Crash in [@ mozilla::a11y::Accessible::IsHTMLBr]
Categories
(Core :: Disability Access APIs, defect)
Tracking
()
| Tracking | Status | |
|---|---|---|
| firefox-esr102 | --- | unaffected |
| firefox107 | --- | wontfix |
| firefox108 | --- | wontfix |
| firefox109 | --- | fixed |
People
(Reporter: snegritas, Assigned: Jamie)
References
(Regressed 1 open bug)
Details
(Keywords: crash, Whiteboard: [ctw-m4])
Crash Data
Attachments
(1 file)
Crash report: https://crash-stats.mozilla.org/report/index/8b69f935-37e2-4c82-aa46-85a760221006
Reason: SIGSEGV / SEGV_MAPERR
Top 10 frames of crashing thread:
0 libxul.so mozilla::a11y::Accessible::IsHTMLBr const accessible/basetypes/Accessible.h:493
0 libxul.so mozilla::a11y::TextLeafPoint::IsEmptyLastLine const accessible/base/TextLeafRange.cpp:506
1 libxul.so mozilla::a11y::TextLeafPoint::FindBoundary const accessible/base/TextLeafRange.cpp:858
2 libxul.so mozilla::a11y::HyperTextAccessibleBase::TextAtOffset accessible/basetypes/HyperTextAccessibleBase.cpp:495
3 libxul.so mozilla::a11y::RemoteAccessible::TextAtOffset accessible/ipc/other/RemoteAccessible.cpp:226
4 libxul.so getTextAtOffsetCB accessible/atk/nsMaiInterfaceText.cpp:208
5 libatk-1.0.so.0 atk_text_get_text_at_offset atk/atktext.c:499
6 libatk-bridge-2.0.so.0 impl_GetTextAtOffset atk-adaptor/adaptors/text-adaptor.c:177
7 libatk-bridge-2.0.so.0 handle_message droute/droute.c:601
8 libdbus-1.so.3 dbus_connection_dispatch /build/dbus-IAhSsk/dbus-1.12.20/dbus/dbus-connection.c:4576
I have managed to reproduce the issue with firefox 107.0a1(2022-10-06) on Ubuntu 22.04 while browsing with keyboard navigation on Google Drive. This was a random crash and it happened only once. I don't have any steps on how to reproduce it I will keep an eye if it happens again and try for some steps.
|
Reporter | |
Comment 1•2 years ago
|
||
Jamie can this crash be something related to the "Cache the World" feature?
|
Assignee | |
Comment 2•2 years ago
|
||
This is related to CTW, yes. Thank you.
|
|
Assignee | |
Comment 3•2 years ago
|
||
Morgan, if you have any ideas on this one, I'd be keen to hear them... but it looks like another weird "how on earth could this be null" bug.
|
||
Comment 4•2 years ago
|
||
Blah. Looked for a bit, but no ideas here. So, so odd.
|
||
Comment 5•1 year ago
|
||
I just have seen occurence of this.
I was responding to a ticket at our internal instance of Atlassian Jira cloud.
I have mentioned another user, selected the whole line and received the crash.
I can't find a real repro steps at the moment.
|
|
Assignee | |
Comment 6•1 year ago
|
||
Oh. I think the client might be passing an invalid start offset here. It looks like the ATK code nor HyperTextAccessibleBase verifies this. That would result in an invalid TextLeafPoint for start.
|
|
||
Comment 7•1 year ago
|
||
Playing with this more I think it must have something to do with embedded objects such as links or user mentions on the Jira cloud.
I have got two more crashes this morning.
I have put some comments what I think was happening at the time.
However when trying to reproduce this on github or with a CK Editor demo I can't.
Thus I am still unable to find a proper steps to reproduce.
|
|
Assignee | |
Comment 8•1 year ago
|
||
An invalid aOffset results in an invalid TextLeafPoint, so just return early if that happens.
|
||
Updated•1 year ago
|
Pushed by jteh@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/aec61c34aca0 Fail gracefully (instead of crashing) when an invalid offset is given to HyperTextAccessibleBase::TextAt/Before/AfterOffset. r=morgan
|
||
Comment 10•1 year ago
|
||
| bugherder | ||
|
||
Updated•1 year ago
|
|
|
||
Comment 11•1 year ago
|
||
Well, I guess this does actually affect Fenix outside of Nightly, but the volume is low enough that it can ride the trains.
Description
•