Crash in memmove | nsTArray_base<T>::ShiftData<T> | nsTArray_Impl<T>::InsertElementAt<T> | mozilla::a11y::Accessible::MoveChild

RESOLVED FIXED in Firefox 52

Status: RESOLVED FIXED
Product: Core
Component: Disability Access APIs
Priority: --
Severity: critical
Reported: a year ago
Modified: a year ago

People: Reporter: tspivey, Assigned: surkov

Tracking
Version: 50 Branch
Target Milestone: mozilla54
Platform: x86, Windows 10
Keywords: crash
Points: ---
Bug Flags: in-testsuite +

Firefox Tracking Flags: firefox51 wontfix, firefox52 fixed, firefox-esr52 fixed, firefox53 fixed, firefox54 fixed

Attachments: 1 attachment

(Reporter)

Description

a year ago
This bug was filed from the Socorro interface and is report bp-2bcffa8a-e508-46b2-bb26-db07c2170130.
=============================================================

This crash occurs if I view a commit in one of my GitHub projects.
Alex, this looks like it falls in your court.
Blocks: 1133213
Status: UNCONFIRMED → NEW
Component: Disability Access → Disability Access APIs
Ever confirmed: true
Flags: needinfo?(surkov.alexander)
Keywords: crash
Product: Firefox → Core
(Reporter)

Comment 2

a year ago
I'm also using the GitHub accessibility fixes Greasemonkey script, specifically this one:
https://raw.githubusercontent.com/nvaccess/axSGrease/13d47a65aa30637679a847c964d59e572cc81ac6/GitHubA11yFixes.user.js
Tyler, I see you've been using Firefox 50 for this. Firefox 51 came out a week ago. Can you still reproduce the crash with that version, too?
Flags: needinfo?(tspivey)
(Reporter)

Comment 4

a year ago
(In reply to Marco Zehe (:MarcoZ) from comment #3)
> Tyler, I see you've been using Firefox 50 for this. Firefox 51 came out a
> week ago. Can you still reproduce the crash with that version, too?

I'm using 51.0.1 according to Help/About, and it still crashes. I haven't received any update notifications since I created the bug.
All right. Am I right in assuming that the version you're using is a bit outdated? The commit ID seems to point to a version that is almost a year old.
I meant the version of the GreaseMonkey script, sorry!
(Reporter)

Comment 7

a year ago
(In reply to Marco Zehe (:MarcoZ) from comment #6)
> I meant the version of the GreaseMonkey script, sorry!

It is. I matched the same version I was running with the file on GitHub in case something changed in a newer version which would stop the crash.
(Assignee)

Comment 8

a year ago
(In reply to tspivey from comment #2)
> I'm also using the GitHub accessibility fixes Greasemonkey script,
> specifically this one:
> https://raw.githubusercontent.com/nvaccess/axSGrease/
> 13d47a65aa30637679a847c964d59e572cc81ac6/GitHubA11yFixes.user.js

could you please share exact steps to reproduce?
Flags: needinfo?(surkov.alexander)
(Reporter)

Comment 9

a year ago
(In reply to alexander :surkov from comment #8)
> could you please share exact steps to reproduce?

STR, from a new profile:
1. Install Greasemonkey from addons.
2. Install this old version of the GitHub a11y fixes script by opening the page (the latest as of now won't crash):
https://raw.githubusercontent.com/nvaccess/axSGrease/13d47a65aa30637679a847c964d59e572cc81ac6/GitHubA11yFixes.user.js
3. Sign in to GitHub.
4. Open any commit, example from one of my repos:
https://github.com/tspivey/classicSelection/commit/3777951339fa1b1e95ab097ef9cbac38279b724d
Or this one from NVDA:
https://github.com/nvaccess/nvda/commit/08af4cef7e83fa33ada0678b495af44b00d8c843
(Assignee)

Comment 10

a year ago
Here's what happens: when aria-owns refers to a child inaccessible span, aria-owns processing makes this span accessible and the span steals children from the owner, which breaks our moving logic.

Although the fix may be straightforward, it'd be good to have something to avoid cases like this in the future.
Flags: needinfo?(tspivey)
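
An added illustration of the failure mode described in comment 10 (not code from the patch or from Gecko): a simplified model in which an insertion index is computed before the span becomes accessible and takes children from the owner, so the index is stale by the time the insert runs. The `Node` type, the function names and the assumption that the index was computed before the mutation are all hypothetical.

```cpp
#include <algorithm>
#include <cstddef>
#include <string>
#include <vector>

// Simplified stand-in for an accessible object; not Gecko's Accessible class.
struct Node {
  std::string name;
  std::vector<Node*> children;
};

// Models the span becoming accessible: it takes over those children of the
// owner that are its own descendants, shrinking the owner's child array.
void AdoptFromOwner(Node& owner, Node& span, const std::vector<Node*>& descendants) {
  for (Node* d : descendants) {
    auto it = std::find(owner.children.begin(), owner.children.end(), d);
    if (it != owner.children.end()) {
      owner.children.erase(it);
      span.children.push_back(d);
    }
  }
}

// Hardened insert: the index is checked against the array's current length
// instead of being trusted. Clamping is one option; recomputing the index
// after the mutation is another. Returns the index actually used.
std::size_t InsertChildChecked(Node& owner, std::size_t idx, Node* child) {
  idx = std::min(idx, owner.children.size());
  owner.children.insert(owner.children.begin() + idx, child);
  return idx;
}

struct Result { std::size_t stale, sizeBefore, used; };

// Constructed scenario: owner starts as [x, y, z]; y and z belong to the span.
Result RunScenario() {
  Node x{"x"}, y{"y"}, z{"z"}, span{"span"}, owner{"owner"};
  owner.children = {&x, &y, &z};
  std::size_t insertIdx = owner.children.size();  // computed before the mutation
  AdoptFromOwner(owner, span, {&y, &z});          // owner is now [x]
  std::size_t sizeBefore = owner.children.size();
  // An unchecked insert at the stale index would shift elements past the end
  // of a one-element array, which is where a memmove in the shift step faults.
  std::size_t used = InsertChildChecked(owner, insertIdx, &span);
  return {insertIdx, sizeBefore, used};
}
```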
(Assignee)

Comment 11

a year ago
Created attachment 8832952
patch
Assignee: nobody → surkov.alexander
Attachment #8832952 - Flags: review?(yzenevich)
Attachment #8832952 - Flags: review?(yzenevich) → review+
(Assignee)

Comment 12

a year ago
https://hg.mozilla.org/integration/mozilla-inbound/rev/8518a4c295122b90473a24b396102ed5453fcb62
Bug 1334972 - crash when aria-owned child takes children from its parent, r=yzen

Comment 13

a year ago
bugherder
https://hg.mozilla.org/mozilla-central/rev/8518a4c29512
Status: NEW → RESOLVED
Last Resolved: a year ago
status-firefox54: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla54
Please request Aurora/Beta approval on this when you get a chance.
status-firefox51: --- → wontfix
status-firefox52: --- → affected
status-firefox53: --- → affected
Flags: needinfo?(surkov.alexander)
(Assignee)

Comment 15

a year ago
Comment on attachment 8832952
patch

Approval Request Comment
[Feature/Bug causing the regression]: unknown
[User impact if declined]: crashes
[Is this code covered by automated tests?]: yes
[Has the fix been verified in Nightly?]: yes
[Needs manual test from QE? If yes, steps to reproduce]: comment #9
[List of other uplifts needed for the feature/fix]: no
[Is the change risky?]: fair risk
[Why is the change risky/not risky?]: simple change in complicated code
[String changes made/needed]: no
Flags: needinfo?(surkov.alexander)
Attachment #8832952 - Flags: approval-mozilla-aurora?
Attachment #8832952 - Flags: approval-mozilla-beta?
Comment on attachment 8832952
patch

Fix a crash. Aurora53+.
Attachment #8832952 - Flags: approval-mozilla-aurora? → approval-mozilla-aurora+

Comment 17

a year ago
bugherder uplift
https://hg.mozilla.org/releases/mozilla-aurora/rev/5c83367f7a7f
status-firefox53: affected → fixed
Comment on attachment 8832952
patch

let's get this fix in 52.0b5
Attachment #8832952 - Flags: approval-mozilla-beta? → approval-mozilla-beta+

Comment 19

a year ago
bugherder uplift
https://hg.mozilla.org/releases/mozilla-beta/rev/efb9b503adae
status-firefox52: affected → fixed
Flags: in-testsuite+

Comment 20

a year ago
bugherder uplift
https://hg.mozilla.org/releases/mozilla-esr52/rev/efb9b503adae
status-firefox-esr52: --- → fixed