Closed
Bug 1318645
Opened 7 years ago
Closed 6 years ago
Crash in mozilla::a11y::Accessible::Elm
Categories
(Core :: Disability Access APIs, defect)
People
(Reporter: philipp, Unassigned)
References
(Blocks 1 open bug)
Details
(4 keywords, Whiteboard: [post-critsmash-triage][adv-main54+])
Crash Data
This bug was filed from the Socorro interface and is report bp-4ebec930-123c-4dc2-a687-7d95e2161110.
=============================================================
Crashing Thread (0)
Frame  Module  Signature  Source
0  xul.dll  mozilla::a11y::Accessible::Elm()  accessible/generic/Accessible.h:176
1  xul.dll  mozilla::a11y::DocAccessible::RemoveDependentIDsFor(mozilla::a11y::Accessible*, nsIAtom*)  accessible/generic/DocAccessible.cpp:1599
2  xul.dll  mozilla::a11y::DocAccessible::UncacheChildrenInSubtree(mozilla::a11y::Accessible*)  accessible/generic/DocAccessible.cpp:2269
3  xul.dll  mozilla::a11y::DocAccessible::UncacheChildrenInSubtree(mozilla::a11y::Accessible*)  accessible/generic/DocAccessible.cpp:2273
4  xul.dll  mozilla::a11y::DocAccessible::UncacheChildrenInSubtree(mozilla::a11y::Accessible*)  accessible/generic/DocAccessible.cpp:2273
5  xul.dll  mozilla::a11y::DocAccessible::UncacheChildrenInSubtree(mozilla::a11y::Accessible*)  accessible/generic/DocAccessible.cpp:2273
6  xul.dll  mozilla::a11y::DocAccessible::UncacheChildrenInSubtree(mozilla::a11y::Accessible*)  accessible/generic/DocAccessible.cpp:2273
7  xul.dll  mozilla::a11y::DocAccessible::UncacheChildrenInSubtree(mozilla::a11y::Accessible*)  accessible/generic/DocAccessible.cpp:2273
8  xul.dll  mozilla::a11y::DocAccessible::UncacheChildrenInSubtree(mozilla::a11y::Accessible*)  accessible/generic/DocAccessible.cpp:2273
9  xul.dll  mozilla::a11y::DocAccessible::UncacheChildrenInSubtree(mozilla::a11y::Accessible*)  accessible/generic/DocAccessible.cpp:2273
10  xul.dll  mozilla::a11y::DocAccessible::UncacheChildrenInSubtree(mozilla::a11y::Accessible*)  accessible/generic/DocAccessible.cpp:2273
11  xul.dll  mozilla::a11y::DocAccessible::UncacheChildrenInSubtree(mozilla::a11y::Accessible*)  accessible/generic/DocAccessible.cpp:2273
12  xul.dll  mozilla::a11y::DocAccessible::UncacheChildrenInSubtree(mozilla::a11y::Accessible*)  accessible/generic/DocAccessible.cpp:2273
13  xul.dll  mozilla::a11y::DocAccessible::UncacheChildrenInSubtree(mozilla::a11y::Accessible*)  accessible/generic/DocAccessible.cpp:2273
14  xul.dll  mozilla::a11y::DocAccessible::UncacheChildrenInSubtree(mozilla::a11y::Accessible*)  accessible/generic/DocAccessible.cpp:2273
15  xul.dll  mozilla::a11y::DocAccessible::UncacheChildrenInSubtree(mozilla::a11y::Accessible*)  accessible/generic/DocAccessible.cpp:2273
16  xul.dll  mozilla::a11y::DocAccessible::UncacheChildrenInSubtree(mozilla::a11y::Accessible*)  accessible/generic/DocAccessible.cpp:2273
17  xul.dll  mozilla::a11y::DocAccessible::UpdateTreeOnRemoval(mozilla::a11y::Accessible*, nsIContent*)  accessible/generic/DocAccessible.cpp:1953
18  xul.dll  mozilla::a11y::DocAccessible::ContentRemoved(mozilla::a11y::Accessible*, nsIContent*)  accessible/generic/DocAccessible.h:351
19  xul.dll  nsAccessibilityService::ContentRemoved(nsIPresShell*, nsIContent*)  accessible/base/nsAccessibilityService.cpp:600
20  xul.dll  mozilla::ElementRestyler::SendAccessibilityNotifications()  layout/base/RestyleManager.cpp:3757
21  xul.dll  mozilla::ElementRestyler::RestyleChildren(nsRestyleHint)  layout/base/RestyleManager.cpp:3253
22  xul.dll  mozilla::ElementRestyler::Restyle(nsRestyleHint)  layout/base/RestyleManager.cpp:2295
23  xul.dll  mozilla::ElementRestyler::RestyleContentChildren(nsIFrame*, nsRestyleHint)  layout/base/RestyleManager.cpp:3717
24  xul.dll  mozilla::ElementRestyler::RestyleChildren(nsRestyleHint)  layout/base/RestyleManager.cpp:3250
25  xul.dll  mozilla::ElementRestyler::Restyle(nsRestyleHint)  layout/base/RestyleManager.cpp:2295
26  xul.dll  mozilla::ElementRestyler::RestyleContentChildren(nsIFrame*, nsRestyleHint)  layout/base/RestyleManager.cpp:3717
27  xul.dll  mozilla::ElementRestyler::RestyleChildren(nsRestyleHint)  layout/base/RestyleManager.cpp:3250
28  xul.dll  mozilla::ElementRestyler::Restyle(nsRestyleHint)  layout/base/RestyleManager.cpp:2295
29  xul.dll  mozilla::ElementRestyler::RestyleContentChildren(nsIFrame*, nsRestyleHint)  layout/base/RestyleManager.cpp:3717
30  xul.dll  mozilla::ElementRestyler::RestyleChildren(nsRestyleHint)  layout/base/RestyleManager.cpp:3250
31  xul.dll  mozilla::ElementRestyler::Restyle(nsRestyleHint)  layout/base/RestyleManager.cpp:2295
32  xul.dll  mozilla::ElementRestyler::RestyleContentChildren(nsIFrame*, nsRestyleHint)  layout/base/RestyleManager.cpp:3717
33  xul.dll  mozilla::ElementRestyler::RestyleChildren(nsRestyleHint)  layout/base/RestyleManager.cpp:3250
34  xul.dll  mozilla::ElementRestyler::Restyle(nsRestyleHint)  layout/base/RestyleManager.cpp:2295
35  xul.dll  mozilla::ElementRestyler::RestyleContentChildren(nsIFrame*, nsRestyleHint)  layout/base/RestyleManager.cpp:3717
36  xul.dll  mozilla::ElementRestyler::RestyleChildren(nsRestyleHint)  layout/base/RestyleManager.cpp:3250
37  xul.dll  mozilla::ElementRestyler::Restyle(nsRestyleHint)  layout/base/RestyleManager.cpp:2295
38  xul.dll  mozilla::ElementRestyler::RestyleContentChildren(nsIFrame*, nsRestyleHint)  layout/base/RestyleManager.cpp:3717
39  xul.dll  nsFrame::DidSetStyleContext(nsStyleContext*)  layout/generic/nsFrame.cpp:820
40  xul.dll  mozilla::FrameLayerBuilder::GetDedicatedLayer(nsIFrame*, unsigned int)  layout/base/FrameLayerBuilder.cpp:5452
41  xul.dll  mozilla::ElementRestyler::MustReframeForPseudo(mozilla::CSSPseudoElementType, nsIFrame*, nsIFrame*, nsIContent*, nsStyleContext*)  layout/base/RestyleManager.cpp:3619
42  xul.dll  mozilla::ElementRestyler::RestyleChildren(nsRestyleHint)  layout/base/RestyleManager.cpp:3250
43  xul.dll  nsTArray_base<nsTArrayInfallibleAllocator, nsTArray_CopyWithMemutils>::ShrinkCapacity(unsigned int, unsigned int)  obj-firefox/dist/include/nsTArray-inl.h:230

crashes with this signature have been around for a while but judging on the 51.0a2 cycle & early data from 51.0b1 they might be on the rise starting with firefox 51. many of the crash comments mention that users were browsing on ancestry.com when the crash happened.
(marking the report as security sensitive as precaution as well due to the prevalent crashing address)
Flags: needinfo?
Updated•7 years ago
Group: core-security → dom-core-security
Updated•7 years ago
Flags: needinfo?
Comment 3•7 years ago
I feel like I've seen another bug about this signature, but don't have any real idea what's going on. It seems like the most likely explanation is an accessible has mChildren containing a pointer to an accessible that has been deleted, but no real idea how that can happen.
Flags: needinfo?(tbsaunde+mozbugs)
Comment 4•6 years ago
The volume of this crash is quite high, ~3000 in one week on 51.0.1. ~70% of the crashes have address = 0xffffffffe5e5e5fd.
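Added example, not part of the bug thread or of Mozilla's tooling: a small triage helper that checks whether a reported crash address is a freed-memory poison pointer plus a small member offset, which is the pattern behind the "prevalent crashing address" here. It assumes 0xE5 is the byte mozjemalloc writes over freed memory; the function names, the offset bound and all sample addresses except the one quoted in comment 4 are constructed.

```python
# Added example: triage crash addresses for the freed-memory poison pattern.
POISON_BYTE = 0xE5         # assumption: mozjemalloc's fill byte for freed memory
MAX_FIELD_OFFSET = 0x1000  # assumption: member offsets stay below one page


def poison_pointer(width_bits):
    """Pointer value obtained by loading a pointer from poison-filled memory."""
    return int.from_bytes(bytes([POISON_BYTE]) * (width_bits // 8), "big")


def classify(address_text):
    """Return (pointer_width, field_offset) when the address is a poison
    pointer plus a small member offset, otherwise None."""
    addr = int(address_text, 16)
    if not 0 <= addr < 1 << 64:
        raise ValueError(f"not a 64-bit address: {address_text}")
    candidates = [(64, addr)]
    # A 32-bit address can be reported sign-extended to 64 bits,
    # as the address quoted in comment 4 is.
    if addr >> 32 in (0, 0xFFFFFFFF):
        candidates.insert(0, (32, addr & 0xFFFFFFFF))
    for width, value in candidates:
        offset = value - poison_pointer(width)
        if 0 <= offset < MAX_FIELD_OFFSET:
            return width, offset
    return None


def poison_share(addresses):
    """Fraction of crash addresses that match the poison pattern."""
    return sum(classify(a) is not None for a in addresses) / len(addresses)


# Constructed sample: only the first value is taken from this bug.
SAMPLE = ["0xffffffffe5e5e5fd"] * 7 + ["0x0", "0x18", "0x7ff61a2b0040"]

if __name__ == "__main__":
    print(classify(SAMPLE[0]), poison_share(SAMPLE))
```

For the address in comment 4 the helper reports a 32-bit poison pointer plus offset 0x18, the shape a member read through a pointer loaded from freed memory takes.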
Comment 5•6 years ago
This looks bad. Is this people force enabling e10s with a11y or is this something that affects non-e10s?
Keywords: csectype-uaf, sec-high
Comment 6•6 years ago
(In reply to Andrew McCreight [:mccr8] from comment #5)
> This looks bad. Is this people force enabling e10s with a11y or is this
> something that affects non-e10s?

I think it affects non-e10s, dom_ipc_enabled is never defined: https://crash-stats.mozilla.com/search/?signature=%3Dmozilla%3A%3Aa11y%3A%3AAccessible%3A%3AElm&product=Firefox&date=%3E%3D2017-03-01T18%3A51%3A00.000Z&date=%3C2017-03-08T18%3A51%3A00.000Z&_sort=-date&_facets=dom_ipc_enabled&_facets=e10s_cohort&_columns=date&_columns=signature&_columns=product&_columns=version&_columns=build_id&_columns=platform#facet-dom_ipc_enabled.
Comment 7•6 years ago
has to be same problem as bug 1309686 and bug 1321384
Comment 8•6 years ago
Alexander, is this indeed bug 1309686 or bug 1321384? If so, please close as duplicate.
Flags: needinfo?(surkov.alexander)
Comment 9•6 years ago
Too late for firefox 52, mass-wontfix.
Comment 10•6 years ago
marking as blocking the bug 1309686 to double check this bug was fixed when the referred one is fixed
Depends on: 1309686
Flags: needinfo?(surkov.alexander)
Comment 11•6 years ago
The crash volume really spiked in 52 (500+ a day), and now since the release of 53 it's down to the lower levels seen before the 52 release (50 a day). Maybe an old bug and a new bug with the same signature, and the new bug got fixed in 53?
Keywords: testcase-wanted
Comment 12•6 years ago
Alexander, bug 1309686 looks inactive, what's the plan there?
Flags: needinfo?(surkov.alexander)
Comment 13•6 years ago
I suspect bug 1270916 causes these crashes; it doesn't explain the difference between 52 and 53/54 though. I'm gonna try to backport bug 1363027, which hopefully will fix the bug (and others).
Flags: needinfo?(surkov.alexander)
Comment 14•6 years ago
appears fixed by bug 1363027 backported to firefox 52 May 25, no new crashes after that https://crash-stats.mozilla.com/signature/?product=Firefox&signature=mozilla%3A%3Aa11y%3A%3AAccessible%3A%3AElm&date=%3E%3D2017-05-23T18%3A03%3A00.000Z&date=%3C2017-05-30T18%3A03%3A00.000Z&_columns=date&_columns=product&_columns=version&_columns=build_id&_columns=platform&_columns=reason&_columns=address&_columns=install_time&_sort=-build_id&_sort=-date&page=1
Updated•6 years ago
Whiteboard: [post-critsmash-triage]
Updated•6 years ago
Group: dom-core-security → core-security-release
Comment 15•6 years ago
Fixed ESR52 status since the fix was never backported to ESR52.
tracking-firefox-esr52: --- → ?
Updated•6 years ago
Whiteboard: [post-critsmash-triage] → [post-critsmash-triage][adv-main54+]
Comment 16•6 years ago
Bug 1363027 was backported to ESR52 for the 52.3 release.
Updated•6 years ago
Group: core-security-release