1825500 - Crash in [@ mozilla::a11y::AccAttributes::GetAttribute]

Status: RESOLVED FIXED

(Core :: Disability Access APIs, defect)

Description

[Gabriele Svelto [:gsvelto]]

Crash report: https://crash-stats.mozilla.org/report/index/36c9edcc-411d-41da-967c-8039d0230330

Reason: EXCEPTION_ACCESS_VIOLATION_READ

Top 10 frames of crashing thread:

0  xul.dll  PLDHashTable::EntryStore::IsAllocated const  xpcom/ds/PLDHashTable.h:325
0  xul.dll  PLDHashTable::Search const  xpcom/ds/PLDHashTable.cpp:496
1  xul.dll  nsTHashtable<nsBaseHashtableET<nsRefPtrHashKey<nsAtom>, mozilla::Variant<bool, float, double, int, RefPtr<nsAtom>, nsTArray<int>, mozilla::gfx::CoordTyped<mozilla::CSSPixel, float>, mozilla::a11y::FontSize, mozilla::a11y::Color, mozilla::a11y::DeleteEntry, mozilla::UniquePtr<nsTString<char16_t>, mozilla::DefaultDelete<nsTString<char16_t> > >, RefPtr<mozilla::a11y::AccAttributes>, unsigned long long, mozilla::UniquePtr<mozilla::a11y::AccGroupInfo, mozilla::DefaultDelete<mozilla::a11y::AccGroupInfo> >, mozilla::UniquePtr<mozilla::gfx::Matrix4x4Typed<mozilla::gfx::UnknownUnits, mozilla::gfx::UnknownUnits, float>, mozilla::DefaultDelete<mozilla::gfx::Matrix4x4Typed<mozilla::gfx::UnknownUnits, mozilla::gfx::UnknownUnits, float> > >, nsTArray<unsigned long long> > > >::GetEntry const  xpcom/ds/nsTHashtable.h:288
1  xul.dll  nsBaseHashtable<nsRefPtrHashKey<nsAtom>, mozilla::Variant<bool, float, double, int, RefPtr<nsAtom>, nsTArray<int>, mozilla::gfx::CoordTyped<mozilla::CSSPixel, float>, mozilla::a11y::FontSize, mozilla::a11y::Color, mozilla::a11y::DeleteEntry, mozilla::UniquePtr<nsTString<char16_t>, mozilla::DefaultDelete<nsTString<char16_t> > >, RefPtr<mozilla::a11y::AccAttributes>, unsigned long long, mozilla::UniquePtr<mozilla::a11y::AccGroupInfo, mozilla::DefaultDelete<mozilla::a11y::AccGroupInfo> >, mozilla::UniquePtr<mozilla::gfx::Matrix4x4Typed<mozilla::gfx::UnknownUnits, mozilla::gfx::UnknownUnits, float>, mozilla::DefaultDelete<mozilla::gfx::Matrix4x4Typed<mozilla::gfx::UnknownUnits, mozilla::gfx::UnknownUnits, float> > >, nsTArray<unsigned long long> >, mozilla::Variant<bool, float, double, int, RefPtr<nsAtom>, nsTArray<int>, mozilla::gfx::CoordTyped<mozilla::CSSPixel, float>, mozilla::a11y::FontSize, mozilla::a11y::Color, mozilla::a11y::DeleteEntry, mozilla::UniquePtr<nsTString<char16_t>, mozilla::DefaultDelete<nsTString<char16_t> > >, RefPtr<mozilla::a11y::AccAttributes>, unsigned long long, mozilla::UniquePtr<mozilla::a11y::AccGroupInfo, mozilla::DefaultDelete<mozilla::a11y::AccGroupInfo> >, mozilla::UniquePtr<mozilla::gfx::Matrix4x4Typed<mozilla::gfx::UnknownUnits, mozilla::gfx::UnknownUnits, float>, mozilla::DefaultDelete<mozilla::gfx::Matrix4x4Typed<mozilla::gfx::UnknownUnits, mozilla::gfx::UnknownUnits, float> > >, nsTArray<unsigned long long> >, nsDefaultConverter<mozilla::Variant<bool, float, double, int, RefPtr<nsAtom>, nsTArray<int>, mozilla::gfx::CoordTyped<mozilla::CSSPixel, float>, mozilla::a11y::FontSize, mozilla::a11y::Color, mozilla::a11y::DeleteEntry, mozilla::UniquePtr<nsTString<char16_t>, mozilla::DefaultDelete<nsTString<char16_t> > >, RefPtr<mozilla::a11y::AccAttributes>, unsigned long long, mozilla::UniquePtr<mozilla::a11y::AccGroupInfo, mozilla::DefaultDelete<mozilla::a11y::AccGroupInfo> >, mozilla::UniquePtr<mozilla::gfx::Matrix4x4Typed<mozilla::gfx::UnknownUnits, mozilla::gfx::UnknownUnits, float>, mozilla::DefaultDelete<mozilla::gfx::Matrix4x4Typed<mozilla::gfx::UnknownUnits, mozilla::gfx::UnknownUnits, float> > >, nsTArray<unsigned long long> >, mozilla::Variant<bool, float, double, int, RefPtr<nsAtom>, nsTArray<int>, mozilla::gfx::CoordTyped<mozilla::CSSPixel, float>, mozilla::a11y::FontSize, mozilla::a11y::Color, mozilla::a11y::DeleteEntry, mozilla::UniquePtr<nsTString<char16_t>, mozilla::DefaultDelete<nsTString<char16_t> > >, RefPtr<mozilla::a11y::AccAttributes>, unsigned long long, mozilla::UniquePtr<mozilla::a11y::AccGroupInfo, mozilla::DefaultDelete<mozilla::a11y::AccGroupInfo> >, mozilla::UniquePtr<mozilla::gfx::Matrix4x4Typed<mozilla::gfx::UnknownUnits, mozilla::gfx::UnknownUnits, float>, mozilla::DefaultDelete<mozilla::gfx::Matrix4x4Typed<mozilla::gfx::UnknownUnits, mozilla::gfx::UnknownUnits, float> > >, nsTArray<unsigned long long> > > >::Lookup const  xpcom/ds/nsBaseHashtable.h:641
1  xul.dll  mozilla::a11y::AccAttributes::GetAttribute const  accessible/base/AccAttributes.h:116
1  xul.dll  mozilla::a11y::RemoteAccessibleBase<mozilla::a11y::RemoteAccessible>::ApplyCrossDocOffset const  accessible/ipc/RemoteAccessibleBase.cpp:478
2  xul.dll  mozilla::a11y::RemoteAccessibleBase<mozilla::a11y::RemoteAccessible>::BoundsWithOffset const  accessible/ipc/RemoteAccessibleBase.cpp:619
3  xul.dll  mozilla::a11y::RemoteAccessibleBase<mozilla::a11y::RemoteAccessible>::Bounds const  accessible/ipc/RemoteAccessibleBase.cpp:700
4  xul.dll  mozilla::a11y::RemoteAccessible::Bounds const  accessible/ipc/win/RemoteAccessible.cpp:245
5  xul.dll  mozilla::a11y::MsaaAccessible::accLocation  accessible/windows/msaa/MsaaAccessible.cpp:1552

This appears to be some form of NULL pointer access. The bug appears new but is not, the signature appeared because we deployed bug 1795651. Glancing around it seems that this might be related to bug 1793423 but I'm not sure given my limited knowledge of the a11y code.

Comment 1

[James Teh [:Jamie]]

I think this should be fixed by bug 1818726. That landed on 112 and I don't see any crashes for 112 or above.

Implementation note: Before bug 1818726, mCachedFields could be null because the tree (show event) and the cache were sent in separate IPDL calls. After bug 1818726, the initial cache push is part of the show event IPDL call, so these two things are atomic.