Closed
Bug 1434315
Opened 7 years ago
Closed 7 years ago
Crash in mozilla::a11y::Accessible::NativeAttributes
Categories
(Core :: DOM: Core & HTML, defect)
Tracking
()
RESOLVED
DUPLICATE
of bug 1434273
| Tracking | Status | |
|---|---|---|
| firefox-esr52 | --- | unaffected |
| firefox58 | --- | unaffected |
| firefox59 | --- | unaffected |
| firefox60 | --- | affected |
People
(Reporter: calixte, Unassigned)
References
(Blocks 1 open bug)
Details
(Keywords: crash, regression)
Crash Data
This bug was filed from the Socorro interface and is
report bp-14c0e7b7-3ceb-4e2c-a721-381390180130.
=============================================================
Top 10 frames of crashing thread:
0 xul.dll mozilla::a11y::Accessible::NativeAttributes accessible/generic/Accessible.cpp:1076
1 xul.dll mozilla::a11y::ImageAccessible::NativeAttributes accessible/generic/ImageAccessible.cpp:167
2 xul.dll mozilla::a11y::Accessible::Attributes accessible/generic/Accessible.cpp:933
3 xul.dll mozilla::a11y::ia2Accessible::get_attributes accessible/windows/ia2/ia2Accessible.cpp:489
4 xul.dll mozilla::a11y::HandlerProvider::BuildDynamicIA2Data accessible/ipc/win/HandlerProvider.cpp:342
5 xul.dll mozilla::a11y::HandlerProvider::BuildInitialIA2Data accessible/ipc/win/HandlerProvider.cpp:416
6 xul.dll mozilla::detail::RunnableMethodImpl<mozilla::a11y::HandlerProvider*, void xpcom/threads/nsThreadUtils.h:1193
7 xul.dll `anonymous namespace'::SyncRunnable::Run ipc/mscom/MainThreadInvoker.cpp:48
8 xul.dll mozilla::SchedulerGroup::Runnable::Run xpcom/threads/SchedulerGroup.cpp:395
9 xul.dll nsThread::ProcessNextEvent xpcom/threads/nsThread.cpp:1040
=============================================================
There are 18 crashes (from are 6 installations) in nightly 60 with buildid 20180130102929. In analyzing the backtrace, the regression may have been introduced by patch [1] to fix bug 1432977.
[1] https://hg.mozilla.org/mozilla-central/rev?node=e0759dfa715e
Flags: needinfo?(bzbarsky)
|
||
Comment 1•7 years ago
|
||
I'm a bit confused by this. The code now looks like this:
mContent->NodeInfo()->GetName(tagName);
nsAccUtils::SetAccAttr(attributes, nsGkAtoms::tag, tagName);
// Expose draggable object attribute.
if (auto htmlElement = nsGenericHTMLElement::FromContent(mContent)) {
if (htmlElement->Draggable()) {
and the crash is on the Draggable() line. We just did mContent->NodeInfo(), so presumably mContent is not null. nsAccUtils::SetAccAttr should not affect mContent. We're testing whether nsGenericHTMLElement::FromContent returned null or not.
All the crashes seem to be EXCEPTION_ACCESS_VIOLATION_READ at 0xffffffffffffffff, which means the address is not really known on Win64, iirc.
Alex, any idea what might be going on here?
|
|
||
Updated•7 years ago
|
Flags: needinfo?(surkov.alexander)
|
|
||
Comment 2•7 years ago
|
||
Oh, and at crash point we have:
"rcx": "0x0000026c6f48c6a0",
which is not implausible as a value for "htmlElement".... I'd think it's in rcx, since that's where the Microsoft x64 calling convention puts the first arg. But if we're still reading the vtable or whatnot, who knows what's in what registers.
|
|
||
Comment 3•7 years ago
|
||
Bug 1434273 has more info.
Status: NEW → RESOLVED
Closed: 7 years ago
Flags: needinfo?(surkov.alexander)
Resolution: --- → DUPLICATE
|
||
Comment 4•7 years ago
|
||
(In reply to Boris Zbarsky [:bz] (no decent commit message means r-) from comment #3)
> Bug 1434273 has more info.
Boris, is there anything a11y specific there? I don't have access to the bug.
|
|
||
Comment 5•7 years ago
|
||
> Boris, is there anything a11y specific there?
No. Just nsGenericHTMLElement::FromContent problems.
|
Assignee | |
Updated•6 years ago
|
Component: DOM → DOM: Core & HTML
You need to log in
before you can comment on or make changes to this bug.
Description
•