Closed Bug 1761200 Opened 2 years ago Closed 2 years ago

Crash in [@ mozilla::a11y::TextAttrsMgr::GetAttributes]

Categories

(Core :: Disability Access APIs, defect)

Firefox 100
Unspecified
Android
defect

RESOLVED FIXED
100 Branch
Tracking Status
firefox-esr91 --- unaffected
firefox98 --- unaffected
firefox99 --- unaffected
firefox100 + fixed

People

(Reporter: calixte, Assigned: eeejay)

References

(Regression)

Details

(Keywords: regression)

Attachments

(1 file)

Crash report: https://crash-stats.mozilla.org/report/index/ce4b09ef-3b7d-40a7-be5e-906d50220324

Reason: SIGSEGV / SEGV_MAPERR

Top 10 frames of crashing thread:

0 libxul.so mozilla::a11y::TextAttrsMgr::GetAttributes accessible/base/TextAttrs.cpp:71
1 libxul.so mozilla::a11y::TextLeafPoint::GetTextAttributesLocalAcc const accessible/base/TextLeafRange.cpp:1004
2 libxul.so mozilla::a11y::LocalAccessible::BundleFieldsForCache accessible/generic/LocalAccessible.cpp:3215
3 libxul.so mozilla::a11y::DocAccessibleChildBase::InsertIntoIpcTree accessible/ipc/DocAccessibleChildBase.cpp:92
4 libxul.so mozilla::a11y::LocalAccessible::HandleAccEvent accessible/generic/LocalAccessible.cpp:915
5 libxul.so mozilla::a11y::AccessibleWrap::HandleAccEvent accessible/android/AccessibleWrap.cpp:124
6 libxul.so nsEventShell::FireEvent accessible/base/nsEventShell.cpp:54
7 libxul.so mozilla::a11y::NotificationController::WillRefresh accessible/base/NotificationController.cpp:897
8 libxul.so nsRefreshDriver::Tick layout/base/nsRefreshDriver.cpp:2448
9 libxul.so mozilla::detail::RunnableFunction<nsRefreshDriver::EnsureTimerStarted xpcom/threads/nsThreadUtils.h:531

There are 176 crashes starting with buildid 20220322065927, the pushlog for this build is:
https://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=c15abadbc3c7&tochange=badee72fcbf1
and this patch:
https://hg.mozilla.org/mozilla-central/rev/f4f7fa5023f336afc32e8f8a5820b6ba4a698bdb
could be the culprit.

Flags: needinfo?(eitan)
Crash Signature: [@ mozilla::a11y::TextAttrsMgr::GetAttributes ] → [@ mozilla::a11y::TextAttrsMgr::GetAttributes ] [@ PLDHashTable::Search | mozilla::a11y::RemoteAccessibleBase<T>::RetrieveCachedBounds ]

The [@ PLDHashTable::Search | mozilla::a11y::RemoteAccessibleBase<T>::RetrieveCachedBounds ] is a different crash entirely, I think.

The text attributes crash suggests we have a text leaf which has a non-HyperText parent. That's not ever supposed to happen now, especially after bug 1747164.

Eitan, any idea what case we could have missed here? If we can't figure it out, I guess we should just wallpaper it and fail gracefully in TextLeafPoint::GetTextAttributesLocalAcc if we can't get a HyperText parent.

Has Regression Range: --- → yes

Bug 1758540 has been backed out for causing this crash spike and the UI test failures tracked in bug 1760880.

Assignee: nobody → eitan
Status: NEW → RESOLVED
Closed: 2 years ago
Resolution: --- → FIXED
Target Milestone: --- → 100 Branch

(In reply to James Teh [:Jamie] from comment #1)

> The [@ PLDHashTable::Search | mozilla::a11y::RemoteAccessibleBase<T>::RetrieveCachedBounds ] is a different crash entirely, I think.
> The text attributes crash suggests we have a text leaf which has a non-HyperText parent. That's not ever supposed to happen now, especially after bug 1747164.

That bug solved that specific case, I don't know if we covered all cases. For example maybe an img can have children via aria-owns? I forgot if broken images get an image frame or not, but if they do that would also result in text leafs being children of images.

I think we should leave the assert to keep finding these cases but obvs not allow a null dereference here.

Flags: needinfo?(eitan)
Attachment #9269288 - Attachment description: Bug 1761200 - Check that parent has hypertext before getting attributes. r?Jamie → Bug 1761200 - Check that parent is hypertext before getting attributes. r?Jamie
Pushed by eisaacson@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/b9e8cfb352a9
Check that parent is hypertext before getting attributes. r=Jamie
See Also: → 1771933
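
The approach discussed in the comments above (keep reporting the broken invariant, but never dereference a null HyperText parent), sketched as an added example that is not Gecko's code or the landed patch. All types, the `CheckInvariant` helper and the counter are hypothetical stand-ins, and the tree in `main` is constructed sample data.

```cpp
#include <cstdio>
#include <map>
#include <string>

using Attrs = std::map<std::string, std::string>;

// Hypothetical stand-ins for an accessibility tree; not Gecko's classes.
struct HyperText;
struct Accessible {
  Accessible* parent = nullptr;
  virtual ~Accessible() = default;
  // Checked downcast: nullptr unless the node really is a HyperText.
  virtual HyperText* AsHyperText() { return nullptr; }
};
struct HyperText : Accessible {
  Attrs textAttrs;
  HyperText* AsHyperText() override { return this; }
};
struct Image : Accessible {};     // a container that is not a HyperText
struct TextLeaf : Accessible {};

// Soft assertion: records and logs the violation so the unexpected tree
// shape can still be found, without aborting the process.
static int gInvariantViolations = 0;
static bool CheckInvariant(bool cond, const char* msg) {
  if (!cond) { ++gInvariantViolations; std::fprintf(stderr, "invariant: %s\n", msg); }
  return cond;
}

// Returns the attributes inherited from the leaf's HyperText parent.
// Without the early return, hyper->textAttrs would read through a null
// pointer whenever the parent is missing or is not a HyperText.
Attrs GetTextAttributes(const TextLeaf& leaf) {
  HyperText* hyper = leaf.parent ? leaf.parent->AsHyperText() : nullptr;
  if (!CheckInvariant(hyper != nullptr, "text leaf lacks a HyperText parent")) {
    return {};  // fail gracefully: no attributes instead of a crash
  }
  return hyper->textAttrs;
}

int main() {
  HyperText para;
  para.textAttrs["font-weight"] = "700";
  Image img;
  TextLeaf ok, misparented;
  ok.parent = &para;
  misparented.parent = &img;  // constructed case: leaf under a non-HyperText
  size_t a = GetTextAttributes(ok).size();
  size_t b = GetTextAttributes(misparented).size();
  std::printf("ok=%zu misparented=%zu violations=%d\n", a, b, gInvariantViolations);
  return 0;
}
```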