Closed Bug 1666720 Opened 4 years ago Closed 4 years ago

Crash in AccessibleHandler::CleanupDynamicIA2Data with Vispero's ZoomText or Fusion 2021 Public Beta

Categories

(Core :: Disability Access APIs, defect, P1)

Product:
Core
Component:
Disability Access APIs
Version:
80 Branch
Platform:
Desktop
Windows
Type:
defect

Tracking

()

Status:
VERIFIED FIXED
Milestone:
83 Branch
Tracking Flags:
Tracking Status
firefox-esr78 83+ fixed
firefox80 --- wontfix
firefox81 --- wontfix
firefox82 + fixed
firefox83 --- fixed

People

(Reporter: MarcoZ, Assigned: Jamie)

References

(Regression)

Details

(Keywords: crash, regression)

Attachments

(2 files)

Testcase
(deleted), text/html
Details
Bug 1666720: AccessibleHandler: When refreshing the cache, fetch into a temporary struct rather than into the live cache to avoid problems triggered by COM re-entry.
(deleted), text/x-phabricator-request
jcristau
: approval-mozilla-beta+
jcristau
: approval-mozilla-esr78+
Details

[Tracking Requested - why for this release]:
Regression introduced in 78, crash with external software.

Steps:

  1. Download the Fusion Public Beta from this page and install it.
  2. After restarting your computer, start Fusion first (is normally started automatically the first time after an install), and then Firefox. This order is important.
  3. Open the attached test case. This was sent to us by an engineer at Vispero, and I was able to reproduce the crash with it.
  4. Tab to the first input box and start typing.
    • Result: A parent process crash with reports like this will be submitted.

The people at Vispero were seeing this crash with Firefox 80, I was able to reproduce this with the 83 Nightly build as well.

This is another regression from bug 1640553.

Attached file Testcase (deleted) —

See steps above.

Marco, does this try build (only just kicked off) help? (I haven't tested myself; this is a speculative fix.)

Flags: needinfo?(mzehe)

Unfortunately, this build still crashes with Fusion and the test case. If it is of any use: here is the report for that crash.

Flags: needinfo?(mzehe)

The second try build fixes the crash for me.

Assignee: nobody → jteh
Status: NEW → ASSIGNED
Pushed by mzehe@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/f2e684839464 AccessibleHandler: When refreshing the cache, fetch into a temporary struct rather than into the live cache to avoid problems triggered by COM re-entry. r=MarcoZ

https://hg.mozilla.org/mozilla-central/rev/f2e684839464

Status: ASSIGNED → RESOLVED
Closed: 4 years ago
status-firefox83: affectedfixed
Resolution: --- → FIXED
Target Milestone: --- → 83 Branch

The patch landed in nightly and beta is affected.
:Jamie, is this bug important enough to require an uplift?
If not please set status_beta to wontfix.

For more information, please visit auto_nag documentation.

Flags: needinfo?(jteh)

Verified in Nightly 83.0a1 20200929213959.

Status: RESOLVED → VERIFIED

Comment on attachment 9177517 [details]
Bug 1666720: AccessibleHandler: When refreshing the cache, fetch into a temporary struct rather than into the live cache to avoid problems triggered by COM re-entry.

Beta/Release Uplift Approval Request

  • User impact if declined: Crashes with ZoomText or ZoomText Fusion 2021 assistive technology products (currently in public beta).
  • Is this code covered by automated tests?: No
  • Has the fix been verified in Nightly?: Yes
  • Needs manual test from QE?: No
  • If yes, steps to reproduce:
  • List of other uplifts needed: None
  • Risk to taking this patch: Low
  • Why is the change risky/not risky? (and alternatives if risky): Only affects Windows accessibility. Straightforward patch which updates a complete cache in two stages instead of one.
  • String changes made/needed: None.
Flags: needinfo?(jteh)
Attachment #9177517 - Flags: approval-mozilla-beta?

Comment on attachment 9177517 [details]
Bug 1666720: AccessibleHandler: When refreshing the cache, fetch into a temporary struct rather than into the live cache to avoid problems triggered by COM re-entry.

a11y crash fix, approved for 82.0b6

Attachment #9177517 - Flags: approval-mozilla-beta? → approval-mozilla-beta+

Do we want to fix this in esr78 also?

Flags: needinfo?(jteh)

Comment on attachment 9177517 [details]
Bug 1666720: AccessibleHandler: When refreshing the cache, fetch into a temporary struct rather than into the live cache to avoid problems triggered by COM re-entry.

ESR Uplift Approval Request

  • If this is not a sec:{high,crit} bug, please state case for ESR consideration: Crashes.
  • User impact if declined: Crashes with ZoomText or ZoomText Fusion 2021 assistive technology products (currently in public beta).
  • Fix Landed on Version: 82, 83
  • Risk to taking this patch: Low
  • Why is the change risky/not risky? (and alternatives if risky): Only affects Windows accessibility. Straightforward patch which updates a complete cache in two stages instead of one.
  • String or UUID changes made by this patch: None.
Flags: needinfo?(jteh)
Attachment #9177517 - Flags: approval-mozilla-esr78?

Comment on attachment 9177517 [details]
Bug 1666720: AccessibleHandler: When refreshing the cache, fetch into a temporary struct rather than into the live cache to avoid problems triggered by COM re-entry.

approved for 78.5esr

Attachment #9177517 - Flags: approval-mozilla-esr78? → approval-mozilla-esr78+
Has Regression Range: --- → yes
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: