Closed Bug 1406043 Opened 7 years ago Closed 7 years ago

sometimes crash when Orca screen reader sets and gets the caret offset

Categories

(Core :: Disability Access APIs, defect, P2)

55 Branch
x86_64
Linux
defect

RESOLVED INVALID

People

(Reporter: samuel.thibault, Unassigned)

Details

(Keywords: access, crash)

Attachments

(1 file, 1 obsolete file)

Attached patch setcaretoffset-removed (obsolete) — Splinter Review
User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:56.0) Gecko/20100101 Firefox/56.0
Build ID: 20170929042838

Steps to reproduce:

This was triggered by a patch solving #1260598 . I'm here repeating the same information with more details (backtraces, notably) since it seems it is a separate bug just uncovered by the patch.

After applying patch proposed to bug #1260598 , running firefox on Linux with Orca, going to https://www.voyages-sncf.com/proposition?clientId=e7b78633-07e2-418b-ad6a-c37889b67f5a&language=fr&country=FR#!/  (or any other such train proposal list), move with cursor to the price for one of the trains, press enter (this opens details), move down several times to reach "choose this" and beyond


Actual results:

firefox crashes. This is the crash backtrace:

#0  0x00007fffeb1a4e20 in mozilla::a11y::HyperTextAccessible::CaretOffset() const (this=0x7fffb6369e40)
    at /var/tmp/firefox-55.0.3/accessible/generic/HyperTextAccessible.cpp:1403
#1  0x00007ffff3b5d4ca in impl_get_CaretOffset (iter=0x7fffffffc850, user_data=0x7fffb74737e0) at text-adaptor.c:48
#2  0x00007ffff3b5217d in impl_prop_GetSet (message=message@entry=0x7fffde59ed80, path=path@entry=0x7fffcbf72f40, pathstr=pathstr@entry=0x7fffb49cfd38 "/org/a11y/atspi/accessible/955", get=<optimized out>) at droute.c:363
#3  0x00007ffff3b52632 in handle_properties (iface=0x7fffb49cfd70 "org.freedesktop.DBus.Properties", pathstr=0x7fffb49cfd38 "/org/a11y/atspi/accessible/955", member=0x7fffb49cfd98 "Get", path=0x7fffcbf72f40, message=0x7fffde59ed80, bus=0x7fffc4a36df0)
    at droute.c:442
#4  0x00007ffff3b52632 in handle_message (bus=0x7fffc4a36df0, message=message@entry=0x7fffde59ed80, user_data=user_data@entry=0x7fffcbf72f40) at droute.c:596
#5  0x00007fffeffd31e0 in _dbus_object_tree_dispatch_and_unlock (tree=0x7fffcabe4800, message=message@entry=0x7fffde59ed80, found_object=found_object@entry=0x7fffffffca48) at ../../../dbus/dbus-object-tree.c:1020
#6  0x00007fffeffc49fa in dbus_connection_dispatch (connection=0x7fffc4a36df0) at ../../../dbus/dbus-connection.c:4746
#7  0x00007ffff0213835 in  () at /usr/lib/x86_64-linux-gnu/libatspi.so.0
#8  0x00007ffff1dddf67 in g_main_dispatch (context=0x7ffff6b5fb30) at ../../../../glib/gmain.c:3148
#9  0x00007ffff1dddf67 in g_main_context_dispatch (context=context@entry=0x7ffff6b5fb30) at ../../../../glib/gmain.c:3813
#10 0x00007ffff1dde1a0 in g_main_context_iterate (context=context@entry=0x7ffff6b5fb30, block=block@entry=1, dispatch=dispatch@entry=1, self=<optimized out>) at ../../../../glib/gmain.c:3886
#11 0x00007ffff1dde22c in g_main_context_iteration (context=0x7ffff6b5fb30, context@entry=0x0, may_block=1)
    at ../../../../glib/gmain.c:3947
#12 0x00007fffea50db5f in nsAppShell::ProcessNextNativeEvent(bool) (this=<optimized out>, mayWait=<optimized out>)
    at /var/tmp/firefox-55.0.3/widget/gtk/nsAppShell.cpp:278
#13 0x00007fffea4d9162 in nsBaseAppShell::DoProcessNextNativeEvent(bool) (this=this@entry=0x7fffe037a160, mayWait=<optimized out>)
    at /var/tmp/firefox-55.0.3/widget/nsBaseAppShell.cpp:138
#14 0x00007fffea4d9316 in nsBaseAppShell::OnProcessNextEvent(nsIThreadInternal*, bool) (this=0x7fffe037a160, thr=0x7fffe42206f0, mayWait=<optimized out>) at /var/tmp/firefox-55.0.3/widget/nsBaseAppShell.cpp:289
#15 0x00007fffe873877e in nsThread::ProcessNextEvent(bool, bool*) (this=0x7fffe42206f0, aMayWait=<optimized out>, aResult=0x7fffffffcd47) at /var/tmp/firefox-55.0.3/xpcom/threads/nsThread.cpp:1356
#16 0x00007fffe873b1aa in NS_ProcessNextEvent(nsIThread*, bool) (aThread=<optimized out>, 
    aThread@entry=0x7fffe42206f0, aMayWait=aMayWait@entry=true) at /var/tmp/firefox-55.0.3/xpcom/threads/nsThreadUtils.cpp:475
#17 0x00007fffe8b449d8 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) (this=0x7fffe424d640, aDelegate=0x7ffff6baf840) at /var/tmp/firefox-55.0.3/ipc/glue/MessagePump.cpp:124
#18 0x00007fffe8b1f7a0 in MessageLoop::RunInternal() (this=<optimized out>)
    at /var/tmp/firefox-55.0.3/ipc/chromium/src/base/message_loop.cc:238
#19 0x00007fffe8b1f7a0 in MessageLoop::RunHandler() (this=<optimized out>)
    at /var/tmp/firefox-55.0.3/ipc/chromium/src/base/message_loop.cc:231
#20 0x00007fffe8b1f7a0 in MessageLoop::Run() (this=<optimized out>)
    at /var/tmp/firefox-55.0.3/ipc/chromium/src/base/message_loop.cc:211
#21 0x00007fffea4d45c8 in nsBaseAppShell::Run() (this=0x7fffe037a160) at /var/tmp/firefox-55.0.3/widget/nsBaseAppShell.cpp:156
#22 0x00007fffeb39748e in nsAppStartup::Run() (this=0x7fffde5ba880)
    at /var/tmp/firefox-55.0.3/toolkit/components/startup/nsAppStartup.cpp:283
#23 0x00007fffeb4285c4 in XREMain::XRE_mainRun() (this=this@entry=0x7fffffffd000)
    at /var/tmp/firefox-55.0.3/toolkit/xre/nsAppRunner.cpp:4567
#24 0x00007fffeb429646 in XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&) (this=this@entry=0x7fffffffd000, argc=argc@entry=2, argv=argv@entry=0x7fffffffe338, aConfig=...) at /var/tmp/firefox-55.0.3/toolkit/xre/nsAppRunner.cpp:4747
#25 0x00007fffeb429992 in XRE_main(int, char**, mozilla::BootstrapConfig const&) (argc=2, argv=0x7fffffffe338, aConfig=...)
    at /var/tmp/firefox-55.0.3/toolkit/xre/nsAppRunner.cpp:4842
#26 0x0000555555559d3c in do_main(int, char**, char**) (argc=2, argv=0x7fffffffe338, envp=<optimized out>)
    at /var/tmp/firefox-55.0.3/browser/app/nsBrowserApp.cpp:236
#27 0x00005555555593cc in main(int, char**, char**) (argc=2, argv=0x7fffffffe338, envp=0x7fffffffe350)
    at /var/tmp/firefox-55.0.3/browser/app/nsBrowserApp.cpp:309

What happens is that

- Orca calls SetCaretOffset for an object which has disappeared.
- Normally, at-spi2-atk's impl_SetCaretOffset would in such case just not find the object,
- but there is a window between Accessible::Shutdown() (which resets the SelectionManager cache) and HyperTextAccessible::~HyperTextAccessible() during which the Accessible still exists.
- If the SetCaretOffset request comes during the window, when SetCaretOffset calls SelectionManager::UpdateCaretOffset, the object gets referenced in the SelectionManager cache. This can be seen in this backtrace: I have put a pause() call there under if (aItem->GetContent() == NULL || aItem->Document() == NULL), i.e. aItem got shut down, but it is not destroyed yet, thus atk found it.

#0  0x00007ffff7bcc89d in pause () at ../sysdeps/unix/syscall-template.S:84
#1  0x00007fffeb16c6fd in mozilla::a11y::SelectionManager::UpdateCaretOffset(mozilla::a11y::HyperTextAccessible*, int) (this=<optimized out>, this=<optimized out>, aOffset=0, aItem=0x7fffb8820a20)
    at /var/tmp/firefox-55.0.3/build-browser/dist/include/mozilla/a11y/SelectionManager.h:107
#2  0x00007fffeb16c6fd in mozilla::a11y::HyperTextAccessible::SetCaretOffset(int) (aOffset=0, this=0x7fffb8820a20)
    at /var/tmp/firefox-55.0.3/accessible/generic/HyperTextAccessible-inl.h:44
#3  0x00007fffeb16c6fd in setCaretOffsetCB(AtkText*, gint) (aText=<optimized out>, aOffset=0)
    at /var/tmp/firefox-55.0.3/accessible/atk/nsMaiInterfaceText.cpp:588
#4  0x00007ffff3b5d446 in impl_SetCaretOffset (bus=<optimized out>, message=0x7fffadaaad00, user_data=0x7fffb9b14f10)
    at text-adaptor.c:109
#5  0x00007ffff3b5241d in handle_other (pathstr=0x7fffb2bcfc98 "/org/a11y/atspi/accessible/899", member=<optimized out>, iface=<optimized out>, path=0x7fffd2ea7e20, message=0x7fffadaaad00, bus=0x7fffc4a66ce0) at droute.c:553
#6  0x00007ffff3b5241d in handle_message (bus=0x7fffc4a66ce0, message=message@entry=0x7fffadaaad00, user_data=user_data@entry=0x7fffd2ea7e20) at droute.c:600
#7  0x00007fffeffd31e0 in _dbus_object_tree_dispatch_and_unlock (tree=0x7fffd20cba60, message=message@entry=0x7fffadaaad00, found_object=found_object@entry=0x7fffffffca48) at ../../../dbus/dbus-object-tree.c:1020
#8  0x00007fffeffc49fa in dbus_connection_dispatch (connection=0x7fffc4a66ce0) at ../../../dbus/dbus-connection.c:4746
#9  0x00007ffff0213835 in  () at /usr/lib/x86_64-linux-gnu/libatspi.so.0
#10 0x00007ffff1dddf67 in g_main_dispatch (context=0x7ffff6b5fb30) at ../../../../glib/gmain.c:3148
#11 0x00007ffff1dddf67 in g_main_context_dispatch (context=context@entry=0x7ffff6b5fb30) at ../../../../glib/gmain.c:3813
#12 0x00007ffff1dde1a0 in g_main_context_iterate (context=context@entry=0x7ffff6b5fb30, block=block@entry=0, dispatch=dispatch@entry=1, self=<optimized out>) at ../../../../glib/gmain.c:3886
#13 0x00007ffff1dde22c in g_main_context_iteration (context=0x7ffff6b5fb30, context@entry=0x0, may_block=0)
    at ../../../../glib/gmain.c:3947
#14 0x00007fffea50db5f in nsAppShell::ProcessNextNativeEvent(bool) (this=<optimized out>, mayWait=<optimized out>)
    at /var/tmp/firefox-55.0.3/widget/gtk/nsAppShell.cpp:278
#15 0x00007fffea4d9162 in nsBaseAppShell::DoProcessNextNativeEvent(bool) (this=this@entry=0x7fffe037a160, mayWait=mayWait@entry=false) at /var/tmp/firefox-55.0.3/widget/nsBaseAppShell.cpp:138
#16 0x00007fffea4d939c in nsBaseAppShell::OnProcessNextEvent(nsIThreadInternal*, bool) (this=0x7fffe037a160, thr=0x7fffe42206f0, mayWait=<optimized out>) at /var/tmp/firefox-55.0.3/widget/nsBaseAppShell.cpp:271
#17 0x00007fffe873877e in nsThread::ProcessNextEvent(bool, bool*) (this=0x7fffe42206f0, aMayWait=<optimized out>, aResult=0x7fffffffcd47) at /var/tmp/firefox-55.0.3/xpcom/threads/nsThread.cpp:1356
#18 0x00007fffe873b1aa in NS_ProcessNextEvent(nsIThread*, bool) (aThread=<optimized out>, 
    aThread@entry=0x7fffe42206f0, aMayWait=aMayWait@entry=false) at /var/tmp/firefox-55.0.3/xpcom/threads/nsThreadUtils.cpp:475
#19 0x00007fffe8b44992 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) (this=0x7fffe424d640, aDelegate=0x7ffff6baf840) at /var/tmp/firefox-55.0.3/ipc/glue/MessagePump.cpp:96
#20 0x00007fffe8b1f7a0 in MessageLoop::RunInternal() (this=<optimized out>)
    at /var/tmp/firefox-55.0.3/ipc/chromium/src/base/message_loop.cc:238
#21 0x00007fffe8b1f7a0 in MessageLoop::RunHandler() (this=<optimized out>)
    at /var/tmp/firefox-55.0.3/ipc/chromium/src/base/message_loop.cc:231
#22 0x00007fffe8b1f7a0 in MessageLoop::Run() (this=<optimized out>)
    at /var/tmp/firefox-55.0.3/ipc/chromium/src/base/message_loop.cc:211
#23 0x00007fffea4d45c8 in nsBaseAppShell::Run() (this=0x7fffe037a160) at /var/tmp/firefox-55.0.3/widget/nsBaseAppShell.cpp:156
#24 0x00007fffeb397b2e in nsAppStartup::Run() (this=0x7fffde5ba880)
    at /var/tmp/firefox-55.0.3/toolkit/components/startup/nsAppStartup.cpp:283
#25 0x00007fffeb428c64 in XREMain::XRE_mainRun() (this=this@entry=0x7fffffffd000)
    at /var/tmp/firefox-55.0.3/toolkit/xre/nsAppRunner.cpp:4567
#26 0x00007fffeb429ce6 in XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&) (this=this@entry=0x7fffffffd000, argc=argc@entry=2, argv=argv@entry=0x7fffffffe338, aConfig=...) at /var/tmp/firefox-55.0.3/toolkit/xre/nsAppRunner.cpp:4747
#27 0x00007fffeb42a032 in XRE_main(int, char**, mozilla::BootstrapConfig const&) (argc=2, argv=0x7fffffffe338, aConfig=...)
    at /var/tmp/firefox-55.0.3/toolkit/xre/nsAppRunner.cpp:4842
#28 0x0000555555559d3c in do_main(int, char**, char**) (argc=2, argv=0x7fffffffe338, envp=<optimized out>)
    at /var/tmp/firefox-55.0.3/browser/app/nsBrowserApp.cpp:236
#29 0x00005555555593cc in main(int, char**, char**) (argc=2, argv=0x7fffffffe338, envp=0x7fffffffe350)
    at /var/tmp/firefox-55.0.3/browser/app/nsBrowserApp.cpp:309


- When the object actually gets destroyed from nsCycleCollector_doDeferredDeletion, ~HyperTextAccessible() is called but does nothing, so the object remains referenced from the SelectionManager cache. This shows up in this backtrace (I have put a pause() call under if SelectionMgr()->AccessibleWithCaret(nullptr) == this, i.e. the object being destroyed is actually referenced by the SelectionMgr cache)

#0  0x00007ffff7bcc89d in pause () at ../sysdeps/unix/syscall-template.S:84
#1  0x00007fffeb1b5d45 in mozilla::a11y::HyperTextAccessible::~HyperTextAccessible() (this=
    0x7fffd21ad2e0, __in_chrg=<optimized out>) at /var/tmp/firefox-55.0.3/accessible/generic/HyperTextAccessible.h:441
#2  0x00007fffeb1b5d45 in mozilla::a11y::HTMLLinkAccessible::~HTMLLinkAccessible() (this=0x7fffd21ad2e0, __in_chrg=<optimized out>) at /var/tmp/firefox-55.0.3/accessible/html/HTMLLinkAccessible.h:38
#3  0x00007fffeb1b5d45 in mozilla::a11y::HTMLLinkAccessible::~HTMLLinkAccessible() (this=0x7fffd21ad2e0, __in_chrg=<optimized out>) at /var/tmp/firefox-55.0.3/accessible/html/HTMLLinkAccessible.h:38
#4  0x00007fffe86dc3e7 in SnowWhiteKiller::~SnowWhiteKiller() (this=0x7fffffffcbc0, __in_chrg=<optimized out>)
    at /var/tmp/firefox-55.0.3/xpcom/base/nsCycleCollector.cpp:2651
#5  0x00007fffe86dc3e7 in nsCycleCollector::FreeSnowWhite(bool) (this=0x7ffff6b738c0, aUntilNoSWInPurpleBuffer=aUntilNoSWInPurpleBuffer@entry=false) at /var/tmp/firefox-55.0.3/xpcom/base/nsCycleCollector.cpp:2819
#6  0x00007fffe86dd34b in nsCycleCollector::FreeSnowWhite(bool) (aUntilNoSWInPurpleBuffer=false, this=<optimized out>)
    at /var/tmp/firefox-55.0.3/xpcom/base/nsCycleCollector.cpp:4165
#7  0x00007fffe86dd34b in nsCycleCollector_doDeferredDeletion() ()
    at /var/tmp/firefox-55.0.3/xpcom/base/nsCycleCollector.cpp:4164
#8  0x00007fffe8ea5bdd in AsyncFreeSnowWhite::Run() (this=0x7fffe1d74de0)
    at /var/tmp/firefox-55.0.3/js/xpconnect/src/XPCJSRuntime.cpp:142
#9  0x00007fffe873d504 in IdleRunnableWrapper::Run() (this=0x7fffb7bee440, this=<optimized out>)
    at /var/tmp/firefox-55.0.3/xpcom/threads/nsThreadUtils.cpp:328
#10 0x00007fffe8738829 in nsThread::ProcessNextEvent(bool, bool*) (this=0x7fffe42206f0, aMayWait=<optimized out>, aResult=0x7fffffffcd47) at /var/tmp/firefox-55.0.3/xpcom/threads/nsThread.cpp:1418
#11 0x00007fffe873b1aa in NS_ProcessNextEvent(nsIThread*, bool) (aThread=<optimized out>, 
    aThread@entry=0x7fffe42206f0, aMayWait=aMayWait@entry=false) at /var/tmp/firefox-55.0.3/xpcom/threads/nsThreadUtils.cpp:475
#12 0x00007fffe8b44992 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) (this=0x7fffe424d640, aDelegate=0x7ffff6baf840) at /var/tmp/firefox-55.0.3/ipc/glue/MessagePump.cpp:96
#13 0x00007fffe8b1f7a0 in MessageLoop::RunInternal() (this=<optimized out>)
    at /var/tmp/firefox-55.0.3/ipc/chromium/src/base/message_loop.cc:238
#14 0x00007fffe8b1f7a0 in MessageLoop::RunHandler() (this=<optimized out>)
    at /var/tmp/firefox-55.0.3/ipc/chromium/src/base/message_loop.cc:231
#15 0x00007fffe8b1f7a0 in MessageLoop::Run() (this=<optimized out>)
    at /var/tmp/firefox-55.0.3/ipc/chromium/src/base/message_loop.cc:211
#16 0x00007fffea4d45c8 in nsBaseAppShell::Run() (this=0x7fffe037a160) at /var/tmp/firefox-55.0.3/widget/nsBaseAppShell.cpp:156
#17 0x00007fffeb397aae in nsAppStartup::Run() (this=0x7fffde5ba880)
    at /var/tmp/firefox-55.0.3/toolkit/components/startup/nsAppStartup.cpp:283
#18 0x00007fffeb428be4 in XREMain::XRE_mainRun() (this=this@entry=0x7fffffffd000)
    at /var/tmp/firefox-55.0.3/toolkit/xre/nsAppRunner.cpp:4567
#19 0x00007fffeb429c66 in XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&) (this=this@entry=0x7fffffffd000, argc=argc@entry=2, argv=argv@entry=0x7fffffffe338, aConfig=...) at /var/tmp/firefox-55.0.3/toolkit/xre/nsAppRunner.cpp:4747
#20 0x00007fffeb429fb2 in XRE_main(int, char**, mozilla::BootstrapConfig const&) (argc=2, argv=0x7fffffffe338, aConfig=...)
    at /var/tmp/firefox-55.0.3/toolkit/xre/nsAppRunner.cpp:4842
#21 0x0000555555559d3c in do_main(int, char**, char**) (argc=2, argv=0x7fffffffe338, envp=<optimized out>)
    at /var/tmp/firefox-55.0.3/browser/app/nsBrowserApp.cpp:236
#22 0x00005555555593cc in main(int, char**, char**) (argc=2, argv=0x7fffffffe338, envp=0x7fffffffe350)
    at /var/tmp/firefox-55.0.3/browser/app/nsBrowserApp.cpp:309


- From then on, if Orca requests get CaretOffset, HyperTextAccessible::CaretOffset gets the object from the cache, and tries to call GetNode on it, which crashes (first backtrace shown above).



Expected results:

It should not crash :)

The proposed patch modifies HyperTextAccessible::SetCaretOffset to avoid forcing the cache refresh when the object has been shut down, just not collected yet. I guess other strategies could be to remove the object from the SelectionManager cache, or to make Accessible::Shutdown() remove the object from sight of at-spi2-atk's.
Severity: normal → critical
Component: Untriaged → Disability Access
Keywords: access, crash
OS: Unspecified → Linux
Hardware: Unspecified → x86_64
Attachment #8915569 - Flags: a11y-review?(surkov.alexander)
Component: Disability Access → Disability Access APIs
Product: Firefox → Core
Another strategy could also be to move the check into the UpdateCaretOffset() method itself, to be defensive against other potential calls instead of being preventive. Your call :)
Attachment #8915569 - Flags: review?(surkov.alexander)
Attachment #8915569 - Attachment is patch: true
Attachment #8915569 - Attachment mime type: text/x-patch → text/plain
Attached patch proposed fix
This is the same proposed fix, only the formatting changes
Attachment #8915569 - Attachment is obsolete: true
Attachment #8915569 - Flags: review?(surkov.alexander)
Attachment #8915569 - Flags: a11y-review?(surkov.alexander)
Attachment #8917323 - Flags: review?(surkov.alexander)
(In reply to Samuel Thibault from comment #0)

> After applying patch proposed to bug #1260598 , running firefox on Linux
> with Orca, going to

just curious, why this is not part of patch of bug 1260598? It'd be unfair to r+ that patch since we know that it regresses us.
Well, I believe that it's just by luck that this bug #1406043 doesn't happen often (one doesn't often set and get caret offset of an object being shut down), and bug #1260598 just happens to trigger it more often.
(In reply to Samuel Thibault from comment #4)
> Well, I believe that it's just by luck that this bug #1406043 doesn't happen
> often (one doesn't often set and get caret offset of an object being shut
> down), and bug #1260598 just happens to trigger it more often.

fair enough.

I'm not clear though how do we happen to call a method on a shutdown object? If HyperTextAccessible is destroyed, then this chain should be run: HyperTextAccessible::Shutdown() -> AccessibleWrap::Shutdown() -> MaiAtkObject::Shutdown() -> accWrap.SetBits(0);

So setCaretOffsetCB should get null when it calls GetAccessibleWrap(ATK_OBJECT(aText)), no?
Status: UNCONFIRMED → NEW
Ever confirmed: true
(In reply to Samuel Thibault from comment #4)
> Well, I believe that it's just by luck that this bug #1406043 doesn't happen
> often (one doesn't often set and get caret offset of an object being shut
> down), and bug #1260598 just happens to trigger it more often.

the patch from bug 1260598 changes the layout refresh timing, and thus affects when we update the a11y tree, so it could be that this bug doesn't happen without bug 1260598 patch. At least I'm not sure I see how.
Hello,

Indeed, this is the backtrace of the Shutdown call which triggers the issue:

#0  0x00007fffeb159ba7 in MaiAtkObject::Shutdown() (this=0x7fffadb3c0b0 [MaiAtkType13b]) at /var/tmp/firefox-55.0.3/accessible/atk/AccessibleWrap.cpp:155
#1  0x00007fffeb15a03c in mozilla::a11y::AccessibleWrap::ShutdownAtkObject() (this=0x7fffae391270)
    at /var/tmp/firefox-55.0.3/accessible/atk/AccessibleWrap.cpp:279
#2  0x00007fffeb15d069 in mozilla::a11y::AccessibleWrap::Shutdown() (this=0x7fffae391270) at /var/tmp/firefox-55.0.3/accessible/atk/AccessibleWrap.cpp:288
#3  0x00007fffeb19731e in mozilla::a11y::DocAccessible::UnbindFromDocument(mozilla::a11y::Accessible*) (this=0x7fffb87ae720, aAccessible=0x7fffae391270)
    at /var/tmp/firefox-55.0.3/accessible/generic/DocAccessible.cpp:1341
#4  0x00007fffeb197829 in mozilla::a11y::DocAccessible::ShutdownChildrenInSubtree(mozilla::a11y::Accessible*) (this=<optimized out>, aAccessible=<optimized out>) at /var/tmp/firefox-55.0.3/accessible/generic/DocAccessible.cpp:2365
#5  0x00007fffeb172409 in mozilla::a11y::NotificationController::ProcessMutationEvents() (this=this@entry=0x7fffcf017340)
    at /var/tmp/firefox-55.0.3/accessible/base/NotificationController.cpp:520
#6  0x00007fffeb175f38 in mozilla::a11y::NotificationController::WillRefresh(mozilla::TimeStamp) (this=0x7fffcf017340, aTime=...)
    at /var/tmp/firefox-55.0.3/accessible/base/NotificationController.cpp:832
#7  0x00007fffea6d48ec in nsRefreshDriver::Tick(long, mozilla::TimeStamp) (this=0x7fffb1619c00, aNowEpoch=<optimized out>, aNowTime=...)
    at /var/tmp/firefox-55.0.3/layout/base/nsRefreshDriver.cpp:1831
#8  0x00007fffe948d103 in nsFocusManager::CheckIfFocusable(nsIContent*, unsigned int) (this=this@entry=0x7fffde5906d0, aContent=aContent@entry=
    0x7fffadfeba80, aFlags=aFlags@entry=0) at /var/tmp/firefox-55.0.3/dom/base/nsFocusManager.cpp:1596
#9  0x00007fffe94b75be in nsFocusManager::SetFocusInner(nsIContent*, int, bool, bool) (this=this@entry=0x7fffde5906d0, aNewContent=0x7fffadfeba80, aFlags=aFlags@entry=0, aFocusChanged=aFocusChanged@entry=true, aAdjustWidget=aAdjustWidget@entry=true) at /var/tmp/firefox-55.0.3/dom/base/nsFocusManager.cpp:1207
#10 0x00007fffe94b8765 in nsFocusManager::SetFocus(nsIDOMElement*, unsigned int) (this=0x7fffde5906d0, aElement=<optimized out>, aFlags=aFlags@entry=0)
    at /var/tmp/firefox-55.0.3/dom/base/nsFocusManager.cpp:491
#11 0x00007fffeb1a5e21 in mozilla::a11y::Accessible::TakeFocus() (this=0x7fffae391270) at /var/tmp/firefox-55.0.3/accessible/generic/Accessible.cpp:758
#12 0x00007fffeb1a794a in mozilla::a11y::HyperTextAccessible::SetSelectionRange(int, int) (this=this@entry=0x7fffae391270, aStartPos=aStartPos@entry=0, aEndPos=aEndPos@entry=0) at /var/tmp/firefox-55.0.3/accessible/generic/HyperTextAccessible.cpp:1351
#13 0x00007fffeb16515b in mozilla::a11y::HyperTextAccessible::SetCaretOffset(int) (aOffset=0, this=0x7fffae391270)
    at /var/tmp/firefox-55.0.3/accessible/generic/HyperTextAccessible-inl.h:41
#14 0x00007fffeb16515b in setCaretOffsetCB(AtkText*, gint) (aText=<optimized out>, aOffset=0)
    at /var/tmp/firefox-55.0.3/accessible/atk/nsMaiInterfaceText.cpp:593
#15 0x00007ffff3b5c446 in impl_SetCaretOffset (bus=<optimized out>, message=0x7fffada6bd40, user_data=0x7fffadb3c0b0) at text-adaptor.c:109
#16 0x00007ffff3b5141d in handle_other (pathstr=0x7fffb8b67e98 "/org/a11y/atspi/accessible/1618", member=<optimized out>, iface=<optimized out>, path=0x7fffd2da7f40, message=0x7fffada6bd40, bus=0x7fffc54f8ce0) at droute.c:553
#17 0x00007ffff3b5141d in handle_message (bus=0x7fffc54f8ce0, message=message@entry=0x7fffada6bd40, user_data=user_data@entry=0x7fffd2da7f40) at droute.c:600
#18 0x00007fffeffd13e0 in _dbus_object_tree_dispatch_and_unlock (tree=0x7fffdafdf0a0, message=message@entry=0x7fffada6bd40, found_object=found_object@entry=0x7fffffffca88) at ../../../dbus/dbus-object-tree.c:1020
#19 0x00007fffeffc220a in dbus_connection_dispatch (connection=0x7fffc54f8ce0) at ../../../dbus/dbus-connection.c:4744
#20 0x00007ffff0212835 in  () at /usr/lib/x86_64-linux-gnu/libatspi.so.0
#21 0x00007ffff1ddcf67 in g_main_dispatch (context=0x7ffff6b5fb30) at ../../../../glib/gmain.c:3148
#22 0x00007ffff1ddcf67 in g_main_context_dispatch (context=context@entry=0x7ffff6b5fb30) at ../../../../glib/gmain.c:3813
#23 0x00007ffff1ddd1a0 in g_main_context_iterate (context=context@entry=0x7ffff6b5fb30, block=block@entry=0, dispatch=dispatch@entry=1, self=<optimized out>)
    at ../../../../glib/gmain.c:3886
#24 0x00007ffff1ddd22c in g_main_context_iteration (context=0x7ffff6b5fb30, context@entry=0x0, may_block=0) at ../../../../glib/gmain.c:3947
#25 0x00007fffea505b5f in nsAppShell::ProcessNextNativeEvent(bool) (this=<optimized out>, mayWait=<optimized out>)
    at /var/tmp/firefox-55.0.3/widget/gtk/nsAppShell.cpp:278
#26 0x00007fffea4d1162 in nsBaseAppShell::DoProcessNextNativeEvent(bool) (this=this@entry=0x7fffde683160, mayWait=mayWait@entry=false)
    at /var/tmp/firefox-55.0.3/widget/nsBaseAppShell.cpp:138
#27 0x00007fffea4d139c in nsBaseAppShell::OnProcessNextEvent(nsIThreadInternal*, bool) (this=0x7fffde683160, thr=0x7fffe42206f0, mayWait=<optimized out>)
    at /var/tmp/firefox-55.0.3/widget/nsBaseAppShell.cpp:271
#28 0x00007fffe873077e in nsThread::ProcessNextEvent(bool, bool*) (this=0x7fffe42206f0, aMayWait=<optimized out>, aResult=0x7fffffffcd87)
    at /var/tmp/firefox-55.0.3/xpcom/threads/nsThread.cpp:1356
#29 0x00007fffe87331aa in NS_ProcessNextEvent(nsIThread*, bool) (aThread=<optimized out>, aThread@entry=0x7fffe42206f0, aMayWait=aMayWait@entry=false)
    at /var/tmp/firefox-55.0.3/xpcom/threads/nsThreadUtils.cpp:475
#30 0x00007fffe8b3c992 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) (this=0x7fffe424d680, aDelegate=0x7ffff6baf840)
    at /var/tmp/firefox-55.0.3/ipc/glue/MessagePump.cpp:96
#31 0x00007fffe8b177a0 in MessageLoop::RunInternal() (this=<optimized out>) at /var/tmp/firefox-55.0.3/ipc/chromium/src/base/message_loop.cc:238
#32 0x00007fffe8b177a0 in MessageLoop::RunHandler() (this=<optimized out>) at /var/tmp/firefox-55.0.3/ipc/chromium/src/base/message_loop.cc:231
#33 0x00007fffe8b177a0 in MessageLoop::Run() (this=<optimized out>) at /var/tmp/firefox-55.0.3/ipc/chromium/src/base/message_loop.cc:211
#34 0x00007fffea4cc5c8 in nsBaseAppShell::Run() (this=0x7fffde683160) at /var/tmp/firefox-55.0.3/widget/nsBaseAppShell.cpp:156
#35 0x00007fffeb38fcde in nsAppStartup::Run() (this=0x7fffde5ba880) at /var/tmp/firefox-55.0.3/toolkit/components/startup/nsAppStartup.cpp:283
#36 0x00007fffeb420e14 in XREMain::XRE_mainRun() (this=this@entry=0x7fffffffd040) at /var/tmp/firefox-55.0.3/toolkit/xre/nsAppRunner.cpp:4567
#37 0x00007fffeb421e96 in XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&) (this=this@entry=0x7fffffffd040, argc=argc@entry=2, argv=argv@entry=0x7fffffffe378, aConfig=...) at /var/tmp/firefox-55.0.3/toolkit/xre/nsAppRunner.cpp:4747
#38 0x00007fffeb4221e2 in XRE_main(int, char**, mozilla::BootstrapConfig const&) (argc=2, argv=0x7fffffffe378, aConfig=...)
    at /var/tmp/firefox-55.0.3/toolkit/xre/nsAppRunner.cpp:4842
#39 0x0000555555559d3c in do_main(int, char**, char**) (argc=2, argv=0x7fffffffe378, envp=<optimized out>)
    at /var/tmp/firefox-55.0.3/browser/app/nsBrowserApp.cpp:236
#40 0x00005555555593cc in main(int, char**, char**) (argc=2, argv=0x7fffffffe378, envp=0x7fffffffe390)
    at /var/tmp/firefox-55.0.3/browser/app/nsBrowserApp.cpp:309


So that's between the GetAccessibleWrap() call and the UpdateCaretOffset call, the Tick() call in CheckIfFocusable() happens to shut down the object being worked on.
so, let's close this bug then, since it was caused by bug 1260598, which takes a different approach now?
Flags: needinfo?(samuel.thibault)
Right.
Status: NEW → RESOLVED
Closed: 7 years ago
Flags: needinfo?(samuel.thibault)
Resolution: --- → INVALID
Attachment #8917323 - Flags: review?(surkov.alexander)
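
The sequence the comments above arrive at (a refresh tick inside SetCaretOffset shuts the object down, the object is then written into the caret cache, and it is later destroyed while still cached), as an added C++ model that is not Gecko code and not the attached patch. The class names, the `Mode` values and `CacheDangles` are hypothetical; the two hardened modes model the strategies named in comment 0 (skipping the cache update for a shut-down object, and removing the object from the cache).

```cpp
// Added model of the lifecycle described in this bug; not Gecko code.
#include <cstdio>
#include <functional>
#include <new>
#include <set>

struct TextAccessible;

// Stands in for the SelectionManager cache of "the accessible that has the caret".
struct CaretCache {
  TextAccessible* withCaret = nullptr;
  int offset = -1;
};

// Live-object registry so the demo can recognise a stale pointer without dereferencing it.
static std::set<const void*> gLive;

enum class Mode { Unchecked, RecheckAfterFocus, ClearOnDestroy };

struct TextAccessible {
  CaretCache& cache;
  Mode mode;
  bool defunct = false;
  std::function<void()> duringTakeFocus;  // models the refresh tick run inside TakeFocus()

  TextAccessible(CaretCache& c, Mode m) : cache(c), mode(m) { gLive.insert(this); }

  ~TextAccessible() {
    // Hardening B: never leave a cache entry pointing at a dying object.
    if (mode == Mode::ClearOnDestroy && cache.withCaret == this) cache = CaretCache{};
    gLive.erase(this);
  }

  void Shutdown() {
    defunct = true;
    if (cache.withCaret == this) cache = CaretCache{};  // Shutdown resets the cache entry
  }

  void SetCaretOffset(int aOffset) {
    if (duringTakeFocus) duringTakeFocus();  // may re-enter and shut *this down
    // Hardening A: re-validate after any call that can run a tree update.
    if (mode == Mode::RecheckAfterFocus && defunct) return;
    cache.withCaret = this;
    cache.offset = aOffset;
  }
};

// Returns true when, after the object is destroyed, the cache still refers to it.
bool CacheDangles(Mode mode, bool shutdownDuringSet) {
  CaretCache cache;
  // Placement new keeps the storage valid after destruction, so the final
  // pointer comparison is well defined even in the buggy configuration.
  alignas(TextAccessible) unsigned char slot[sizeof(TextAccessible)];
  TextAccessible* acc = new (slot) TextAccessible(cache, mode);
  if (shutdownDuringSet) acc->duringTakeFocus = [acc] { acc->Shutdown(); };

  acc->SetCaretOffset(0);              // request from the assistive technology
  if (!acc->defunct) acc->Shutdown();  // ordinary teardown order
  acc->~TextAccessible();              // deferred deletion

  return cache.withCaret != nullptr && gLive.count(cache.withCaret) == 0;
}

int main() {
  std::printf("unchecked, shutdown mid-call: dangling=%d\n", CacheDangles(Mode::Unchecked, true));
  std::printf("unchecked, normal teardown:   dangling=%d\n", CacheDangles(Mode::Unchecked, false));
  std::printf("recheck after focus:          dangling=%d\n", CacheDangles(Mode::RecheckAfterFocus, true));
  std::printf("clear cache in destructor:    dangling=%d\n", CacheDangles(Mode::ClearOnDestroy, true));
  return 0;
}
```

Only the unchecked mode with a shutdown landing mid-call leaves the cache dangling, which matches the observation in the thread that the crash needs a specific timing to show up.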