Closed Bug 1197254 Opened 7 years ago Closed 7 years ago

Reliable segfault in mozilla::a11y::ARIAGridCellAccessible::GroupPosition() in Nightly

Categories

(Core :: Disability Access APIs, defect)

Unspecified
Linux
defect
Not set
major

Tracking

RESOLVED DUPLICATE of bug 1194859
Tracking Status
firefox43 --- affected

People

(Reporter: jdiggs, Unassigned)

References

(Blocks 2 open bugs)

Attachments

(1 file)

Steps to reproduce:
1. Launch the attached accessible-event listener in a terminal
2. Launch http://archive.dojotoolkit.org/nightly/dojotoolkit/dijit/tests/form/test_Button.html
3. Click on the "Color" dropdown button in the first row of buttons

Expected results: No segfault.
Actual results: Reliable segfault. See below.

Crashes on: 42.0a1 (2015-06-29)
Does NOT crash on: 41.0a1 (2015-06-28)
Looks a lot like bug 1178817

Program received signal SIGSEGV, Segmentation fault.
0x00007fffe946dc9f in mozilla::a11y::ARIAGridCellAccessible::GroupPosition (this=<optimized out>)
    at /builds/slave/m-cen-l64-asan-d-0000000000000/build/src/accessible/generic/ARIAGridAccessible.cpp:693

(gdb) bt
#0  0x00007fffe946dc9f in mozilla::a11y::ARIAGridCellAccessible::GroupPosition() (this=<optimized out>)
    at /builds/slave/m-cen-l64-asan-d-0000000000000/build/src/accessible/generic/ARIAGridAccessible.cpp:693
#1  0x00007fffe94739ae in mozilla::a11y::Accessible::NativeAttributes() (this=<optimized out>)
    at /builds/slave/m-cen-l64-asan-d-0000000000000/build/src/accessible/generic/Accessible.cpp:938
#2  0x00007fffe946d6c9 in mozilla::a11y::HyperTextAccessible::NativeAttributes() (this=<optimized out>)
    at /builds/slave/m-cen-l64-asan-d-0000000000000/build/src/accessible/generic/HyperTextAccessible.cpp:959
#3  0x00007fffe946d234 in mozilla::a11y::ARIAGridCellAccessible::NativeAttributes() (this=<optimized out>)
    at /builds/slave/m-cen-l64-asan-d-0000000000000/build/src/accessible/generic/ARIAGridAccessible.cpp:653
#4  0x00007fffe9472e1a in mozilla::a11y::Accessible::Attributes() (this=0x60c00021a0c0)
    at /builds/slave/m-cen-l64-asan-d-0000000000000/build/src/accessible/generic/Accessible.cpp:858
#5  0x00007fffe940d162 in GetAttributeSet(mozilla::a11y::Accessible*) (aAccessible=0x60c00021a0c0)
    at /builds/slave/m-cen-l64-asan-d-0000000000000/build/src/accessible/atk/AccessibleWrap.cpp:737
#6  0x00007fffe94125de in getAttributesCB(_AtkObject*) (aAtkObj=<optimized out>)
    at /builds/slave/m-cen-l64-asan-d-0000000000000/build/src/accessible/atk/AccessibleWrap.cpp:758
#7  0x00007fffcf68ed30 in impl_GetAttributes () at /lib64/libatk-bridge-2.0.so.0
#8  0x00007fffcf68d29a in handle_message () at /lib64/libatk-bridge-2.0.so.0
#9  0x00007fffe0d5c153 in _dbus_object_tree_dispatch_and_unlock () at /lib64/libdbus-1.so.3
#10 0x00007fffe0d4d6e4 in dbus_connection_dispatch () at /lib64/libdbus-1.so.3
#11 0x00007fffcf45a0a5 in message_queue_dispatch () at /lib64/libatspi.so.0
#12 0x00007fffe07f2f2a in g_main_context_dispatch () at /lib64/libglib-2.0.so.0
#13 0x00007fffe07f32c0 in g_main_context_iterate.isra () at /lib64/libglib-2.0.so.0
#14 0x00007fffe07f336c in g_main_context_iteration () at /lib64/libglib-2.0.so.0
#15 0x00007fffe843dd9f in nsAppShell::ProcessNextNativeEvent(bool) (this=<optimized out>, mayWait=<optimized out>)
    at /builds/slave/m-cen-l64-asan-d-0000000000000/build/src/widget/gtk/nsAppShell.cpp:158
#16 0x00007fffe83d3934 in nsBaseAppShell::DoProcessNextNativeEvent(bool, unsigned int) (this=0x60c0000238c0, mayWait=false, recursionDepth=0) at /builds/slave/m-cen-l64-asan-d-0000000000000/build/src/widget/nsBaseAppShell.cpp:141
#17 0x00007fffe83d41a2 in nsBaseAppShell::OnProcessNextEvent(nsIThreadInternal*, bool, unsigned int) (this=<optimized out>, thr=<optimized out>, mayWait=64, recursionDepth=<optimized out>)
    at /builds/slave/m-cen-l64-asan-d-0000000000000/build/src/widget/nsBaseAppShell.cpp:281
#18 0x00007fffe83d45f0 in non-virtual thunk to nsBaseAppShell::OnProcessNextEvent(nsIThreadInternal*, bool, unsigned int) ()
    at Unified_cpp_widget1.cpp:316
#19 0x00007fffe41fe71a in nsThread::ProcessNextEvent(bool, bool*) (this=<optimized out>, aMayWait=<optimized out>, aResult=<optimized out>) at /builds/slave/m-cen-l64-asan-d-0000000000000/build/src/xpcom/threads/nsThread.cpp:817
#20 0x00007fffe428074f in NS_ProcessNextEvent(nsIThread*, bool) (aThread=<optimized out>, aMayWait=true)
    at /builds/slave/m-cen-l64-asan-d-0000000000000/build/src/xpcom/glue/nsThreadUtils.cpp:265
#21 0x00007fffe49c853d in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) (this=<optimized out>, aDelegate=<optimized out>) at /builds/slave/m-cen-l64-asan-d-0000000000000/build/src/ipc/glue/MessagePump.cpp:127
#22 0x00007fffe493efd2 in MessageLoop::RunInternal() (this=<optimized out>)
    at /builds/slave/m-cen-l64-asan-d-0000000000000/build/src/ipc/chromium/src/base/message_loop.cc:234
#23 0x00007fffe493ee79 in MessageLoop::Run() (this=0x61400002d640)
    at /builds/slave/m-cen-l64-asan-d-0000000000000/build/src/ipc/chromium/src/base/message_loop.cc:201
#24 0x00007fffe83d3a67 in nsBaseAppShell::Run() (this=<optimized out>)
    at /builds/slave/m-cen-l64-asan-d-0000000000000/build/src/widget/nsBaseAppShell.cpp:165
#25 0x00007fffe98fe436 in nsAppStartup::Run() (this=0x607000010d30)
    at /builds/slave/m-cen-l64-asan-d-0000000000000/build/src/toolkit/components/startup/nsAppStartup.cpp:280
#26 0x00007fffe99d9d57 in XREMain::XRE_mainRun() (this=<optimized out>)
    at /builds/slave/m-cen-l64-asan-d-0000000000000/build/src/toolkit/xre/nsAppRunner.cpp:4275
#27 0x00007fffe99dafdf in XREMain::XRE_main(int, char**, nsXREAppData const*) (this=0x7fffffffc500, argc=<optimized out>, argv=<optimized out>, aAppData=<optimized out>) at /builds/slave/m-cen-l64-asan-d-0000000000000/build/src/toolkit/xre/nsAppRunner.cpp:4359
#28 0x00007fffe99dbb23 in XRE_main(int, char**, nsXREAppData const*, uint32_t) (argc=2, argv=0x7fffffffddd8, aAppData=<optimized out>, aFlags=<optimized out>) at /builds/slave/m-cen-l64-asan-d-0000000000000/build/src/toolkit/xre/nsAppRunner.cpp:4448
#29 0x000000000048b5c1 in do_main(int, char**, nsIFile*) (argc=<optimized out>, argv=<optimized out>, xreDirectory=<optimized out>)
    at /builds/slave/m-cen-l64-asan-d-0000000000000/build/src/browser/app/nsBrowserApp.cpp:214
#30 0x000000000048ab42 in main(int, char**) (argc=2, argv=0x5c)
    at /builds/slave/m-cen-l64-asan-d-0000000000000/build/src/browser/app/nsBrowserApp.cpp:478
Blocks: 1171559
Joanie, can you still reproduce this after bug 1194859 has been fixed? Not sure that one had landed yet in the nightly you were testing. Could you re-test?
Flags: needinfo?(jdiggs)
I'm still seeing the crash using 43.0a1 (2015-08-25).
Flags: needinfo?(jdiggs)
OK thanks, I just wanted to make sure this wasn't a duplicate, since the signatures look very similar. We'll have to wait for Surkov to come back from PTO to take a look.
Flags: needinfo?(surkov.alexander)
It's strange, can I have a link at crash stats for this crash?
Flags: needinfo?(surkov.alexander)
Marco asked me if I was still seeing this crash after the subsequent changes/fix for bug 1194859. Having just tested with the 09-02 nightly, I'm no longer seeing the crash. Therefore marking this as a duplicate.
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 1194859
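
The comments above compare crash signatures to decide whether two reports are the same bug. As an added example (not part of the original report and not Mozilla's own tooling), this reduces a gdb backtrace to a signature that ignores load addresses, argument values, build paths and line numbers. The names `parse_frames` and `signature`, the default depth and the second trace are assumptions made for illustration.

```python
import re

# Excerpt of the gdb backtrace from this report (frames #0, #1 and #7).
REPORTED_BT = """\
#0  0x00007fffe946dc9f in mozilla::a11y::ARIAGridCellAccessible::GroupPosition() (this=<optimized out>)
    at /builds/slave/m-cen-l64-asan-d-0000000000000/build/src/accessible/generic/ARIAGridAccessible.cpp:693
#1  0x00007fffe94739ae in mozilla::a11y::Accessible::NativeAttributes() (this=<optimized out>)
    at /builds/slave/m-cen-l64-asan-d-0000000000000/build/src/accessible/generic/Accessible.cpp:938
#7  0x00007fffcf68ed30 in impl_GetAttributes () at /lib64/libatk-bridge-2.0.so.0
"""

# Constructed second trace: same call path, but different load addresses,
# build directory and line numbers, as another build of the code would show.
OTHER_BT = """\
#0  0x00007f12a0000c9f in mozilla::a11y::ARIAGridCellAccessible::GroupPosition() (this=<optimized out>)
    at /home/dev/src/accessible/generic/ARIAGridAccessible.cpp:701
#1  0x00007f12a00069ae in mozilla::a11y::Accessible::NativeAttributes() (this=<optimized out>)
    at /home/dev/src/accessible/generic/Accessible.cpp:940
"""

FRAME_RE = re.compile(r"^#(\d+)\s+(?:0x[0-9a-fA-F]+ in )?(.*)$")

def parse_frames(bt):
    """Return [(index, function, source_file)] from gdb 'bt' output."""
    joined = []
    for line in bt.splitlines():
        if line.startswith("#"):
            joined.append(line.strip())
        elif joined and line.strip():
            joined[-1] += " " + line.strip()    # wrapped "at file:line" part
    frames = []
    for m in filter(None, map(FRAME_RE.match, joined)):
        body, _, location = m.group(2).rpartition(" at ")
        if not body:                            # frame without "at ..."
            body, location = m.group(2), ""
        func = body.rsplit(" (", 1)[0]          # drop the argument values
        func = re.sub(r"\(.*\)$", "", func)     # drop the C++ parameter list
        src = location.rsplit(":", 1)[0].rsplit("/", 1)[-1]  # file name only
        frames.append((int(m.group(1)), func, src))
    return frames

def signature(bt, depth=3):
    """Top `depth` function names joined with ' | ' (depth is an assumed choice)."""
    return " | ".join(func for _, func, _ in parse_frames(bt)[:depth])

if __name__ == "__main__":
    print(signature(REPORTED_BT, 2), signature(REPORTED_BT, 2) == signature(OTHER_BT, 2))
```

A matching signature only flags a candidate duplicate; in this report the duplicate was confirmed by retesting with a nightly that contained the changes for bug 1194859.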