Closed Bug 1977292 Opened 8 months ago Closed 8 months ago

Crash in [@ mozilla::a11y::Accessible::IsHyperText] [@ mozilla::a11y::Accessible::ARIARoleMap] via mozilla::a11y::TextLeafPoint::GetTextAttributesLocalAcc

Categories

(Core :: Disability Access APIs, defect)

Other
Windows
defect

Tracking

RESOLVED FIXED
142 Branch
Tracking Status
firefox-esr128 --- unaffected
firefox-esr140 --- unaffected
firefox140 --- unaffected
firefox141 --- disabled
firefox142 --- fixed

People

(Reporter: Jamie, Assigned: Jamie)

References

(Blocks 2 open bugs)

Details

(Keywords: crash)

Attachments

(1 file)

Spun off bug 1977012. The top crash there, involving mozilla::a11y::IsCaretValid, was due to patches in bug 1950748. That has now been fixed. However, there are still crashes with this signature involving mozilla::a11y::TextLeafPoint::GetTextAttributesLocalAcc. This bug is to track those.

Crash report: https://crash-stats.mozilla.org/report/index/a230baff-9a0a-4c35-a59e-44e750250705

Reason: EXCEPTION_ACCESS_VIOLATION_READ

Top 10 frames of crashing thread:

0  xul.dll  mozilla::a11y::Accessible::IsHyperText const  accessible/basetypes/Accessible.h:565
0  xul.dll  mozilla::a11y::LocalAccessible::AsHyperText  accessible/generic/HyperTextAccessible.h:233
0  xul.dll  mozilla::a11y::TextLeafPoint::GetTextAttributesLocalAcc const  accessible/base/TextLeafRange.cpp:1863
1  xul.dll  mozilla::a11y::TextLeafPoint::FindTextAttrsStart const  accessible/base/TextLeafRange.cpp:1907
2  xul.dll  mozilla::a11y::GetAttribute<40015>  accessible/windows/uia/UiaTextRange.cpp:604
3  xul.dll  mozilla::a11y::UiaTextRange::GetAttributeValue  accessible/windows/uia/UiaTextRange.cpp:691
4  UIAutomationCore.DLL  ProviderCallouts::GetAttributeValue  
5  UIAutomationCore.DLL  RemotePatternStub::TextRange_GetAttributeValue  
6  UIAutomationCore.DLL  InvokePatternMethodOnCorrectContext_Callback  
7  OneCoreCommonProxyStub.dll  OneCoreCommonProxyStub.dll@0x10be  

By querying Nightly crashes reported within the last 2 months, here are some insights about the signature:

  • First crash report: 2025-05-31
  • Process type: Parent
  • Is startup crash: No
  • Has user comments: Yes
  • Is null crash: Yes - all crashes happened on null or near null memory address

Severity: -- → S3

Other relevant crash reports (i.e. before the topcrash with a different cause): ARIARoleMap, IsHyperText

Set release status flags based on info from the regressing bug 1950748

Keywords: regression
No longer regressed by: 1950748

Looking more closely at a crash dump, this is being called on a LocalAccessible for which a hide event was queued, but the event hasn't yet been fired and thus the LocalAccessible hasn't been shut down yet. That is, mParent is null and mStateFlags contains eIsNotInDocument.

Assignee: nobody → jteh
Status: NEW → ASSIGNED
Pushed by jteh@mozilla.com:
https://github.com/mozilla-firefox/firefox/commit/fce9be89e646
https://hg.mozilla.org/integration/autoland/rev/f9f14c97fc90
GetTextAttributesLocalAcc: Handle the rare case that a client query arrives after the Accessible has been detached from the document but before it is shut down. r=morgan
Status: ASSIGNED → RESOLVED
Closed: 8 months ago
Resolution: --- → FIXED
Target Milestone: --- → 142 Branch
QA Whiteboard: [qa-triage-done-c143/b142]
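
The lifecycle window described in the analysis above (hide event queued, parent already null, eIsNotInDocument set, object not yet shut down), as an added example that is not part of the bug or of the landed patch. It is a simplified model, not Firefox code: Node, the k* flags and every function name are hypothetical, and the guard shown is one possible way to handle the window, not necessarily how the fix does it.

```cpp
// Added illustration, not Firefox code: every name here is hypothetical.
#include <cstdint>
#include <string>

enum : uint32_t { kIsDefunct = 1u << 0, kIsNotInDocument = 1u << 1 };

struct Node {
  Node* parent = nullptr;
  uint32_t stateFlags = 0;
  bool isHyperText = false;
  std::string lang;  // stands in for a text attribute held by the container
};

// Removal step 1: the hide event is queued and the node is unlinked at once.
void QueueHide(Node& n) {
  n.parent = nullptr;
  n.stateFlags |= kIsNotInDocument;
}

// Removal step 2: the queued event fires later and the node is shut down.
void FireHideAndShutDown(Node& n) { n.stateFlags |= kIsDefunct; }

// A guard that only asks "is it shut down?" still passes between the steps.
bool DefunctOnlyGuardPasses(const Node& n) {
  return (n.stateFlags & kIsDefunct) == 0;
}

// Client query: returns the container's attribute, or nullptr when the leaf
// has no usable container. Checks both flags and never dereferences a null
// parent, so the detached-but-alive window yields "no attributes".
const std::string* QueryContainerLang(const Node& leaf) {
  if (leaf.stateFlags & (kIsDefunct | kIsNotInDocument)) return nullptr;
  const Node* p = leaf.parent;
  while (p && !p->isHyperText) p = p->parent;
  return p ? &p->lang : nullptr;
}

int main() {
  Node doc; doc.isHyperText = true; doc.lang = "en";
  Node leaf; leaf.parent = &doc;
  QueueHide(leaf);  // a client query arriving now sees the window
  return (DefunctOnlyGuardPasses(leaf) && !QueryContainerLang(leaf)) ? 0 : 1;
}
```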