Closed
Bug 1284314
Opened 8 years ago
Closed 8 years ago
Investigate stability of tear-off interfaces with remote COM objects
Categories
(Core :: Disability Access APIs, defect)
Tracking
()
People
(Reporter: bugzilla, Assigned: bugzilla)
References
(Blocks 1 open bug)
Details
Attachments
(1 file)
1.26 KB,
patch
|
tbsaunde
:
review+
|
Details | Diff | Splinter Review |
I wrote a test program for traversing our a11y interfaces. It crashes when CoUninitialize tries to disconnect its proxies. After reducing this down to a test case, it looks like this only happens when resolving two separate IServiceProvider objects for the same underlying Accessible. Note that this is more complicated than just calling QueryInterface twice on the same IAccessible object; COM proxies cache QI results so it will just return the same IServiceProvider for both calls. Where this gets messy is if I do something like: root->QueryInterface(IID_IServiceProvider, sp1) root->getChild(0) child0->getParent() parent->QueryInterface(IServiceProvider, sp2); In this case, the COM proxy manager doesn't realize that parent and root are actually the same objects, so sp1 and sp2 are remoted as distinct interfaces. I am not 100% certain as to the *why* of this crash, other than the fact that in my "Essential COM" book, tear-offs are considered "risky" when they are remoted. I probably need to dive deeper into the details of reference counting of remote objects to determine why this messes up the client.
Assignee | ||
Comment 1•8 years ago
|
||
Here's the client call stack at the crash site: 00 combase!CStdMarshal::DisconnectProxyFromChannel+0x2f 01 combase!CStdMarshal::DisconnectCliIPIDs+0x16f 02 combase!CStdMarshal::Disconnect+0x184 03 combase!DisconnectSwitch+0x21 04 combase!CStdMarshal::DisconnectAndRelease+0x2a 05 combase!COIDTable::ThreadCleanup+0xed 06 combase!FinishShutdown::__l5::<lambda_59bccf517150cc90d93e23ea9348175e>::operator()+0x5 07 combase!ObjectMethodExceptionHandlingAction<<lambda_59bccf517150cc90d93e23ea9348175e> >+0x15 08 combase!FinishShutdown+0x37 09 combase!ApartmentUninitialize+0x68 0a combase!wCoUninitialize+0xd0 0b combase!CoUninitialize+0x7e 0c a11ytest!mozilla::COMApartmentRegion<2>::~COMApartmentRegion<2>+0x15 0d a11ytest!main+0x426 0e a11ytest!invoke_main+0x1d 0f a11ytest!__scrt_common_main_seh+0xff 10 KERNEL32!BaseThreadInitThunk+0x24 11 ntdll!__RtlUserThreadStart+0x2f 12 ntdll!_RtlUserThreadStart+0x1b
Assignee | ||
Comment 2•8 years ago
|
||
Jamie, have you ever encountered anything like this?
Flags: needinfo?(jamie)
Assignee | ||
Comment 3•8 years ago
|
||
(Also, I should point out that this very well could be a bug elsewhere in my code, but the circumstances surrounding its test case make me suspicious)
Assignee | ||
Comment 5•8 years ago
|
||
Note that we're now hitting similar crashes in Marionette. I temporarily disable the affected test (see https://hg.mozilla.org/integration/mozilla-inbound/rev/4d00141b4cb9), but we're going to need to fix this before that can be reenabled.
Assignee | ||
Comment 6•8 years ago
|
||
https://hg.mozilla.org/integration/mozilla-inbound/rev/baf4430c62c0e6bd5c9ca45ed7454dc311dd99b2 Bug 1284314: Disable a11y jsat mochitests on Windows e10s; r=bustage a=philor CLOSED TREE
Assignee | ||
Comment 7•8 years ago
|
||
https://hg.mozilla.org/integration/mozilla-inbound/rev/748308e48c83a96aa8e18dad709e082669eaf5b3 Bug 1284314: Disable a11y jsat mochitests on Windows; r=bustage CLOSED TREE
Assignee | ||
Updated•8 years ago
|
Keywords: leave-open
Comment 8•8 years ago
|
||
bugherder |
https://hg.mozilla.org/mozilla-central/rev/baf4430c62c0 https://hg.mozilla.org/mozilla-central/rev/748308e48c83
Assignee | ||
Comment 9•8 years ago
|
||
It appears that our tearoff for IEnumVARIANT is implementing its own QI entry for IUnknown, which breaks the rules of COM because it messes up object identity. IUnknown *must* unconditionally query back to the original interface from which the tearoff was spawned. I suspect that this is the problem, but will need to verify with testing.
Assignee | ||
Comment 10•8 years ago
|
||
Good news: the client crashes that I was seeing were a result of a bug in my test code. Bad news: I do see a tearoff QI that could mess up object identity.
Assignee | ||
Comment 11•8 years ago
|
||
Tearoffs need their IUnknown to resolve to the IUnknown that belonged to the original object that created them. Otherwise it violates the rules of COM and may impair the COM runtime's ability to properly manage object lifetime. I think this should be okay given that we have checks elsewhere for IsDefunct().
Assignee: nobody → aklotz
Status: NEW → ASSIGNED
Attachment #8789095 -
Flags: review?(tbsaunde+mozbugs)
Comment 12•8 years ago
|
||
(In reply to Aaron Klotz [:aklotz] from comment #11) > Created attachment 8789095 [details] [diff] [review] > Make sure that ChildrenEnumVariant always forwards to mAnchorAcc > > Tearoffs need their IUnknown to resolve to the IUnknown that belonged to the > original object that created them. Otherwise it violates the rules of COM > and may impair the COM runtime's ability to properly manage object lifetime. Implementing COM is so much fun as usual. > I think this should be okay given that we have checks elsewhere for > IsDefunct(). yeah, and we don't ever reset mAnchorAcc that I can see.
Updated•8 years ago
|
Attachment #8789095 -
Flags: review?(tbsaunde+mozbugs) → review+
Assignee | ||
Comment 13•8 years ago
|
||
https://hg.mozilla.org/integration/mozilla-inbound/rev/16a3dac277fffccef2c6c8ba68a96921e4d7ade0 Bug 1284314: Fix EnumVariant's QI so that it always resolves the original object's IUnknown; r=tbsaunde
Comment 14•8 years ago
|
||
bugherder |
https://hg.mozilla.org/mozilla-central/rev/16a3dac277ff
Assignee | ||
Updated•8 years ago
|
Status: ASSIGNED → RESOLVED
Closed: 8 years ago
status-firefox49:
--- → wontfix
status-firefox51:
--- → wontfix
status-firefox52:
--- → fixed
Keywords: leave-open
Resolution: --- → FIXED
You need to log in
before you can comment on or make changes to this bug.
Description
•