Closed Bug 757739 Opened 13 years ago Closed 13 years ago

crash in nsAccUtils::MustPrune

Categories

(Core :: Disability Access APIs, defect)

Product:
Core
Component:
Disability Access APIs
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
VERIFIED FIXED
Milestone:
mozilla15
Tracking Flags:
Tracking Status
firefox15 + verified

People

(Reporter: scoobidiver, Assigned: surkov)

References

Details

(Keywords: crash, regression, topcrash, Whiteboard: [native-crash])

Crash Data

Attachments

(1 file)

patch
1006 bytes, patch
tbsaunde
: review+
davidb
: review+
Details | Diff | Splinter Review
There are three crashes from two different users. Signature nsAccUtils::MustPrune More Reports Search UUID 1eef3c8e-0e2a-4296-9813-bd9952120522 Date Processed 2012-05-22 18:42:07 Uptime 2219 Last Crash 2.3 days before submission Install Age 37.0 minutes since version was first installed. Install Time 2012-05-22 18:04:53 Product Firefox Version 15.0a1 Build ID 20120522080220 Release Channel nightly OS Mac OS X OS Version 10.7.4 11E53 Build Architecture amd64 Build Architecture Info family 6 model 23 stepping 10 Crash Reason EXC_BAD_ACCESS / KERN_INVALID_ADDRESS Crash Address 0x70 App Notes AdapterVendorID: 0x10de, AdapterDeviceID: 0x 8a0GL Context? GL Context+ GL Layers? GL Layers+ EMCheckCompatibility True Frame Module Signature Source 0 XUL nsAccUtils::MustPrune Accessible-inl.h:16 1 XUL nsAccessible::AppendTextTo nsAccessible.cpp:2486 2 XUL NotificationController::CreateTextChangeEventFor NotificationController.cpp:667 3 XUL NotificationController::QueueEvent NotificationController.cpp:117 4 XUL nsDocAccessible::UpdateTreeInternal nsDocAccessible.cpp:1717 5 XUL nsDocAccessible::UpdateTree nsDocAccessible.cpp:1810 6 XUL nsCSSFrameConstructor::ContentRemoved nsCSSFrameConstructor.cpp:7390 7 XUL nsCSSFrameConstructor::RecreateFramesForContent nsCSSFrameConstructor.cpp:9099 8 XUL nsCSSFrameConstructor::ProcessRestyledFrames nsCSSFrameConstructor.cpp:7906 9 XUL nsCSSFrameConstructor::RestyleElement nsCSSFrameConstructor.cpp:8052 10 XUL mozilla::css::RestyleTracker::DoProcessRestyles RestyleTracker.cpp:124 11 XUL nsCSSFrameConstructor::ProcessPendingRestyles RestyleTracker.h:68 12 XUL PresShell::FlushPendingNotifications nsPresShell.cpp:3800 13 XUL nsDocument::FlushPendingNotifications nsDocument.cpp:6336 14 XUL nsComputedDOMStyle::GetPropertyCSSValue nsComputedDOMStyle.cpp:460 15 XUL nsComputedDOMStyle::GetPropertyValue nsComputedDOMStyle.cpp:283 16 XUL nsIDOMCSSStyleDeclaration_GetPropertyValue dom_quickstubs.cpp:9949 ... More reports at: https://crash-stats.mozilla.com/report/list?signature=nsAccUtils%3A%3AMustPrune
Sounds like a regression from bug 754869, but this landed only very recently.
Blocks: 754869
Keywords: regression
Version: Trunk → 15 Branch
since we process nsCSSFrameConstructor::ContentRemoved then we fire hide event (note, we do that before we unattach it from tree) so it must have a parent but it doesn't since MustPrune(Parent()) crashes. So if no other ideas then I'd suggest to null check Parent() and assert.
Version: 15 Branch → Trunk
I added another related signature. More reports at: https://crash-stats.mozilla.com/report/list?signature=nsAccessible%3A%3ARole
Crash Signature: [@ nsAccUtils::MustPrune] → [@ nsAccUtils::MustPrune] [@ nsAccessible::Role]
Here are Windows crashes: https://crash-stats.mozilla.com/report/list?signature=nsAccessible%3A%3ARole%28%29
Crash Signature: [@ nsAccUtils::MustPrune] [@ nsAccessible::Role] → [@ nsAccUtils::MustPrune] [@ nsAccessible::Role] [@ nsAccessible::Role()]
OS: Mac OS X → All
Hardware: x86_64 → All
Attached patch patch — — Splinter Review
Assignee: nobody → surkov.alexander
Status: NEW → ASSIGNED
Attachment #626373 - Flags: review?(trev.saunders)
Whiteboard: [native-crash]
Comment on attachment 626373 [details] [diff] [review] patch Review of attachment 626373 [details] [diff] [review]: ----------------------------------------------------------------- r=me. I'd prefer no assert.
Attachment #626373 - Flags: review+
(In reply to David Bolter [:davidb] from comment #6) > Comment on attachment 626373 [details] [diff] [review] > patch > > Review of attachment 626373 [details] [diff] [review]: > ----------------------------------------------------------------- > > r=me. I'd prefer no assert. why no assert? this really should never happen, ideally I'd rather not take this, if we can figure out what's going on here. However the stacks really don't give me any ideas either, do we have any urls or ideas how to reproduce? I suspect somehow we operate on bd tree, but I'm not sure how it got that wy off hand. crash-stats.m.o is just giving me 500s so I'm not really sure what all we know. I'm pretty sure I could cause the same crash if I removed nsAccessible::GetIndexOf() and replaced it with a direct call to IndexInParent() which seems like something we should do.
I should have explicitly added to file a follow up bug. I assumed we wouldn't be happy just null checking.
(In reply to Trevor Saunders (:tbsaunde) from comment #7) > crash-stats.m.o is just giving me 500s so I'm not > really sure what all we know. Should be temporary, work is being done on that. Try those for now: https://crash-stats.mozilla.com/report/list?product=Firefox&signature=nsAccUtils%3A%3AMustPrune https://crash-stats.mozilla.com/report/list?product=Firefox&signature=nsAccessible%3A%3ARole https://crash-stats.mozilla.com/report/list?product=Firefox&signature=nsAccessible%3A%3ARole()
When is nsCSSFrameConstructor::ContentRemoved called with no aContainer?
(In reply to David Bolter [:davidb] from comment #10) > When is nsCSSFrameConstructor::ContentRemoved called with no aContainer? on document iirc
(In reply to Trevor Saunders (:tbsaunde) from comment #7) > I'm pretty sure I could cause the same crash > if I removed nsAccessible::GetIndexOf() and replaced it with a direct call > to IndexInParent() which seems like something we should do. can you elaborate that?
(In reply to David Bolter [:davidb] from comment #8) > I should have explicitly added to file a follow up bug. I assumed we > wouldn't be happy just null checking. We aren't happy and if somebody have options/ideas then follow up bug makes sense if we don't put a fix right here. Otherwise I don't see a reason to have a follow up.
(In reply to alexander :surkov from comment #12) > (In reply to Trevor Saunders (:tbsaunde) from comment #7) > > I'm pretty sure I could cause the same crash > > if I removed nsAccessible::GetIndexOf() and replaced it with a direct call > > to IndexInParent() which seems like something we should do. > > can you elaborate that? Well, I'm not actually sure what I was thinking... so, in NotificationController::CreateTextChangeEvent() we call ChildOffset() of the text accessible on the hyper text accessible. which starts by calling GetIndexOf(textAccessible) on the hyper text accessible. which should be changed to just textAccessible->IndexInParent(), but I don't see why tht would crash now just return wrong result.
Comment on attachment 626373 [details] [diff] [review] patch I'm sort of tempted to try adding if (textAcc->Parent() != hyperTextAcc) return in CreateTextChangeEvent(), but I'm not having any luck trying to come up with an explanaition. so r=me I guess :(
Attachment #626373 - Flags: review?(trev.saunders) → review+
(In reply to Trevor Saunders (:tbsaunde) from comment #15) > if (textAcc->Parent() != hyperTextAcc) > return > > in CreateTextChangeEvent() if you meant if (aEvent->mAccessible->Parent() != textAccessible) then yes it helps since Parent() is null but in this case we don't hit the assertion I added. Did you mean something else?
(In reply to alexander :surkov from comment #16) > (In reply to Trevor Saunders (:tbsaunde) from comment #15) > > > if (textAcc->Parent() != hyperTextAcc) > > return > > > > in CreateTextChangeEvent() > > if you meant > if (aEvent->mAccessible->Parent() != textAccessible) > > then yes it helps since Parent() is null but in this case we don't hit the > assertion I added. Did you mean something else? I think what I meant exactly was if (aEvent->mAccessible->Parent() != hyperTextAcc) return; with an assert too. I mostly wanted to be more targeted in when we add computations we shouldn't need.
ok, that makes sense
(In reply to alexander :surkov from comment #18) > ok, that makes sense on the second glace, that check inside CreateTextChangeEvent makes us to not fire an event. I wouldn't do that since I don't understand what's going on here. Perhaps it's worth to go with original patch as is. Trevor?
It's #8 top crasher over the last 3 days.
tracking-firefox15: --- → ?
Keywords: topcrash
(In reply to alexander :surkov from comment #19) > (In reply to alexander :surkov from comment #18) > > ok, that makes sense > > on the second glace, that check inside CreateTextChangeEvent makes us to not > fire an event. I wouldn't do that since I don't understand what's going on > here. Perhaps it's worth to go with original patch as is. Trevor? sure, I'll land this with the Accessible stuff in a few minutes when try finishes getting green. However I noticed one of the crash reports mentioned arte.tv where I can reliably reproduce the crash on linux 64 both non optamized and with debugging on.
(In reply to Trevor Saunders (:tbsaunde) from comment #21) > However I noticed one of the crash reports mentioned arte.tv where I can > reliably reproduce the crash on linux 64 both non optamized and with > debugging on. cool, we can fix it then. I'll try it out.
(In reply to alexander :surkov from comment #22) > (In reply to Trevor Saunders (:tbsaunde) from comment #21) > > > However I noticed one of the crash reports mentioned arte.tv where I can > > reliably reproduce the crash on linux 64 both non optamized and with > > debugging on. > > cool, we can fix it then. I'll try it out. nice, I looked a bit, I didn't get to far, but it seems textAccessibles children flags are eUninitializedChildren which I can only see being the case if aEvent->mAccessible was never added to it. I also saw aEvent->mAccessible->mContent->GetParent() == textAccessible->mContent if that helps.
I can reproduce it. So I'll debug it and land the existing patch to stop crashing.
https://hg.mozilla.org/integration/mozilla-inbound/rev/563cb4e5d1d5 I'll file another bug for the issue when I get something.
Whiteboard: [native-crash] → [native-crash][leave-open]
Target Milestone: --- → mozilla15
Whiteboard: [native-crash][leave-open] → [native-crash]
Crash Signature: [@ nsAccUtils::MustPrune] [@ nsAccessible::Role] [@ nsAccessible::Role()] → [@ nsAccUtils::MustPrune] [@ nsAccessible::Role] [@ nsAccessible::Role()] [@ Accessible::Role] [@ Accessible::Role()]
I filed bug 759650 as follow up
https://hg.mozilla.org/mozilla-central/rev/563cb4e5d1d5
Status: ASSIGNED → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
Marco, can you please verify this bug is fixed in Firefox 15.0a2 Aurora?
Removing QAWANTED as this is currently being tracked in our verification queries through status/tracking flags. Alex, pleas re-add if there is something more then simple verification that you need.
Keywords: qawanted
This landed before the uplift of 15 to Aurora, so yeah should be fixed. I could never reproduce it myself, so have no manual means to verify, but from inspection, the patch is in Aurora.
I'm not seeing any recent crash reports with this signature. This in addition to comment 31 is the best we can do in terms of verification. We can re-open if this signature reappears.
Status: RESOLVED → VERIFIED
status-firefox15: fixedverified
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: