Crash in [@ $_31::__invoke]
Categories
(Core :: Disability Access APIs, defect)
Tracking
| | Tracking | Status |
|---|---|---|
| firefox-esr78 | --- | unaffected |
| firefox86 | --- | unaffected |
| firefox87 | --- | unaffected |
| firefox88 | --- | fixed |
People
(Reporter: aryx, Assigned: Jamie)
References
(Regression)
Details
(Keywords: crash, regression)
Attachments
(1 file)
6 Nightly 88.0a1 crashes on 2+ devices, all on Linux.
Crash report: https://crash-stats.mozilla.org/report/index/bf52de44-8ee5-4f04-8e3b-5c54f0210310
Reason: SIGSEGV /SEGV_MAPERR
Top 10 frames of crashing thread:
0 libxul.so $_31::__invoke accessible/base/MarkupMap.h:524
1 libxul.so nsAccessibilityService::CreateAccessible accessible/base/nsAccessibilityService.cpp:1004
2 libxul.so mozilla::a11y::TreeWalker::Next accessible/base/TreeWalker.cpp:188
3 libxul.so mozilla::a11y::DocAccessible::CacheChildrenInSubtree accessible/generic/DocAccessible.cpp:2611
4 libxul.so mozilla::a11y::DocAccessible::CacheChildrenInSubtree accessible/generic/DocAccessible.cpp:2620
5 libxul.so mozilla::a11y::DocAccessible::CacheChildrenInSubtree accessible/generic/DocAccessible.cpp:2620
6 libxul.so mozilla::a11y::DocAccessible::CacheChildrenInSubtree accessible/generic/DocAccessible.cpp:2620
7 libxul.so mozilla::a11y::DocAccessible::CacheChildrenInSubtree accessible/generic/DocAccessible.cpp:2620
8 libxul.so mozilla::a11y::DocAccessible::CacheChildrenInSubtree accessible/generic/DocAccessible.cpp:2620
9 libxul.so mozilla::a11y::DocAccessible::CacheChildrenInSubtree accessible/generic/DocAccessible.cpp:2620
Comment 1 • Assignee • 4 years ago
:evilpie noted in duplicate bug 1698148 that this can reliably be reproduced by going to https://bugs.chromium.org/p/chromium/issues/detail?id=608854.
Comment 4 • Assignee • 4 years ago
Aha! Distilled test case causing the crash:
data:text/html,
<div id="host" role="table"></div>
<script>
const shadow = host.attachShadow({mode: "open"});
const tr = document.createElement("tr");
tr.setAttribute("role", "row");
tr.innerHTML = "<th>1";
shadow.append(tr);
</script>
Working on a patch.
Comment 5 • Assignee • 4 years ago
We assumed parent content wasn't null because we've already checked that there is a parent table accessible, suggesting there's also parent content.
However, if the tr is at the top level of a shadow root (but the table is not), parent content will be null, causing a crash.
Before the fix for bug 1686123, this was fine because the frame for a shadow root is null and we didn't continue for a null frame.
Now that we do continue for a null frame, we must null check parent content.
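
A minimal C++ model of the condition described in comment 5, added here as an illustration and not taken from the Gecko patch or written by the assignee. `Node`, `Accessible`, `ParentContent`, `ClassifyRow`, `Run` and the ARIA-row fallback are hypothetical stand-ins; the model assumes parent content is null directly under a shadow root, as the comment states.

```cpp
#include <cstdio>

// Simplified stand-ins for DOM nodes and accessibles (assumed model, not Gecko types).
struct Node {
  Node* parent = nullptr;      // DOM parent; for a shadow-root child, the shadow root
  bool isShadowRoot = false;   // a shadow root is not element content in this model
  bool hasTableFrame = false;  // layout built a table frame for this node
};
struct Accessible { bool isTable = false; };
enum class RowKind { TableRow, AriaRow };

// Parent *content* of a node: null when the node sits directly under a shadow root.
const Node* ParentContent(const Node& n) {
  return (n.parent && !n.parent->isShadowRoot) ? n.parent : nullptr;
}

// The pre-fix assumption: a table accessible in the context implies parent content.
bool AssumptionHolds(const Node& tr, const Accessible& context) {
  return !context.isTable || ParentContent(tr) != nullptr;
}

// Null-checked decision: consult the parent's frame only when parent content exists.
RowKind ClassifyRow(const Node& tr, const Accessible& context) {
  if (context.isTable) {
    const Node* parentContent = ParentContent(tr);
    if (parentContent && parentContent->hasTableFrame) return RowKind::TableRow;
  }
  return RowKind::AriaRow;  // fallback chosen for this sketch (assumption)
}

// Constructed scenario. shadowCase=true mirrors the distilled test case (role="table"
// host, <tr> at the top of its shadow root); false is a <tr> under a laid-out table.
struct Result { bool assumptionHolds; RowKind kind; };
Result Run(bool shadowCase) {
  Node container, shadowRoot, tr;
  Accessible tableAcc;
  tableAcc.isTable = true;                 // a table accessible exists in both cases
  container.hasTableFrame = !shadowCase;   // the div host has no table frame
  shadowRoot.isShadowRoot = true;
  shadowRoot.parent = &container;
  tr.parent = shadowCase ? &shadowRoot : &container;
  return {AssumptionHolds(tr, tableAcc), ClassifyRow(tr, tableAcc)};
}

int main() {
  Result s = Run(true), t = Run(false);
  std::printf("shadow: holds=%d row=%d\n", s.assumptionHolds, static_cast<int>(s.kind));
  std::printf("table:  holds=%d row=%d\n", t.assumptionHolds, static_cast<int>(t.kind));
}
```
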
Comment 7 • 4 years ago
bugherder