Closed Bug 1826688 Opened 2 years ago Closed 2 years ago

Crash in [@ servo_arc::impl$44::deref] with mozilla::a11y::StyleInfo::Display() on the stack

Categories

(Core :: Disability Access APIs, defect)

Product:
Core
Component:
Disability Access APIs
Platform:
All
Windows
Type:
defect

Tracking

()

Status:
VERIFIED FIXED
Milestone:
114 Branch
Tracking Flags:
Tracking Status
firefox-esr102 --- unaffected
firefox111 --- wontfix
firefox112 --- wontfix
firefox113 --- verified
firefox114 --- verified

People

(Reporter: RyanVM, Assigned: emilio)

References

Details

(Keywords: crash)

Crash Data

Attachments

(1 file)

Bug 1826688 - Shrink down StyleInfo. r=jamie,morgan
48 bytes, text/x-phabricator-request
pascalc
: approval-mozilla-beta+
Details | Review

Looks like this started in Fx111.

Crash report: https://crash-stats.mozilla.org/report/index/1eca3faa-c589-4087-abc1-46e020230405

Reason: EXCEPTION_ACCESS_VIOLATION_READ

Top 10 frames of crashing thread:

0  xul.dll  servo_arc::impl$44::deref  servo/components/servo_arc/lib.rs:1118
0  xul.dll  style::gecko_bindings::structs::root::ServoComputedData::get_box  i686-pc-windows-msvc/release/build/style-2d9d766621675013/out/gecko_properties.rs:579
0  xul.dll  style::gecko_properties::ComputedValues::clone_display  i686-pc-windows-msvc/release/build/style-2d9d766621675013/out/properties.rs:65369
0  xul.dll  style::gecko_properties::ComputedValues::get_resolved_value  i686-pc-windows-msvc/release/build/style-2d9d766621675013/out/properties.rs:68956
1  xul.dll  geckoservo::glue::Servo_GetPropertyValue  servo/ports/geckolib/glue.rs:6804
2  xul.dll  mozilla::ComputedStyle::GetComputedPropertyValue const  layout/style/ComputedStyle.h:69
2  xul.dll  mozilla::a11y::StyleInfo::Display  accessible/base/StyleInfo.cpp:23
3  xul.dll  mozilla::a11y::LocalAccessible::DisplayStyle const  accessible/generic/LocalAccessible.cpp:3929
4  xul.dll  mozilla::a11y::BlockRule::Match  accessible/base/TextLeafRange.cpp:430
5  xul.dll  mozilla::a11y::Pivot::SearchBackward  accessible/base/Pivot.cpp:88
Severity: -- → S3

We might have some STR here, based on the accessibility review from Nathan for the new migration wizard:

With NVDA on, hovering the Cancel button in the Import Data dialog crashes Nightly.

Selecting the Cancel button with keyboard navigation doesn't crash the browser.
Hovering the Cancel button with NVDA off does not crash Nightly.
This only happens with NVDA running. Setting accessibility.force_disabled to -1 in about:config isn’t enough to trigger the problem.
crash report

Similar to the above: with NVDA on, hovering the Done button after a successful import crashes Nightly.

StyleInfo seems to expect its mComputedStyle member to be non-null, but I don't think that's guaranteed and in fact the A11y code already has some workarounds here.

Most of the methods have only one caller that guarantees it has a
primary frame (good!).

But others didn't quite guarantee that.

Assignee: nobody → emilio
Status: NEW → ASSIGNED

I always assumed a crash here was due to a11y using StyleInfo inappropriately; i.e. layout expects that mComputedStyle should not be null if you want to mess with StyleInfo. This does raise the question of why mComputedStyle is null in this case.

https://hg.mozilla.org/mozilla-central/rev/69a22f48b42d

Status: ASSIGNED → RESOLVED
Closed: 2 years ago
status-firefox114: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → 114 Branch

The patch landed in nightly and beta is affected.
:emilio, is this bug important enough to require an uplift?

  • If yes, please nominate the patch for beta approval.
  • If no, please set status-firefox113 to wontfix.

For more information, please visit auto_nag documentation.

Flags: needinfo?(emilio)

Comment on attachment 9327777 [details]
Bug 1826688 - Shrink down StyleInfo. r=jamie,morgan

Beta/Release Uplift Approval Request

  • User impact if declined: crashes with a11y enabled
  • Is this code covered by automated tests?: No
  • Has the fix been verified in Nightly?: No
  • Needs manual test from QE?: Yes
  • If yes, steps to reproduce: It seems there are some STR in comment 1
  • List of other uplifts needed: none
  • Risk to taking this patch: Low
  • Why is the change risky/not risky? (and alternatives if risky): Mostly adding null-checks in practice.
  • String changes made/needed: none
  • Is Android affected?: Yes
Flags: needinfo?(emilio)
Attachment #9327777 - Flags: approval-mozilla-beta?
Flags: qe-verify+

Comment on attachment 9327777 [details]
Bug 1826688 - Shrink down StyleInfo. r=jamie,morgan

Approved for 113 beta 3, thanks.

Attachment #9327777 - Flags: approval-mozilla-beta? → approval-mozilla-beta+
QA Whiteboard: [qa-triaged]

I can constantly reproduce the crash with the steps mentioned in comment 1, with browser.migrate.content-modal.enabled set on true on Nightly 113.0a1 (2023-03-31), but no crash report is generated.
There is no crash with the latest Nightly 114.0a1 (2023-04-18) and Beta 113.0b5 on Windows 10, therefore this issue looks fixed on my end, but without having an actually crash report maybe a second verification should be considered. If time permits maybe Nathan can confirm as well if this crash signature is no longer reproducible indeed. Thank you!

Flags: needinfo?(nlapre)

I can confirm Anca's report; the issue appears fixed for me, too. I can no longer reproduce the crash using the steps I originally posted. Thanks for fixing this!

Flags: needinfo?(nlapre)

Based on comments 11 and 12 I will mark this as verified fixed.

Status: RESOLVED → VERIFIED
status-firefox113: fixedverified
status-firefox114: fixedverified
Flags: qe-verify+
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: