Closed Bug 1793423 Opened 2 years ago Closed 2 years ago

Crash in [@ PLDHashTable::EntryStore::IsAllocated | PLDHashTable::Search | nsTHashtable<T>::GetEntry | nsBaseHashtable<T>::Lookup | mozilla::a11y::AccAttributes::GetAttribute]

Categories

(Core :: Disability Access APIs, defect)

Product:
Core
Component:
Disability Access APIs
Platform:
Unspecified
Windows 10
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
107 Branch
Tracking Flags:
Tracking Status
firefox-esr102 --- unaffected
firefox105 --- wontfix
firefox106 --- wontfix
firefox107 --- fixed

People

(Reporter: emilghitta, Assigned: Jamie)

References

(Regression)

Details

(Keywords: crash, regression)

Crash Data

Attachments

(1 file)

Bug 1793423: Don't assume the document has a cache yet in RemoteAccessibleBase::ChildAtPoint.
48 bytes, text/x-phabricator-request
Details | Review

Crash report: https://crash-stats.mozilla.org/report/index/61ca71cf-555b-49cd-a8e8-798da0221003

Reason: EXCEPTION_ACCESS_VIOLATION_READ

Top 10 frames of crashing thread:

0 xul.dll PLDHashTable::EntryStore::IsAllocated const xpcom/ds/PLDHashTable.h:325
0 xul.dll PLDHashTable::Search const xpcom/ds/PLDHashTable.cpp:496
1 xul.dll nsTHashtable<nsBaseHashtableET<nsRefPtrHashKey<nsAtom>, mozilla::Variant<bool, float, double, int, RefPtr<nsAtom>, nsTArray<int>, mozilla::gfx::CoordTyped<mozilla::CSSPixel, float>, mozilla::a11y::FontSize, mozilla::a11y::Color, mozilla::a11y::DeleteEntry, mozilla::UniquePtr<nsTString<char16_t>, mozilla::DefaultDelete<nsTString<char16_t> > >, RefPtr<mozilla::a11y::AccAttributes>, unsigned long long, mozilla::UniquePtr<mozilla::a11y::AccGroupInfo, mozilla::DefaultDelete<mozilla::a11y::AccGroupInfo> >, mozilla::UniquePtr<mozilla::gfx::Matrix4x4Typed<mozilla::gfx::UnknownUnits, mozilla::gfx::UnknownUnits, float>, mozilla::DefaultDelete<mozilla::gfx::Matrix4x4Typed<mozilla::gfx::UnknownUnits, mozilla::gfx::UnknownUnits, float> > >, nsTArray<unsigned long long> > > >::GetEntry const xpcom/ds/nsTHashtable.h:288
1 xul.dll nsBaseHashtable<nsRefPtrHashKey<nsAtom>, mozilla::Variant<bool, float, double, int, RefPtr<nsAtom>, nsTArray<int>, mozilla::gfx::CoordTyped<mozilla::CSSPixel, float>, mozilla::a11y::FontSize, mozilla::a11y::Color, mozilla::a11y::DeleteEntry, mozilla::UniquePtr<nsTString<char16_t>, mozilla::DefaultDelete<nsTString<char16_t> > >, RefPtr<mozilla::a11y::AccAttributes>, unsigned long long, mozilla::UniquePtr<mozilla::a11y::AccGroupInfo, mozilla::DefaultDelete<mozilla::a11y::AccGroupInfo> >, mozilla::UniquePtr<mozilla::gfx::Matrix4x4Typed<mozilla::gfx::UnknownUnits, mozilla::gfx::UnknownUnits, float>, mozilla::DefaultDelete<mozilla::gfx::Matrix4x4Typed<mozilla::gfx::UnknownUnits, mozilla::gfx::UnknownUnits, float> > >, nsTArray<unsigned long long> >, mozilla::Variant<bool, float, double, int, RefPtr<nsAtom>, nsTArray<int>, mozilla::gfx::CoordTyped<mozilla::CSSPixel, float>, mozilla::a11y::FontSize, mozilla::a11y::Color, mozilla::a11y::DeleteEntry, mozilla::UniquePtr<nsTString<char16_t>, mozilla::DefaultDelete<nsTString<char16_t> > >, RefPtr<mozilla::a11y::AccAttributes>, unsigned long long, mozilla::UniquePtr<mozilla::a11y::AccGroupInfo, mozilla::DefaultDelete<mozilla::a11y::AccGroupInfo> >, mozilla::UniquePtr<mozilla::gfx::Matrix4x4Typed<mozilla::gfx::UnknownUnits, mozilla::gfx::UnknownUnits, float>, mozilla::DefaultDelete<mozilla::gfx::Matrix4x4Typed<mozilla::gfx::UnknownUnits, mozilla::gfx::UnknownUnits, float> > >, nsTArray<unsigned long long> >, nsDefaultConverter<mozilla::Variant<bool, float, double, int, RefPtr<nsAtom>, nsTArray<int>, mozilla::gfx::CoordTyped<mozilla::CSSPixel, float>, mozilla::a11y::FontSize, mozilla::a11y::Color, mozilla::a11y::DeleteEntry, mozilla::UniquePtr<nsTString<char16_t>, mozilla::DefaultDelete<nsTString<char16_t> > >, RefPtr<mozilla::a11y::AccAttributes>, unsigned long long, mozilla::UniquePtr<mozilla::a11y::AccGroupInfo, mozilla::DefaultDelete<mozilla::a11y::AccGroupInfo> >, mozilla::UniquePtr<mozilla::gfx::Matrix4x4Typed<mozilla::gfx::UnknownUnits, mozilla::gfx::UnknownUnits, float>, mozilla::DefaultDelete<mozilla::gfx::Matrix4x4Typed<mozilla::gfx::UnknownUnits, mozilla::gfx::UnknownUnits, float> > >, nsTArray<unsigned long long> >, mozilla::Variant<bool, float, double, int, RefPtr<nsAtom>, nsTArray<int>, mozilla::gfx::CoordTyped<mozilla::CSSPixel, float>, mozilla::a11y::FontSize, mozilla::a11y::Color, mozilla::a11y::DeleteEntry, mozilla::UniquePtr<nsTString<char16_t>, mozilla::DefaultDelete<nsTString<char16_t> > >, RefPtr<mozilla::a11y::AccAttributes>, unsigned long long, mozilla::UniquePtr<mozilla::a11y::AccGroupInfo, mozilla::DefaultDelete<mozilla::a11y::AccGroupInfo> >, mozilla::UniquePtr<mozilla::gfx::Matrix4x4Typed<mozilla::gfx::UnknownUnits, mozilla::gfx::UnknownUnits, float>, mozilla::DefaultDelete<mozilla::gfx::Matrix4x4Typed<mozilla::gfx::UnknownUnits, mozilla::gfx::UnknownUnits, float> > >, nsTArray<unsigned long long> > > >::Lookup const xpcom/ds/nsBaseHashtable.h:641
1 xul.dll mozilla::a11y::AccAttributes::GetAttribute const accessible/base/AccAttributes.h:126
1 xul.dll mozilla::a11y::RemoteAccessibleBase<mozilla::a11y::RemoteAccessible>::ChildAtPoint accessible/ipc/RemoteAccessibleBase.cpp:352
2 xul.dll mozilla::a11y::OuterDocAccessible::ChildAtPoint accessible/generic/OuterDocAccessible.cpp:224
3 xul.dll mozilla::a11y::MsaaAccessible::accHitTest accessible/windows/msaa/MsaaAccessible.cpp:1632
4 rpcrt4.dll Invoke 
5 rpcrt4.dll NdrStubCall2

This is a random crash that occurred while accessing the https://www.digi24.ro/ webpage with accessibility.cache.enabled set to true and NVDA enabled.

Unfortunately I don't have any reliable steps, it occurred randomly.

Please feel free to change the component if necessary!

Jamie can this crash be something related to the "Cache the World" feature?

Flags: needinfo?(jteh)

It's definitely Cache the World. Thank you.

Blocks: a11y-ctw
Severity: S2 → S3
Flags: needinfo?(jteh)

Caused by bug 1758689. We assume the document has mCachedFields, but it might not if a client call arrives between the RecvPDocAccessibleConstructor and RecvCache IPDL calls. This is rare, but possible, so we should null check mCachedFields there.

Keywords: regression
Regressed by: 1758689
Assignee: nobody → jteh
Status: NEW → ASSIGNED

Set release status flags based on info from the regressing bug 1758689

status-firefox105: --- → affected
status-firefox106: --- → affected
status-firefox-esr102: --- → unaffected
Pushed by jteh@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/f878938d8cb9
Don't assume the document has a cache yet in RemoteAccessibleBase::ChildAtPoint. r=morgan

https://hg.mozilla.org/mozilla-central/rev/f878938d8cb9

Status: ASSIGNED → RESOLVED
Closed: 2 years ago
status-firefox107: affectedfixed
Resolution: --- → FIXED
Target Milestone: --- → 107 Branch

The patch landed in nightly and beta is affected.
:Jamie, is this bug important enough to require an uplift?

  • If yes, please nominate the patch for beta approval.
  • If no, please set status-firefox106 to wontfix.

For more information, please visit auto_nag documentation.

Flags: needinfo?(jteh)
status-firefox106: affectedwontfix
Flags: needinfo?(jteh)
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: