Closed Bug 1840253 Opened 2 years ago Closed 2 years ago

Crash in [@ mozilla::a11y::DocAccessible::GetAccessible]

Categories

(Core :: Disability Access APIs, defect)

Product:
Core
Component:
Disability Access APIs
Platform:
Unspecified
Windows 11
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
116 Branch
Tracking Flags:
Tracking Status
firefox-esr102 --- unaffected
firefox-esr115 --- unaffected
firefox114 --- unaffected
firefox115 --- unaffected
firefox116 + fixed

People

(Reporter: diannaS, Assigned: nlapre)

References

(Regression)

Details

(Keywords: crash, regression)

Crash Data

Attachments

(1 file)

Bug 1840253: Defend against NotifyOfAnchorJumpTo null pointer dereference, r?Jamie
48 bytes, text/x-phabricator-request
Details | Review

Crash report: https://crash-stats.mozilla.org/report/index/57e0f09e-f0fd-4d81-8209-2d1300230624

Started with build 20230623092529

Reason: EXCEPTION_ACCESS_VIOLATION_READ

Top 10 frames of crashing thread:

0  xul.dll  mozilla::a11y::DocAccessible::GetAccessible const  accessible/generic/DocAccessible.cpp:2741
1  xul.dll  nsAccessibilityService::NotifyOfAnchorJumpTo  accessible/base/nsAccessibilityService.cpp:501
2  xul.dll  mozilla::PresShell::GoToAnchor  layout/base/PresShell.cpp:3238
3  xul.dll  mozilla::dom::Document::ScrollToRef  dom/base/Document.cpp:13082
4  xul.dll  nsContentSink::ScrollToRef  dom/base/nsContentSink.cpp:496
5  xul.dll  nsXMLContentSink::DidBuildModel  dom/xml/nsXMLContentSink.cpp:312
6  xul.dll  nsParser::DidBuildModel  parser/htmlparser/nsParser.cpp:332
6  xul.dll  nsParser::ResumeParse  parser/htmlparser/nsParser.cpp:767
7  xul.dll  nsParser::OnStopRequest  parser/htmlparser/nsParser.cpp:1062
8  xul.dll  mozilla::image::SVGDocumentWrapper::OnStopRequest  image/SVGDocumentWrapper.cpp:220

The target's document doesn't have a DocAccessible. I guess that could happen if we haven't built it yet or if the document is hidden.

Keywords: regression
Regressed by: 1789235

Set release status flags based on info from the regressing bug 1789235

:nlapre, since you are the author of the regressor, bug 1789235, could you take a look? Also, could you set the severity field?

For more information, please visit BugBot documentation.

status-firefox114: --- → unaffected
status-firefox115: --- → unaffected
status-firefox116: --- → affected
status-firefox-esr102: --- → unaffected
Flags: needinfo?(nlapre)

This revision adds a check for null to the document variable in order to avoid
dereferencing it if it's null. This defends us against a crash we can observe
when the document isn't built yet or is hidden, in which case we can't handle
an anchor jump anyway.

Assignee: nobody → nlapre
Status: NEW → ASSIGNED
Flags: needinfo?(nlapre)
tracking-firefox116: --- → +
Pushed by nlapre@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/474f4f45ae35 Defend against NotifyOfAnchorJumpTo null pointer dereference, r=Jamie

https://hg.mozilla.org/mozilla-central/rev/474f4f45ae35

Status: ASSIGNED → RESOLVED
Closed: 2 years ago
status-firefox116: affectedfixed
Resolution: --- → FIXED
Target Milestone: --- → 116 Branch

Set release status flags based on info from the regressing bug 1789235

status-firefox-esr115: --- → unaffected
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: