Closed Bug 1801907 Opened 2 years ago Closed 2 years ago

Crash in [@ mozilla::a11y::Accessible::IsOuterDoc]

Categories

(Core :: Disability Access APIs, defect, P1)

Tracking

RESOLVED FIXED
109 Branch
Tracking Status
firefox-esr102 --- unaffected
firefox107 --- unaffected
firefox108 --- unaffected
firefox109 --- fixed

People

(Reporter: aryx, Assigned: Jamie)

Details

(Keywords: crash, topcrash, Whiteboard: [ctw-m4])

Attachments

(1 file)

Crash signature existed before Firefox 109.0a1 but the crash volume with 15 crashes from 5 (Linux) installations for 109.0a1 already eclipsed previous versions.

Crash report: https://crash-stats.mozilla.org/report/index/39de5fa5-8d24-4b7e-85b8-39f2e0221122

Comment from one crash report: "Searched for a term on google. After typing search query into the text entry I haven't submitted the form but pressed alt+d to jump to the address bar. From there I have used tab and shift+tab in random order to quickly navigate inside and outside of the document. After several jumps Firefox has crashed"

Reason: SIGSEGV / SEGV_MAPERR

Top 10 frames of crashing thread:

0  libxul.so  mozilla::a11y::Accessible::IsOuterDoc const  accessible/basetypes/Accessible.h:528
0  libxul.so  mozilla::a11y::TextLeafPoint::TextLeafPoint  accessible/base/TextLeafRange.cpp:476
1  libxul.so  mozilla::a11y::TextLeafPoint::FindBoundary const  accessible/base/TextLeafRange.cpp:925
2  libxul.so  mozilla::a11y::HyperTextAccessibleBase::TextBounds  accessible/basetypes/HyperTextAccessibleBase.cpp:210
3  libxul.so  mozilla::a11y::RemoteAccessible::TextBounds  accessible/ipc/other/RemoteAccessible.cpp:276
4  libxul.so  getRangeExtentsCB  accessible/atk/nsMaiInterfaceText.cpp:387
5  libatk-bridge-2.0.so.0  impl_GetRangeExtents  /usr/src/debug/at-spi2-core/atk-adaptor/adaptors/text-adaptor.c:676
6  libatk-bridge-2.0.so.0  handle_other  /usr/src/debug/at-spi2-core/droute/droute.c:562
6  libatk-bridge-2.0.so.0  handle_message  /usr/src/debug/at-spi2-core/droute/droute.c:609
7  libdbus-1.so.3  _dbus_object_tree_dispatch_and_unlock  /build/dbus/src/dbus/dbus/dbus-object-tree.c:1021
Severity: -- → S3
Whiteboard: [ctw-m4]

From Peter Vágner on Matrix:

I have finally found clear steps to reproduce my @ mozilla::a11y::Accessible::IsOuterDoc crashes.

  • Launch Orca and Firefox
  • Open any GitHub project page such as nvaccess/nvda
  • Press ctrl+a
  • Then press down arrow key
  • And observe the crash

Further thoughts on the steps to reproduce:

  • After selecting all the text on GitHub, Orca is in browse mode
  • Pressing down arrow key instructs Orca to read the next line in relation to the initial position.
  • When nothing is selected I can use Orca features to read by line
  • When everything or more content than the single paragraph is selected before moving using Orca features, I can trigger the crash.
Assignee: nobody → jteh

Peter, could you give this try build a spin and see if it fixes the issue for you? Thanks.

Flags: needinfo?(pvagner)

(In reply to James Teh [:Jamie] from comment #3)

> Peter, could you give this try build a spin and see if it fixes the issue for you? Thanks.

Thank you.
With this build I can't make it crash with the clear steps that Nightly is crashing on.
I am keeping it running as my main browser window to see if I will be able to discover some crashes during my daily work.

The bug is linked to a topcrash signature, which matches the following criterion:

  • Top 10 desktop browser crashes on nightly

:Jamie, could you consider increasing the severity of this top-crash bug?

For more information, please visit auto_nag documentation.

Flags: needinfo?(jteh)
Keywords: topcrash

Ouch.

Severity: S3 → S2
Flags: needinfo?(jteh)
Priority: -- → P1

No other crashes on my side so far and still running the try build from comment #3

Flags: needinfo?(pvagner)

Okay. Thanks. I have a working patch then, but I still need to write an automated test and get it reviewed. I'll do that tomorrow.

Pushed by jteh@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/449b1f4a0706
Fail gracefully (don't crash) if a caller passes an invalid end offset to HyperTextAccessibleBase::TextBounds. r=morgan
Status: NEW → RESOLVED
Closed: 2 years ago
Resolution: --- → FIXED
Target Milestone: --- → 109 Branch
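
The failure mode named in the commit message above, as an added sketch that is not Gecko's code and not part of this bug: an offset range supplied by an external accessibility client is validated before any leaf pointer is dereferenced, so an invalid end offset yields empty bounds instead of a null dereference. All types and helpers here (Leaf, LeafPoint, Rect, HyperText, ToLeafPoint, CharacterCount) are hypothetical simplifications; only the name TextBounds is borrowed from the page, and the sample leaves are constructed.

```cpp
// Added illustration: a simplified model, not Gecko code. All names are hypothetical.
#include <cstdio>
#include <string>
#include <utility>
#include <vector>
struct Leaf { std::string text; int x; int width; };  // one text leaf and its horizontal extent
struct Rect { int x; int width; };                     // width == 0 means "no bounds"

struct LeafPoint {  // (leaf, offset) pair; a null leaf marks an invalid point
  const Leaf* leaf;
  int offset;
  explicit operator bool() const { return leaf != nullptr; }
};

class HyperText {
 public:
  explicit HyperText(std::vector<Leaf> leaves) : mLeaves(std::move(leaves)) {}
  int CharacterCount() const {
    int n = 0;
    for (const Leaf& l : mLeaves) n += static_cast<int>(l.text.size());
    return n;
  }
  // Maps a container-wide offset to a leaf; out-of-range offsets give an invalid point.
  LeafPoint ToLeafPoint(int offset) const {
    if (offset < 0) return LeafPoint{nullptr, 0};
    for (const Leaf& l : mLeaves) {
      int len = static_cast<int>(l.text.size());
      if (offset < len) return LeafPoint{&l, offset};
      offset -= len;
    }
    return LeafPoint{nullptr, 0};
  }
  // start/end arrive from an external client, so they are treated as untrusted input.
  Rect TextBounds(int start, int end) const {
    if (start < 0 || end <= start || end > CharacterCount()) return Rect{0, 0};
    LeafPoint first = ToLeafPoint(start);
    LeafPoint last = ToLeafPoint(end - 1);
    if (!first || !last) return Rect{0, 0};  // defence in depth: never dereference an invalid point
    return Rect{first.leaf->x, last.leaf->x + last.leaf->width - first.leaf->x};
  }
 private:
  std::vector<Leaf> mLeaves;
};

int main() {
  HyperText ht({Leaf{"abc", 0, 30}, Leaf{"de", 30, 20}});  // constructed sample leaves
  std::printf("valid=%d invalid=%d\n", ht.TextBounds(1, 5).width, ht.TextBounds(0, 99).width);
}
```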

The patch landed in nightly and beta is affected.
:Jamie, is this bug important enough to require an uplift?

  • If yes, please nominate the patch for beta approval.
  • If no, please set status-firefox108 to wontfix.

For more information, please visit auto_nag documentation.

Flags: needinfo?(jteh)

For some reason, I'm still experiencing this crash in the recent Firefox nightlies.

Tobias, are you on Mac? It looks like there are some crashes with this signature on Mac, though they have a different cause.

Eitan, there are crashes like this:
bp-884b2178-8bf7-4909-a442-3c34c0230309
It looks like the Mac text code might be trying to poke an invalid TextLeafPoint; i.e. mAcc is null?

Flags: needinfo?(eitan)

(In reply to James Teh [:Jamie] from comment #14)

> Tobias, are you on Mac? It looks like there are some crashes with this signature on Mac, though they have a different cause.

Yes, I'm on a mac.

I filed bug 1822544 for the recent macOS crashes.

Flags: needinfo?(eitan)