Closed Bug 1380214 Opened 8 years ago Closed 8 years ago

Crash in IPCError-browser | PBrowserParent::RecvPDocAccessibleConstructor Constructing a top-level PDocAccessible with null COM

Categories

(Core :: Disability Access APIs, defect)

Product:
Core
Component:
Disability Access APIs
Platform:
x86
Windows 7
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla56
Tracking Flags:
Tracking Status
firefox-esr52 --- unaffected
firefox54 --- unaffected
firefox55 --- unaffected
firefox56 --- fixed

People

(Reporter: ting, Assigned: bugzilla)

References

Details

(Keywords: crash, Whiteboard: aes+)

Crash Data

Attachments

(1 file, 2 obsolete files)

In addition to checking for null mSerializer pointer, also check for failed state (r3)
1.60 KB, patch
eeejay
: review+
Details | Diff | Splinter Review
This bug was filed from the Socorro interface and is report bp-fcb2988f-32ca-4188-ac71-362590170710. ============================================================= Top #17 of Nightly 20170709030204 on Windows.
See Also: → 1354077, 1378141
Whiteboard: aes+
One cause of this is that if we fail to serialize the handler payload, we fail marshaling entirely. This is entirely possible if for example there is a sandboxing violation during serialization. Since failing to serialize the handler payload is non-fatal, I think we can modify our code so that we successfully marshal with an empty payload.
Assignee: nobody → aklotz
Status: NEW → ASSIGNED
This patch adds a check that ends up calling https://dxr.mozilla.org/mozilla-central/rev/aff336ac161daa3ea350e59a288963edbd58ed39/ipc/mscom/StructStream.h#92 to check for a successful error code. It is non-fatal for payload serialization to fail, so we just resort to writing an empty struct in that case. This allows us to successfully marshal an accessible even if the payload fails to serialize for some reason, thus preventing some (hopefully most or all) instances of the crash in this bug.
Attachment #8887256 - Flags: review?(eitan)
I realized that we should also be checking this when computing the payload size.
Attachment #8887256 - Attachment is obsolete: true
Attachment #8887256 - Flags: review?(eitan)
Attachment #8887281 - Flags: review?(eitan)
For real this time.
Attachment #8887281 - Attachment is obsolete: true
Attachment #8887281 - Flags: review?(eitan)
Attachment #8887289 - Flags: review?(eitan)
Attachment #8887289 - Flags: review?(eitan) → review+
https://hg.mozilla.org/integration/mozilla-inbound/rev/9fa7419d9080260365669174e4ed13c65280492d Bug 1380214: Ensure that if the handler payload fails to serialize that we may still marshal the accessible itself; r=eeejay
https://hg.mozilla.org/mozilla-central/rev/9fa7419d9080
Status: ASSIGNED → RESOLVED
Closed: 8 years ago
status-firefox56: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla56
This signature is still showing up in the Windows nightly of 20170720030203, as topcrash #3.
Aaron, do we need to file a new bug for this stack signature (comment 7)?
Flags: needinfo?(aklotz)
We can use bug 1383501 for that purpose.
Flags: needinfo?(aklotz)
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: