happens?
Comment 21 (Assignee), 4 years ago
(In reply to David Bolter [:davidb] from comment #20)
> (In reply to Trevor Saunders (:tbsaunde) from comment #19)
> > Created attachment 8658372
> > Bail out of ProxyTextChangeEvent() if the proxy doesn't have a wrapper
> > 
> > This probably should never happen, but it seems to sometimes in the wild, and
> > it's hard to know what caused that without a test case.  So for now work
> > around the issue by adding a null check.
> 
> Want a review?

oops yeah

> Do you have any wild ideas how it happens?

no :(
Flags: needinfo?(tbsaunde+mozbugs)
Updated (Assignee), 4 years ago
Attachment #8658372 - Flags: review?(dbolter)
Attachment #8658372 - Flags: review?(dbolter) → review+
https://hg.mozilla.org/mozilla-central/rev/2cef846e92e4
Status: REOPENED → RESOLVED
Last Resolved: 4 years ago
Resolution: --- → FIXED
This HasGenericType signature greatly spiked in volume in the 0916 build. I'm not entirely sure if 0917 is better, or if the crashes merely haven't come in yet. Do you know what happened?

Example: bp-ed067ea1-340b-4fc3-9fd3-709fe2150916
Flags: needinfo?(tbsaunde+mozbugs)
Comment 25 (Assignee), 4 years ago
(In reply to David Major [:dmajor] from comment #24)
> This HasGenericType signature greatly spiked in volume in the 0916 build.
> I'm not entirely sure if 0917 is better, or if the crashes merely haven't
> come in yet. Do you know what happened?
> 
> Example: bp-ed067ea1-340b-4fc3-9fd3-709fe2150916

no :( I wouldn't expect anything I've checked in to cause that and would be somewhat surprised if they did.  My first guess would be bug 1133213 because it changes the accessible tree and events, which are both involved in this crash.
Flags: needinfo?(tbsaunde+mozbugs)
> I'm not entirely sure if 0917 is better, or if the crashes merely haven't come in yet.

With more precincts reporting, it seems that this is still quite a problem in the 0917 build.
(In reply to Trevor Saunders (:tbsaunde) from comment #25)
> (In reply to David Major [:dmajor] from comment #24)
> > This HasGenericType signature greatly spiked in volume in the 0916 build.
> > I'm not entirely sure if 0917 is better, or if the crashes merely haven't
> > come in yet. Do you know what happened?
> > 
> > Example: bp-ed067ea1-340b-4fc3-9fd3-709fe2150916
> 
> no :( I wouldn't expect anything I've checked in to cause that and would be
> somewhat surprised if they did.  My first guess would be bug 1133213 because
> it changes the accessible tree and events, which are both involved in this
> crash.

Bug 1133213 would fit the regression range. :surkov, any ideas?
Flags: needinfo?(surkov.alexander)
may I ask you to file a new bug for that since this bug's one and referred one have different stacks?
Flags: needinfo?(surkov.alexander)
No problem, bug 1206107.