Closed Bug 1897333 Opened 1 year ago Closed 1 year ago

Crash in [@ mozilla::a11y::LazyInstantiator::GetPatternProvider]

Categories

(Core :: Disability Access APIs, defect)

Unspecified
Windows 11
defect

Tracking


RESOLVED FIXED
139 Branch
Tracking Status
firefox-esr115 --- wontfix
firefox-esr128 --- wontfix
firefox137 --- wontfix
firefox138 --- wontfix
firefox139 --- fixed

People

(Reporter: dholbert, Assigned: Jamie)

References

(Blocks 1 open bug)

Details

(Keywords: crash, Whiteboard: [uiaShipBlocker])

Crash Data

Attachments

(1 file)

Crash report: https://crash-stats.mozilla.org/report/index/da603063-8df5-4bf5-9fcc-6fb4f0240517

Reason: EXCEPTION_ACCESS_VIOLATION_READ

Top 10 frames:

0  xul.dll  mozilla::a11y::LazyInstantiator::GetPatternProvider(int, IUnknown**)  accessible/windows/msaa/LazyInstantiator.cpp:817
1  uiautomationcore.dll  ProviderCallouts::GetPatternProvider(IRawElementProviderSimple*, int, IUnknow...
2  uiautomationcore.dll  UiaNode::ProviderGetPatternProvider(int, int, PatternInfo const*, IUnknown**)
3  uiautomationcore.dll  UiaNode::ProviderGetPropertyValue(int, int, IRawElementProviderSimple*, int, ...
4  uiautomationcore.dll  InProcClientAPIStub::UiaNode_GetPropertyValues(char*)
5  uiautomationcore.dll  ComInvoker::CallTarget(long (*)(void*), void*, unsigned int)
6  uiautomationcore.dll  InProcClientAPIStub::InvokeInProcAPI(ITargetContextInvoker*, Protocol_MethodI...
7  uiautomationcore.dll  UiaNode::CrossProcess_GetPropertyValues(int, unsigned int, int const*, int, t...
8  uiautomationcore.dll  RemoteUiaNodeStub::Incoming_GetPropertyValues(UiaNode*, ITargetContextInvoker...
9  uiautomationcore.dll  InvokeElementMethodOnCorrectContext_Callback(void*)

I hit this when running with accessibility.uia.enable set to true as part of testing bug 1876192.

Looks like this was a null-deref on the last line of this code block:
https://searchfox.org/mozilla-central/rev/a18a7c526cf3c531f2fc24db4f0dffbc16290a7e/accessible/windows/msaa/LazyInstantiator.cpp#813-817

STDMETHODIMP
LazyInstantiator::GetPatternProvider(
    PATTERNID aPatternId, __RPC__deref_out_opt IUnknown** aPatternProvider) {
  RESOLVE_ROOT;
  return mWeakUia->GetPatternProvider(aPatternId, aPatternProvider);
}

So probably we're getting here with mWeakUia being nullptr.

This should only be possible if accessibility.uia.enable is set to false when LazyInstantiator resolves the root and then set to true later. I did think about this case when I wrote the code, but I expected that GetRootUia() would bypass LazyInstantiator in that case and so we'd never hit this code path. Clearly, I was wrong, but I don't know how yet.
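Added illustration, not code from this bug, from mozilla-central or from the landed patch: a minimal C++ model of the ordering problem described above. A global flag stands in for the accessibility.uia.enable pref, a small struct stands in for the UIA provider object, and two classes model a lazy instantiator that resolves its root once. The "Before" class caches the UIA pointer only if the pref was true at resolve time and never revisits that decision, so flipping the pref afterwards leaves the pointer null; the "After" class re-acquires the pointer on a later call once the pref is enabled, which is the behaviour the fix commit message describes. All identifiers here (gUiaEnabled, FakeUiaProvider, LazyInstantiatorBefore/After, the result codes) are constructed for the example; the null case returns an error code where the real code dereferenced nullptr, so the model can be run without crashing.

```cpp
#include <cstdint>
#include <cstdio>

// Constructed result codes standing in for HRESULTs (hypothetical).
constexpr int32_t kOk = 0;
constexpr int32_t kNullProvider = -1;  // where the real code would have dereferenced nullptr

// Constructed stand-in for the UIA provider object; not the real class.
struct FakeUiaProvider {
  int32_t GetPatternProvider(int patternId, int* outPattern) {
    *outPattern = patternId;  // constructed behaviour: echo the id back
    return kOk;
  }
};

// Hypothetical stand-in for the accessibility.uia.enable pref.
static bool gUiaEnabled = false;

// Model of the pre-fix behaviour: the root is resolved once, and the UIA pointer is
// fetched only if the pref is true at that instant. A later pref flip is never noticed.
class LazyInstantiatorBefore {
 public:
  void MaybeResolveRoot() {
    if (mRootResolved) return;  // already resolved: nothing is re-checked
    mRootResolved = true;
    if (gUiaEnabled) mWeakUia = &mProvider;
  }
  int32_t GetPatternProvider(int patternId, int* outPattern) {
    MaybeResolveRoot();                     // models RESOLVE_ROOT
    if (!mWeakUia) return kNullProvider;    // the real code dereferenced here: the crash
    return mWeakUia->GetPatternProvider(patternId, outPattern);
  }
 private:
  FakeUiaProvider mProvider;
  FakeUiaProvider* mWeakUia = nullptr;
  bool mRootResolved = false;
};

// Model of the fix: if the root was resolved while UIA was disabled and UIA is enabled by
// the time the instantiator is touched again, acquire the pointer then.
class LazyInstantiatorAfter {
 public:
  void MaybeResolveRoot() {
    mRootResolved = true;
    if (gUiaEnabled && !mWeakUia) mWeakUia = &mProvider;  // late acquisition
  }
  int32_t GetPatternProvider(int patternId, int* outPattern) {
    MaybeResolveRoot();
    if (!mWeakUia) return kNullProvider;    // still null only if the pref is off
    return mWeakUia->GetPatternProvider(patternId, outPattern);
  }
 private:
  FakeUiaProvider mProvider;
  FakeUiaProvider* mWeakUia = nullptr;
  bool mRootResolved = false;
};

// The sequence from the bug: first resolve while the pref is false, then the pref is
// flipped to true at runtime, then a UIA client asks for a pattern provider.
template <class Inst>
int32_t RunPrefFlipScenario(Inst& inst) {
  gUiaEnabled = false;
  inst.MaybeResolveRoot();
  gUiaEnabled = true;
  int pattern = 0;
  return inst.GetPatternProvider(42, &pattern);
}

int32_t BeforeFixResult() { LazyInstantiatorBefore i; return RunPrefFlipScenario(i); }
int32_t AfterFixResult()  { LazyInstantiatorAfter i;  return RunPrefFlipScenario(i); }

// Control case: pref enabled before the first resolve, which both versions handle.
int32_t EnabledFromStartResult() {
  gUiaEnabled = true;
  LazyInstantiatorBefore i;
  int pattern = 0;
  return i.GetPatternProvider(42, &pattern);
}

int main() {
  std::printf("before fix, pref flipped after resolve: %d (expect %d)\n",
              BeforeFixResult(), kNullProvider);
  std::printf("after fix,  pref flipped after resolve: %d (expect %d)\n",
              AfterFixResult(), kOk);
  std::printf("pref enabled from the start:            %d (expect %d)\n",
              EnabledFromStartResult(), kOk);
  return 0;
}
```

The point of the model is the ordering: a one-shot "resolved" flag that captures a runtime-toggleable setting is only correct if every consumer is guaranteed to bypass the lazy object once the setting changes, and the bug shows that guarantee did not hold. Re-checking the setting on each call (or null-checking the cached pointer before use) removes the dependency on call order.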

Severity: -- → S3

Closing because no crashes reported for 12 weeks.

Status: NEW → RESOLVED
Closed: 1 year ago
Resolution: --- → WORKSFORME

This bug still exists. It just isn't being hit because most people aren't flipping this pref.

Status: RESOLVED → REOPENED
Resolution: WORKSFORME → ---
Whiteboard: [uiaShipBlocker]
Assignee: nobody → jteh
Pushed by jteh@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/ee36cdea401e Get the UIA pointer if LazyInstantiator::MaybeResolveRoot is first called when UIA is disabled but is subsequently called after UIA is enabled. r=morgan
Status: REOPENED → RESOLVED
Closed: 1 year ago
Resolution: --- → FIXED
Target Milestone: --- → 139 Branch
QA Whiteboard: [qa-triage-done-c140/b139]
See Also: → 1963625