Closed Bug 857339 Opened 11 years ago Closed 3 years ago

crash in mozilla::a11y::FocusManager::IsFocused

Categories: Core :: Disability Access APIs, defect, P5
Platform: x86, Windows NT
Status: RESOLVED WORKSFORME
Reporter: wsmwk; Assignee: Unassigned
Keywords: crash
Whiteboard: a11y:crash-mac

This is perhaps related to the Windows file dialog.

This bug was filed from the Socorro interface and is report bp-58cf64b3-ac5c-4ab7-b8fa-19f062130322.
=============================================================
"Trying to attach an image, had a message that the script was busy (whatever that is, please use language I can understand) I locked the laptop as guided, opened it in my name again, tried to attach and it crashed, never had it happen before, any ideas"

0	xul.dll	mozilla::a11y::FocusManager::IsFocused	accessible/src/base/FocusManager.cpp:59
1	xul.dll	Accessible::NativeState	accessible/src/generic/Accessible.cpp:671
2	xul.dll	Accessible::State	accessible/src/generic/Accessible.cpp:1440
3	xul.dll	AccessibleWrap::get_accState	accessible/src/msaa/AccessibleWrap.cpp:468
4	rpcrt4.dll	Invoke	
5	rpcrt4.dll	NdrStubCall2	
6	ole32.dll	NdrpCreateStub	
7	oleaut32.dll	CUnivStubWrapper::Invoke	
8	ole32.dll	SyncStubInvoke	
9	ole32.dll	StubInvoke	
10	ole32.dll	CCtxComChnl::ContextInvoke	
11	ole32.dll	MTAInvoke	
12	ole32.dll	STAInvoke	
13	ole32.dll	AppInvoke	
14	ole32.dll	ComInvokeWithLockAndIPID	
15	ole32.dll	ComInvoke	
16	ole32.dll	ThreadDispatch	
17	ole32.dll	ThreadWndProc	
18	user32.dll	InternalCallWinProc	
19	user32.dll	UserCallWinProcCheckWow	
20	user32.dll	DispatchClientMessage	
21	user32.dll	__fnDWORD	
22	ntdll.dll	KiUserCallbackDispatcher	
23	ntdll.dll	KiUserApcDispatcher	
24	shell32.dll	CDefView::_DoContextMenuPopup	
25	shell32.dll	CDefView::OnSelectionContextMenu	
26	explorerframe.dll	UIItemsView::ShowContextMenu	
27	explorerframe.dll	CItemsView::ShowContextMenu	
28	shell32.dll	CDefView::_DoContextMenu	
29	shell32.dll	CDefView::_OnContextMenu	
30	shell32.dll	CDefView::OnGetTryHarderArray	
31	shell32.dll	CDefView::s_WndProc	
32	user32.dll	InternalCallWinProc	
33	user32.dll	UserCallWinProcCheckWow	
34	user32.dll	CallWindowProcAorW	
35	user32.dll	CallWindowProcW	
36	duser.dll	WndBridge::RawWndProc	
37	user32.dll	InternalCallWinProc	
38	user32.dll	UserCallWinProcCheckWow	
39	user32.dll	DispatchClientMessage	
40	user32.dll	__fnDWORD	
41	ntdll.dll	KiUserCallbackDispatcher	
42	ntdll.dll	KiUserApcDispatcher	
43	user32.dll	RealDefWindowProcW	
44	uxtheme.dll	_ThemeDefWindowProc	
45	uxtheme.dll	ThemeDefWindowProcW	
46	user32.dll	GetRealWindowOwner	
47	explorerframe.dll	ItemLayout::SetSectionCount	
48	user32.dll	InternalCallWinProc	
49	user32.dll	UserCallWinProcCheckWow	
50	user32.dll	CallWindowProcAorW	
51	user32.dll	CallWindowProcW	
52	duser.dll	ExtraInfoWndProc	
53	user32.dll	InternalCallWinProc	
54	user32.dll	UserCallWinProcCheckWow	
55	user32.dll	CallWindowProcAorW	
56	user32.dll	CallWindowProcW	
57	comctl32.dll	CallOriginalWndProc	
58	comctl32.dll	CallNextSubclassProc	
59	comctl32.dll	DefSubclassProc	
60	explorerframe.dll	UIItemsView::_UIItemsViewSubclassProc	
61	explorerframe.dll	UIItemsView::s_UIItemsViewSubclassProc	
62	comctl32.dll	CallNextSubclassProc	
63	comctl32.dll	DefSubclassProc	
64	explorerframe.dll	CToolTipManager::_PropertyToolTipSubclassProc	
65	explorerframe.dll	CToolTipManager::s_PropertyToolTipSubclassProc	
66	comctl32.dll	CallNextSubclassProc	
67	comctl32.dll	DefSubclassProc	
68	comctl32.dll	TTSubclassProc	
69	comctl32.dll	CallNextSubclassProc	
70	comctl32.dll	MasterSubclassProc	
71	user32.dll	InternalCallWinProc	
72	user32.dll	UserCallWinProcCheckWow	
73	user32.dll	DispatchMessageWorker	
74	user32.dll	DispatchMessageW	
75	user32.dll	IsDialogMessageW	
76	user32.dll	DialogBox2	
77	user32.dll	InternalDialogBox	
78	user32.dll	DialogBoxIndirectParamAorW	
79	user32.dll	DialogBoxIndirectParamW	
80	comdlg32.dll	CFileOpenSave::Show	
81	xul.dll	nsFilePicker::ShowFilePicker	widget/windows/nsFilePicker.cpp:968
82	xul.dll	nsFilePicker::ShowW	widget/windows/nsFilePicker.cpp:1059
Component: Disability Access → Disability Access APIs
Product: Thunderbird → Core
Version: 17 → unspecified
Trev, ideas?

aAccessible->GetNode() shouldn't be null since aAccessible is 'this' that complies with mContent->IsElement() == true.

What does 0xc crash address point to here?
Whiteboard: [tbird crash]
(In reply to alexander :surkov from comment #1)
> Trev, ideas?
> 
> aAccessible->GetNode() shouldn't be null since aAccessible is 'this' that
> complies with mContent->IsElement() == true.
> 
> What does 0xc crash address point to here?

Good question. I don't know why 0xc is reported as the crashing address for all these reports.

(Note this is not a high volume crash)
Still around. Seems the stacks are all similar and related to XULTabAccessible, like:

0 	xul.dll mozilla::a11y::FocusManager::IsFocused(mozilla::a11y::Accessible const*) 	accessible/src/base/FocusManager.cpp
1 	xul.dll 	mozilla::a11y::Accessible::NativeState() 	accessible/src/generic/Accessible.cpp
2 	xul.dll 	mozilla::a11y::XULTabAccessible::NativeState() 	accessible/src/xul/XULTabAccessible.cpp
3 	xul.dll 	mozilla::a11y::Accessible::State() 	accessible/src/generic/Accessible.cpp
4 	xul.dll 	mozilla::a11y::AccessibleWrap::get_accState(tagVARIANT, tagVARIANT*)

https://crash-stats.mozilla.com/report/index/f8f09027-bd88-4ed2-b08e-d4c662140911
What's interesting is that the code path is triggered by ffxtn.dll, which is a malicious application. It seems to be one more use case of a11y.
(In reply to alexander :surkov from comment #4)
> what's interesting, the code path is triggered by ffxtn.dll which is
> malicious application, it seems to be one more use case of a11y

Oh crap.
Benjamin, what is the right process here? Nominate ffxtn.dll for WindowsDllBlocklist.cpp?
Flags: needinfo?(benjamin)
Oh I found https://wiki.mozilla.org/Blocklisting#How_to_request_a_block

Alex, is this DLL in all the stacks?
Flags: needinfo?(benjamin)
You can morph this bug into a DLL block if you want. We probably need to make sure that we won't be blocking real things along with the unwanted thing. dmajor can help walk you through it and review patches.
I'm not convinced that a block is worth spending time on. Across all products and channels we get something like 10 crashes a day. Our correlation files don't even include such crashes, so I had to spot-check by hand: about one third have ffxtn, another third have other malware, and the last third look like our fault. The Socorro folks might be able to run a more accurate query if you really want.
Thanks for the manual checking David!

OK let's not morph this bug.
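
The manual spot-check discussed above can be scripted. The following is an added example, not part of this bug or of any Mozilla tooling: it buckets reports for this signature by their loaded modules and ranks third-party modules by how much more often they appear with the signature than without it. The report shape, the baseline module set and example_toolbar.dll are assumptions, and the sample reports are constructed.

```python
from collections import Counter

SIGNATURE = "mozilla::a11y::FocusManager::IsFocused"
FLAGGED = {"ffxtn.dll"}  # the module named in this bug
# Assumption: modules an analyst expects to see in an unmodified process.
BASELINE = {"xul.dll", "ole32.dll", "user32.dll", "oleacc.dll",
            "uiautomationcore.dll"}

# Constructed sample reports, not real crash data. Assumed shape: a crash
# signature plus the filenames of the modules loaded at crash time.
REPORTS = [
    {"signature": SIGNATURE, "modules": ["xul.dll", "ole32.dll", "FFXTN.DLL"]},
    {"signature": SIGNATURE, "modules": ["xul.dll", "user32.dll", "example_toolbar.dll"]},
    {"signature": SIGNATURE, "modules": ["xul.dll", "oleacc.dll", "uiautomationcore.dll"]},
    {"signature": "OtherSignature", "modules": ["xul.dll", "user32.dll"]},
    {"signature": "OtherSignature", "modules": ["xul.dll", "example_toolbar.dll"]},
]

def bucket(modules):
    """Classify one report by the modules it had loaded (case-insensitive)."""
    mods = {m.lower() for m in modules}
    if mods & FLAGGED:
        return "flagged"
    if mods - BASELINE:
        return "unknown-third-party"  # needs manual review
    return "baseline-only"

def share(group):
    """Fraction of reports in the group that loaded each module."""
    seen = Counter(m for r in group for m in {x.lower() for x in r["modules"]})
    return {m: n / len(group) for m, n in seen.items()} if group else {}

def triage(reports, signature):
    """Return bucket counts for one signature and a per-module skew ranking."""
    hits = [r for r in reports if r["signature"] == signature]
    rest = [r for r in reports if r["signature"] != signature]
    buckets = Counter(bucket(r["modules"]) for r in hits)
    in_sig, out_sig = share(hits), share(rest)
    # Third-party modules only: share with the signature minus share without it.
    skew = {m: in_sig[m] - out_sig.get(m, 0.0)
            for m in in_sig if m not in BASELINE}
    return buckets, dict(sorted(skew.items(), key=lambda kv: -kv[1]))

if __name__ == "__main__":
    buckets, skew = triage(REPORTS, SIGNATURE)
    print(dict(buckets))
    print(skew)
```

A module with a skew near zero or below it is loaded about as often in unrelated crashes, which is the signal to check before a block would catch legitimate software.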
Crash Signature: [@ mozilla::a11y::FocusManager::IsFocused(Accessible const*)] → [@ mozilla::a11y::FocusManager::IsFocused(Accessible const*)] [@ mozilla::a11y::FocusManager::IsFocused]
Depends on: 857348
The latest affected Firefox is 56; we should probably mark it wontfix.
Whiteboard: [tbird crash] → [tbird crash] a11y:crash-mac
Priority: -- → P5

Crash rate reduced significantly after version 52.
Both Firefox crashes I looked at have uiautomationcore.dll on the stack.

Also, none of the current crashes are Mac: https://crash-stats.mozilla.org/signature/?version=%2152.9.0esr&version=%2152.8.0esr&signature=mozilla%3A%3Aa11y%3A%3AFocusManager%3A%3AIsFocused&date=%3E%3D2019-10-04T12%3A56%3A00.000Z&date=%3C2020-04-04T12%3A56%3A00.000Z#aggregations

Crash Signature: [@ mozilla::a11y::FocusManager::IsFocused(Accessible const*)] [@ mozilla::a11y::FocusManager::IsFocused] → [@ mozilla::a11y::FocusManager::IsFocused]
Whiteboard: [tbird crash] a11y:crash-mac → a11y:crash-mac

Closing because no crashes reported for 12 weeks.

Status: NEW → RESOLVED
Closed: 3 years ago
Resolution: --- → WORKSFORME