Closed Bug 1819415 Opened 1 year ago Closed 1 year ago

Crash in [@ mozilla::a11y::MsaaIdGenerator::GetContentProcessIDFor::<T>::operator]

Categories

(Core :: Disability Access APIs, defect)

Product:
Core
Component:
Disability Access APIs
Platform:
Unspecified
Windows
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Tracking Flags:
Tracking Status
firefox-esr102 --- unaffected
firefox110 --- wontfix
firefox111 --- wontfix
firefox112 --- wontfix
firefox113 --- fixed
firefox114 --- fixed
firefox115 --- fixed

People

(Reporter: aryx, Unassigned)

References

Details

(Keywords: crash)

Crash Data

Not a new signature but more crashes for 110.0b6 than before: 20 crashes from 12 installations. Firefox 109 release branch had 105 crashes from 81 installations in the database.

Crash report: https://crash-stats.mozilla.org/report/index/d135fd1c-a802-41bf-9f81-380bc0230228

MOZ_CRASH Reason: MOZ_RELEASE_ASSERT(index < ArrayLength(sContentProcessIdBitmap))

Top 10 frames of crashing thread:

0  xul.dll  mozilla::a11y::MsaaIdGenerator::GetContentProcessIDFor::<lambda_8>::operator const  accessible/windows/msaa/MsaaIdGenerator.cpp:264
0  xul.dll  nsBaseHashtable<nsIntegralHashKey<unsigned long long, 0>, unsigned int, unsigned int, nsDefaultConverter<unsigned int, unsigned int> >::EntryHandle::OrInsertWith  xpcom/ds/nsBaseHashtable.h:726
0  xul.dll  nsBaseHashtable<nsIntegralHashKey<unsigned long long, 0>, unsigned int, unsigned int, nsDefaultConverter<unsigned int, unsigned int> >::LookupOrInsertWith<`lambda at /builds/worker/checkouts/gecko/accessible/windows/msaa/MsaaIdGenerator.cpp:247:72'>::<lambda_1>::operator const  xpcom/ds/nsBaseHashtable.h:423
0  xul.dll  nsBaseHashtable<nsIntegralHashKey<unsigned long long, 0>, unsigned int, unsigned int, nsDefaultConverter<unsigned int, unsigned int> >::WithEntryHandle<`lambda at /builds/worker/workspace/obj-build/dist/include/nsBaseHashtable.h:422:34'>::<lambda_1>::operator const  xpcom/ds/nsBaseHashtable.h:836
0  xul.dll  nsTHashtable<nsBaseHashtableET<nsIntegralHashKey<unsigned long long, 0>, unsigned int> >::WithEntryHandle<`lambda at /builds/worker/workspace/obj-build/dist/include/nsBaseHashtable.h:835:15'>::<lambda_1>::operator const  xpcom/ds/nsTHashtable.h:437
0  xul.dll  PLDHashTable::WithEntryHandle  xpcom/ds/PLDHashTable.h:603
0  xul.dll  nsTHashtable<nsBaseHashtableET<nsIntegralHashKey<unsigned long long, 0>, unsigned int> >::WithEntryHandle  xpcom/ds/nsTHashtable.h:434
0  xul.dll  nsBaseHashtable<nsIntegralHashKey<unsigned long long, 0>, unsigned int, unsigned int, nsDefaultConverter<unsigned int, unsigned int> >::WithEntryHandle  xpcom/ds/nsBaseHashtable.h:834
0  xul.dll  nsBaseHashtable<nsIntegralHashKey<unsigned long long, 0>, unsigned int, unsigned int, nsDefaultConverter<unsigned int, unsigned int> >::LookupOrInsertWith  xpcom/ds/nsBaseHashtable.h:422
0  xul.dll  mozilla::a11y::MsaaIdGenerator::GetContentProcessIDFor  accessible/windows/msaa/MsaaIdGenerator.cpp:243

This means someone had more than 255 content processes, which accessibility can't handle. Fixing that is extremely difficult with the current architecture without trading for another potential crash when a given process runs out of ids. However, this is fixed by Cache the World.

Severity: -- → S2
Depends on: 1737193

The bug is linked to a topcrash signature, which matches the following criterion:

  • Top 20 desktop browser crashes on beta

For more information, please visit auto_nag documentation.

Keywords: topcrash
Crash Signature: [@ mozilla::a11y::MsaaIdGenerator::GetContentProcessIDFor::<T>::operator()] → [@ mozilla::a11y::MsaaIdGenerator::GetContentProcessIDFor::<T>::operator]
Summary: Crash in [@ mozilla::a11y::MsaaIdGenerator::GetContentProcessIDFor::<T>::operator()] → Crash in [@ mozilla::a11y::MsaaIdGenerator::GetContentProcessIDFor::<T>::operator]

Adding signature generated by 111.0.

Crash Signature: [@ mozilla::a11y::MsaaIdGenerator::GetContentProcessIDFor::<T>::operator] → [@ mozilla::a11y::MsaaIdGenerator::GetContentProcessIDFor::<T>::operator] [@ mozilla::a11y::MsaaIdGenerator::GetContentProcessIDFor::<T>::operator()]
Duplicate of this bug: 1826615

(In reply to James Teh [:Jamie] from comment #1)

This means someone had more than 255 content processes, which accessibility can't handle. Fixing that is extremely difficult with the current architecture without trading for another potential crash when a given process runs out of ids. However, this is fixed by Cache the World.

It seems we are still getting crashes in 112 release. Did we ship CTW to all users as planned? (Also, the graph suggests that something happened with the 111 release that made this crash spike.)

Flags: needinfo?(jteh)

After some discussion with release management, it was decided that we would not uplift the pref flip to 112. Instead, to mitigate risk, we will convert the 111 experiment to a 100% rollout via Nimbus, which will allow us to reverse course if anything critically bad happens (unlikely as that may be at this point). We're currently in the process of getting that rollout reviewed and launched.

Flags: needinfo?(jteh)

No crashes in Beta 113 where CtW is enabled by default.

status-firefox111: affectedwontfix
status-firefox112: affectedwontfix
status-firefox113: affectedfix-optional

Based on the topcrash criteria, the crash signatures linked to this bug are not in the topcrash signatures anymore.

For more information, please visit BugBot documentation.

Keywords: topcrash

This is resolved by Cache the World, which is enabled by default in Firefox 113.

Status: NEW → RESOLVED
Closed: 1 year ago
status-firefox113: fix-optionalfixed
status-firefox114: --- → fixed
status-firefox115: --- → fixed
Resolution: --- → FIXED
You need to log in before you can comment on or make changes to this bug.