Closed Bug 1965216 Opened 7 months ago Closed 7 months ago

Crash in [@ mozilla::StaticPrefs::accessibility_uia_enable_DoNotUseDirectly]

Categories

(Core :: Disability Access APIs, defect)

Unspecified
Windows 11
defect

Tracking

()

RESOLVED FIXED
140 Branch
Tracking Status
firefox-esr115 --- unaffected
firefox-esr128 --- unaffected
firefox138 --- unaffected
firefox139 + fixed
firefox140 + fixed

People

(Reporter: aryx, Assigned: Jamie)

References

(Blocks 1 open bug)

Details

(Keywords: crash, Whiteboard: [uiaShipBlocker])

Crash Data

Attachments

(2 files)

26 crashes from 3+ installs of Firefox 139.0 betas and 139.0a1 on Windows 11. First reported build ID is 20250401212749.

Crash report: https://crash-stats.mozilla.org/report/index/38a6c350-d025-4b96-b06c-655780250508

MOZ_CRASH Reason:

MOZ_DIAGNOSTIC_ASSERT(IsAtomic<uint32_t>::value || NS_IsMainThread()) (Non-atomic static pref 'accessibility.uia.enable' being accessed on background thread by getter)

Top 10 frames:

0  xul.dll  mozilla::StaticPrefs::accessibility_uia_enable_DoNotUseDirectly()  modules/libpref/init/StaticPrefList_accessibility.h:66
0  xul.dll  mozilla::a11y::Compatibility::IsUiaEnabled()  accessible/windows/msaa/Compatibility.cpp:221
1  xul.dll  mozilla::a11y::LazyInstantiator::MaybeResolveRoot()  accessible/windows/msaa/LazyInstantiator.cpp:392
2  xul.dll  mozilla::a11y::LazyInstantiator::get_accChild(tagVARIANT, IDispatch**)  accessible/windows/msaa/LazyInstantiator.cpp:584
3  rpcrt4.dll  Invoke
4  rpcrt4.dll  ?Ndr64StubWorker@@YAJPEAX0PEAU_RPC_MESSAGE@@PEAU_MIDL_SERVER_INFO_@@PEBQ6AJXZ...
5  rpcrt4.dll  NdrStubCall3
6  combase.dll  CStdStubBuffer_Invoke(IRpcStubBuffer*, tagRPCOLEMESSAGE*, IRpcChannelBuffer*)  onecore\com\combase\ndr\ndrole\stub.cxx:1395
7  combase.dll  InvokeStubWithExceptionPolicyAndTracing::__l6::<lambda_c9f3956a20c9da92a64aff...  onecore\com\combase\dcomrem\channelb.cxx:1152
7  combase.dll  ObjectMethodExceptionHandlingAction<<lambda_c9f3956a20c9da92a64affc24fdd69ec>...  onecore\com\combase\dcomrem\excepn.hxx:94
Flags: needinfo?(jteh)

The Windows COM runtime is calling us on the wrong thread, but I don't understand why. I can maybe understand the marshaler making QueryInterface calls on the wrong thread, but calling an IAccessible method just doesn't make sense and is a clear violation of COM rules. WM_GETOBJECT is received in our main thread. It calls LResultFromObject, which should associate that COM reference with our main thread from which it was called. Thus, COM should always marshal any calls to our main thread.

Blocks: uia
Whiteboard: [uiaShipBlocker]

This shouldn't happen, but the COM runtime seems to do this sometimes.
I can't reproduce it and I haven't been able to fathom what causes it.
I suspect a Windows bug or a bug in some third party software.
This leads to trying to check the UIA pref from the wrong thread, which is not allowed and causes a crash.

Assignee: nobody → jteh
Status: NEW → ASSIGNED
Pushed by jteh@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/0520421f5eb6 Fail gracefully for calls to LazyInstantiator::get_accChild on the wrong thread. r=morgan
Severity: -- → S2
Flags: needinfo?(jteh)
Status: ASSIGNED → RESOLVED
Closed: 7 months ago
Resolution: --- → FIXED
Target Milestone: --- → 140 Branch

The patch landed in nightly and beta is affected.
:Jamie, is this bug important enough to require an uplift?

For more information, please visit BugBot documentation.

Flags: needinfo?(jteh)

This shouldn't happen, but the COM runtime seems to do this sometimes.
I can't reproduce it and I haven't been able to fathom what causes it.
I suspect a Windows bug or a bug in some third party software.
This leads to trying to check the UIA pref from the wrong thread, which is not allowed and causes a crash.

Original Revision: https://phabricator.services.mozilla.com/D248558

Attachment #9487505 - Flags: approval-mozilla-beta?

firefox-beta Uplift Approval Request

  • User impact if declined: Crashes.
  • Code covered by automated testing: no
  • Fix verified in Nightly: no
  • Needs manual QE test: no
  • Steps to reproduce for manual QE testing: not applicable
  • Risk associated with taking this patch: low
  • Explanation of risk level: Simple main thread check which fails gracefully instead of crashing.
  • String changes made/needed: none
  • Is Android affected?: no
Attachment #9487505 - Flags: approval-mozilla-beta? → approval-mozilla-beta+
Flags: needinfo?(jteh)
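
The failure mode and the fix described in this bug (a main-thread check that fails gracefully instead of crashing), modeled as an added example; this is not the landed Firefox patch or any Mozilla code. All names are hypothetical, the throw stands in for MOZ_DIAGNOSTIC_ASSERT, and returning the RPC_E_WRONG_THREAD value is this example's choice, since the patch's actual return value is not shown on this page.

```cpp
#include <cstdint>
#include <cstdio>
#include <stdexcept>
#include <thread>

// All names below are hypothetical; this models the bug, it is not Firefox code.
using HResult = std::int32_t;
constexpr HResult kOk = 0;
// Value of the Windows RPC_E_WRONG_THREAD code; returning it is this example's choice.
constexpr HResult kWrongThread = static_cast<HResult>(0x8001010EU);

// The thread that owns the accessibility objects (captured during static init).
static const std::thread::id kMainThread = std::this_thread::get_id();
static bool IsMainThread() { return std::this_thread::get_id() == kMainThread; }

// Non-atomic pref, main thread only. The throw stands in for the diagnostic assert.
static bool sUiaEnabled = true;
static bool UiaPrefGetter() {
  if (!IsMainThread()) throw std::logic_error("non-atomic pref read off main thread");
  return sUiaEnabled;
}

// Entry point that trusts COM to marshal every call to the main thread.
HResult GetChildUnguarded(bool* uia) { *uia = UiaPrefGetter(); return kOk; }

// Entry point that checks thread affinity first and refuses without touching state.
HResult GetChildGuarded(bool* uia) {
  if (!IsMainThread()) return kWrongThread;
  *uia = UiaPrefGetter();
  return kOk;
}

enum class Outcome { Ok, Refused, Crashed };
// Calls `entry` on the main thread or on a fresh background thread.
Outcome CallFrom(bool background, HResult (*entry)(bool*)) {
  Outcome out = Outcome::Ok;
  auto body = [&] {
    bool uia = false;
    try { out = entry(&uia) == kOk ? Outcome::Ok : Outcome::Refused; }
    catch (const std::logic_error&) { out = Outcome::Crashed; }
  };
  if (background) { std::thread t(body); t.join(); } else { body(); }
  return out;
}

int main() {
  std::printf("unguarded, background: %d\n", static_cast<int>(CallFrom(true, GetChildUnguarded)));
  std::printf("guarded, background:   %d\n", static_cast<int>(CallFrom(true, GetChildGuarded)));
  return 0;
}
```

The guard sits before any thread-affine state is read, so an off-thread caller gets an error code back and the main-thread path is unchanged.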