Closed Bug 1318645 Opened 4 years ago Closed 4 years ago

Crash in mozilla::a11y::Accessible::Elm

Categories

(Core :: Disability Access APIs, defect)

51 Branch
defect
Not set
critical


RESOLVED FIXED
Tracking Status
firefox50 --- wontfix
firefox51 --- wontfix
firefox52 --- wontfix
firefox-esr52 55+ fixed
firefox53 --- wontfix
firefox54 --- fixed
firefox55 --- fixed

People

(Reporter: philipp, Unassigned)

References

(Blocks 1 open bug)

Details

(4 keywords, Whiteboard: [post-critsmash-triage][adv-main54+])

Crash Data

This bug was filed from the Socorro interface and is 
report bp-4ebec930-123c-4dc2-a687-7d95e2161110.
=============================================================
Crashing Thread (0)
Frame 	Module 	Signature 	Source
0 	xul.dll 	mozilla::a11y::Accessible::Elm() 	accessible/generic/Accessible.h:176
1 	xul.dll 	mozilla::a11y::DocAccessible::RemoveDependentIDsFor(mozilla::a11y::Accessible*, nsIAtom*) 	accessible/generic/DocAccessible.cpp:1599
2 	xul.dll 	mozilla::a11y::DocAccessible::UncacheChildrenInSubtree(mozilla::a11y::Accessible*) 	accessible/generic/DocAccessible.cpp:2269
3 	xul.dll 	mozilla::a11y::DocAccessible::UncacheChildrenInSubtree(mozilla::a11y::Accessible*) 	accessible/generic/DocAccessible.cpp:2273
4 	xul.dll 	mozilla::a11y::DocAccessible::UncacheChildrenInSubtree(mozilla::a11y::Accessible*) 	accessible/generic/DocAccessible.cpp:2273
5 	xul.dll 	mozilla::a11y::DocAccessible::UncacheChildrenInSubtree(mozilla::a11y::Accessible*) 	accessible/generic/DocAccessible.cpp:2273
6 	xul.dll 	mozilla::a11y::DocAccessible::UncacheChildrenInSubtree(mozilla::a11y::Accessible*) 	accessible/generic/DocAccessible.cpp:2273
7 	xul.dll 	mozilla::a11y::DocAccessible::UncacheChildrenInSubtree(mozilla::a11y::Accessible*) 	accessible/generic/DocAccessible.cpp:2273
8 	xul.dll 	mozilla::a11y::DocAccessible::UncacheChildrenInSubtree(mozilla::a11y::Accessible*) 	accessible/generic/DocAccessible.cpp:2273
9 	xul.dll 	mozilla::a11y::DocAccessible::UncacheChildrenInSubtree(mozilla::a11y::Accessible*) 	accessible/generic/DocAccessible.cpp:2273
10 	xul.dll 	mozilla::a11y::DocAccessible::UncacheChildrenInSubtree(mozilla::a11y::Accessible*) 	accessible/generic/DocAccessible.cpp:2273
11 	xul.dll 	mozilla::a11y::DocAccessible::UncacheChildrenInSubtree(mozilla::a11y::Accessible*) 	accessible/generic/DocAccessible.cpp:2273
12 	xul.dll 	mozilla::a11y::DocAccessible::UncacheChildrenInSubtree(mozilla::a11y::Accessible*) 	accessible/generic/DocAccessible.cpp:2273
13 	xul.dll 	mozilla::a11y::DocAccessible::UncacheChildrenInSubtree(mozilla::a11y::Accessible*) 	accessible/generic/DocAccessible.cpp:2273
14 	xul.dll 	mozilla::a11y::DocAccessible::UncacheChildrenInSubtree(mozilla::a11y::Accessible*) 	accessible/generic/DocAccessible.cpp:2273
15 	xul.dll 	mozilla::a11y::DocAccessible::UncacheChildrenInSubtree(mozilla::a11y::Accessible*) 	accessible/generic/DocAccessible.cpp:2273
16 	xul.dll 	mozilla::a11y::DocAccessible::UncacheChildrenInSubtree(mozilla::a11y::Accessible*) 	accessible/generic/DocAccessible.cpp:2273
17 	xul.dll 	mozilla::a11y::DocAccessible::UpdateTreeOnRemoval(mozilla::a11y::Accessible*, nsIContent*) 	accessible/generic/DocAccessible.cpp:1953
18 	xul.dll 	mozilla::a11y::DocAccessible::ContentRemoved(mozilla::a11y::Accessible*, nsIContent*) 	accessible/generic/DocAccessible.h:351
19 	xul.dll 	nsAccessibilityService::ContentRemoved(nsIPresShell*, nsIContent*) 	accessible/base/nsAccessibilityService.cpp:600
20 	xul.dll 	mozilla::ElementRestyler::SendAccessibilityNotifications() 	layout/base/RestyleManager.cpp:3757
21 	xul.dll 	mozilla::ElementRestyler::RestyleChildren(nsRestyleHint) 	layout/base/RestyleManager.cpp:3253
22 	xul.dll 	mozilla::ElementRestyler::Restyle(nsRestyleHint) 	layout/base/RestyleManager.cpp:2295
23 	xul.dll 	mozilla::ElementRestyler::RestyleContentChildren(nsIFrame*, nsRestyleHint) 	layout/base/RestyleManager.cpp:3717
24 	xul.dll 	mozilla::ElementRestyler::RestyleChildren(nsRestyleHint) 	layout/base/RestyleManager.cpp:3250
25 	xul.dll 	mozilla::ElementRestyler::Restyle(nsRestyleHint) 	layout/base/RestyleManager.cpp:2295
26 	xul.dll 	mozilla::ElementRestyler::RestyleContentChildren(nsIFrame*, nsRestyleHint) 	layout/base/RestyleManager.cpp:3717
27 	xul.dll 	mozilla::ElementRestyler::RestyleChildren(nsRestyleHint) 	layout/base/RestyleManager.cpp:3250
28 	xul.dll 	mozilla::ElementRestyler::Restyle(nsRestyleHint) 	layout/base/RestyleManager.cpp:2295
29 	xul.dll 	mozilla::ElementRestyler::RestyleContentChildren(nsIFrame*, nsRestyleHint) 	layout/base/RestyleManager.cpp:3717
30 	xul.dll 	mozilla::ElementRestyler::RestyleChildren(nsRestyleHint) 	layout/base/RestyleManager.cpp:3250
31 	xul.dll 	mozilla::ElementRestyler::Restyle(nsRestyleHint) 	layout/base/RestyleManager.cpp:2295
32 	xul.dll 	mozilla::ElementRestyler::RestyleContentChildren(nsIFrame*, nsRestyleHint) 	layout/base/RestyleManager.cpp:3717
33 	xul.dll 	mozilla::ElementRestyler::RestyleChildren(nsRestyleHint) 	layout/base/RestyleManager.cpp:3250
34 	xul.dll 	mozilla::ElementRestyler::Restyle(nsRestyleHint) 	layout/base/RestyleManager.cpp:2295
35 	xul.dll 	mozilla::ElementRestyler::RestyleContentChildren(nsIFrame*, nsRestyleHint) 	layout/base/RestyleManager.cpp:3717
36 	xul.dll 	mozilla::ElementRestyler::RestyleChildren(nsRestyleHint) 	layout/base/RestyleManager.cpp:3250
37 	xul.dll 	mozilla::ElementRestyler::Restyle(nsRestyleHint) 	layout/base/RestyleManager.cpp:2295
38 	xul.dll 	mozilla::ElementRestyler::RestyleContentChildren(nsIFrame*, nsRestyleHint) 	layout/base/RestyleManager.cpp:3717
39 	xul.dll 	nsFrame::DidSetStyleContext(nsStyleContext*) 	layout/generic/nsFrame.cpp:820
40 	xul.dll 	mozilla::FrameLayerBuilder::GetDedicatedLayer(nsIFrame*, unsigned int) 	layout/base/FrameLayerBuilder.cpp:5452
41 	xul.dll 	mozilla::ElementRestyler::MustReframeForPseudo(mozilla::CSSPseudoElementType, nsIFrame*, nsIFrame*, nsIContent*, nsStyleContext*) 	layout/base/RestyleManager.cpp:3619
42 	xul.dll 	mozilla::ElementRestyler::RestyleChildren(nsRestyleHint) 	layout/base/RestyleManager.cpp:3250
43 	xul.dll 	nsTArray_base<nsTArrayInfallibleAllocator, nsTArray_CopyWithMemutils>::ShrinkCapacity(unsigned int, unsigned int) 	obj-firefox/dist/include/nsTArray-inl.h:230

Crashes with this signature have been around for a while, but judging by the 51.0a2 cycle & early data from 51.0b1 they might be on the rise starting with Firefox 51.

Many of the crash comments mention that users were browsing on ancestry.com when the crash happened.

(Marking the report as security sensitive as a precaution as well, due to the prevalent crashing address.)
Flags: needinfo?
Group: core-security → dom-core-security
Duplicate of this bug: 1320680
Flags: needinfo?
Any ideas, Trevor?
Flags: needinfo?(tbsaunde+mozbugs)
I feel like I've seen another bug about this signature, but don't have any real idea what's going on.  It seems like the most likely explanation is an accessible has mChildren containing a pointer to an accessible that has been deleted, but no real idea how that can happen.
Flags: needinfo?(tbsaunde+mozbugs)
The volume of this crash is quite high, ~3000 in one week on 51.0.1. ~70% of the crashes have address = 0xffffffffe5e5e5fd.
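Added example, not part of the bug thread or of Mozilla's tooling: a small triage helper showing why an address like 0xffffffffe5e5e5fd gets a crash flagged as security sensitive. It folds the sign-extended value back to 32 bits (0xe5e5e5fd, i.e. 0xe5e5e5e5 + 0x18) and checks it against the allocator's freed-memory fill pattern. The 0xe5 poison byte, the one-page offset window, and the sample address list are assumptions of this example.

```python
from __future__ import annotations

POISON_BYTE = 0xE5     # assumption: allocator fills freed memory with 0xe5
MAX_OFFSET = 0x1000    # assumption: member offsets stay within one page

# Constructed sample: seven poison-pattern addresses and three unrelated ones.
SAMPLE = [0xFFFFFFFFE5E5E5FD] * 7 + [0x0, 0x18, 0x7FF612340000]


def poison_word(width_bits: int) -> int:
    """Pointer-sized value made entirely of poison bytes."""
    return int.from_bytes(bytes([POISON_BYTE]) * (width_bits // 8), "big")


def normalize(addr: int) -> tuple[int, int]:
    """Return (address, pointer width in bits).

    A 32-bit address that the crash reporter sign-extended to 64 bits
    is folded back to its 32-bit value.
    """
    addr &= 0xFFFFFFFFFFFFFFFF
    high = addr >> 32
    if high == 0 or (high == 0xFFFFFFFF and addr & 0x80000000):
        return addr & 0xFFFFFFFF, 32
    return addr, 64


def classify(addr: int) -> tuple[str, int | None]:
    """Label a crash address; for poison hits also return the field offset."""
    value, width = normalize(addr)
    if value < MAX_OFFSET:
        return "near-null", value
    offset = value - poison_word(width)
    if 0 <= offset < MAX_OFFSET:
        # Pointer was read out of freed memory, then dereferenced at +offset.
        return "freed-memory-poison", offset
    return "other", None


def poison_share(addresses: list[int]) -> float:
    """Fraction of crash addresses that land on the poison pattern."""
    hits = sum(1 for a in addresses if classify(a)[0] == "freed-memory-poison")
    return hits / len(addresses) if addresses else 0.0


if __name__ == "__main__":
    print(classify(0xFFFFFFFFE5E5E5FD), poison_share(SAMPLE))
```

A high poison share across reports with one signature points to a dangling pointer being dereferenced rather than a plain null dereference, which is the case for restricting the bug until it is understood.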
This looks bad. Is this people force enabling e10s with a11y or is this something that affects non-e10s?
Has to be the same problem as bug 1309686 and bug 1321384.
Alexander, is this indeed bug 1309686 or bug 1321384? If so, please close as duplicate.
Flags: needinfo?(surkov.alexander)
Too late for firefox 52, mass-wontfix.
Marking as blocking bug 1309686 to double-check this bug was fixed when the referred one is fixed.
Depends on: 1309686
Flags: needinfo?(surkov.alexander)
The crash volume really spiked in 52 (500+ a day), and now since the release of 53 it's down to the lower levels seen before the 52 release (50 a day). Maybe an old bug and a new bug with the same signature, and the new bug got fixed in 53?
Keywords: testcase-wanted
Alexander, bug 1309686 looks inactive, what's the plan there?
Flags: needinfo?(surkov.alexander)
I suspect bug 1270916 causes these crashes; it doesn't explain the difference between 52 and 53/54, though. I'm gonna try to backport bug 1363027, which hopefully will fix the bug (and others).
Flags: needinfo?(surkov.alexander)
Whiteboard: [post-critsmash-triage]
Group: dom-core-security → core-security-release
Fixed ESR52 status since the fix was never backported to ESR52.
Whiteboard: [post-critsmash-triage] → [post-critsmash-triage][adv-main54+]
Bug 1363027 was backported to ESR52 for the 52.3 release.
Group: core-security-release