Closed Bug 1832260 Opened 1 year ago Closed 11 months ago

Crash in [@ nsIFrame::IsTextFrame] when reaching New Import Modal with Narrator active

Categories

(Core :: Disability Access APIs, defect)

Product:
Core
Component:
Disability Access APIs
Version:
Firefox 115
Platform:
Desktop
All
Type:
defect

Tracking

()

Status:
VERIFIED FIXED
Milestone:
115 Branch
Tracking Flags:
Tracking Status
firefox-esr102 --- unaffected
firefox113 --- disabled
firefox114 --- disabled
firefox115 --- verified

People

(Reporter: vsangerean, Assigned: morgan)

References

(Blocks 1 open bug, Regression)

Details

(Keywords: crash, regression)

Crash Data

Attachments

(2 files)

Narrator.gif
2.64 MB, image/gif
Details
Bug 1832260: Fallback to LocalAccessible::Bounds if we can't find a frame in ComputeBoundsFromFrame. r?Jamie
48 bytes, text/x-phabricator-request
Details | Review
Attached image Narrator.gif

Found in
115.0a1 (2023-05-09)

Affected versions
115.0a1 (2023-05-09)

Tested platforms

Affected platforms: Windows10x64, Windows11x64
Unaffected platforms: MacOS12 ARM, Ubuntu 20.04

Preconditions
have some bookmarks and history saved in another profile
browser.migrate.content-modal.enabled:true
have Narrator available on the machine

Steps to reproduce

  1. Start the Narrator (CTRL + Windows Key + Enter)
  2. Go to about:preferences and click on Import Data
  3. Select one of the available browsers/profiles to import

Expected result
The profiles should be available for selection and importing can proceed

Actual result
The browser crashes when the Narrator screen reader reaches the new import modal.

Regression range
Most likely this started with the new implementation of the New import wizard to bug 1803445.

Additional notes
Issue does not reproduce with NVDA or other screen readers.
Please see attached GIF and crash report.

Crash report: https://crash-stats.mozilla.org/report/index/9f3de94a-62bd-4802-8afb-445130230510

Reason: EXCEPTION_ACCESS_VIOLATION_READ

Top 10 frames of crashing thread:

0  xul.dll  nsIFrame::IsTextFrame const  layout/generic/FrameTypeList.h:10
0  xul.dll  mozilla::a11y::TextLeafPoint::ComputeBoundsFromFrame const  accessible/base/TextLeafRange.cpp:1472
1  xul.dll  mozilla::a11y::TextLeafPoint::CharBounds  accessible/base/TextLeafRange.cpp:1730
2  xul.dll  mozilla::a11y::HyperTextAccessibleBase::CharBounds  accessible/basetypes/HyperTextAccessibleBase.cpp:222
3  xul.dll  mozilla::a11y::HyperTextAccessible::CharBounds  accessible/generic/HyperTextAccessible.cpp:1572
4  xul.dll  mozilla::a11y::ia2AccessibleText::get_characterExtents  accessible/windows/ia2/ia2AccessibleText.cpp:120
5  UIAutomationCore.DLL  static long AccUtils::get_characterExtents  
6  UIAutomationCore.DLL  <lambda_efd8f902d39a9d9b79a18de7aad93e3e>::operator  
7  UIAutomationCore.DLL  bool std::_Func_class<bool, class IA2ProxyTextRange*>::operator const  
8  UIAutomationCore.DLL  bool IA2ProxyTextRange::IterateOverSubRanges
Regressed by: 1821744
No longer regressed by: 1803445

Set release status flags based on info from the regressing bug 1821744

:mconley, since you are the author of the regressor, bug 1821744, could you take a look?

For more information, please visit BugBot documentation.

status-firefox113: --- → affected
status-firefox114: --- → affected
status-firefox-esr102: --- → unaffected
Flags: needinfo?(mconley)

Hm, interesting. This stack is originating from an external DLL and calling into our a11y code, which reaches into some of our layout stuff. Morgan, do you know if this is something that the a11y or the layout team should look at? Putting into Core :: Disability Accesse APIs in the meantime.

Component: Migration → Disability Access APIs
Flags: needinfo?(mconley) → needinfo?(mreschenberg)
Product: Firefox → Core
Assignee: nobody → mreschenberg
Flags: needinfo?(mreschenberg)

I can see this crash happening on my Ubuntu 20.04 machine with Firefox 114.0b3, but the crash happens after pressing the Import button from the Import Browser Data window. Crash report: https://crash-stats.mozilla.org/report/index/790fa3c5-e7ff-4464-8d7b-f3b180230512
Strangely this happens only with Variant 1 (browser.migrate.content-modal.enabled:true/ browser.migrate.content-modal.import-all.enabled:false)

OS: Windows → All

Reproducing this on my Ubuntu 22.0.4 station with both variants with Firefox 114.0b5. The crash happens after clicking the Import button. Crash: https://crash-stats.mozilla.org/report/index/c09efb4b-8bc3-4e1c-84a2-c80d40230518#tab-bugzilla

Pushed by mreschenberg@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/932a3bd5afb0
Fallback to LocalAccessible::Bounds if we can't find a frame in ComputeBoundsFromFrame. r=Jamie

https://hg.mozilla.org/mozilla-central/rev/932a3bd5afb0

Status: NEW → RESOLVED
Closed: 11 months ago
status-firefox115: affectedfixed
Resolution: --- → FIXED
Target Milestone: --- → 115 Branch
Flags: qe-verify+

Issue is Verified-fixed in 115.0 Firefox.

Status: RESOLVED → VERIFIED
status-firefox115: fixedverified
Flags: qe-verify+
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: