Closed Bug 630828 Opened 9 years ago Closed 9 years ago

Crash [@ nsAccessible::UpdateChildren() ]

Categories

(Core :: Disability Access APIs, defect, critical)

x86
Windows XP
defect
Not set
critical

Tracking

()

RESOLVED FIXED
mozilla5
Tracking Status
blocking2.0 --- .x+

People

(Reporter: scoobidiver, Assigned: surkov)

Details

(Keywords: crash, regression)

Crash Data

Attachments

(1 file, 2 obsolete files)

It is a new crash signature. Crashes first appeared in 4.0b11pre/20110201.
It is #23 top crasher in today's build.

Signature	nsAccessible::UpdateChildren()
UUID	68d0c0d8-de33-41b3-9df0-7ff5c2110201
Time 	2011-02-01 10:18:12.614802
Uptime	44
Last Crash	48 seconds before submission
Install Age	9704 seconds (2.7 hours) since version was first installed.
Product	Firefox
Version	4.0b11pre
Build ID	20110201030339
Branch	2.0
OS	Windows NT
OS Version	5.1.2600 Service Pack 3
CPU	x86
CPU Info	GenuineIntel family 15 model 6 stepping 2
Crash Reason	EXCEPTION_ACCESS_VIOLATION_READ
Crash Address	0x0
App Notes 	AdapterVendorID: 1002, AdapterDeviceID: 5b65, AdapterDriverVersion: 8.401.0.0

Frame 	Module 	Signature [Expand] 	Source
0 	xul.dll 	nsAccessible::UpdateChildren 	accessible/src/base/nsAccessible.h:235
1 	xul.dll 	nsDocAccessible::NotifyOfCachingEnd 	accessible/src/base/nsDocAccessible.cpp:1470
2 	xul.dll 	nsAccessible::EnsureChildren 	accessible/src/base/nsAccessible.cpp:3194
3 	xul.dll 	nsDocAccessible::ProcessContentInserted 	accessible/src/base/nsDocAccessible.cpp:1763
4 	xul.dll 	NotificationController::ContentInsertion::Process 	accessible/src/base/NotificationController.cpp:1022
5 	xul.dll 	NotificationController::WillRefresh 	accessible/src/base/NotificationController.cpp:241
6 	xul.dll 	nsRefreshDriver::Notify 	layout/base/nsRefreshDriver.cpp:254
7 	xul.dll 	nsTimerImpl::Fire 	xpcom/threads/nsTimerImpl.cpp:428
8 	xul.dll 	nsTimerEvent::Run 	xpcom/threads/nsTimerImpl.cpp:517
9 	xul.dll 	nsThread::ProcessNextEvent 	xpcom/threads/nsThread.cpp:633
10 	nspr4.dll 	PR_AssertCurrentThreadOwnsLock 	nsprpub/pr/src/threads/combined/prulock.c:404
11 	nspr4.dll 	PR_AssertCurrentThreadOwnsLock 	nsprpub/pr/src/threads/combined/prulock.c:404
12 	xul.dll 	mozilla::ipc::MessagePump::Run 	ipc/glue/MessagePump.cpp:110
13 	xul.dll 	MessageLoop::RunInternal 	ipc/chromium/src/base/message_loop.cc:219
14 	xul.dll 	MessageLoop::RunHandler 	ipc/chromium/src/base/message_loop.cc:202
15 	mozcrt19.dll 	mozcrt19.dll@0x1804a 	
16 	xul.dll 	MessageLoop::Run 	ipc/chromium/src/base/message_loop.cc:176
17 	xul.dll 	nsBaseAppShell::Run 	widget/src/xpwidgets/nsBaseAppShell.cpp:192
18 	xul.dll 	xul.dll@0xb2ca5b 	
19 	xul.dll 	nsAppStartup::Run 	toolkit/components/startup/src/nsAppStartup.cpp:218
20 	xul.dll 	XRE_main 	toolkit/xre/nsAppRunner.cpp:3775
21 	firefox.exe 	wmain 	toolkit/xre/nsWindowsWMain.cpp:128
22 	firefox.exe 	__tmainCRTStartup 	obj-firefox/memory/jemalloc/crtsrc/crtexe.c:591
23 	kernel32.dll 	BaseProcessStart 	

The regression range is:
http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=ba3fe7ee56b9&tochange=8b5cb26bbb10

More reports at:
https://crash-stats.mozilla.com/report/list?product=Firefox&query_search=signature&query_type=exact&query=&range_value=4&range_unit=weeks&hang_type=any&process_type=any&plugin_field=&plugin_query_type=&plugin_query=&do_query=1&admin=&signature=nsAccessible%3A%3AUpdateChildren%28%29
blocking2.0: --- → ?
Attached patch patch fixing the crash (obsolete) — Splinter Review
508     nsAccessible* child = GetChildAt(startChildIdx);
509     child->AppendTextTo(aText, aStartOffset - childOffset,
510                         aEndOffset - aStartOffset);

child is NULL because GetChildAt returns an wrong result (that child has been removed, but mOffsets has not been updated).
Attachment #509089 - Flags: review?(surkov.alexander)
Comment on attachment 509089 [details] [diff] [review]
patch fixing the crash

wrong bug, sorry, forget patch and last comment
Attachment #509089 - Flags: review?(surkov.alexander)
Assignee: nobody → fherrera
Status: NEW → ASSIGNED
Attachment #509089 - Attachment is obsolete: true
I can only find 3 stacks all with build id: 20110201030339

Let's not block FF4 on this one.
blocking2.0: ? → -
We have got more crashes, but none with builds after 20110222.
(In reply to comment #4)
> We have got more crashes, but none with builds after 20110222.

ok, let's keep it open for a while then. I don't have clever idea why it can crash.
Attached patch patch (obsolete) — Splinter Review
no idea still how it may happen but let's add assertion and null-check
Assignee: fherrera → surkov.alexander
Attachment #518659 - Flags: review?(bolterbugz)
Got two new crashes from 03/03/2011 builds.
Comment on attachment 518659 [details] [diff] [review]
patch

OK. I still want to know why it happens though :(
Attachment #518659 - Flags: review?(bolterbugz) → review+
4.x wanted, trivial fix - null check, zero risk.
blocking2.0: - → ?
Agreed.
blocking2.0: ? → .x+
Whiteboard: [safe nullcheck]
Attached patch patch to landSplinter Review
Attachment #518659 - Attachment is obsolete: true
Whiteboard: [safe nullcheck] → [safe nullcheck][fx4-rc-ridealong][has reviewed patch]
landed - http://hg.mozilla.org/mozilla-central/rev/7fe72ffbb780
Status: ASSIGNED → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Whiteboard: [safe nullcheck][fx4-rc-ridealong][has reviewed patch]
Target Milestone: --- → mozilla2.2
Crash Signature: [@ nsAccessible::UpdateChildren() ]
You need to log in before you can comment on or make changes to this bug.