Crash in [@ mozilla::StaticPrefs::accessibility_uia_enable] caused by JAWS access from wrong thread
Categories
(Core :: Disability Access APIs, defect)
Tracking
()
| | Tracking | Status |
|---|---|---|
| firefox-esr115 | --- | unaffected |
| firefox126 | --- | fixed |
| firefox127 | --- | fixed |
| firefox128 | --- | fixed |
People
(Reporter: Jamie, Assigned: Jamie)
References
(Blocks 1 open bug, Regression)
Details
(Keywords: crash, regression)
Attachments
(3 files)
- 48 bytes, text/x-phabricator-request
- 48 bytes, text/x-phabricator-request (phab-bot: approval-mozilla-beta+)
- 48 bytes, text/x-phabricator-request (phab-bot: approval-mozilla-release+)
Spun off bug 1871989 comment 9 onwards.
Crash report: https://crash-stats.mozilla.org/report/index/e3d014c6-4960-4b7d-905f-4fb810240429
MOZ_CRASH Reason: MOZ_DIAGNOSTIC_ASSERT(IsAtomic<bool>::value || NS_IsMainThread()) (Non-atomic static pref 'accessibility.uia.enable' being accessed on background thread by getter)
Top 10 frames:
0 xul.dll mozilla::StaticPrefs::accessibility_uia_enable() modules/libpref/init/StaticPrefList_accessibility.h:45
1 xul.dll mozilla::a11y::MsaaAccessible::QueryInterface(_GUID const&, void**) accessible/windows/msaa/MsaaAccessible.cpp:526
2 oleacc.dll oleacc.dll@0x68ab
3 oleacc.dll oleacc.dll@0xadf1
4 oleacc.dll oleacc.dll@0xae7e
5 oleacc.dll oleacc.dll@0x5992
6 xul.dll mozilla::a11y::MsaaAccessible::QueryInterface(_GUID const&, void**) accessible/windows/msaa/MsaaAccessible.cpp:522
7 oleacc.dll oleacc.dll@0xa7b5
8 FSDomNodeIAText.DLL FSDomNodeIAText.DLL@0x24176
9 oleacc.dll oleacc.dll@0x664f
A client is never supposed to access Gecko UI from any thread other than the main thread. However, it looks like we bring up file picker dialogs in a background thread, and then JAWS (for some strange and unknown reason) tries to traverse into the (disabled) Gecko UI. Even if we make the UIA pref work on a background thread, we're going to hit all sorts of other problems if this happens.
Even if it traversed the tree, JAWS shouldn't be directly calling methods on Gecko objects from this thread. It should have used WM_GETOBJECT and ObjectFromLresult one way or another, which means they should be marshaled across threads by the COM marshaler. I can't be absolutely certain but this smells very much like a JAWS bug.
I could try asking Vispero to fix this, but I don't love our chances of a quick fix. In addition, because of the cost of updates, many JAWS users tend to be running old versions, so we'd still be dealing with that problem.
Comment 1•18 days ago (Assignee)
JAWS apparently does this sometimes.
In particular, this was causing a crash when we tried to check the UIA pref because that pref can only be accessed from the main thread.
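The guard this fix describes (return early when the caller is not on the owning thread, before any main-thread-only state is read), as an added example that is not Gecko's code. All names and result codes are hypothetical, and the diagnostic assert is modelled as a counter so the violation is observable instead of aborting.

```cpp
// Added illustration: a simplified model of the guard, not Gecko source.
#include <atomic>
#include <cstdio>
#include <thread>

enum Result { kOk, kNoInterface, kWrongThread };  // hypothetical result codes
enum Iface { kIfaceBase, kIfaceUia };             // hypothetical interface ids

// The thread that owns the object tree (the "main thread" of this model).
static const std::thread::id gMainThread = std::this_thread::get_id();
static bool IsMainThread() { return std::this_thread::get_id() == gMainThread; }

static bool gUiaEnabled = true;                   // non-atomic, main-thread-only
static std::atomic<int> gOffThreadPrefReads{0};   // stands in for the assert

static bool UiaEnabledPref() {
  // The real getter asserts here; this model counts the violation instead.
  if (!IsMainThread()) ++gOffThreadPrefReads;
  return gUiaEnabled;
}

// Unguarded: reads the pref on whatever thread the caller happens to use.
Result QueryUnguarded(Iface want) {
  if (want == kIfaceUia && !UiaEnabledPref()) return kNoInterface;
  return kOk;
}

// Guarded: early return before any main-thread-only state is touched.
Result QueryGuarded(Iface want) {
  if (!IsMainThread()) return kWrongThread;
  return QueryUnguarded(want);
}

// Runs f on a new background thread and returns its result.
template <typename F>
Result OnBackgroundThread(F f) {
  Result r = kOk;
  std::thread t([&] { r = f(); });
  t.join();
  return r;
}

int main() {
  Result g = OnBackgroundThread([] { return QueryGuarded(kIfaceUia); });
  std::printf("guarded: result=%d off-thread pref reads=%d\n", g, gOffThreadPrefReads.load());
  Result u = OnBackgroundThread([] { return QueryUnguarded(kIfaceUia); });
  std::printf("unguarded: result=%d off-thread pref reads=%d\n", u, gOffThreadPrefReads.load());
  return 0;
}
```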
Comment 2•18 days ago
Set release status flags based on info from the regressing bug 1881190
Pushed by jteh@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/84c756f39b46
Fail gracefully if a naughty client tries to QueryInterface on an MsaaAccessible from the wrong thread. r=eeejay
Comment 4•17 days ago
bugherder
Comment 5•17 days ago
The patch landed in nightly and beta is affected.
:Jamie, is this bug important enough to require an uplift?
- If yes, please nominate the patch for beta approval.
- If no, please set status-firefox127 to wontfix.
For more information, please visit BugBot documentation.
Comment 6•17 days ago
:jamie, to add to Comment 11.
I'm wondering about a release uplift too? Though it doesn't seem like this is being hit by users in Fx126 release.
Comment 7•16 days ago (Assignee)
Hmm. I thought this was only being hit by Thunderbird users, but the crash stats show Firefox users are hitting it as well. It probably wouldn't hurt to uplift to release if we spin a dot release for other reasons.
Comment 8•16 days ago (Assignee)
JAWS apparently does this sometimes.
In particular, this was causing a crash when we tried to check the UIA pref because that pref can only be accessed from the main thread.
Original Revision: https://phabricator.services.mozilla.com/D210417
Comment 9•16 days ago (Assignee)
Oh, I guess we aren't hitting it on release because it's a MOZ_DIAGNOSTIC_ASSERT, which doesn't trigger on release. However, that could be hiding problems further down the line... though even with this patch, there might be problems further down the line. It's probably still worth an uplift though.
Comment 10•16 days ago
beta Uplift Approval Request
- User impact if declined: Crashes in some cases when JAWS screen reader users open file picker dialogs.
- Code covered by automated testing: no
- Fix verified in Nightly: no
- Needs manual QE test: no
- Steps to reproduce for manual QE testing: not applicable
- Risk associated with taking this patch: low
- Explanation of risk level: Simply adds an early return for a failure case that would otherwise cause a crash.
- String changes made/needed: none
- Is Android affected?: no
Comment 11•16 days ago (Assignee)
JAWS apparently does this sometimes.
In particular, this was causing a crash when we tried to check the UIA pref because that pref can only be accessed from the main thread.
Original Revision: https://phabricator.services.mozilla.com/D210417
Comment 12•16 days ago
release Uplift Approval Request
- User impact if declined: Crashes in some cases when JAWS screen reader users open file picker dialogs.
- Code covered by automated testing: no
- Fix verified in Nightly: no
- Needs manual QE test: no
- Steps to reproduce for manual QE testing: not applicable
- Risk associated with taking this patch: low
- Explanation of risk level: Simply adds an early return for a failure case that would otherwise cause a crash.
- String changes made/needed: none
- Is Android affected?: no
Comment 13•16 days ago
uplift
https://hg.mozilla.org/releases/mozilla-beta/rev/4d0175594418
Comment 14•9 days ago
uplift
https://hg.mozilla.org/releases/mozilla-release/rev/acddfd908c81