Crash in [@ mozilla::a11y::Accessible::IsHTMLBr]
Categories: Core :: Disability Access APIs, defect

Tracking | Status
---|---
firefox-esr102 | unaffected
firefox107 | wontfix
firefox108 | wontfix
firefox109 | fixed

People: Reporter: snegritas, Assigned: Jamie
References: Regressed 1 open bug
Details: Keywords: crash, Whiteboard: [ctw-m4]
Attachments: 1 file
Crash report: https://crash-stats.mozilla.org/report/index/8b69f935-37e2-4c82-aa46-85a760221006
Reason: SIGSEGV / SEGV_MAPERR
Top 10 frames of crashing thread:
0 libxul.so mozilla::a11y::Accessible::IsHTMLBr const accessible/basetypes/Accessible.h:493
0 libxul.so mozilla::a11y::TextLeafPoint::IsEmptyLastLine const accessible/base/TextLeafRange.cpp:506
1 libxul.so mozilla::a11y::TextLeafPoint::FindBoundary const accessible/base/TextLeafRange.cpp:858
2 libxul.so mozilla::a11y::HyperTextAccessibleBase::TextAtOffset accessible/basetypes/HyperTextAccessibleBase.cpp:495
3 libxul.so mozilla::a11y::RemoteAccessible::TextAtOffset accessible/ipc/other/RemoteAccessible.cpp:226
4 libxul.so getTextAtOffsetCB accessible/atk/nsMaiInterfaceText.cpp:208
5 libatk-1.0.so.0 atk_text_get_text_at_offset atk/atktext.c:499
6 libatk-bridge-2.0.so.0 impl_GetTextAtOffset atk-adaptor/adaptors/text-adaptor.c:177
7 libatk-bridge-2.0.so.0 handle_message droute/droute.c:601
8 libdbus-1.so.3 dbus_connection_dispatch /build/dbus-IAhSsk/dbus-1.12.20/dbus/dbus-connection.c:4576
I have managed to reproduce the issue with Firefox 107.0a1 (2022-10-06) on Ubuntu 22.04 while browsing with keyboard navigation on Google Drive. This was a random crash and it happened only once. I don't have any steps on how to reproduce it; I will keep an eye out in case it happens again and try to find some steps.
Comment 1 (Reporter) • 2 years ago
Jamie, can this crash be something related to the "Cache the World" feature?
Comment 2 (Assignee) • 2 years ago
This is related to CTW, yes. Thank you.
Comment 3 (Assignee) • 2 years ago
Morgan, if you have any ideas on this one, I'd be keen to hear them... but it looks like another weird "how on earth could this be null" bug.
Comment 4 • 2 years ago
Blah. Looked for a bit, but no ideas here. So, so odd.
Comment 5 • 1 year ago
I have just seen an occurrence of this.
I was responding to a ticket on our internal instance of Atlassian Jira Cloud.
I mentioned another user, selected the whole line and received the crash.
I can't find real repro steps at the moment.
Comment 6 (Assignee) • 1 year ago
Oh. I think the client might be passing an invalid start offset here. It looks like neither the ATK code nor HyperTextAccessibleBase verifies this. That would result in an invalid TextLeafPoint for start.
Comment 7 • 1 year ago
Playing with this more, I think it must have something to do with embedded objects such as links or user mentions on Jira Cloud.
I have had two more crashes this morning.
I have put in some comments on what I think was happening at the time.
However, when trying to reproduce this on GitHub or with a CKEditor demo, I can't.
Thus I am still unable to find proper steps to reproduce.
Comment 8 (Assignee) • 1 year ago
An invalid aOffset results in an invalid TextLeafPoint, so just return early if that happens.
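An added example, not Firefox's own code, modelling the fix described in Comments 6 and 8: the offset arrives from the AT client over the ATK/AT-SPI bridge and is untrusted, so `TextAtOffset` range-checks it before converting it to a leaf point and answers an out-of-range request with an empty result instead of carrying an invalid point into the boundary search. `HyperText`, `TextLeaf`, `TextLeafPoint`, `ToPoint`, `SampleDoc` and `QueryTextAtOffset` are hypothetical stand-ins for the real classes, and the two-leaf document is constructed for the example.

```cpp
#include <cstdint>
#include <string>
#include <utility>
#include <vector>

// Hypothetical toy model of a hypertext accessible made of text leaves.
// None of these names are the Firefox a11y classes; they only mirror the shape.
struct TextLeaf {
  std::string text;
};

// A point inside a text leaf. A null leaf is what an out-of-range offset
// degenerates into; using it is the null dereference seen in the crash stack.
struct TextLeafPoint {
  const TextLeaf* leaf = nullptr;
  int32_t offset = 0;
  bool IsValid() const { return leaf != nullptr; }
};

class HyperText {
 public:
  explicit HyperText(std::vector<TextLeaf> leaves) : mLeaves(std::move(leaves)) {}

  int32_t CharacterCount() const {
    int32_t count = 0;
    for (const auto& leaf : mLeaves) count += static_cast<int32_t>(leaf.text.size());
    return count;
  }

  // Map a hypertext offset to a leaf point. Offsets past the end quietly become
  // an invalid point; a caller that skipped validation would keep using it.
  TextLeafPoint ToPoint(int32_t aOffset) const {
    int32_t pos = 0;
    for (const auto& leaf : mLeaves) {
      int32_t len = static_cast<int32_t>(leaf.text.size());
      if (aOffset >= pos && aOffset < pos + len) return {&leaf, aOffset - pos};
      pos += len;
    }
    // The end-of-text position is legal and belongs to the last leaf.
    if (aOffset == pos && !mLeaves.empty()) {
      return {&mLeaves.back(), static_cast<int32_t>(mLeaves.back().text.size())};
    }
    return {};
  }

  // Return the leaf ("line") containing aOffset. Fails (false, no output) when
  // the offset lies outside [0, CharacterCount()]: this early return is the fix.
  bool TextAtOffset(int32_t aOffset, int32_t* aStart, int32_t* aEnd,
                    std::string* aText) const {
    if (aOffset < 0 || aOffset > CharacterCount()) return false;
    TextLeafPoint point = ToPoint(aOffset);
    if (!point.IsValid()) return false;  // defence in depth after the range check
    int32_t start = 0;
    for (const auto& leaf : mLeaves) {
      int32_t len = static_cast<int32_t>(leaf.text.size());
      if (&leaf == point.leaf) {
        *aStart = start;
        *aEnd = start + len;
        *aText = leaf.text;
        return true;
      }
      start += len;
    }
    return false;
  }

 private:
  std::vector<TextLeaf> mLeaves;
};

// Constructed sample document: two leaves, 11 characters in total.
const HyperText& SampleDoc() {
  static const HyperText doc({{"Hello "}, {"world"}});
  return doc;
}

// Simulates the bridge entry point answering a client's GetTextAtOffset call;
// the offset comes straight from the D-Bus message and must not be trusted.
std::string QueryTextAtOffset(int32_t aClientOffset) {
  int32_t start = 0, end = 0;
  std::string text;
  if (!SampleDoc().TextAtOffset(aClientOffset, &start, &end, &text)) {
    return "rejected";  // the bridge would hand back an empty result here
  }
  return std::to_string(start) + "-" + std::to_string(end) + ":" + text;
}
```

The range check has to live at the entry point because nothing upstream filters the argument: the D-Bus adaptor and the ATK wrapper pass the client's integer through unchanged, so the accessible's own method is the first place a bad value can be refused. The `IsValid()` test is kept as a second line of defence so that any future conversion that yields a null leaf still fails closed rather than crashing.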
Pushed by jteh@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/aec61c34aca0 Fail gracefully (instead of crashing) when an invalid offset is given to HyperTextAccessibleBase::TextAt/Before/AfterOffset. r=morgan
Comment 10 • 1 year ago
bugherder
Comment 11 • 1 year ago
Well, I guess this does actually affect Fenix outside of Nightly, but the volume is low enough that it can ride the trains.