Closed Bug 1268069 Opened 5 years ago Closed 5 years ago

crash in mozilla::a11y::ia2AccessibleHypertext::get_hyperlink

Categories

(Core :: Disability Access APIs, defect)

Unspecified
Windows NT
defect
Not set
critical

Tracking

()

RESOLVED FIXED
mozilla49
Tracking Status
firefox48 --- fixed
firefox49 --- fixed

People

(Reporter: MarcoZ, Assigned: surkov)

Details

(Keywords: crash)

Crash Data

Attachments

(1 file)

This bug was filed from the Socorro interface and is 
report bp-07505ccb-a8c6-4e9e-9a53-3e6ac2160427.
=============================================================

I ran into this just now while doing the following:

1. Was reading http://www.kobinet-nachrichten.org/de/1/nachrichten/33572/Behindertenpolitik-in-Bewegung.htm.
2. Wanted to share it on FB, so first dismissed the cookie notice, second clicked the "FB click dummy", third dismissed the info that comes up by clicking on "Nicht mit Facebook verbunden".
3. The FB iframe doesn't load for me.
4. Pressed Ctrl+L to go to the address bar, and entered facebook.com.
5. Pressed Enter.
6. Crash.

However this crash looks quite corrupted. VBufBackend_GeckoIA2.dll is the injected NVDA module for the virtual buffers in Gecko.

I'll file this just in case, but doubt we'll se this come up again. I could not reproduce upon second attempt.
bp-add09e4c-8373-41f8-9fe6-5c1ed2160524

I can reliably reproduce this, but it's ... obscure to say the least.

STR:
1. Start NVDA and Firefox.
2. NVDA menu -> Preferences -> Review cursr, ensure "Simple review mode" is unchecked.
3. Open this URL: https://get.adobe.com/flashplayer/
4. Uncheck the "Yes, install the free McAfee Security Scan Plus utility..." check box.
5. Tab to the "Install now" link.
6. Press NVDA+numpad8 (laptop: NVDA+upArrow). NVDA shuold say "paragraph".
7. Press NVDA+control+z to open the Python console.
8. Paste the following:
nav.iaHypertext.hyperlink(0)
Result: Crash!

Notes:
1. I noticed this because once you uncheck that check box, the "Install now" link disappeas from NVDA's buffer. Oddly, though, the buffer doing it in-process doesn't seem to cause a crash. Even force reloading the entire buffer with NVDA+f5 doesn't crash, though the link is still gone.
2. If you grab a reference to that paragraph accessible *before* unchecking the check box, then uncheck the check box, then call .iaHypertext.hyperlink(0) on that original reference, it *doesn't* crash. Something about fetching a new reference to the object triggers this.
3. Unfortunately, I'm stumped on this one. No idea whatsoever what's going on. :(
I can definitely confirm that this link cannot be brought back. This reminds me a lot about what I describe in bug 1268916 with Bugzilla. I haven't tried getting to anything from that element where thhe link resided, but I bet it is a very similar issue. Jamie, mind checking if something similar is at work here?

Alex, this sounds a lot like there are still some indexes or arrays not being properly updated with some events. Maybe loosely related to bug 1270218?
Flags: needinfo?(surkov.alexander)
Flags: needinfo?(jamie)
(In reply to Marco Zehe (:MarcoZ) from comment #2)

> Alex, this sounds a lot like there are still some indexes or arrays not
> being properly updated with some events. Maybe loosely related to bug
> 1270218?

it's rather bug 1266226
Flags: needinfo?(surkov.alexander)
Attached patch patchSplinter Review
this is probably too bold approach, but I'm going to rework this code, so a small fix for now, which can be backported
Assignee: nobody → surkov.alexander
Flags: needinfo?(jamie)
Attachment #8756444 - Flags: review?(yzenevich)
Comment on attachment 8756444 [details] [diff] [review]
patch

Review of attachment 8756444 [details] [diff] [review]:
-----------------------------------------------------------------

code looks fine to me thanks
Attachment #8756444 - Flags: review?(yzenevich) → review+
https://hg.mozilla.org/mozilla-central/rev/045768176a0b
Status: NEW → RESOLVED
Closed: 5 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla49
Alex, this looks like an uplift candidate for 48, right?
Flags: needinfo?(surkov.alexander)
Comment on attachment 8756444 [details] [diff] [review]
patch

Approval Request Comment
[Feature/regressing bug #]:bug 1261425
[User impact if declined]:crashes, missed content for screen readers
[Describe test coverage new/current, TreeHerder]:mochitest
[Risks and why]: low, make an update unconditionally
[String/UUID change made/needed]:no
Flags: needinfo?(surkov.alexander)
Attachment #8756444 - Flags: approval-mozilla-aurora?
Comment on attachment 8756444 [details] [diff] [review]
patch

Crash fix, Aurora48+
Attachment #8756444 - Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
You need to log in before you can comment on or make changes to this bug.