Closed Bug 1814538 Opened 2 years ago Closed 2 years ago

Crash in [@ PLDHashTable::EntryStore::IsAllocated | PLDHashTable::Search | nsTHashtable<T>::GetEntry | nsBaseHashtable<T>::Lookup | mozilla::a11y::AccAttributes::GetAttribute<T>]

Categories

(Core :: Disability Access APIs, defect, P1)

Product:
Core
Component:
Disability Access APIs
Platform:
Unspecified
Android
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
111 Branch
Tracking Flags:
Tracking Status
firefox-esr102 --- unaffected
firefox109 --- unaffected
firefox110 --- unaffected
firefox111 + fixed

People

(Reporter: mccr8, Assigned: Jamie)

References

(Regression)

Details

(Keywords: crash, regression, Whiteboard: [ctw-m5])

Crash Data

Attachments

(1 file)

Bug 1814538: Don't call RemoteAccessibleBase::IsFixedPos if mCachedFields is null.
48 bytes, text/x-phabricator-request
Details | Review

Crash report: https://crash-stats.mozilla.org/report/index/3ca9d2ef-5e8c-4195-8f92-464110230201

Reason: SIGSEGV / SEGV_MAPERR

Top 10 frames of crashing thread:

0  libxul.so  PLDHashTable::EntryStore::IsAllocated const  xpcom/ds/PLDHashTable.h:325
0  libxul.so  PLDHashTable::Search const  xpcom/ds/PLDHashTable.cpp:496
1  libxul.so  nsTHashtable<nsBaseHashtableET<nsRefPtrHashKey<nsAtom>, mozilla::Variant<bool, float, double, int, RefPtr<nsAtom>, nsTArray<int>, mozilla::gfx::CoordTyped<mozilla::CSSPixel, float>, mozilla::a11y::FontSize, mozilla::a11y::Color, mozilla::a11y::DeleteEntry, mozilla::UniquePtr<nsTString<char16_t>, mozilla::DefaultDelete<nsTString<char16_t> > >, RefPtr<mozilla::a11y::AccAttributes>, unsigned long, mozilla::UniquePtr<mozilla::a11y::AccGroupInfo, mozilla::DefaultDelete<mozilla::a11y::AccGroupInfo> >, mozilla::UniquePtr<mozilla::gfx::Matrix4x4Typed<mozilla::gfx::UnknownUnits, mozilla::gfx::UnknownUnits, float>, mozilla::DefaultDelete<mozilla::gfx::Matrix4x4Typed<mozilla::gfx::UnknownUnits, mozilla::gfx::UnknownUnits, float> > >, nsTArray<unsigned long> > > >::GetEntry const  xpcom/ds/nsTHashtable.h:289
1  libxul.so  nsBaseHashtable<nsRefPtrHashKey<nsAtom>, mozilla::Variant<bool, float, double, int, RefPtr<nsAtom>, nsTArray<int>, mozilla::gfx::CoordTyped<mozilla::CSSPixel, float>, mozilla::a11y::FontSize, mozilla::a11y::Color, mozilla::a11y::DeleteEntry, mozilla::UniquePtr<nsTString<char16_t>, mozilla::DefaultDelete<nsTString<char16_t> > >, RefPtr<mozilla::a11y::AccAttributes>, unsigned long, mozilla::UniquePtr<mozilla::a11y::AccGroupInfo, mozilla::DefaultDelete<mozilla::a11y::AccGroupInfo> >, mozilla::UniquePtr<mozilla::gfx::Matrix4x4Typed<mozilla::gfx::UnknownUnits, mozilla::gfx::UnknownUnits, float>, mozilla::DefaultDelete<mozilla::gfx::Matrix4x4Typed<mozilla::gfx::UnknownUnits, mozilla::gfx::UnknownUnits, float> > >, nsTArray<unsigned long> >, mozilla::Variant<bool, float, double, int, RefPtr<nsAtom>, nsTArray<int>, mozilla::gfx::CoordTyped<mozilla::CSSPixel, float>, mozilla::a11y::FontSize, mozilla::a11y::Color, mozilla::a11y::DeleteEntry, mozilla::UniquePtr<nsTString<char16_t>, mozilla::DefaultDelete<nsTString<char16_t> > >, RefPtr<mozilla::a11y::AccAttributes>, unsigned long, mozilla::UniquePtr<mozilla::a11y::AccGroupInfo, mozilla::DefaultDelete<mozilla::a11y::AccGroupInfo> >, mozilla::UniquePtr<mozilla::gfx::Matrix4x4Typed<mozilla::gfx::UnknownUnits, mozilla::gfx::UnknownUnits, float>, mozilla::DefaultDelete<mozilla::gfx::Matrix4x4Typed<mozilla::gfx::UnknownUnits, mozilla::gfx::UnknownUnits, float> > >, nsTArray<unsigned long> >, nsDefaultConverter<mozilla::Variant<bool, float, double, int, RefPtr<nsAtom>, nsTArray<int>, mozilla::gfx::CoordTyped<mozilla::CSSPixel, float>, mozilla::a11y::FontSize, mozilla::a11y::Color, mozilla::a11y::DeleteEntry, mozilla::UniquePtr<nsTString<char16_t>, mozilla::DefaultDelete<nsTString<char16_t> > >, RefPtr<mozilla::a11y::AccAttributes>, unsigned long, mozilla::UniquePtr<mozilla::a11y::AccGroupInfo, mozilla::DefaultDelete<mozilla::a11y::AccGroupInfo> >, mozilla::UniquePtr<mozilla::gfx::Matrix4x4Typed<mozilla::gfx::UnknownUnits, mozilla::gfx::UnknownUnits, float>, mozilla::DefaultDelete<mozilla::gfx::Matrix4x4Typed<mozilla::gfx::UnknownUnits, mozilla::gfx::UnknownUnits, float> > >, nsTArray<unsigned long> >, mozilla::Variant<bool, float, double, int, RefPtr<nsAtom>, nsTArray<int>, mozilla::gfx::CoordTyped<mozilla::CSSPixel, float>, mozilla::a11y::FontSize, mozilla::a11y::Color, mozilla::a11y::DeleteEntry, mozilla::UniquePtr<nsTString<char16_t>, mozilla::DefaultDelete<nsTString<char16_t> > >, RefPtr<mozilla::a11y::AccAttributes>, unsigned long, mozilla::UniquePtr<mozilla::a11y::AccGroupInfo, mozilla::DefaultDelete<mozilla::a11y::AccGroupInfo> >, mozilla::UniquePtr<mozilla::gfx::Matrix4x4Typed<mozilla::gfx::UnknownUnits, mozilla::gfx::UnknownUnits, float>, mozilla::DefaultDelete<mozilla::gfx::Matrix4x4Typed<mozilla::gfx::UnknownUnits, mozilla::gfx::UnknownUnits, float> > >, nsTArray<unsigned long> > > >::Lookup const  xpcom/ds/nsBaseHashtable.h:641
1  libxul.so  mozilla::a11y::AccAttributes::GetAttribute<RefPtr<nsAtom> > const  accessible/base/AccAttributes.h:116
1  libxul.so  mozilla::a11y::RemoteAccessibleBase<mozilla::a11y::RemoteAccessible>::IsFixedPos const  accessible/ipc/RemoteAccessibleBase.cpp:561
1  libxul.so  mozilla::a11y::RemoteAccessibleBase<mozilla::a11y::RemoteAccessible>::BoundsWithOffset const  accessible/ipc/RemoteAccessibleBase.cpp:644
2  libxul.so  mozilla::a11y::RemoteAccessibleBase<mozilla::a11y::RemoteAccessible>::Bounds const  accessible/ipc/RemoteAccessibleBase.cpp:696
3  libxul.so  mozilla::a11y::RemoteAccessible::Bounds const  accessible/ipc/other/RemoteAccessible.cpp:938
4  libxul.so  mozilla::a11y::SessionAccessibility::PopulateNodeInfo  accessible/android/SessionAccessibility.cpp:875

Possible new crash on Fenix Nightly. It might be a dupe of something, but I poked around a bit and didn't see anything.

I guess we need an mCachedFields check?

Blocks: a11y-ctw
Severity: -- → S2
Keywords: regression
Priority: -- → P1
Regressed by: 1809836
Whiteboard: [ctw-m5]

Set release status flags based on info from the regressing bug 1809836

:morgan, since you are the author of the regressor, bug 1809836, could you take a look?

For more information, please visit auto_nag documentation.

status-firefox109: --- → unaffected
status-firefox110: --- → unaffected
status-firefox111: --- → affected
status-firefox-esr102: --- → unaffected
Flags: needinfo?(mreschenberg)

RetrieveCachedBounds returns Nothing() if mCachedFields is null.
Since we already have a large block which is only executed if RetrieveCachedBounds returned something, just move the call to IsFixedPos inside that block.

Assignee: nobody → jteh
Status: NEW → ASSIGNED
Flags: needinfo?(mreschenberg)
Pushed by jteh@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/020cd9851fea Don't call RemoteAccessibleBase::IsFixedPos if mCachedFields is null. r=nlapre

https://hg.mozilla.org/mozilla-central/rev/020cd9851fea

Status: ASSIGNED → RESOLVED
Closed: 2 years ago
status-firefox111: affectedfixed
Resolution: --- → FIXED
Target Milestone: --- → 111 Branch
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: