Last Comment Bug 751623 - crash in nsRootAccessible::Name
: crash in nsRootAccessible::Name
: crash, regression, topcrash
Product: Core
Classification: Components
Component: Disability Access APIs (show other bugs)
: 15 Branch
: All Linux
-- critical (vote)
: mozilla15
Assigned To: alexander :surkov
: alexander :surkov
Depends on:
Blocks: 752510 740747
  Show dependency treegraph
Reported: 2012-05-03 10:28 PDT by Scoobidiver (away)
Modified: 2012-08-13 06:58 PDT (History)
6 users (show)
See Also:
Crash Signature:
QA Whiteboard:
Iteration: ---
Points: ---
Has Regression Range: ---
Has STR: ---

Null check (634 bytes, patch)
2012-05-03 10:55 PDT, Marco Zehe (:MarcoZ)
surkov.alexander: review+
Details | Diff | Splinter Review

Description User image Scoobidiver (away) 2012-05-03 10:28:18 PDT
It first appeared in 15.0a1/20120503. The regression range is:
It's likely a regression from bug 740747.
Windows and Mac seem unaffected so far.

Signature 	nsRootAccessible::Name More Reports Search
UUID	f35900f5-ea68-4e98-88cb-e87562120503
Date Processed	2012-05-03 14:07:46
Uptime	2
Last Crash	1.6 minutes before submission
Install Age	1.7 minutes since version was first installed.
Install Time	2012-05-03 14:05:37
Product	Firefox
Version	15.0a1
Build ID	20120503030512
Release Channel	nightly
OS	Linux
OS Version	0.0.0 Linux 2.6.32-5-686 #1 SMP Mon Mar 26 05:20:33 UTC 2012 i686
Build Architecture	x86
Build Architecture Info	GenuineIntel family 6 model 37 stepping 2
Crash Reason	SIGSEGV
Crash Address	0x0
App Notes 	
OpenGL: NVIDIA Corporation -- GeForce 310M/PCI/SSE2 -- 3.2.0 NVIDIA 195.36.31 -- texture_from_pixmap
Processor Notes 	WARNING: JSON file missing Add-ons
EMCheckCompatibility	False

Frame 	Module 	Signature 	Source
0 	nsRootAccessible::Name 	accessible/src/base/nsRootAccessible.cpp:127
1 	getNameCB 	accessible/src/atk/nsAccessibleWrap.cpp:689
18 	ApplicationAccessibleWrap::RemoveChild 	accessible/src/atk/ApplicationAccessibleWrap.cpp:775
19 	nsDocAccessible::Shutdown 	accessible/src/base/nsDocAccessible.cpp:659
20 	nsAccDocManager::HandleEvent 	accessible/src/base/nsAccDocManager.cpp:303
21 	nsEventListenerManager::HandleEventSubType 	content/events/src/nsEventListenerManager.cpp:818
22 	nsEventListenerManager::HandleEventInternal 	content/events/src/nsEventListenerManager.cpp:875
23 	nsEventTargetChainItem::HandleEventTargetChain 	content/events/src/nsEventListenerManager.h:169
24 	nsEventDispatcher::Dispatch 	content/events/src/nsEventDispatcher.cpp:684
25 	nsEventDispatcher::DispatchDOMEvent 	content/events/src/nsEventDispatcher.cpp:747
26 	nsDocument::DispatchPageTransition 	content/base/src/nsDocument.cpp:7337
27 	nsDocument::OnPageHide 	content/base/src/nsDocument.cpp:7448
28 	DocumentViewerImpl::PageHide 	layout/base/nsDocumentViewer.cpp:1288
29 	nsDocShell::FirePageHideNotification 	docshell/base/nsDocShell.cpp:1615
30 	nsDocShell::Destroy 	docshell/base/nsDocShell.cpp:4662
31 	nsXULWindow::Destroy 	xpfe/appshell/src/nsXULWindow.cpp:529
32 	nsWebShellWindow::Destroy 	xpfe/appshell/src/nsWebShellWindow.cpp:787
33 	nsChromeTreeOwner::Destroy 	xpfe/appshell/src/nsChromeTreeOwner.cpp:388
34 	nsGlobalWindow::ReallyCloseWindow 	dom/base/nsGlobalWindow.cpp:6438
35 	nsCloseEvent::Run 	dom/base/nsGlobalWindow.cpp:6229
36 	nsThread::ProcessNextEvent 	xpcom/threads/nsThread.cpp:656
37 	NS_ProcessNextEvent_P 	obj-firefox/xpcom/build/nsThreadUtils.cpp:245
38 	nsXULWindow::ShowModal 	xpfe/appshell/src/nsXULWindow.cpp:420
39 	nsContentTreeOwner::ShowAsModal 	xpfe/appshell/src/nsContentTreeOwner.cpp:564
40 	nsWindowWatcher::OpenWindowJSInternal 	embedding/components/windowwatcher/src/nsWindowWatcher.cpp:1023
41 	nsWindowWatcher::OpenWindow 	embedding/components/windowwatcher/src/nsWindowWatcher.cpp:414
42 	ShowProfileManager 	toolkit/xre/nsAppRunner.cpp:1866
43 	XREMain::XRE_mainStartup 	toolkit/xre/nsAppRunner.cpp:2291
44 	XREMain::XRE_main 	toolkit/xre/nsAppRunner.cpp:3839
45 	XRE_main 	toolkit/xre/nsAppRunner.cpp:3933

More reports at:
Comment 1 User image Marco Zehe (:MarcoZ) 2012-05-03 10:55:20 PDT
Created attachment 620775 [details] [diff] [review]
Null check
Comment 2 User image Trevor Saunders (:tbsaunde) 2012-05-03 12:37:33 PDT
Comment on attachment 620775 [details] [diff] [review]
Null check

that might well fix the crash, but it doesn't seem right.  First we didn't check the QI before, and it shouldn't fail and mDocument shouldn't be null anyways I think.

My guess would be mDOcument is null but it hasn't become defunct yet, surkov any ideas?
Comment 3 User image alexander :surkov 2012-05-03 20:23:55 PDT
I think it crashes on NativeRootAccessibleWrap, we mark it as defunct but getNameCB doesn't have IsDefunct check (technically it's not needed because defunct state means no gecko accessible for atk accessible.

perhaps I'd add Name() implementation on NativeRootAccessibleWrap.
Comment 4 User image Marco Zehe (:MarcoZ) 2012-05-03 20:39:58 PDT
OK, handing this back to you folks, then.
Comment 5 User image Scoobidiver (away) 2012-05-04 01:00:49 PDT
It's currently #1 top crasher in today's build.
Comment 6 User image alexander :surkov 2012-05-04 01:02:51 PDT
Comment on attachment 620775 [details] [diff] [review]
Null check

let's take Marco's patch (since it's topcrasher) and then figure out right solution
Comment 7 User image Marco Zehe (:MarcoZ) 2012-05-04 03:03:10 PDT
Pushed rebased patch to inbound:
Note that due to de-ns-ification, the signature will probably change to RootAccessible::...

Surkov, do you want to keep this open for finding the right solution, or do you want to work on it in a separate bug?
Comment 9 User image alexander :surkov 2012-05-04 16:55:02 PDT
(In reply to Marco Zehe (:MarcoZ) from comment #7)
> Surkov, do you want to keep this open for finding the right solution, or do
> you want to work on it in a separate bug?

yeah, please open
Comment 10 User image Mihaela Velimiroviciu (:mihaelav) 2012-08-13 06:58:00 PDT
There are no crash reports with this signature in the last 4 weeks.
Marking verified.

Note You need to log in before you can comment on or make changes to this bug.