Open Bug 1897333 Opened 5 months ago Updated 1 month ago

Crash in [@ mozilla::a11y::LazyInstantiator::GetPatternProvider]

Categories

(Core :: Disability Access APIs, defect)

Unspecified
Windows 11
defect

Tracking

()

REOPENED

People

(Reporter: dholbert, Unassigned)

References

(Blocks 1 open bug)

Details

(Keywords: crash)

Crash Data

Crash report: https://crash-stats.mozilla.org/report/index/da603063-8df5-4bf5-9fcc-6fb4f0240517

Reason: EXCEPTION_ACCESS_VIOLATION_READ

Top 10 frames:

0  xul.dll  mozilla::a11y::LazyInstantiator::GetPatternProvider(int, IUnknown**)  accessible/windows/msaa/LazyInstantiator.cpp:817
1  uiautomationcore.dll  ProviderCallouts::GetPatternProvider(IRawElementProviderSimple*, int, IUnknow...
2  uiautomationcore.dll  UiaNode::ProviderGetPatternProvider(int, int, PatternInfo const*, IUnknown**)
3  uiautomationcore.dll  UiaNode::ProviderGetPropertyValue(int, int, IRawElementProviderSimple*, int, ...
4  uiautomationcore.dll  InProcClientAPIStub::UiaNode_GetPropertyValues(char*)
5  uiautomationcore.dll  ComInvoker::CallTarget(long (*)(void*), void*, unsigned int)
6  uiautomationcore.dll  InProcClientAPIStub::InvokeInProcAPI(ITargetContextInvoker*, Protocol_MethodI...
7  uiautomationcore.dll  UiaNode::CrossProcess_GetPropertyValues(int, unsigned int, int const*, int, t...
8  uiautomationcore.dll  RemoteUiaNodeStub::Incoming_GetPropertyValues(UiaNode*, ITargetContextInvoker...
9  uiautomationcore.dll  InvokeElementMethodOnCorrectContext_Callback(void*)

I hit this when running with accessibility.uia.enable set to true as part of testing bug 1876192.

Looks like this was a null-deref on the last line of this code block:
https://searchfox.org/mozilla-central/rev/a18a7c526cf3c531f2fc24db4f0dffbc16290a7e/accessible/windows/msaa/LazyInstantiator.cpp#813-817

STDMETHODIMP
LazyInstantiator::GetPatternProvider(
    PATTERNID aPatternId, __RPC__deref_out_opt IUnknown** aPatternProvider) {
  RESOLVE_ROOT;
  // Crashing line from the report: mWeakUia is dereferenced without a null check.
  return mWeakUia->GetPatternProvider(aPatternId, aPatternProvider);
}

So probably we're getting here with mWeakUia being nullptr.

This should only be possible if accessibility.uia.enable is set to false when LazyInstantiator resolves the root and then set to true later. I did think about this case when I wrote the code, but I expected that GetRootUia() would bypass LazyInstantiator in that case and so we'd never hit this code path. Clearly, I was wrong, but I don't know how yet.

Severity: -- → S3
Blocks: uia
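The ordering described in the comment above (root resolved while the pref is off, pref flipped on afterwards, then a UIA client call arrives) can be reproduced outside the browser. The following is an added illustration, not code from mozilla-central or from the people on this bug: it uses a toy `LazyInstantiator` with a hypothetical `gUiaEnabled` flag standing in for accessibility.uia.enable, stub COM-like types instead of the real IUnknown/IRawElementProviderSimple, and shows the unguarded path beside a guarded variant that fails closed with an HRESULT when `mWeakUia` was never populated. The guard is one possible mitigation, not the fix the project adopted.

```cpp
#include <cstdint>
#include <cstdio>
#include <memory>

// Toy stand-ins for the Windows/COM types used by the real code (assumptions).
using HRESULT = int32_t;
constexpr HRESULT S_OK = 0;
constexpr HRESULT E_POINTER = static_cast<HRESULT>(0x80004003u);
constexpr HRESULT E_FAIL = static_cast<HRESULT>(0x80004005u);

// Hypothetical stand-in for the accessibility.uia.enable pref.
static bool gUiaEnabled = false;

struct IUnknownLike {
  virtual ~IUnknownLike() = default;
};

// Stand-in for the UIA root provider that mWeakUia points at.
struct UiaRoot {
  HRESULT GetPatternProvider(int /*aPatternId*/, IUnknownLike** aOut) {
    *aOut = nullptr;  // toy root supports no patterns, but answers cleanly
    return S_OK;
  }
};

class LazyInstantiator {
 public:
  // Resolve the root at most once. mWeakUia is only populated if the pref
  // is on at resolution time, which is the ordering hazard the bug describes.
  void ResolveRoot() {
    if (mResolved) return;
    mResolved = true;
    if (gUiaEnabled) {
      mUia = std::make_unique<UiaRoot>();
      mWeakUia = mUia.get();
    }
  }

  // Mirrors the reported shape: dereferences mWeakUia unconditionally.
  HRESULT GetPatternProviderUnguarded(int aPatternId, IUnknownLike** aOut) {
    ResolveRoot();
    return mWeakUia->GetPatternProvider(aPatternId, aOut);  // null-deref if unset
  }

  // Guarded variant: validate the out-param, then fail closed when the
  // root was resolved without UIA rather than touching a null pointer.
  HRESULT GetPatternProviderGuarded(int aPatternId, IUnknownLike** aOut) {
    if (!aOut) return E_POINTER;
    *aOut = nullptr;
    ResolveRoot();
    if (!mWeakUia) return E_FAIL;
    return mWeakUia->GetPatternProvider(aPatternId, aOut);
  }

  bool HasUia() const { return mWeakUia != nullptr; }

 private:
  bool mResolved = false;
  std::unique_ptr<UiaRoot> mUia;
  UiaRoot* mWeakUia = nullptr;  // non-owning, may legitimately stay null
};

// Scenario from the bug: resolve with the pref off, flip it on, then call.
// Only the guarded path is safe to execute here; the unguarded one crashes.
HRESULT LateEnableGuarded() {
  gUiaEnabled = false;
  LazyInstantiator li;
  li.ResolveRoot();   // mWeakUia stays null
  gUiaEnabled = true; // pref flipped after the root was resolved
  IUnknownLike* out = nullptr;
  return li.GetPatternProviderGuarded(1, &out);
}

// Control: pref on before first use, both variants behave.
HRESULT EarlyEnableGuarded() {
  gUiaEnabled = true;
  LazyInstantiator li;
  IUnknownLike* out = nullptr;
  return li.GetPatternProviderGuarded(1, &out);
}

int main() {
  std::printf("late enable, guarded:  0x%08x\n",
              static_cast<uint32_t>(LateEnableGuarded()));
  std::printf("early enable, guarded: 0x%08x\n",
              static_cast<uint32_t>(EarlyEnableGuarded()));
  return 0;
}
```

Running the unguarded method in the late-enable scenario reproduces the EXCEPTION_ACCESS_VIOLATION_READ shape from the crash report (a read through a null this-pointer); the guarded method instead returns a failure HRESULT the UIA client can handle.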

Closing because no crashes reported for 12 weeks.

Status: NEW → RESOLVED
Closed: 2 months ago
Resolution: --- → WORKSFORME

This bug still exists. It just isn't being hit because most people aren't flipping this pref.

Status: RESOLVED → REOPENED
Resolution: WORKSFORME → ---