Closed Bug 1394659 Opened 8 years ago Closed 2 years ago

Full UIA traversals during AT DLL virtual buffer traversals

Categories

(Core :: Disability Access APIs, defect, P3)

Product:
Core
Component:
Disability Access APIs
Platform:
Unspecified
Windows
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Tracking Flags:
Tracking Status
firefox57 --- wontfix
firefox58 --- wontfix
firefox59 --- wontfix
firefox113 --- fixed
firefox114 --- fixed
firefox115 --- fixed

People

(Reporter: bugzilla, Unassigned)

References

Details

(Whiteboard: aes+)

Attachments

(1 file)

Test patch - debug break when UIA message hits
2.38 KB, patch
Details | Diff | Splinter Review
The touch blocking stuff doesn't kick in once a11y is turned on, so this gets through. Some ideas: * Block tiptsf even when a11y is turned on; * Somehow detect reentry by UIA; * If UIA is disabled, somehow stop its traversal; * Try augmenting the main thread message filter to see if we can make it delay the UIA stuff until after the AT is done (via COM causality ID) Provided that it works, the first option is probably the easiest.
I can't remember next steps here. Are we targeting 59?
status-firefox57: fix-optionalwontfix
status-firefox58: affectedfix-optional
Flags: needinfo?(aklotz)
TL;DR we need to reproduce again and then debug. Effectively targeting 59, though if we can crack this early in the cycle we could probably (and ideally should) uplift. I haven't been able to reproduce using NVDA (but that doesn't mean that there isn't a problem there, of course). Profiling with JAWS on the World War I Wikipedia page can generate this issue. Once we know the call stack that triggers it, we can then repro with some breakpoints set and see what we can do from there. I've set up my Surface Book to attempt another repro. We'll see what I can find...
Flags: needinfo?(aklotz)
I managed to get another repro. UIA traversals are being triggered by a CallWndProc hook that looks for a registered window message named "HOOKUTIL_MSG". In this particular case, the lParam was 92 and the wParam was 0x751b. Not sure how consistent that is. The relevant frames of the call stack are: 13 OLEAUT32!IEnumVARIANT_Next_Proxy+0x37 14 OLEACC!AccWrap_Base::Next+0x1d52 15 UIAutomationCore!MsaaProxy::GetNextOrPrevSibling+0x2bc 16 UIAutomationCore!MsaaProxy::Navigate+0x5f4 17 UIAutomationCore!InProcClientAPIStub::UiaNodeTraverser_NavigateProvider+0xf9 18 UIAutomationCore!InProcClientAPIStub::InvokeInProcAPI+0x41c 19 UIAutomationCore!UiaNodeTraverser::GetNextSibling+0x148 1a UIAutomationCore!UiaNodeTraverser::Traverse+0x583 1b UIAutomationCore!InProcClientAPIStub::UiaNode_Find+0xc6 1c UIAutomationCore!InProcClientAPIStub::InvokeInProcAPI+0x27b 1d UIAutomationCore!UiaNode::CrossProcess_Find+0x8b 1e UIAutomationCore!RemoteUiaNodeStub::Incoming_Find+0x131 1f UIAutomationCore!InvokeOnCorrectContext_Callback+0x2f5 20 UIAutomationCore!ComInvoker::CallTarget+0x1d2 21 UIAutomationCore!ProcessIncomingRequest+0x1db 22 UIAutomationCore!HookBasedServerConnectionManager::HookCallback+0x155 23 UIAutomationCore!HookUtil<&HookBasedClientConnection::HookCallback,0>::CallOut+0x17 24 UIAutomationCore!HandleHookMessage+0x2a1 25 UIAutomationCore!HookUtil<&HookBasedClientConnection::HookCallback,0>::CallWndProc+0x37 26 user32!fnHkINLPCWPSTRUCTW+0xce 27 user32!_fnDWORD+0x33 28 ntdll!KiUserCallbackDispatcherContinue 29 win32u!NtUserPeekMessage+0x14 2a user32!PeekMessageW+0x88 2b MSCTF!CThreadInputMgr::PeekMessageW+0x97 2c xul!mozilla::widget::WinUtils::PeekMessageW+0x45 2d xul!nsAppShell::ProcessNextNativeEvent+0xe6 2e xul!nsBaseAppShell::DoProcessNextNativeEvent+0x24 2f xul!nsBaseAppShell::OnProcessNextEvent+0x199 30 xul!nsThread::ProcessNextEvent+0x147 31 xul!NS_ProcessNextEvent+0x37 32 xul!mozilla::ipc::MessagePump::Run+0xcb 33 xul!MessageLoop::Run+0x4b 34 xul!nsBaseAppShell::Run+0x38 35 xul!nsAppShell::Run+0x24 36 xul!nsAppStartup::Run+0x23 37 xul!XREMain::XRE_mainRun+0xbad 38 xul!XREMain::XRE_main+0x58d 39 xul!XRE_main+0xe5 3a firefox!do_main+0x20e 3b firefox!NS_internal_main+0x142 3c firefox!wmain+0x172 3d firefox!invoke_main+0x22 3e firefox!__scrt_common_main_seh+0x11d 3f KERNEL32!BaseThreadInitThunk+0x14 40 ntdll!RtlUserThreadStart+0x21
Summary: tiptsf is triggering full UIA traversals during AT DLL virtual buffer traversals → Full UIA traversals during AT DLL virtual buffer traversals
Moving to p3 because no activity for at least 24 weeks.
Priority: P1 → P3
Depends on: 1737192
Severity: normal → S3

This should no longer be a problem with Cache the World, which is enabled by default in Firefox 113.

Status: NEW → RESOLVED
Closed: 2 years ago
status-firefox113: --- → fixed
status-firefox114: --- → fixed
status-firefox115: --- → fixed
Resolution: --- → FIXED
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: