Closed Bug 1334972 Opened 3 years ago Closed 3 years ago

Crash in memmove | nsTArray_base<T>::ShiftData<T> | nsTArray_Impl<T>::InsertElementAt<T> | mozilla::a11y::Accessible::MoveChild

Categories

(Core :: Disability Access APIs, defect, critical)

50 Branch
x86
Windows 10
defect
Not set
critical

Tracking

()

RESOLVED FIXED
mozilla54
Tracking Status
firefox51 --- wontfix
firefox52 --- fixed
firefox-esr52 --- fixed
firefox53 --- fixed
firefox54 --- fixed

People

(Reporter: tspivey, Assigned: surkov)

References

()

Details

(Keywords: crash)

Crash Data

Attachments

(1 file)

This bug was filed from the Socorro interface and is 
report bp-2bcffa8a-e508-46b2-bb26-db07c2170130.
=============================================================

This crash occurs if I view a commit in one of my GitHub projects.
Alex, this looks like it fallls in your court.
Blocks: 1133213
Status: UNCONFIRMED → NEW
Component: Disability Access → Disability Access APIs
Ever confirmed: true
Flags: needinfo?(surkov.alexander)
Keywords: crash
Product: Firefox → Core
I'm also using the GitHub accessibility fixes Greasemonkey script, specifically this one:
https://raw.githubusercontent.com/nvaccess/axSGrease/13d47a65aa30637679a847c964d59e572cc81ac6/GitHubA11yFixes.user.js
Tyler, I see you've been using Firefox 50 for this. Firefox 51 came out a week ago. Can you still reproduce the crash with that version, too?
Flags: needinfo?(tspivey)
(In reply to Marco Zehe (:MarcoZ) from comment #3)
> Tyler, I see you've been using Firefox 50 for this. Firefox 51 came out a
> week ago. Can you still reproduce the crash with that version, too?

I'm using 51.0.1 according to Help/About, and it still crashes. I haven't received any update notifications since I created the bug.
All right. Am I right in assuming that the version you're using is a bit outdated? The commit ID seems to point to a version that is almost a year old.
I meant the version of the GreaseMonkey script, sorry!
(In reply to Marco Zehe (:MarcoZ) from comment #6)
> I meant the version of the GreaseMonkey script, sorry!

It is. I matched the same version I was running with the file on GitHub in case something changed in a newer version which would stop the crash.
(In reply to tspivey from comment #2)
> I'm also using the GitHub accessibility fixes Greasemonkey script,
> specifically this one:
> https://raw.githubusercontent.com/nvaccess/axSGrease/
> 13d47a65aa30637679a847c964d59e572cc81ac6/GitHubA11yFixes.user.js

could you please share exact steps to reproduce?
Flags: needinfo?(surkov.alexander)
(In reply to alexander :surkov from comment #8)
> could you please share exact steps to reproduce?

STR, from a new profile:
1. Install Greasemonkey from addons.
2. Install this old version of the GitHub a11y fixes script by opening the page (the latest as of now won't crash):
https://raw.githubusercontent.com/nvaccess/axSGrease/13d47a65aa30637679a847c964d59e572cc81ac6/GitHubA11yFixes.user.js
3. Sign in to GitHub.
4. Open any commit, example from one of my repos:
https://github.com/tspivey/classicSelection/commit/3777951339fa1b1e95ab097ef9cbac38279b724d
Or this one from NVDA:
https://github.com/nvaccess/nvda/commit/08af4cef7e83fa33ada0678b495af44b00d8c843
here's what happens here, when aria-owns refers to a child inaccessible span, then aria-owns processing makes this span accessible and the span steals children from the owner, which breaks our moving logic.

despite the fix may be straightforward, it'd be good to have something to avoid cases like this in the future.
Flags: needinfo?(tspivey)
Attached patch patchSplinter Review
Assignee: nobody → surkov.alexander
Attachment #8832952 - Flags: review?(yzenevich)
Attachment #8832952 - Flags: review?(yzenevich) → review+
https://hg.mozilla.org/integration/mozilla-inbound/rev/8518a4c295122b90473a24b396102ed5453fcb62
Bug 1334972 - crash when aria-owned child takes children from its parent, r=yzen
https://hg.mozilla.org/mozilla-central/rev/8518a4c29512
Status: NEW → RESOLVED
Closed: 3 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla54
Please request Aurora/Beta approval on this when you get a chance.
Flags: needinfo?(surkov.alexander)
Comment on attachment 8832952 [details] [diff] [review]
patch

Approval Request Comment
[Feature/Bug causing the regression]:unknown
[User impact if declined]:crashes
[Is this code covered by automated tests?]:yes
[Has the fix been verified in Nightly?]:yes
[Needs manual test from QE? If yes, steps to reproduce]: comment #9
[List of other uplifts needed for the feature/fix]:no
[Is the change risky?]:fair risk
[Why is the change risky/not risky?]:simple change in complicated code
[String changes made/needed]:no
Flags: needinfo?(surkov.alexander)
Attachment #8832952 - Flags: approval-mozilla-aurora?
Attachment #8832952 - Flags: approval-mozilla-beta?
Comment on attachment 8832952 [details] [diff] [review]
patch

Fix a crash. Aurora53+.
Attachment #8832952 - Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
Comment on attachment 8832952 [details] [diff] [review]
patch

let's get this fix in 52.0b5
Attachment #8832952 - Flags: approval-mozilla-beta? → approval-mozilla-beta+
You need to log in before you can comment on or make changes to this bug.