Closed Bug 1678873 Opened 4 years ago Closed 4 years ago

Crash in [@ mozilla::PresShell::DoFlushPendingNotifications]

Categories

(Core :: Disability Access APIs, defect)

Product:
Core
Component:
Disability Access APIs
Version:
Firefox 85
Platform:
Desktop
Windows 10
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
85 Branch
Tracking Flags:
Tracking Status
firefox-esr78 --- unaffected
firefox83 --- unaffected
firefox84 --- unaffected
firefox85 --- fixed

People

(Reporter: alice0775, Unassigned)

References

(Regression)

Details

(4 keywords)

Crash Data

Crash report: https://crash-stats.mozilla.org/report/index/6f31d3db-d31c-4ad3-b974-8059a0201121

MOZ_CRASH Reason: MOZ_DIAGNOSTIC_ASSERT(!mForbiddenToFlush) (This is bad!)

Top 10 frames of crashing thread:

0 xul.dll mozilla::PresShell::DoFlushPendingNotifications layout/base/PresShell.cpp:4075
1 xul.dll mozilla::dom::Document::FlushPendingNotifications dom/base/Document.cpp:10279
2 xul.dll mozilla::dom::XULTreeElement::GetTreeBodyFrame dom/xul/XULTreeElement.cpp:93
3 xul.dll mozilla::dom::XULTreeElement::GetView dom/xul/XULTreeElement.cpp:111
4 xul.dll mozilla::a11y::XULTreeColumAccessible::GetSiblingAtOffset const accessible/xul/XULTreeAccessible.cpp:984
5 xul.dll mozilla::a11y::AccHideEvent::AccHideEvent accessible/base/AccEvent.cpp:106
6 xul.dll mozilla::a11y::TreeMutation::BeforeRemoval accessible/base/EventTree.cpp:85
7 xul.dll mozilla::a11y::DocAccessible::ContentRemoved accessible/generic/DocAccessible.cpp:2125
8 xul.dll mozilla::a11y::DocAccessible::ContentRemoved accessible/generic/DocAccessible.cpp:2154
9 xul.dll mozilla::a11y::DocAccessible::PruneOrInsertSubtree accessible/generic/DocAccessible.cpp:1399

Reproducible: always

Steps to Reproduce:

  1. Start Nightly with new profile
  2. Ctrl+Shift+O to open Library
  3. Click Downloads on the left pane

Actual Results:
Browser crashes with crash reporter

Bugbug thinks this bug should belong to this component, but please revert this change in case of error.

Component: General → Disability Access APIs

Alice0775, Thanks for finding this crash!

Unlikely, but bug 1678860 might help with this, though I can't tell for sure since I can't reproduce this on macOS.

I suspect the <tree> is not happy about dynamically getting display: none, since it's probably destroying the tree at the same time.
Possible workarounds would be:

  • Adding a wrapper around #placeContent and toggling that (would need to audit if nothing is relying on the current structure though)
  • Using collapsed instead of hidden (which I think was built for this use-case)

Emilio, do you think this correct? Does the crash reveal a bug elsewhere? (e.g. a11y code which appears in the trace)

Flags: needinfo?(emilio)
Component: Disability Access APIs → Layout

Additional info:
I can confirm that a11y is needed to reproduce the crash.

  • Nightly crashes if Windows Narrator is activated
  • Nightly crashes if ATOK Japanese IME is enabled

None of those are the right fix. The right fix is for the a11y code not to do reentrant flushes. I think the relevant code in here should not flush, and for that GetView should probably get a FlushType argument just like GetTreeBodyFrame has.

Component: Layout → Disability Access APIs
Flags: needinfo?(emilio)

Bug 1678523 has been backed out and the next Nightly (which should be available in ~3 hours) should be fixed.

Status: NEW → RESOLVED
Closed: 4 years ago
status-firefox85: affectedfixed
tracking-firefox85: ? → ---
Resolution: --- → FIXED
Target Milestone: --- → 85 Branch

James, please coordinate with Tim how to fix the code mentioned in comment 5 so bug 1678523 can land again.

Flags: needinfo?(jteh)

I've relanded bug 1678523 with the fix suggested in comment 5, hopefully it will work. It doesn't have a crash test, but probably should (I'm not too familiar with how to enable a11y features in tests).

Alice0775, could you please check if the crash is fixed by this build (available as target.zip in the Artifacts tab)? I unfortunately don't have Windows to test this. Thanks!

Flags: needinfo?(alice0775)

(In reply to Tim Nguyen :ntim from comment #9)

Alice0775, could you please check if the crash is fixed by this build (available as target.zip in the Artifacts tab)? I unfortunately don't have Windows to test this. Thanks!

The build works fine. No crash.

Flags: needinfo?(alice0775)

Thanks!

Flags: needinfo?(jteh)
You need to log in before you can comment on or make changes to this bug.