Bug 1783549 (Closed): Crash in [@ mozilla::a11y::IDRefsIterator::IDRefsIterator]

Opened 2 months ago; closed 2 months ago

Category: Core :: Disability Access APIs, defect, P1
Platform: Unspecified, Android
Status: RESOLVED FIXED
Target milestone: 105 Branch

Tracking Status
firefox-esr91 --- unaffected
firefox-esr102 --- unaffected
firefox103 --- unaffected
firefox104 --- unaffected
firefox105 + fixed

People: Reporter: gsvelto, Assigned: morgan
References: Regression
Keywords: crash, regression
Attachments: 1 file

Crash report: https://crash-stats.mozilla.org/report/index/f26b3fc8-9597-4556-8f36-37e7f0220807

Reason: SIGSEGV / SEGV_MAPERR

Top 10 frames of crashing thread:

0 libxul.so mozilla::a11y::IDRefsIterator::IDRefsIterator accessible/base/AccIterator.cpp:215
1 libxul.so mozilla::a11y::LocalAccessible::BundleFieldsForCache accessible/generic/LocalAccessible.cpp:3591
2 libxul.so mozilla::a11y::LocalAccessible::SendCache accessible/generic/LocalAccessible.cpp:3119
3 libxul.so mozilla::a11y::DocAccessible::DoInitialUpdate accessible/generic/DocAccessible.cpp:1608
4 libxul.so mozilla::a11y::DocAccessibleWrap::DoInitialUpdate accessible/android/DocAccessibleWrap.cpp:66
5 libxul.so mozilla::a11y::NotificationController::WillRefresh accessible/base/NotificationController.cpp:678
6 libxul.so nsRefreshDriver::Tick layout/base/nsRefreshDriver.cpp:2498
7 libxul.so mozilla::RefreshDriverTimer::TickRefreshDrivers layout/base/nsRefreshDriver.cpp:353
8 libxul.so mozilla::RefreshDriverTimer::Tick layout/base/nsRefreshDriver.cpp:369
9 libxul.so mozilla::VsyncRefreshDriverTimer::TickRefreshDriver layout/base/nsRefreshDriver.cpp:810

This is a NULL-pointer dereference and at the moment seems to happen only on Fenix.

Jamie, do you think this IDRefsIterator crash could be a regression from your fix for CachedTableAccessible bug 1772476?

The first crash report is from build ID 20220803094413 and your fix for bug 1772476 is in that build ID's changelog:

https://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=3d354d73dc2a2c1f5c8251959560dcceba172f33&tochange=2b0355f2d9f2fdf3b8dfb61e275eeb6e878f734b

Flags: needinfo?(jteh)
See Also: → 1772476

No. It's a regression from bug 1774043. The relations cache push needs to null check mContent, probably as part of this if check.

Flags: needinfo?(jteh) → needinfo?(mreschenberg)
Priority: -- → P1
Regressed by: 1774043
See Also: 1772476
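
A reduced model of the failure mode and the guard described in the comment above, added here as an illustration; it is not taken from the Gecko source or from the patch that landed. `Content`, `IdRefsIterator`, `Accessible`, `BundleRelations` and the choice of the two ARIA attributes are hypothetical stand-ins.

```cpp
// Simplified model of the crash and of the null check discussed in this bug.
// Every type and name below is a hypothetical stand-in, not Gecko code.
#include <map>
#include <sstream>
#include <string>
#include <vector>

struct Content { std::map<std::string, std::string> attrs; };  // DOM node stand-in

// Walks the whitespace-separated IDs of one IDREFS attribute. Like the
// crashing constructor in the stack trace, it assumes content is non-null.
class IdRefsIterator {
 public:
  IdRefsIterator(const Content* content, const std::string& attr) {
    auto it = content->attrs.find(attr);  // a null content is dereferenced here
    if (it != content->attrs.end()) mIds.str(it->second);
  }
  bool Next(std::string& id) { return static_cast<bool>(mIds >> id); }

 private:
  std::istringstream mIds;
};

struct Accessible { const Content* mContent = nullptr; };  // may have no content

static const char* const kRelationAttrs[] = {"aria-labelledby", "aria-describedby"};

// Collects relation targets for the cache. The mContent test is the guard:
// without it, a content-less accessible reaches the iterator constructor.
std::vector<std::string> BundleRelations(const Accessible& acc) {
  std::vector<std::string> targets;
  if (!acc.mContent) return targets;  // no node, so no relations to push
  for (const char* attr : kRelationAttrs) {
    IdRefsIterator iter(acc.mContent, attr);
    for (std::string id; iter.Next(id);) targets.push_back(attr + ("=" + id));
  }
  return targets;
}

int main() {  // constructed sample input; exit status 0 means both cases hold
  Content label;
  label.attrs["aria-labelledby"] = "name hint";
  Accessible withContent, withoutContent;
  withContent.mContent = &label;
  return BundleRelations(withContent).size() == 2 &&
                 BundleRelations(withoutContent).empty() ? 0 : 1;
}
```

Placing the check in the caller keeps the iterator's non-null precondition intact and skips the whole relations domain for accessibles that have no node.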

Set release status flags based on info from the regressing bug 1774043

Assignee: nobody → mreschenberg
Status: NEW → ASSIGNED
Flags: needinfo?(mreschenberg)

:morgan is there currently anything blocking getting this patch reviewed and landed?

Flags: needinfo?(mreschenberg)

Just waiting on review. I'll shift this to someone else if eitan isn't able to get to it today.

Flags: needinfo?(mreschenberg)
Attachment #9289143 - Attachment description: Bug 1783549: Null check mContent before attempting to process CacheDomain::Relations r?eeejay → Bug 1783549: Null check mContent before attempting to process CacheDomain::Relations r?eeejay,Jamie
Pushed by mreschenberg@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/2f885b06f626
Null check mContent before attempting to process CacheDomain::Relations r=eeejay
Status: ASSIGNED → RESOLVED
Closed: 2 months ago
Resolution: --- → FIXED
Target Milestone: --- → 105 Branch