Closed Bug 1705542 Opened 1 month ago Closed 6 days ago

Crash in [@ InvalidArrayIndex_CRASH | mozilla::a11y::RemoteAccessible::ChildAtPoint]


(Core :: Disability Access APIs, defect)




90 Branch
Fission Milestone M8
Tracking Status
firefox-esr78 --- unaffected
firefox88 --- wontfix
firefox89 --- wontfix
firefox90 --- fixed


(Reporter: mccr8, Assigned: Jamie)


(Blocks 1 open bug)


(Keywords: crash)


Maybe Fission related. (DOMFissionEnabled=1)

Crash report:

MOZ_CRASH Reason: ElementAt(aIndex = 0, aLength = 0)

Top 10 frames of crashing thread:

0 XUL InvalidArrayIndex_CRASH xpcom/ds/nsTArray.cpp:28
1 XUL mozilla::a11y::RemoteAccessible::ChildAtPoint accessible/ipc/other/RemoteAccessible.cpp:817
2 XUL mozilla::a11y::OuterDocAccessible::ChildAtPoint accessible/generic/OuterDocAccessible.cpp:272
3 libobjc.A.dylib cache_getImp 
4 XUL mozilla::a11y::AccessibleOrProxy::ChildAtPoint accessible/base/AccessibleOrProxy.cpp:59
5 XUL -[mozAccessible moxHitTest:] accessible/mac/
6 XUL -[MOXAccessibleBase accessibilityHitTest:] accessible/mac/
7 AppKit -[NSWindow accessibilityHitTest:] 
8 AppKit -[NSApplication accessibilityHitTest:] 
9 AppKit _NSAccessibilityGetScreenHeightForElement 

Only a couple of these crashes, but they all have index and length of 0, so I guess some code is trying to access an empty array.

mOuterDoc is true even though it has no child document. I guess this could happen if the embedded doc is changed and a client call comes in after the old doc is removed but before the new one is added.

The simplest fix would be to set mOuterDoc = false in ClearChildDoc. This feels kinda wrong, though; it's still an OuterDoc even if it doesn't currently have a document attached. Also, we probably eventually want to get rid of mOuterDoc and just use Accessible::IsOuterDoc (which uses mType).

The other fix is to change anything that checks mOuterDoc so that it doesn't assume there will be a child. Note that ChildAtPoint isn't the only method making this assumption.

Severity: -- → S3

5 out of 6 of these crash reports have Fission enabled. So this is not a Fission-specific crash, but maybe Fission is making this crash more likely?

Tracking for Fission M8 to see if the crash volume increases as we increase our Beta experiment.

Fission Milestone: --- → M8
Assignee: nobody → jteh
Blocks: a11y-fission

An OuterDoc RemoteAccessible can have no child document for a short time if the embedded doc is changed.
As part of this, get rid of the mOuterDoc variable, since it is now redundant and somewhat misleading.
Instead, use IsOuterDoc(), since RemoteAccessible now has acc types.
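The swap window described in the comment above (mOuterDoc still true after ClearChildDoc, before the new document is attached) and the fix summarized in the commit message (don't assume a child, drop mOuterDoc, use IsOuterDoc()), as an added illustration that is not Mozilla's code. It is a reduced C++ model with hypothetical names: Acc stands in for RemoteAccessible, a std::vector for nsTArray, ElementAt throws where Gecko would MOZ_CRASH, and ChildAtPointUnguarded / ChildAtPointGuarded are the before and after shapes of the index-0 lookup.

```cpp
// Added illustration, not Mozilla's RemoteAccessible: a reduced model of an
// OuterDoc accessible whose embedded document is swapped out and back in.
#include <cstddef>
#include <cstdio>
#include <stdexcept>
#include <vector>

enum class AccType { Generic, OuterDoc };

struct Acc {
  AccType mType;
  bool mOuterDoc;                 // legacy flag; stays true with no child attached
  std::vector<Acc*> mChildren;    // stand-in for the nsTArray of children

  explicit Acc(AccType t) : mType(t), mOuterDoc(t == AccType::OuterDoc) {}

  // Type-based check the commit switches to; also true during the swap window.
  bool IsOuterDoc() const { return mType == AccType::OuterDoc; }

  // Stand-in for nsTArray::ElementAt: an out-of-range index is a hard failure
  // (MOZ_CRASH in Gecko; an exception here so the result can be observed).
  Acc* ElementAt(size_t i) const {
    if (i >= mChildren.size()) {
      throw std::out_of_range("ElementAt: index >= length");
    }
    return mChildren[i];
  }

  // Swapping the embedded document: between these two calls the OuterDoc
  // has zero children while both mOuterDoc and IsOuterDoc() remain true.
  void ClearChildDoc() { mChildren.clear(); }
  void SetChildDoc(Acc* doc) { mChildren.assign(1, doc); }
};

// Pre-fix shape: trusts the flag and indexes child 0 unconditionally.
Acc* ChildAtPointUnguarded(const Acc& acc) {
  if (acc.mOuterDoc) {
    return acc.ElementAt(0);
  }
  return nullptr;  // hit testing of ordinary children omitted from the model
}

// Post-fix shape: type check plus an explicit length check; no child, no hit.
Acc* ChildAtPointGuarded(const Acc& acc) {
  if (acc.IsOuterDoc()) {
    if (acc.mChildren.empty()) {
      return nullptr;
    }
    return acc.ElementAt(0);
  }
  return nullptr;
}

// Runs a client call in the middle of the swap. Returns true if the
// unguarded variant hits the empty-array failure.
bool UnguardedFailsDuringSwap() {
  Acc outer(AccType::OuterDoc);
  Acc oldDoc(AccType::Generic);
  outer.SetChildDoc(&oldDoc);
  outer.ClearChildDoc();  // old doc removed, new one not yet attached
  try {
    ChildAtPointUnguarded(outer);
  } catch (const std::out_of_range&) {
    return true;
  }
  return false;
}

// Same window for the guarded variant: true if it returns "no hit" instead.
bool GuardedSurvivesSwap() {
  Acc outer(AccType::OuterDoc);
  Acc oldDoc(AccType::Generic);
  outer.SetChildDoc(&oldDoc);
  outer.ClearChildDoc();
  return ChildAtPointGuarded(outer) == nullptr;
}

// Once the new document is attached, the guarded variant finds it again.
bool GuardedFindsNewDoc() {
  Acc outer(AccType::OuterDoc);
  Acc oldDoc(AccType::Generic), newDoc(AccType::Generic);
  outer.SetChildDoc(&oldDoc);
  outer.ClearChildDoc();
  outer.SetChildDoc(&newDoc);
  return ChildAtPointGuarded(outer) == &newDoc;
}

int main() {
  std::printf("unguarded fails during swap: %d\n", UnguardedFailsDuringSwap());
  std::printf("guarded survives swap:       %d\n", GuardedSurvivesSwap());
  std::printf("guarded finds new doc:       %d\n", GuardedFindsNewDoc());
  return 0;
}
```

The point the model makes is that "is an OuterDoc" and "has a child document" are two different facts: the first is a stable property of the accessible's type, the second is transiently false during a document swap, so every caller that indexes the child array must check the length itself rather than infer it from the type or flag.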

Pushed by
Don't assume an OuterDoc RemoteAccessible has a child document. r=eeejay
Closed: 6 days ago
Resolution: --- → FIXED
Target Milestone: --- → 90 Branch