Crash in [@ mozilla::a11y::LazyInstantiator::GetPropertyValue]
Categories
(Core :: Disability Access APIs, defect, P1)
Tracking
()
| Tracking | Status | |
|---|---|---|
| firefox-esr115 | --- | unaffected |
| firefox-esr128 | --- | unaffected |
| firefox138 | --- | unaffected |
| firefox139 | --- | disabled |
| firefox140 | --- | fixed |
People
(Reporter: mccr8, Assigned: Jamie)
References
(Regression)
Details
(Keywords: crash, regression)
Crash Data
Attachments
(1 file)
Crash report: https://crash-stats.mozilla.org/report/index/8370440c-3d2e-461d-8061-3a7ed0250429
Reason:
EXCEPTION_ACCESS_VIOLATION_READ
Top 10 frames:
0 xul.dll mozilla::a11y::LazyInstantiator::GetPropertyValue(int, tagVARIANT*) accessible/windows/msaa/LazyInstantiator.cpp:820
1 UIAutomationCore.dll ProviderCallouts::GetPropertyValue(IRawElementProviderSimple*, unsigned short...
2 UIAutomationCore.dll EventManager::GetFocusedNodeFromProviderOnServerSide(IRawElementProviderSimpl...
3 UIAutomationCore.dll EventManager::GetFocusedNodeOnServerSide(IUiaNode*, IUiaNode**)
4 UIAutomationCore.dll EventManager::DoCalldowns(bool, IUiaNode*, EventRecord&, bool, std::vector<Mi...
5 UIAutomationCore.dll EventManager::IncomingAddEvent(UiaNode*, AddEventDataItem&, int*, std::vector...
6 UIAutomationCore.dll InProcClientAPIStub::UiaNode_AddEvent(char*)
7 UIAutomationCore.dll ComInvoker::CallTarget(long (*)(void*), void*)
8 UIAutomationCore.dll InProcClientAPIStub::InvokeInProcAPI(ITargetContextInvoker*, Protocol_MethodI...
9 UIAutomationCore.dll UiaNode::CrossProcess_AddEvent(AddEventDataItem&, int*, std::vector<Microsoft...
I see a single crash on 137, but there's 6 crashes on 139a1, then around 20 on 140a1. Maybe there are a few different stacks.
This method was added last year, so probably not a signature change.
First 139 Nightly with this is 20250428093632, which fortunately has a very small set of new changes. Bug 1957314 seems like the most likely candidate. Sounds like that is Nightly only so perhaps 139 can be set to disabled.
|
Assignee | |
Comment 1•11 months ago
|
||
Hmm. I thought I'd fixed this in bug 1897333, but apparently not. Also, the number of crashes would suggest this likely isn't due to users flipping the pref at runtime, which is puzzling because that's the only reason I can currently fathom for this crash.
|
Reporter | |
Updated•11 months ago
|
|
|
Assignee | |
Comment 2•11 months ago
|
||
Aha. These crashes all seem to be startup crashes with NVDA running. What's unique about this case is that we disable UIA if we detect NVDA. But maybe we don't detect NVDA early enough, so UIA is enabled briefly, long enough for UIA to QI to IRawElementProviderSimple, but then it gets disabled afterwards.
|
|
Assignee | |
Updated•11 months ago
|
|
|
Assignee | |
Comment 3•11 months ago
|
||
When a UIA client first queries us, the accessibility engine hasn't yet been initialised.
Previously, this also meant that we hadn't yet called InitConsumers() to figure out which Windows clients were present.
This in turn meant that we would initially believe UIA should be enabled, even if we later realised NVDA/a Vispero product was present and then believed it should be disabled.
To fix this, call InitConsumers() appropriately if it hasn't been called yet.
Even with the above fix, the following scenario might still be possible:
- UIA is enabled.
- A client QueryInterfaces to IRawElementProviderSimple.
- UIA gets disabled.
- Only then does the client try to call a method on IRawElementProviderSimple.
In this scenario, LazyInstantiator::MaybeResolveRoot won't set mWeakUia, but the IRawElementProviderSimple method will try to use mWeakUia, causing a crash.
To fix this, add a new RESOLVE_ROOT_UIA macro used by IRawElementProviderSimple methods.
In addition to calling RESOLVE_ROOT, this also checks mWeakUia and fails gracefully if that is null.
|
||
Comment 5•11 months ago
|
||
| bugherder | ||
|
||
Comment 6•11 months ago
|
||
The patch landed in nightly and beta is affected.
:Jamie, is this bug important enough to require an uplift?
- If yes, please nominate the patch for beta approval.
- See https://wiki.mozilla.org/Release_Management/Requesting_an_Uplift for documentation on how to request an uplift.
- If no, please set
status-firefox139towontfix.
For more information, please visit BugBot documentation.
|
|
Assignee | |
Updated•11 months ago
|
|
||
Updated•10 months ago
|
Description
•