Last Comment Bug 751623 - crash in nsRootAccessible::Name
: crash in nsRootAccessible::Name
Status: VERIFIED FIXED
: crash, regression, topcrash
Product: Core
Classification: Components
Component: Disability Access APIs (show other bugs)
: 15 Branch
: All Linux
: -- critical (vote)
: mozilla15
Assigned To: alexander :surkov
:
: alexander :surkov
Mentors:
Depends on:
Blocks: 752510 740747
  Show dependency treegraph
 
Reported: 2012-05-03 10:28 PDT by Scoobidiver (away)
Modified: 2012-08-13 06:58 PDT (History)
6 users (show)
See Also:
Crash Signature:
QA Whiteboard:
Iteration: ---
Points: ---
Has Regression Range: ---
Has STR: ---
verified


Attachments
Null check (634 bytes, patch)
2012-05-03 10:55 PDT, Marco Zehe (:MarcoZ)
surkov.alexander: review+
Details | Diff | Splinter Review

Description Scoobidiver (away) 2012-05-03 10:28:18 PDT
It first appeared in 15.0a1/20120503. The regression range is:
http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=b13bfc70bc44&tochange=807403a04a6a
It's likely a regression from bug 740747.
Windows and Mac seem unaffected so far.

Signature 	nsRootAccessible::Name More Reports Search
UUID	f35900f5-ea68-4e98-88cb-e87562120503
Date Processed	2012-05-03 14:07:46
Uptime	2
Last Crash	1.6 minutes before submission
Install Age	1.7 minutes since version was first installed.
Install Time	2012-05-03 14:05:37
Product	Firefox
Version	15.0a1
Build ID	20120503030512
Release Channel	nightly
OS	Linux
OS Version	0.0.0 Linux 2.6.32-5-686 #1 SMP Mon Mar 26 05:20:33 UTC 2012 i686
Build Architecture	x86
Build Architecture Info	GenuineIntel family 6 model 37 stepping 2
Crash Reason	SIGSEGV
Crash Address	0x0
App Notes 	
OpenGL: NVIDIA Corporation -- GeForce 310M/PCI/SSE2 -- 3.2.0 NVIDIA 195.36.31 -- texture_from_pixmap
Processor Notes 	WARNING: JSON file missing Add-ons
EMCheckCompatibility	False

Frame 	Module 	Signature 	Source
0 	libxul.so 	nsRootAccessible::Name 	accessible/src/base/nsRootAccessible.cpp:127
1 	libxul.so 	getNameCB 	accessible/src/atk/nsAccessibleWrap.cpp:689
2 	libatk-1.0.so.0.3009.1 	libatk-1.0.so.0.3009.1@0xc135 	
3 	libatk-bridge.so 	libatk-bridge.so@0x4554 	
4 	libgobject-2.0.so.0.2400.2 	libgobject-2.0.so.0.2400.2@0x2102f 	
5 	libgobject-2.0.so.0.2400.2 	libgobject-2.0.so.0.2400.2@0x22bfb 	
6 	libgobject-2.0.so.0.2400.2 	libgobject-2.0.so.0.2400.2@0x23075 	
7 	libatk-1.0.so.0.3009.1 	libatk-1.0.so.0.3009.1@0xd0cc 	
8 	libgobject-2.0.so.0.2400.2 	libgobject-2.0.so.0.2400.2@0x183c7 	
9 	libgobject-2.0.so.0.2400.2 	libgobject-2.0.so.0.2400.2@0x97a8 	
10 	libgobject-2.0.so.0.2400.2 	libgobject-2.0.so.0.2400.2@0xb139 	
11 	libgobject-2.0.so.0.2400.2 	libgobject-2.0.so.0.2400.2@0x20eb9 	
12 	libgobject-2.0.so.0.2400.2 	libgobject-2.0.so.0.2400.2@0x22bfb 	
13 	libgobject-2.0.so.0.2400.2 	libgobject-2.0.so.0.2400.2@0x23075 	
14 	libgobject-2.0.so.0.2400.2 	libgobject-2.0.so.0.2400.2@0xf510 	
15 	libgobject-2.0.so.0.2400.2 	libgobject-2.0.so.0.2400.2@0xbe6e 	
16 	libgobject-2.0.so.0.2400.2 	libgobject-2.0.so.0.2400.2@0x11752 	
17 	libatk-1.0.so.0.3009.1 	libatk-1.0.so.0.3009.1@0xb8d4 	
18 	libxul.so 	ApplicationAccessibleWrap::RemoveChild 	accessible/src/atk/ApplicationAccessibleWrap.cpp:775
19 	libxul.so 	nsDocAccessible::Shutdown 	accessible/src/base/nsDocAccessible.cpp:659
20 	libxul.so 	nsAccDocManager::HandleEvent 	accessible/src/base/nsAccDocManager.cpp:303
21 	libxul.so 	nsEventListenerManager::HandleEventSubType 	content/events/src/nsEventListenerManager.cpp:818
22 	libxul.so 	nsEventListenerManager::HandleEventInternal 	content/events/src/nsEventListenerManager.cpp:875
23 	libxul.so 	nsEventTargetChainItem::HandleEventTargetChain 	content/events/src/nsEventListenerManager.h:169
24 	libxul.so 	nsEventDispatcher::Dispatch 	content/events/src/nsEventDispatcher.cpp:684
25 	libxul.so 	nsEventDispatcher::DispatchDOMEvent 	content/events/src/nsEventDispatcher.cpp:747
26 	libxul.so 	nsDocument::DispatchPageTransition 	content/base/src/nsDocument.cpp:7337
27 	libxul.so 	nsDocument::OnPageHide 	content/base/src/nsDocument.cpp:7448
28 	libxul.so 	DocumentViewerImpl::PageHide 	layout/base/nsDocumentViewer.cpp:1288
29 	libxul.so 	nsDocShell::FirePageHideNotification 	docshell/base/nsDocShell.cpp:1615
30 	libxul.so 	nsDocShell::Destroy 	docshell/base/nsDocShell.cpp:4662
31 	libxul.so 	nsXULWindow::Destroy 	xpfe/appshell/src/nsXULWindow.cpp:529
32 	libxul.so 	nsWebShellWindow::Destroy 	xpfe/appshell/src/nsWebShellWindow.cpp:787
33 	libxul.so 	nsChromeTreeOwner::Destroy 	xpfe/appshell/src/nsChromeTreeOwner.cpp:388
34 	libxul.so 	nsGlobalWindow::ReallyCloseWindow 	dom/base/nsGlobalWindow.cpp:6438
35 	libxul.so 	nsCloseEvent::Run 	dom/base/nsGlobalWindow.cpp:6229
36 	libxul.so 	nsThread::ProcessNextEvent 	xpcom/threads/nsThread.cpp:656
37 	libxul.so 	NS_ProcessNextEvent_P 	obj-firefox/xpcom/build/nsThreadUtils.cpp:245
38 	libxul.so 	nsXULWindow::ShowModal 	xpfe/appshell/src/nsXULWindow.cpp:420
39 	libxul.so 	nsContentTreeOwner::ShowAsModal 	xpfe/appshell/src/nsContentTreeOwner.cpp:564
40 	libxul.so 	nsWindowWatcher::OpenWindowJSInternal 	embedding/components/windowwatcher/src/nsWindowWatcher.cpp:1023
41 	libxul.so 	nsWindowWatcher::OpenWindow 	embedding/components/windowwatcher/src/nsWindowWatcher.cpp:414
42 	libxul.so 	ShowProfileManager 	toolkit/xre/nsAppRunner.cpp:1866
43 	libxul.so 	XREMain::XRE_mainStartup 	toolkit/xre/nsAppRunner.cpp:2291
44 	libxul.so 	XREMain::XRE_main 	toolkit/xre/nsAppRunner.cpp:3839
45 	libxul.so 	XRE_main 	toolkit/xre/nsAppRunner.cpp:3933
...

More reports at:
https://crash-stats.mozilla.com/report/list?signature=nsRootAccessible%3A%3AName
Comment 1 Marco Zehe (:MarcoZ) 2012-05-03 10:55:20 PDT
Created attachment 620775 [details] [diff] [review]
Null check
Comment 2 Trevor Saunders (:tbsaunde) 2012-05-03 12:37:33 PDT
Comment on attachment 620775 [details] [diff] [review]
Null check

that might well fix the crash, but it doesn't seem right.  First we didn't check the QI before, and it shouldn't fail and mDocument shouldn't be null anyways I think.

My guess would be mDOcument is null but it hasn't become defunct yet, surkov any ideas?
Comment 3 alexander :surkov 2012-05-03 20:23:55 PDT
I think it crashes on NativeRootAccessibleWrap, we mark it as defunct but getNameCB doesn't have IsDefunct check (technically it's not needed because defunct state means no gecko accessible for atk accessible.

perhaps I'd add Name() implementation on NativeRootAccessibleWrap.
Comment 4 Marco Zehe (:MarcoZ) 2012-05-03 20:39:58 PDT
OK, handing this back to you folks, then.
Comment 5 Scoobidiver (away) 2012-05-04 01:00:49 PDT
It's currently #1 top crasher in today's build.
Comment 6 alexander :surkov 2012-05-04 01:02:51 PDT
Comment on attachment 620775 [details] [diff] [review]
Null check

let's take Marco's patch (since it's topcrasher) and then figure out right solution
Comment 7 Marco Zehe (:MarcoZ) 2012-05-04 03:03:10 PDT
Pushed rebased patch to inbound: http://hg.mozilla.org/integration/mozilla-inbound/rev/1f576da2253d
Note that due to de-ns-ification, the signature will probably change to RootAccessible::...

Surkov, do you want to keep this open for finding the right solution, or do you want to work on it in a separate bug?
Comment 9 alexander :surkov 2012-05-04 16:55:02 PDT
(In reply to Marco Zehe (:MarcoZ) from comment #7)
> Surkov, do you want to keep this open for finding the right solution, or do
> you want to work on it in a separate bug?

yeah, please open
Comment 10 Mihaela Velimiroviciu (:mihaelav) 2012-08-13 06:58:00 PDT
There are no crash reports with this signature in the last 4 weeks.
Marking verified.

Note You need to log in before you can comment on or make changes to this bug.