Crash in [@ mozilla::a11y::LazyInstantiator::GetPatternProvider]
Categories
(Core :: Disability Access APIs, defect)
People
(Reporter: dholbert, Unassigned)
References
(Blocks 1 open bug)
Details
(Keywords: crash)
Crash Data
Crash report: https://crash-stats.mozilla.org/report/index/da603063-8df5-4bf5-9fcc-6fb4f0240517
Reason: EXCEPTION_ACCESS_VIOLATION_READ
Top 10 frames:
0 xul.dll mozilla::a11y::LazyInstantiator::GetPatternProvider(int, IUnknown**) accessible/windows/msaa/LazyInstantiator.cpp:817
1 uiautomationcore.dll ProviderCallouts::GetPatternProvider(IRawElementProviderSimple*, int, IUnknow...
2 uiautomationcore.dll UiaNode::ProviderGetPatternProvider(int, int, PatternInfo const*, IUnknown**)
3 uiautomationcore.dll UiaNode::ProviderGetPropertyValue(int, int, IRawElementProviderSimple*, int, ...
4 uiautomationcore.dll InProcClientAPIStub::UiaNode_GetPropertyValues(char*)
5 uiautomationcore.dll ComInvoker::CallTarget(long (*)(void*), void*, unsigned int)
6 uiautomationcore.dll InProcClientAPIStub::InvokeInProcAPI(ITargetContextInvoker*, Protocol_MethodI...
7 uiautomationcore.dll UiaNode::CrossProcess_GetPropertyValues(int, unsigned int, int const*, int, t...
8 uiautomationcore.dll RemoteUiaNodeStub::Incoming_GetPropertyValues(UiaNode*, ITargetContextInvoker...
9 uiautomationcore.dll InvokeElementMethodOnCorrectContext_Callback(void*)
I hit this when running with accessibility.uia.enable set to true as part of testing bug 1876192.
Comment 1 (Reporter)•5 months ago
Looks like this was a null-deref on the last line of this code block:
https://searchfox.org/mozilla-central/rev/a18a7c526cf3c531f2fc24db4f0dffbc16290a7e/accessible/windows/msaa/LazyInstantiator.cpp#813-817
    STDMETHODIMP
    LazyInstantiator::GetPatternProvider(
        PATTERNID aPatternId, __RPC__deref_out_opt IUnknown** aPatternProvider) {
      RESOLVE_ROOT;
      return mWeakUia->GetPatternProvider(aPatternId, aPatternProvider);
So probably we're getting here with mWeakUia being nullptr.
Comment 2•5 months ago
This should only be possible if accessibility.uia.enable is set to false when LazyInstantiator resolves the root and then set to true later. I did think about this case when I wrote the code, but I expected that GetRootUia() would bypass LazyInstantiator in that case and so we'd never hit this code path. Clearly, I was wrong, but I don't know how yet.
Comment 3•2 months ago
Closing because no crashes reported for 12 weeks.
Comment 4•2 months ago
This bug still exists. It just isn't being hit because most people aren't flipping this pref.
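Added example, not part of the bug thread and not Firefox code: a stand-alone C++ model of the sequence comment 2 describes (pref off when the root resolves, on afterwards), with the unchecked call from comment 1 next to a guarded variant. `LazyWrapper`, `UiaRoot`, the HRESULT stand-ins, and the assumption that the pointer is cached only when the pref is on at resolve time are all hypothetical.

```cpp
// Simplified model, not Firefox code: all names here are hypothetical stand-ins.
using HResult = long;           // stand-in for HRESULT
constexpr HResult kOk = 0;      // stand-in for S_OK
constexpr HResult kFail = -1;   // stand-in for a failure HRESULT
bool gUiaPref = false;          // models accessibility.uia.enable

struct UiaRoot {                // stand-in for the real UIA root provider
  HResult GetPatternProvider(int, void** aOut) { *aOut = this; return kOk; }
};

class LazyWrapper {
 public:
  explicit LazyWrapper(UiaRoot* aRoot) : mRoot(aRoot) {}
  // Resolves once; the UIA pointer is cached only if the pref is on at that
  // moment (assumption based on comment 2).
  void ResolveRoot() {
    if (mResolved) return;
    mResolved = true;
    mWeakUia = gUiaPref ? mRoot : nullptr;
  }

  // Shape of the crashing call: trusts mWeakUia once the root is resolved.
  HResult GetPatternProviderUnchecked(int aId, void** aOut) {
    ResolveRoot();
    return mWeakUia->GetPatternProvider(aId, aOut);  // null deref if unset
  }

  // Guarded form: return a failure code instead of dereferencing null.
  HResult GetPatternProviderChecked(int aId, void** aOut) {
    *aOut = nullptr;
    ResolveRoot();
    return mWeakUia ? mWeakUia->GetPatternProvider(aId, aOut) : kFail;
  }

 private:
  UiaRoot* mRoot;
  UiaRoot* mWeakUia = nullptr;
  bool mResolved = false;
};

// Comment 2's sequence: pref off when the root resolves, switched on later.
HResult CallAfterPrefFlip(bool aPrefAtResolve) {
  UiaRoot root;
  LazyWrapper lazy(&root);
  gUiaPref = aPrefAtResolve;
  lazy.ResolveRoot();
  gUiaPref = true;              // calls through the wrapper happen from here on
  void* out = nullptr;
  return lazy.GetPatternProviderChecked(1, &out);
}
int main() { return CallAfterPrefFlip(false) == kFail ? 0 : 1; }
```

The guard is one defensive option for turning the access violation into a failed call; the thread does not say how the underlying state mismatch was or should be fixed.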