Crash in [@ mozilla::a11y::LocalAccessible::IndexOfEmbeddedChild]
Categories
(Core :: Disability Access APIs, defect)
Version | Tracking | Status |
---|---|---|
firefox-esr91 | --- | unaffected |
firefox98 | --- | wontfix |
firefox99 | --- | fixed |
firefox100 | --- | fixed |
People
(Reporter: emilio, Assigned: Jamie)
References
(Regression)
Details
(Keywords: crash, regression)
Attachments
(1 file)
48 bytes, text/x-phabricator-request (dmeehan: approval-mozilla-beta+)
Maybe Fission related. (DOMFissionEnabled=1)
Crash report: https://crash-stats.mozilla.org/report/index/9778accd-050b-4389-967b-621250220314
Reason: SIGSEGV / SEGV_MAPERR
Top 10 frames of crashing thread:
0 libxul.so mozilla::a11y::LocalAccessible::IndexOfEmbeddedChild accessible/generic/LocalAccessible.cpp:2731
1 libatk-bridge-2.0.so.0 spi_atk_add_client
2 libatk-bridge-2.0.so.0 str_pair_equal
3 libdbus-1.so.3 dbus_connection_dispatch
4 libatspi.so.0 atspi_point_copy
5 libglib-2.0.so.0 g_main_context_dispatch
6 libglib-2.0.so.0 g_io_channel_new_file
7 libglib-2.0.so.0 g_main_context_iteration
8 libxul.so NS_ProcessNextEvent xpcom/threads/nsThreadUtils.cpp:467
9 libxul.so mozilla::ipc::MessagePump::Run ipc/glue/MessagePump.cpp:85
Looks like a null deref.
Comment 1 (Assignee) • 2 years ago
Bizarre. Given the null checks on both parent and child and the fact that we check whether the child is a document, the only way I can think this could happen is if the parent was a LocalAccessible, the child was a RemoteAccessible but (for some reason) the child was not a document. Normally, that should be impossible; a RemoteAccessible always has to be a document or a child of a document.
That said, one recently introduced case where a RemoteAccessible could have a null parent temporarily is when it is being moved. In that case, we don't kill off the Accessible, but we do null out its parent while we move it. I wouldn't have thought a client call would arrive while that is happening, but perhaps it can; I guess there's no reason a client call couldn't arrive between two IPDL calls. That change was introduced in bug 1748450, which landed in Firefox 98. That fits the timeline pvagner noted on Matrix.
Comment 2 (Assignee) • 2 years ago
Implementation note: RemoteAccessibleBase::Parent should only return OuterDocOfRemoteBrowser() if IsDoc(). Otherwise, it should return null.
Comment 3 • 2 years ago
Set release status flags based on info from the regressing bug 1748450
Comment 4 (Assignee) • 2 years ago
RemoteAccessibles can have a null parent temporarily while they're being moved.
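The parent rule from comments 2 and 4, as an added example that is not part of the bug thread or the Firefox source. It is a simplified model: the `Acc` struct, its fields and the three functions are hypothetical stand-ins for the classes named in the comments.

```cpp
#include <cstdio>

// Simplified model, not Firefox source: Acc and its fields are hypothetical.
struct Acc {
  bool isRemote;      // lives in a content process (RemoteAccessible)
  bool isDoc;         // is a document
  Acc* storedParent;  // nulled temporarily while a remote accessible is moved
  Acc* outerDoc;      // local OuterDoc embedding the remote browser
};

// Regressed behaviour: every parentless remote accessible falls back to the
// local OuterDoc, including a non-document that is in the middle of a move.
Acc* ParentUnguarded(const Acc& a) {
  if (a.storedParent) return a.storedParent;
  return a.isRemote ? a.outerDoc : nullptr;
}

// Comment 2's rule: only a document falls back to the OuterDoc.
Acc* ParentGuarded(const Acc& a) {
  if (a.storedParent) return a.storedParent;
  return (a.isRemote && a.isDoc) ? a.outerDoc : nullptr;
}

// The pairing comment 1 describes as normally impossible: local parent,
// remote child, child not a document. Callers that null-check the parent and
// then assume a remote child of a local parent is a document break on it.
bool BreaksCallerAssumption(const Acc* parent, const Acc& child) {
  return parent && !parent->isRemote && child.isRemote && !child.isDoc;
}

int main() {
  Acc outer{false, false, nullptr, nullptr};
  Acc topDoc{true, true, nullptr, &outer};   // remote top-level document
  Acc moving{true, false, nullptr, &outer};  // non-document, mid-move
  std::printf("unguarded: %d, guarded: %d, doc keeps OuterDoc: %d\n",
              BreaksCallerAssumption(ParentUnguarded(moving), moving),
              BreaksCallerAssumption(ParentGuarded(moving), moving),
              ParentGuarded(topDoc) == &outer);
  return 0;
}
```

With the guard, a client call that arrives mid-move sees a null parent and stops at the caller's existing null check.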
Pushed by jteh@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/22c19fae57a0 Don't return a local OuterDoc as the parent of a RemoteAccessible if the RemoteAccessible isn't a document. r=eeejay
Comment 6 • 2 years ago
bugherder
Comment 7 (Assignee) • 2 years ago
Peter, would you mind testing the latest Nightly and reporting whether this is fixed for you? Thanks.
Comment 8 • 2 years ago
I am running Nightly dated 2022-03-23; I am not sure I have got this fix already. However, I can no longer observe the crash while editing SharePoint lists within SharePoint Online, which is what prompted me to bring this up.
I'll be using this version of Firefox all the time and I'll add a comment if I find it's crashing again.
Comment 9 (Assignee) • 2 years ago
Comment on attachment 9267794 [details]
Bug 1759600: Don't return a local OuterDoc as the parent of a RemoteAccessible if the RemoteAccessible isn't a document.
Beta/Release Uplift Approval Request
- User impact if declined: Crashes for Linux screen reader users.
- Is this code covered by automated tests?: No
- Has the fix been verified in Nightly?: Yes
- Needs manual test from QE?: No
- If yes, steps to reproduce:
- List of other uplifts needed: None
- Risk to taking this patch: Low
- Why is the change risky/not risky? (and alternatives if risky): Straightforward patch which prevents a null dereference.
- String changes made/needed:
Comment 10 • 2 years ago
bugherder uplift
Comment 11 • 2 years ago
Comment on attachment 9267794 [details]
Bug 1759600: Don't return a local OuterDoc as the parent of a RemoteAccessible if the RemoteAccessible isn't a document.
Approved for beta uplift, available on the beta channel with 99RC1. Thanks.