Crash in [@ NS_CycleCollectorSuspect3 | nsCycleCollectingAutoRefCnt::incr<T>] inside of mozilla::a11y::SessionAccessibility::CachedPivot
Categories
(Core :: Disability Access APIs, defect)
Tracking
Version | Tracking | Status |
---|---|---|
firefox-esr102 | --- | unaffected |
firefox107 | --- | unaffected |
firefox108 | --- | wontfix |
firefox109 | --- | fixed |
People
(Reporter: Jamie, Assigned: eeejay)
Details
(Keywords: crash, topcrash)
Attachments
(1 file)
Crash report: https://crash-stats.mozilla.org/report/index/21cc0c5c-1e2c-4550-9c8c-50c130220915
Reason: SIGSEGV / SEGV_MAPERR
Top 10 frames of crashing thread:
0 libxul.so NS_CycleCollectorSuspect3 xpcom/base/nsCycleCollector.cpp:3769
1 libxul.so unsigned int nsCycleCollectingAutoRefCnt::incr<&NS_CycleCollectorSuspect3> xpcom/base/nsISupportsImpl.h:248
1 libxul.so unsigned int nsCycleCollectingAutoRefCnt::incr<&NS_CycleCollectorSuspect3> xpcom/base/nsISupportsImpl.h:234
1 libxul.so nsFrameLoader::AddRef dom/base/nsFrameLoader.cpp:169
1 libxul.so mozilla::RefPtrTraits<nsFrameLoader>::AddRef mfbt/RefPtr.h:49
1 libxul.so RefPtr<nsFrameLoader>::ConstRemovingRefPtrTraits<nsFrameLoader>::AddRef mfbt/RefPtr.h:380
1 libxul.so RefPtr<nsFrameLoader>::RefPtr mfbt/RefPtr.h:97
1 libxul.so already_AddRefed<nsFrameLoader> do_AddRef<nsFrameLoader> mfbt/RefPtr.h:562
1 libxul.so nsFrameLoaderOwner::GetFrameLoader dom/base/nsFrameLoaderOwner.cpp:35
2 libxul.so mozilla::dom::BrowserParent::GetFrom dom/ipc/BrowserParent.cpp:291
I guess the Pivot started on a RemoteAccessible, since it's running in the UI thread and not the Gecko thread. Then it seems to end up at a local OuterDocAccessible, which is problematic. But why? As I understand it, there should only be one local OuterDocAccessible at a time. The Pivot should have walked up the ancestors, then across to the next sibling (there is none) and then up the ancestors of the OuterDocAccessible. I guess walking up the ancestors of the OuterDocAccessible would itself be problematic, though.
We need to prevent these Pivots from walking outside of remote documents if they're called on the Android UI thread.
Comment 1•2 years ago
The bug is linked to a topcrash signature, which matches the following criterion:
- Top 10 AArch64 and ARM crashes on beta
For more information, please visit auto_nag documentation.
Comment 2•2 years ago (Assignee)
The pivot should never cross from remote into parent process local
containers. We need to explicitly set the root for the pivot, and
assert for this in the pivot traversal methods.
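A minimal sketch of the constraint described in comment 2, added here as an illustration and not taken from the Gecko patch: a pre-order pivot that is given an explicit root, asserts that traversal starts inside it, and stops at the root instead of climbing into its ancestors. `Node`, `BoundedPivot`, `WalkRemoteDoc` and the sample tree are hypothetical stand-ins, not Gecko classes.

```cpp
#include <cassert>
#include <string>
#include <vector>

// Hypothetical stand-in for an accessible; not Gecko's Accessible class.
struct Node {
  std::string name;
  bool remote;  // true if the node belongs to a remote (content) document
  Node* parent = nullptr;
  std::vector<Node*> kids;
  Node(const std::string& n, bool r) : name(n), remote(r) {}
  void Append(Node* c) { c->parent = this; kids.push_back(c); }
  Node* NextSibling() const {
    if (!parent) return nullptr;
    const auto& s = parent->kids;
    for (std::size_t i = 0; i + 1 < s.size(); ++i)
      if (s[i] == this) return s[i + 1];
    return nullptr;
  }
};

// Pre-order pivot confined to the subtree under an explicit root.
struct BoundedPivot {
  explicit BoundedPivot(Node* root) : mRoot(root) { assert(root); }
  bool IsInSubtree(const Node* n) const {
    for (; n; n = n->parent)
      if (n == mRoot) return true;
    return false;
  }
  // Next node after anchor in document order, or nullptr at the end.
  Node* Next(Node* anchor) const {
    assert(IsInSubtree(anchor));  // never start outside the root
    if (!anchor->kids.empty()) return anchor->kids.front();
    for (Node* n = anchor; n && n != mRoot; n = n->parent)
      if (Node* sib = n->NextSibling()) return sib;
    return nullptr;  // hit the root: do not climb into its ancestors
  }
  Node* mRoot;
};
// Constructed tree: chrome > {outerdoc > remote-doc > {heading, link}, toolbar}.
std::vector<std::string> WalkRemoteDoc() {
  Node chrome("chrome", false), outer("outerdoc", false), toolbar("toolbar", false);
  Node doc("remote-doc", true), heading("heading", true), link("link", true);
  chrome.Append(&outer); chrome.Append(&toolbar);
  outer.Append(&doc); doc.Append(&heading); doc.Append(&link);
  BoundedPivot pivot(&doc);
  std::vector<std::string> seen;
  for (Node* n = &doc; n; n = pivot.Next(n)) { assert(n->remote); seen.push_back(n->name); }
  return seen;
}
```

Without the root check, the walk from `link` would climb to the local `outerdoc` and continue to `toolbar`, which is the remote-to-local crossing the description identifies.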
Comment 3•2 years ago
bugherder
Comment 4•2 years ago
:eeejay Since this is an S2 and a top crasher, did you want to nominate this for an uplift for 108?
Comment 5•2 years ago (Assignee)
Since the crash volume is low, and since the patch is not 100% straightforward, I think we should let this one ride the trains.