Crash in [@ nsIFrame::GetScreenRectInAppUnits]
Categories
(Core :: Disability Access APIs, defect, P2)
Tracking
()
People
(Reporter: gsvelto, Assigned: Jamie)
References
Details
(Keywords: crash)
Crash Data
Attachments
(1 file)
|
47 bytes,
text/x-phabricator-request
|
RyanVM
:
approval-mozilla-beta+
|
Details | Review |
This bug is for crash report bp-835d5c40-b652-42dd-b407-794770190428.
Top 10 frames of crashing thread:
0 libxul.so nsIFrame::GetScreenRectInAppUnits const layout/generic/nsFrame.cpp:6641
1 libxul.so mozilla::a11y::HyperTextAccessible::TextBounds accessible/generic/HyperTextAccessible.cpp:1167
2 libxul.so mozilla::a11y::DocAccessibleChild::RecvCharBounds accessible/ipc/other/DocAccessibleChild.cpp:424
3 libxul.so mozilla::a11y::PDocAccessibleChild::OnMessageReceived ipc/ipdl/PDocAccessibleChild.cpp:2340
4 libxul.so mozilla::dom::ContentChild::OnMessageReceived dom/ipc/ContentChild.cpp:3714
5 libxul.so mozilla::ipc::MessageChannel::DispatchSyncMessage ipc/glue/MessageChannel.cpp:2121
6 libxul.so mozilla::ipc::MessageChannel::DispatchMessage ipc/glue/MessageChannel.cpp:2074
7 libxul.so mozilla::ipc::MessageChannel::MessageTask::Run ipc/glue/MessageChannel.cpp:1968
8 libxul.so mozilla::SchedulerGroup::Runnable::Run xpcom/threads/SchedulerGroup.cpp:295
9 libxul.so nsThread::ProcessNextEvent xpcom/threads/nsThread.cpp:1180
Crashes with this signature all appear to have accessibility enabled; the crashes are either on Linux or Windows.
|
Assignee | |
Comment 1•6 years ago
|
||
I'm not sure exactly what is triggering this in the wild, but this will certainly do it:
- Open this URL:
data:text/html,<section style="display: contents;"></section> - Retrieve the section accessible.
- Call HyperTextAccessible::CharBounds(0, COORDTYPE_SCREEN_RELATIVE). This can be done with IA2 via IAccessibleText::characterExtents or with XPCOM via nsIAccessibleText::GetCharacterExtents.
- Crash!
In HyperTextAccessible::TextBounds, we call GetFrame() without null checking. For display: contents (and maybe other cases?), this can certainly be null. We should just return an empty rect when this happens.
|
Reporter | |
Comment 2•5 years ago
|
||
FYI I found a potential set of STR in the comments of recent crashes:
This keeps happening, I've started to think this might be an issue with hardware somehow, but cannot reproduce it with anything else... Let me know if there is a way to send more info. Reproduction is as simple as: - open a new e-mail in gmail - quickly add 3 or more people from your contact list (gmail will auto-complete them) I get this tab crash then. Adding them slowly does not produce it. The crash does not happen in other browsers. I think it started happening few versions back.
|
|
Assignee | |
Comment 3•5 years ago
|
||
|
||
Updated•5 years ago
|
|
||
Comment 5•5 years ago
|
||
| bugherder | ||
|
||
Updated•5 years ago
|
|
||
Comment 6•5 years ago
|
||
The patch landed in nightly and beta is affected.
:Jamie, is this bug important enough to require an uplift?
If not please set status_beta to wontfix.
For more information, please visit auto_nag documentation.
|
|
Assignee | |
Comment 7•5 years ago
|
||
Comment on attachment 9154837 [details]
Bug 1547657: Null check frame in HyperTextAccessible::TextBounds.
Beta/Release Uplift Approval Request
- User impact if declined: Crashes.
- Is this code covered by automated tests?: Yes
- Has the fix been verified in Nightly?: Yes
- Needs manual test from QE?: No
- If yes, steps to reproduce:
- List of other uplifts needed: None
- Risk to taking this patch: Low
- Why is the change risky/not risky? (and alternatives if risky): Simple null check.
- String changes made/needed:
|
|
||
Comment 8•5 years ago
|
||
Comment on attachment 9154837 [details]
Bug 1547657: Null check frame in HyperTextAccessible::TextBounds.
Adds a null check to fix a crash. Approved for 78.0b6.
|
|
||
Comment 9•5 years ago
|
||
| bugherder uplift | ||
Description
•