Closed Bug 1606743 Opened 6 years ago Closed 6 years ago

Crash in [@ mozilla::dom::PBrowserBridgeChild::SendSetEmbedderAccessible]

Categories: Core :: Disability Access APIs, defect, P2
73 Branch, Unspecified, Windows 10

Tracking: RESOLVED FIXED, mozilla74, Fission Milestone M5

Tracking Status
firefox-esr68 --- unaffected
firefox72 --- unaffected
firefox73 --- disabled
firefox74 --- fixed

People: Reporter: marcia, Assigned: Jamie

Keywords: crash, regression

Attachments: 1 file

This bug is for crash report bp-ed8aa89d-01d1-43d2-bbfa-815f40191220.

Seen while looking at nightly 73 crash stats - crashes started in 20191219095006: https://bit.ly/2SMZys4. 6 crashes/3 installs. Moz crash reason MOZ_RELEASE_ASSERT(aVar->CanSend()) (Actor must still be open when sending)

Possible regression range based on build ID: https://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=e928d60013446484acd63757ac883626b722f85d&tochange=8e1b11b00157269f1f781753efc241e005efeaf1

Top 10 frames of crashing thread:

0 xul.dll static mozilla::ipc::IPDLParamTraits<mozilla::a11y::PDocAccessibleChild*>::Write ipc/ipdl/PDocAccessibleChild.cpp:826
1 xul.dll mozilla::dom::PBrowserBridgeChild::SendSetEmbedderAccessible ipc/ipdl/PBrowserBridgeChild.cpp:398
2 xul.dll mozilla::a11y::OuterDocAccessible::OuterDocAccessible accessible/generic/OuterDocAccessible.cpp:47
3 xul.dll nsAccessibilityService::CreateAccessibleByFrameType accessible/base/nsAccessibilityService.cpp:1434
4 xul.dll nsAccessibilityService::CreateAccessible accessible/base/nsAccessibilityService.cpp:1035
5 xul.dll mozilla::a11y::TreeWalker::Next accessible/base/TreeWalker.cpp:187
6 xul.dll mozilla::a11y::DocAccessible::CacheChildrenInSubtree accessible/generic/DocAccessible.cpp:2408
7 xul.dll mozilla::a11y::DocAccessible::DoInitialUpdate accessible/generic/DocAccessible.cpp:1589
8 xul.dll mozilla::a11y::DocAccessibleWrap::DoInitialUpdate accessible/windows/msaa/DocAccessibleWrap.cpp:133
9 xul.dll mozilla::a11y::NotificationController::WillRefresh accessible/base/NotificationController.cpp:636

Assignee: nobody → jteh
Blocks: a11y-fission
Fission Milestone: --- → M5
Priority: -- → P2

Here's what I think is happening here:

  1. We have a top level document containing an in-process iframe containing an OOP iframe.
  2. The top level DocAccessibleChild requests construction in the parent process. We haven't yet received its parent COM proxy, so we defer all events and child doc constructions (DocAccessibleChild::mIsRemoteConstructed is false).
  3. The in-process iframe DocAccessibleChild gets created. Because mIsRemoteConstructed is still false on the top level DocAccessibleChild, we defer sending the parent constructor for the in-process iframe DocAccessibleChild.
  4. The OOP iframe OuterDocAccessible gets created. We try to call BrowserBridgeChild::SendSetEmbedderAccessible. However, because we haven't sent the parent constructor for the in-process iframe DocAccessibleChild yet (3), IPDL barfs.

We're going to need to somehow defer calling SendSetEmbedderAccessible in this case. The best place is probably in the embedder DocAccessibleChild using the DeferredEvent mechanism we already have there. That's a little bit ugly because the target is actually BrowserBridgeChild, not DocAccessibleChild, but adding a whole new deferred mechanism for this seems over-complicated. We can use CanSend() on the DocAccessibleChild to work out whether we need to defer. We don't want to use IsConstructedInParentProcess because this would pointlessly defer in the case where the OOP iframe is embedded by a top level remote document and that top level doc hasn't received its parent COM proxy yet.

If the top level document hasn't received its parent COM proxy yet, sending constructors for child documents will be deferred.
If an OuterDocAccessible for an OOP iframe is created inside a child document before its constructor is sent, we must also defer the call to BrowserBridgeChild::SendSetEmbedderAccessible.
Previously, we tried to send the embedder before the document constructor was sent, causing a crash.
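
The deferral described above, modelled as a small stand-alone C++ example. This is an added illustration, not Gecko code or the landed patch: DocActor, Log, SendConstructor, the SetEmbedderAccessible wrapper and the ids 7 and 8 are hypothetical stand-ins for DocAccessibleChild, the IPC channel and the real IPDL calls.

```cpp
#include <functional>
#include <string>
#include <utility>
#include <vector>

// Messages in the order the parent process would receive them.
using Log = std::vector<std::string>;

// Hypothetical stand-in for DocAccessibleChild: it can be named in a message
// only after its own constructor message has been sent.
struct DocActor {
  bool constructorSent = false;
  std::vector<std::function<void()>> deferred;  // models the DeferredEvent queue
  bool CanSend() const { return constructorSent; }
};

// Send the document constructor, then flush everything that was waiting on it.
void SendConstructor(DocActor& doc, Log& log) {
  log.push_back("ctor");
  doc.constructorSent = true;
  auto pending = std::move(doc.deferred);
  doc.deferred.clear();
  for (auto& fn : pending) fn();
}

// Returns true if sent immediately, false if queued on the embedder document.
bool SetEmbedderAccessible(DocActor& embedderDoc, Log& log, int accId) {
  auto send = [&log, accId] {
    log.push_back("SetEmbedderAccessible:" + std::to_string(accId));
  };
  if (!embedderDoc.CanSend()) {  // sending without this check is the crash in this bug
    embedderDoc.deferred.push_back(send);
    return false;
  }
  send();
  return true;
}

// Steps 3 and 4 of the analysis, then the late constructor send.
Log RunScenario(bool& sentImmediately) {
  Log log;
  DocActor iframeDoc;  // constructor deferred by the top level document
  sentImmediately = SetEmbedderAccessible(iframeDoc, log, 7);  // 7: constructed id
  SendConstructor(iframeDoc, log);  // top level doc received its COM proxy
  SetEmbedderAccessible(iframeDoc, log, 8);  // later OOP iframe: sent directly
  return log;
}

int main() { bool now; return RunScenario(now).size() == 3 ? 0 : 1; }
```

The parent-side order is always constructor first, then the embedder message, whichever was requested first in the content process.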

Pushed by jteh@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/33b332d97ee2
Defer calling BrowserBridgeChild::SendSetEmbedderAccessible if a DocAccessibleChild hasn't sent its constructor to the parent process yet. r=eeejay
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla74