Crash in [@ mozilla::a11y::HyperTextAccessibleBase::OffsetAtPoint]
Categories
(Core :: Disability Access APIs, defect)
Tracking
()
| Tracking | Status | |
|---|---|---|
| firefox-esr102 | --- | unaffected |
| firefox-esr115 | --- | fixed |
| firefox114 | --- | unaffected |
| firefox115 | --- | unaffected |
| firefox116 | --- | fixed |
People
(Reporter: MarcoZ, Assigned: Jamie)
References
(Regression)
Details
(Keywords: crash, regression)
Crash Data
Attachments
(1 file)
|
48 bytes,
text/x-phabricator-request
|
dmeehan
:
approval-mozilla-esr115+
|
Details | Review |
Crash report: https://crash-stats.mozilla.org/report/index/fc535a6a-1859-4626-b3ab-80ad10230616
Reason: EXCEPTION_ACCESS_VIOLATION_READ
Top 10 frames of crashing thread:
0 xul.dll mozilla::a11y::HyperTextAccessibleBase::OffsetAtPoint accessible/basetypes/HyperTextAccessibleBase.cpp:303
1 xul.dll mozilla::a11y::ia2AccessibleText::get_offsetAtPoint accessible/windows/ia2/ia2AccessibleText.cpp:162
2 FSDomNodeFirefoxMP.DLL FSDomNodeFirefoxMP.DLL@0x394f8
3 FSDomNodeFirefoxMP.DLL FSDomNodeFirefoxMP.DLL@0x52a7f
4 FSDomNodeFirefoxMP.DLL FSDomNodeFirefoxMP.DLL@0xdc92
5 FSDomNodeFirefoxMP.DLL FSDomNodeFirefoxMP.DLL@0x35677
6 FSDomNodeFirefoxMP.DLL FSDomNodeFirefoxMP.DLL@0x353f4
7 msvcp140.dll <unknown in msvcp140.amd64.pdb>
8 FSDomNodeFirefoxMP.DLL FSDomNodeFirefoxMP.DLL@0x5a67
9 FSDomNodeFirefoxMP.DLL FSDomNodeFirefoxMP.DLL@0x3ba6
I got this crash on a site that requires a login. The scenario was a link from one page to another that also had an anchor target. When this page is loading, JAWS and Firefox together reliably crash.
If I do the same with NVDA NVDA version alpha-28430,3920fa58, it spews out this error in the log:
ERROR - speech.manager.SpeechManager._handleIndex (08:06:45.118) - MainThread (20684):
Error running speech callback
Traceback (most recent call last):
File "speech\manager.pyc", line 685, in _handleIndex
File "speech\commands.pyc", line 336, in run
File "speech\sayAll.pyc", line 280, in _onLineReached
File "speech\sayAll.pyc", line 324, in lineReached
File "documentBase.pyc", line 74, in makeTextInfo
File "virtualBuffers\__init__.pyc", line 210, in __init__
File "textInfos\offsets.pyc", line 484, in __init__
File "virtualBuffers\__init__.pyc", line 228, in _getStoryLength
OSError: [WinError 1775] a NULL-contexthandle was passed from the client to the server during a remote procedure call
Eventually, though, NVDA focuses on the anchor correctly.
Another crash report that reproduces this:
https://crash-stats.mozilla.org/report/index/57fa2672-89ed-44e7-beee-136200230616
i suspect this is fall-out from the fix for bug 1789235.
I sometimes notice, with NVDA, that anchor jumps don't work reliably, and when this happens, the original trick of simply forcing focus back to the document by opening and closing the menu bar doesn't work. So the event did get fired, but somehow NVDA misses it, or focus on the document gets fired after the scrolling start event or such. Anyway, JAWS seems to expose a bug here that NVDA somehow either doesn't trigger, or masks differently.
|
Assignee | |
Comment 1•1 year ago
|
||
This is caused by bug 1837030.
|
|
Assignee | |
Comment 2•1 year ago
|
||
In OffsetAtPoint, we call ChildAtPoint, but we don't handle the case that ChildAtPoint returns null. While we're here, we probably shouldn't assume that DocumentFor won't return null. Returning null there is rare, but it could happen if, for example, the Accessible was being moved and a client happened to poke it between the hide and show IPDL calls.
|
||
Comment 3•1 year ago
|
||
Set release status flags based on info from the regressing bug 1837030
:morgan, since you are the author of the regressor, bug 1837030, could you take a look?
For more information, please visit BugBot documentation.
|
|
Assignee | |
Updated•1 year ago
|
|
|
Assignee | |
Comment 4•1 year ago
|
||
Well, I have a patch ready to go, but Phabricator is barfing. Poo.
|
|
Assignee | |
Comment 5•1 year ago
|
||
- nsAccUtils::DocumentFor might return null if the Accessible is being moved and a client queried it during the move.
- ChildAtPoint might return null if the point can't be located at all.
Pushed by jteh@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/8ff185f84377 Add null checks in HyperTextAccessibleBase::OffsetAtPoint. r=morgan
|
||
Comment 7•1 year ago
|
||
| bugherder | ||
|
|
||
Comment 8•11 months ago
|
||
Set release status flags based on info from the regressing bug 1837030
|
|
Assignee | |
Comment 9•8 months ago
|
||
Comment on attachment 9339503 [details]
Bug 1838782: Add null checks in HyperTextAccessibleBase::OffsetAtPoint.
ESR Uplift Approval Request
- If this is not a sec:{high,crit} bug, please state case for ESR consideration: Needed to fix various accessibility regressions introduced by the Cache the World project which shipped in 115.
- User impact if declined: Potential crash introduced by bug 1837030.
- Fix Landed on Version: 116
- Risk to taking this patch: Low
- Why is the change risky/not risky? (and alternatives if risky): Simple null checks.
|
||
Comment 10•8 months ago
|
||
| uplift | ||
https://hg.mozilla.org/releases/mozilla-esr115/rev/d9a7db1ad09f
|
||
Comment 11•8 months ago
|
||
Comment on attachment 9339503 [details]
Bug 1838782: Add null checks in HyperTextAccessibleBase::OffsetAtPoint.
Approved for 115.4esr.
|
|
||
Updated•8 months ago
|
Description
•