Closed Bug 1578185 Opened 5 years ago Closed 5 years ago

Crash in [@ mozilla::a11y::Accessible::RelocateChild]

Categories

(Core :: Disability Access APIs, defect, P1)

Product:
Core
Component:
Disability Access APIs
Platform:
Unspecified
Windows 10
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Tracking Flags:
Tracking Status
firefox-esr68 --- unaffected
firefox70 --- unaffected
firefox71 + fixed
firefox72 --- fixed

People

(Reporter: gsvelto, Assigned: Jamie)

References

(Regression)

Details

(Keywords: crash, regression)

Crash Data

This bug is for crash report bp-0d2d1a28-45b7-4c96-a7ec-3b1c10190901.

Top 10 frames of crashing thread:

0 xul.dll void mozilla::a11y::Accessible::MoveChild accessible/generic/Accessible.cpp:2210
1 xul.dll bool mozilla::a11y::DocAccessible::MoveChild accessible/generic/DocAccessible.cpp:2302
2 xul.dll mozilla::a11y::DocAccessible::ProcessContentInserted accessible/generic/DocAccessible.cpp:1911
3 xul.dll void mozilla::a11y::NotificationController::WillRefresh accessible/base/NotificationController.cpp:743
4 xul.dll void nsRefreshDriver::Tick layout/base/nsRefreshDriver.cpp:1928
5 xul.dll void mozilla::RefreshDriverTimer::TickRefreshDrivers layout/base/nsRefreshDriver.cpp:350
6 xul.dll void mozilla::RefreshDriverTimer::Tick layout/base/nsRefreshDriver.cpp:367
7 xul.dll void mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::TickRefreshDriver layout/base/nsRefreshDriver.cpp:727
8 xul.dll bool mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsync layout/base/nsRefreshDriver.cpp:622
9 xul.dll mozilla::layout::PVsyncChild::OnMessageReceived ipc/ipdl/PVsyncChild.cpp:187

These crashes are triggered by a diagnostic assertion, the raw crash reason is:

MOZ_DIAGNOSTIC_ASSERT(aNewIndex <= mChildren.Length()) (Wrong new index was given)

status-firefox70: --- → affected
status-firefox71: --- → affected
Priority: -- → P1
Regressed by: 1576690
Crash Signature: [@ mozilla::a11y::Accessible::MoveChild] → [@ mozilla::a11y::Accessible::MoveChild] [@ mozilla::a11y::Accessible::RelocateChild ]
Flags: needinfo?(eitan)
Summary: Crash in [@ mozilla::a11y::Accessible::MoveChild] → Crash in [@ mozilla::a11y::Accessible::RelocateChild]

So I think the case here may be similar to bug 1581589.

I suspect we are creating accessibles in a subtree of aria-hidden. I'll put together a patch tomorrow.

Flags: needinfo?(eitan)
Depends on: 1585851

Adding a new signature seen in beta as well as marking nightly as affected.

Crash Signature: [@ mozilla::a11y::Accessible::MoveChild] [@ mozilla::a11y::Accessible::RelocateChild ] → [@ mozilla::a11y::Accessible::MoveChild] [@ mozilla::a11y::Accessible::RelocateChild ] [@ InvalidArrayIndex_CRASH | nsTArray_Impl<T>::InsertElementAt<T> | mozilla::a11y::Accessible::RelocateChild ]
status-firefox72: --- → affected

[Tracking Requested - why for this release]:
the frequency of these signatures is starting to go up at the beginning of the 71 beta cycle - currently they account for 1.8% of tab crashes there

status-firefox70: affectedunaffected
tracking-firefox71: --- → ?
Keywords: regression

Jamie, could you help us find somebody to work on this crash? This is a significant volume of crashes in 71 beta and we were not crashing in 70 beta. Thanks

Flags: needinfo?(jteh)
Assignee: nobody → jteh
Flags: needinfo?(jteh)

This should hopefully have been fixed by bug 1585851:
https://hg.mozilla.org/mozilla-central/rev/61e813c94bc9

crash data from the past couple of days confirms that this crash is fixed in 71.0b8.

Status: NEW → RESOLVED
Closed: 5 years ago
status-firefox71: affectedfixed
status-firefox72: affectedfixed
Resolution: --- → FIXED
Has Regression Range: --- → yes
You need to log in before you can comment on or make changes to this bug.