Closed Bug 1578416 Opened 6 years ago Closed 6 years ago

Crash in [@ mozilla::a11y::HyperTextAccessible::FindOffset]

Categories

(Core :: Disability Access APIs, defect, P1)

Unspecified
Windows 10
defect

Tracking


RESOLVED FIXED
mozilla71
Tracking Status
firefox-esr60 --- unaffected
firefox-esr68 --- unaffected
firefox69 --- unaffected
firefox70 --- unaffected
firefox71 --- fixed

People

(Reporter: marcia, Assigned: eeejay)

Details

(Keywords: crash, regression)

Attachments

(1 file)

This bug is for crash report bp-38b40d29-e35d-4b7f-987f-0051d0190902.

Seen while looking at nightly crash stats - crashes started in 20190902094857: https://bit.ly/2lYiFRB. Another similar signature is https://bit.ly/2lWjVEO

Possible regression range based on build ID: https://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=8867e44d49793d8af6b514089cf4b5ebea446985&tochange=4cd56624e723867b1e508d73bd8ee82c899f5670

Top 10 frames of crashing thread:

0 xul.dll unsigned int mozilla::a11y::HyperTextAccessible::FindOffset accessible/generic/HyperTextAccessible.cpp:448
1 xul.dll unsigned int mozilla::a11y::HyperTextAccessible::FindOffset accessible/generic/HyperTextAccessible.cpp:481
2 xul.dll unsigned int mozilla::a11y::HyperTextAccessible::FindOffset accessible/generic/HyperTextAccessible.cpp:481
3 xul.dll unsigned int mozilla::a11y::HyperTextAccessible::FindOffset accessible/generic/HyperTextAccessible.cpp:481
4 xul.dll unsigned int mozilla::a11y::HyperTextAccessible::FindOffset accessible/generic/HyperTextAccessible.cpp:481
5 xul.dll unsigned int mozilla::a11y::HyperTextAccessible::FindOffset accessible/generic/HyperTextAccessible.cpp:481
6 xul.dll unsigned int mozilla::a11y::HyperTextAccessible::FindOffset accessible/generic/HyperTextAccessible.cpp:481
7 xul.dll unsigned int mozilla::a11y::HyperTextAccessible::FindOffset accessible/generic/HyperTextAccessible.cpp:481
8 xul.dll unsigned int mozilla::a11y::HyperTextAccessible::FindOffset accessible/generic/HyperTextAccessible.cpp:481
9 xul.dll unsigned int mozilla::a11y::HyperTextAccessible::FindOffset accessible/generic/HyperTextAccessible.cpp:481

Crash Signature: [@ mozilla::a11y::HyperTextAccessible::FindOffset] → [@ mozilla::a11y::HyperTextAccessible::FindOffset] [@ mozilla::a11y::HyperTextAccessible::GetChildIndexAtOffset]
Priority: -- → P1

Thanks for reporting this, Marcia. I was going to report it but couldn't find a testcase that wasn't behind Mozilla's firewall and got stalled.

Jamie, this is the crash I told you about that I was getting over the weekend (the reports may mostly be mine :) and I can share with you how to reproduce it reliably but my testcase is behind Mozilla auth and the URL contains bits of confidential information so I'll have to share that out of band.

Crash Signature: [@ mozilla::a11y::HyperTextAccessible::FindOffset] [@ mozilla::a11y::HyperTextAccessible::GetChildIndexAtOffset] → [@ mozilla::a11y::HyperTextAccessible::FindOffset] [@ mozilla::a11y::HyperTextAccessible::GetChildIndexAtOffset] [@ InvalidArrayIndex_CRASH | nsTArray_Impl<T>::RemoveElementsAt | mozilla::a11y::HyperTextAccessible::RemoveChild ]

Not sure if the signature I added is the same issue as Asa's crash, but this is one of the top crashes in 70.0b3 with over 720 crashes.

This crash seems to have been introduced on 8/29. The AM build works and the PM build fails. https://hg.mozilla.org/mozilla-central/rev/23824765c6aa026ccc3e3aea1c851c07ab8937ee

This is the top overall crash on the 70.0b3 at the moment, 2467 crashes/213 installs.

Keywords: topcrash

Hello Jamie - Can you please have someone take a look at this top crash? Comment 5 might have the regression range. Thanks!

Flags: needinfo?(jteh)

This is instantly reproducible for me on 32-bit builds on Windows 7 with a11y on when visiting the site https://vsagent.bet9ja.com/live/#/player/1/0

mozregression only comes this far: https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=23824765c6aa026ccc3e3aea1c851c07ab8937ee&tochange=bafad3cf557bab4f7f42ee4818bc711128785cbe - out of this range, the changes from bug 1522383 and bug 1357071 would have been the ones obviously related to accessibility.

Marcia, why did you believe the [@ InvalidArrayIndex_CRASH | nsTArray_Impl<T>::RemoveElementsAt | mozilla::a11y::HyperTextAccessible::RemoveChild ] signature to be related to the other two? I think that one (which has far more crashes) is a different issue. Among other things, the other two are stack overflows, but this one is not. I just wanted to check if you had a specific reason before I went and split this into a separate bug. Thanks.

Flags: needinfo?(jteh) → needinfo?(mozillamarcia.knous)
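The frame list at the top of this bug (ten consecutive FindOffset frames, nine of them at the same source line) is what marks the FindOffset and GetChildIndexAtOffset signatures as stack overflows, and the absence of such a repeat is why the RemoveChild signature is judged to be a different issue. The script below is an added triage helper, not part of this thread or of Mozilla's crash tooling: it parses frame lines in the same "N module function file:line" shape the report uses and looks for a repeating cycle of frames. It goes one step beyond the case on the page by also catching mutual recursion (a cycle of period 2 or more), which a plain "same function repeated" check misses. The sample stacks, the `min_cycles` threshold and the `max_period` bound are constructed for the example.

```python
"""Triage helper: flag crash stacks that look like unbounded recursion.

Added example for bug 1578416; it is not Mozilla tooling and does not read
Socorro JSON. It parses frame lines in the "N module function file:line"
shape the report shows and looks for a repeating cycle of frames. The sample
stacks below are constructed for the example; only the shape copies the report.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# "0 xul.dll unsigned int ns::Foo::Bar path/to/file.cpp:448"; file:line is optional
FRAME_RE = re.compile(
    r"^\s*(?P<idx>\d+)\s+(?P<module>\S+)\s+(?P<func>.+?)"
    r"(?:\s+(?P<file>\S+):(?P<line>\d+))?\s*$"
)


@dataclass(frozen=True)
class Frame:
    module: str
    func: str
    file: Optional[str]
    line: Optional[int]


@dataclass(frozen=True)
class Verdict:
    recursive: bool        # True when one cycle repeats at least min_cycles times
    period: int            # frames per cycle (1 = plain self-recursion)
    cycles: int            # how many times the cycle repeats
    cycle: Tuple[str, ...] # function names making up one cycle


def parse_frames(text: str) -> List[Frame]:
    """Keep only lines that look like frames; headers and blanks are skipped."""
    frames = []
    for raw in text.splitlines():
        m = FRAME_RE.match(raw)
        if m is None:
            continue
        frames.append(Frame(m["module"], m["func"], m["file"],
                            int(m["line"]) if m["line"] else None))
    return frames


def longest_cycle(keys: List[Tuple[str, str]], max_period: int = 4) -> Tuple[int, int, int]:
    """Longest stretch of frames that repeats with some period p <= max_period.

    Returns (period, stretch_len, start_index), or (0, 0, 0) when nothing repeats.
    Smaller periods win ties, so A->A->A reports period 1 and A->B->A->B period 2.
    """
    best = (0, 0, 0)
    for p in range(1, max_period + 1):
        run = 0  # consecutive frames equal to the frame p positions earlier
        for i in range(len(keys)):
            if i >= p and keys[i] == keys[i - p]:
                run += 1
                stretch = run + p  # matched frames plus the first period
                if stretch > best[1]:
                    best = (p, stretch, i - stretch + 1)
            else:
                run = 0
    return best


def classify(text: str, min_cycles: int = 5, max_period: int = 4) -> Verdict:
    """Keyed on (module, function) so a different line in the innermost frame,
    as in the report (448 vs 481), still counts as the same recursive frame."""
    keys = [(f.module, f.func) for f in parse_frames(text)]
    period, stretch, start = longest_cycle(keys, max_period)
    if period == 0:
        return Verdict(False, 0, 0, ())
    cycles = stretch // period
    cycle = tuple(keys[i][1] for i in range(start, start + period))
    return Verdict(cycles >= min_cycles, period, cycles, cycle)


# Constructed sample stacks (shape copied from the report, contents not real data).
_FO = "unsigned int mozilla::a11y::HyperTextAccessible::FindOffset"
_FO_FILE = "accessible/generic/HyperTextAccessible.cpp"
FINDOFFSET_STACK = "\n".join(
    [f"0 xul.dll {_FO} {_FO_FILE}:448"]
    + [f"{i} xul.dll {_FO} {_FO_FILE}:481" for i in range(1, 10)]
)
# Non-recursive stack: signature names from the bug, callers are placeholders.
REMOVECHILD_STACK = """
0 xul.dll InvalidArrayIndex_CRASH
1 xul.dll nsTArray_Impl<T>::RemoveElementsAt
2 xul.dll mozilla::a11y::HyperTextAccessible::RemoveChild
3 xul.dll example::PlaceholderCaller1
4 xul.dll example::PlaceholderCaller2
"""
# Mutual recursion between two made-up functions: Walk -> Descend -> Walk -> ...
MUTUAL_STACK = "\n".join(
    f"{i} xul.dll example::{'Walk' if i % 2 == 0 else 'Descend'}" for i in range(12)
)

if __name__ == "__main__":
    for name, stack in [("FindOffset", FINDOFFSET_STACK),
                        ("RemoveChild", REMOVECHILD_STACK),
                        ("Mutual", MUTUAL_STACK)]:
        print(name, classify(stack))
```

Real crash reports carry far more than the ten frames shown in the bug, so in practice `min_cycles` can be set much higher than 5 to avoid flagging legitimately deep but finite recursion; the value here is chosen only so that the truncated sample is classified the way the thread classifies it.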

Eitan, I'm guessing the RemoveChild crash is related to bug 1576690. Do you think that might be fixed by bug 1578282?

Flags: needinfo?(eitan)

The FindOffset stack overflow crashes are related to list bullets. One thing I've discovered is that messing with list-style-position can cause the bullet to end up after the list item text instead of before. With this test case:

data:text/html,<ul><li id="li">Test</li></ul><script>setTimeout(() => li.style.listStylePosition = "inside", 300);</script>

the bullet ends up after the text. I think FindOffset does make some assumptions about the bullet being first, so this might cause some obscure problems. The regression range seems to point at bug 1576690.

(In reply to James Teh [:Jamie] from comment #9)

> Marcia, why did you believe the [@ InvalidArrayIndex_CRASH | nsTArray_Impl<T>::RemoveElementsAt | mozilla::a11y::HyperTextAccessible::RemoveChild ] signature to be related to the other two? I think that one (which has far more crashes) is a different issue. Among other things, the other two are stack overflows, but this one is not. I just wanted to check if you had a specific reason before I went and split this into a separate bug. Thanks.

James - See Comment 2 - I wasn't sure. Sorry - if you want I can file a new bug.

Flags: needinfo?(mozillamarcia.knous)

Bug 1579394 is the new bug for the signature noted in Comment 13. I have removed that signature from this bug as well as the top crash keyword.

Crash Signature: [@ mozilla::a11y::HyperTextAccessible::FindOffset] [@ mozilla::a11y::HyperTextAccessible::GetChildIndexAtOffset] [@ InvalidArrayIndex_CRASH | nsTArray_Impl<T>::RemoveElementsAt | mozilla::a11y::HyperTextAccessible::RemoveChild ] → [@ mozilla::a11y::HyperTextAccessible::FindOffset] [@ mozilla::a11y::HyperTextAccessible::GetChildIndexAtOffset]
Keywords: topcrash

I reproduced this. Seems like the patch from bug 1578282 fixes this. Let's land that and see if it's a dup.

Flags: needinfo?(eitan)

Excuse me, I got confused. The patch in bug 1578282 fixes the signature in bug 1579394.

Assignee: nobody → eitan
Pushed by jteh@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/9aab8ce7d9f1 Don't allow children of list item to move before bullet. r=Jamie
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla71