Closed Bug 1801986 Opened 2 years ago Closed 2 years ago

Crash in [@ NS_CycleCollectorSuspect3 | nsCycleCollectingAutoRefCnt::incr<T>] inside of mozilla::a11y::SessionAccessibility::CachedPivot

Categories

(Core :: Disability Access APIs, defect)

Unspecified
Android
defect

Tracking


RESOLVED FIXED
109 Branch
Tracking Status
firefox-esr102 --- unaffected
firefox107 --- unaffected
firefox108 --- wontfix
firefox109 --- fixed

People

(Reporter: Jamie, Assigned: eeejay)

References

Details

(Keywords: crash, topcrash)

Crash Data

Attachments

(1 file)

Crash report: https://crash-stats.mozilla.org/report/index/21cc0c5c-1e2c-4550-9c8c-50c130220915

Reason: SIGSEGV / SEGV_MAPERR

Top 10 frames of crashing thread:

0  libxul.so  NS_CycleCollectorSuspect3  xpcom/base/nsCycleCollector.cpp:3769
1  libxul.so  unsigned int nsCycleCollectingAutoRefCnt::incr<&NS_CycleCollectorSuspect3>  xpcom/base/nsISupportsImpl.h:248
1  libxul.so  unsigned int nsCycleCollectingAutoRefCnt::incr<&NS_CycleCollectorSuspect3>  xpcom/base/nsISupportsImpl.h:234
1  libxul.so  nsFrameLoader::AddRef  dom/base/nsFrameLoader.cpp:169
1  libxul.so  mozilla::RefPtrTraits<nsFrameLoader>::AddRef  mfbt/RefPtr.h:49
1  libxul.so  RefPtr<nsFrameLoader>::ConstRemovingRefPtrTraits<nsFrameLoader>::AddRef  mfbt/RefPtr.h:380
1  libxul.so  RefPtr<nsFrameLoader>::RefPtr  mfbt/RefPtr.h:97
1  libxul.so  already_AddRefed<nsFrameLoader> do_AddRef<nsFrameLoader>  mfbt/RefPtr.h:562
1  libxul.so  nsFrameLoaderOwner::GetFrameLoader  dom/base/nsFrameLoaderOwner.cpp:35
2  libxul.so  mozilla::dom::BrowserParent::GetFrom  dom/ipc/BrowserParent.cpp:291

I guess the Pivot started on a RemoteAccessible, since it's running in the UI thread and not the Gecko thread. Then it seems to end up at a local OuterDocAccessible, which is problematic. But why? As I understand it, there should only be one local OuterDocAccessible at a time. The Pivot should have walked up the ancestors, then across to the next sibling (there is none) and then up the ancestors of the OuterDocAccessible. I guess walking up the ancestors of the OuterDocAccessible would itself be problematic, though.

We need to prevent these Pivots from walking outside of remote documents if they're called on the Android UI thread.

See Also: → 1801879

The bug is linked to a topcrash signature, which matches the following criterion:

  • Top 10 AArch64 and ARM crashes on beta

For more information, please visit auto_nag documentation.

Keywords: topcrash
Assignee: nobody → eitan

The pivot should never cross from remote into parent process local
containers. We need to explicitly set the root for the pivot, and
assert for this in the pivot traversal methods.

Status: NEW → RESOLVED
Closed: 2 years ago
Resolution: --- → FIXED
Target Milestone: --- → 109 Branch
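To make the fix described in the commit message concrete, here is an added illustration (not Gecko code, and not the patch attached to this bug) of a pivot-style pre-order walk over a toy accessibility tree. The node type, names and the `PivotNext` function are hypothetical; they stand in for the real Accessible hierarchy only to show the two behaviours the comments describe: with no explicit root, climbing the ancestor chain from the last remote node crosses from the remote document into the parent-process local container; with the root set to the remote document, the walk stops at the document boundary, and an assertion in the traversal step catches any result that lies outside the root.

```cpp
// Added illustration (hypothetical, not Gecko code): a pre-order "next" step
// for a pivot-like walker, shown unbounded and bounded by an explicit root.
#include <cassert>
#include <cstdio>
#include <memory>
#include <string>
#include <vector>

// Toy stand-in for an Accessible. `remote` marks nodes that belong to a
// content-process document; everything else is parent-process local.
struct Node {
  std::string name;
  bool remote = false;
  Node* parent = nullptr;
  std::vector<std::unique_ptr<Node>> children;

  Node* AddChild(const std::string& n, bool isRemote) {
    children.push_back(std::make_unique<Node>());
    Node* c = children.back().get();
    c->name = n;
    c->remote = isRemote;
    c->parent = this;
    return c;
  }
  Node* FirstChild() const {
    return children.empty() ? nullptr : children.front().get();
  }
  Node* NextSibling() const {
    if (!parent) return nullptr;
    const auto& sibs = parent->children;
    for (size_t i = 0; i + 1 < sibs.size(); ++i)
      if (sibs[i].get() == this) return sibs[i + 1].get();
    return nullptr;
  }
};

// True if `node` is `root` itself or one of its descendants.
static bool IsInSubtree(const Node* root, const Node* node) {
  for (const Node* n = node; n; n = n->parent)
    if (n == root) return true;
  return false;
}

// Pre-order step: first child, else next sibling, else climb the ancestors
// looking for a sibling. The climb stops at `root`; root == nullptr models
// the unbounded walk that leaves the remote document in this bug.
static Node* PivotNext(Node* root, Node* node) {
  if (Node* c = node->FirstChild()) return c;
  for (Node* n = node; n && n != root; n = n->parent) {
    if (Node* s = n->NextSibling()) {
      // Hardened form: a bounded pivot must never hand back a node outside
      // the traversal root, so check it at the point of traversal.
      assert(!root || IsInSubtree(root, s));
      return s;
    }
  }
  return nullptr;  // reached the root (or the top of the tree): done
}

// Constructed sample tree: a local app container holding a local OuterDoc
// (which wraps a remote document) followed by a local status bar.
struct Fixture {
  std::unique_ptr<Node> app;
  Node* remoteDoc = nullptr;
  Node* lastRemote = nullptr;
};

static Fixture BuildTree() {
  Fixture f;
  f.app = std::make_unique<Node>();
  f.app->name = "app";
  Node* outerDoc = f.app->AddChild("outerdoc", false);
  f.remoteDoc = outerDoc->AddChild("remotedoc", true);
  Node* para = f.remoteDoc->AddChild("para", true);
  f.lastRemote = para->AddChild("text", true);
  f.app->AddChild("statusbar", false);
  return f;
}

// Name of the node reached by one step past the last remote node, or ""
// when the traversal stops at its root.
static std::string StepPastLastRemote(bool boundToRemoteDoc) {
  Fixture f = BuildTree();
  Node* next = PivotNext(boundToRemoteDoc ? f.remoteDoc : nullptr, f.lastRemote);
  return next ? next->name : "";
}

// Number of parent-process local nodes visited by a full walk that starts
// at the remote document.
static int LocalNodesVisited(bool boundToRemoteDoc) {
  Fixture f = BuildTree();
  Node* root = boundToRemoteDoc ? f.remoteDoc : nullptr;
  int locals = 0;
  for (Node* n = PivotNext(root, f.remoteDoc); n; n = PivotNext(root, n))
    if (!n->remote) ++locals;
  return locals;
}

int main() {
  std::printf("unbounded step lands on: %s\n", StepPastLastRemote(false).c_str());
  std::printf("bounded step lands on:   %s\n", StepPastLastRemote(true).c_str());
  std::printf("local nodes visited: %d (unbounded) vs %d (bounded)\n",
              LocalNodesVisited(false), LocalNodesVisited(true));
  return 0;
}
```

The unbounded walk climbs from the remote text node through the remote document and the OuterDoc and lands on the local status bar; in the real tree that is where a parent-process object gets touched from the Android UI thread. Setting the root to the remote document ends the walk at the document boundary instead, which is the behaviour the commit message asks for.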

:eeejay Since this is an S2 and a top crasher, did you want to nominate this for an uplift for 108?

Flags: needinfo?(eitan)

Since the crash volume is low, and since the patch is not 100% straightforward, I think we should let this one ride the trains.

Flags: needinfo?(eitan)
