crash in mozilla::a11y::ia2AccessibleHypertext::get_hyperlink

RESOLVED FIXED in Firefox 48

Status

()

defect
--
critical
RESOLVED FIXED
3 years ago
3 years ago

People

(Reporter: MarcoZ, Assigned: surkov)

Tracking

({crash})

Trunk
mozilla49
Unspecified
Windows NT
Points:
---

Firefox Tracking Flags

(firefox48 fixed, firefox49 fixed)

Details

(crash signature)

Attachments

(1 attachment)

This bug was filed from the Socorro interface and is 
report bp-07505ccb-a8c6-4e9e-9a53-3e6ac2160427.
=============================================================

I ran into this just now while doing the following:

1. Was reading http://www.kobinet-nachrichten.org/de/1/nachrichten/33572/Behindertenpolitik-in-Bewegung.htm.
2. Wanted to share it on FB, so first dismissed the cookie notice, second clicked the "FB click dummy", third dismissed the info that comes up by clicking on "Nicht mit Facebook verbunden".
3. The FB iframe doesn't load for me.
4. Pressed Ctrl+L to go to the address bar, and entered facebook.com.
5. Pressed Enter.
6. Crash.

However this crash looks quite corrupted. VBufBackend_GeckoIA2.dll is the injected NVDA module for the virtual buffers in Gecko.

I'll file this just in case, but doubt we'll se this come up again. I could not reproduce upon second attempt.
bp-add09e4c-8373-41f8-9fe6-5c1ed2160524

I can reliably reproduce this, but it's ... obscure to say the least.

STR:
1. Start NVDA and Firefox.
2. NVDA menu -> Preferences -> Review cursr, ensure "Simple review mode" is unchecked.
3. Open this URL: https://get.adobe.com/flashplayer/
4. Uncheck the "Yes, install the free McAfee Security Scan Plus utility..." check box.
5. Tab to the "Install now" link.
6. Press NVDA+numpad8 (laptop: NVDA+upArrow). NVDA shuold say "paragraph".
7. Press NVDA+control+z to open the Python console.
8. Paste the following:
nav.iaHypertext.hyperlink(0)
Result: Crash!

Notes:
1. I noticed this because once you uncheck that check box, the "Install now" link disappeas from NVDA's buffer. Oddly, though, the buffer doing it in-process doesn't seem to cause a crash. Even force reloading the entire buffer with NVDA+f5 doesn't crash, though the link is still gone.
2. If you grab a reference to that paragraph accessible *before* unchecking the check box, then uncheck the check box, then call .iaHypertext.hyperlink(0) on that original reference, it *doesn't* crash. Something about fetching a new reference to the object triggers this.
3. Unfortunately, I'm stumped on this one. No idea whatsoever what's going on. :(
I can definitely confirm that this link cannot be brought back. This reminds me a lot about what I describe in bug 1268916 with Bugzilla. I haven't tried getting to anything from that element where thhe link resided, but I bet it is a very similar issue. Jamie, mind checking if something similar is at work here?

Alex, this sounds a lot like there are still some indexes or arrays not being properly updated with some events. Maybe loosely related to bug 1270218?
Flags: needinfo?(surkov.alexander)
Flags: needinfo?(jamie)
(In reply to Marco Zehe (:MarcoZ) from comment #2)

> Alex, this sounds a lot like there are still some indexes or arrays not
> being properly updated with some events. Maybe loosely related to bug
> 1270218?

it's rather bug 1266226
Flags: needinfo?(surkov.alexander)
Posted patch patchSplinter Review
this is probably too bold approach, but I'm going to rework this code, so a small fix for now, which can be backported
Assignee: nobody → surkov.alexander
Flags: needinfo?(jamie)
Attachment #8756444 - Flags: review?(yzenevich)
Comment on attachment 8756444 [details] [diff] [review]
patch

Review of attachment 8756444 [details] [diff] [review]:
-----------------------------------------------------------------

code looks fine to me thanks
Attachment #8756444 - Flags: review?(yzenevich) → review+
https://hg.mozilla.org/mozilla-central/rev/045768176a0b
Status: NEW → RESOLVED
Closed: 3 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla49
Alex, this looks like an uplift candidate for 48, right?
Flags: needinfo?(surkov.alexander)
Comment on attachment 8756444 [details] [diff] [review]
patch

Approval Request Comment
[Feature/regressing bug #]:bug 1261425
[User impact if declined]:crashes, missed content for screen readers
[Describe test coverage new/current, TreeHerder]:mochitest
[Risks and why]: low, make an update unconditionally
[String/UUID change made/needed]:no
Flags: needinfo?(surkov.alexander)
Attachment #8756444 - Flags: approval-mozilla-aurora?
Comment on attachment 8756444 [details] [diff] [review]
patch

Crash fix, Aurora48+
Attachment #8756444 - Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
You need to log in before you can comment on or make changes to this bug.