Closed Bug 1715284 Opened 3 years ago Closed 3 years ago

Windows 10 Fission Crash in [@ nsAccessibilityService::GetMarkupMapInfoForNode]

Categories

(Core :: Disability Access APIs, defect)

Product:
Core
Component:
Disability Access APIs
Platform:
Unspecified
Windows
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
92 Branch
Project Flags:
Fission Milestone Future
Tracking Flags:
Tracking Status
firefox-esr78 --- unaffected
firefox-esr91 --- disabled
firefox89 --- disabled
firefox90 --- disabled
firefox91 --- wontfix
firefox92 --- fixed

People

(Reporter: aryx, Unassigned)

References

(Blocks 1 open bug)

Details

(Keywords: crash)

Crash Data

All crashes on Windows 10 with Fisison enabled, oldest build ID in the reports is 89.0a1 20210414160838. For last week, we have 7 Nightly crashes from 5 installations.

Crash report: https://crash-stats.mozilla.org/report/index/e0800b37-7337-4764-93ab-046560210605

Reason: EXCEPTION_ACCESS_VIOLATION_READ

Top 10 frames of crashing thread:

0 xul.dll nsAccessibilityService::GetMarkupMapInfoForNode const accessible/base/nsAccessibilityService.h:367
1 xul.dll mozilla::a11y::HyperTextAccessible::NativeRole const accessible/generic/HyperTextAccessible.cpp:176
2 xul.dll mozilla::a11y::LocalAccessible::Role const accessible/generic/LocalAccessible-inl.h:26
3 xul.dll static mozilla::a11y::nsAccUtils::MustPrune accessible/base/nsAccUtils.cpp:443
4 xul.dll mozilla::a11y::MsaaAccessible::get_accChildCount accessible/windows/msaa/MsaaAccessible.cpp:796
5 xul.dll mozilla::a11y::HandlerProvider::BuildDynamicIA2Data accessible/ipc/win/HandlerProvider.cpp:307
6 xul.dll mozilla::detail::RunnableMethodImpl<mozilla::a11y::HandlerProvider*, void  xpcom/threads/nsThreadUtils.h:1203
7 xul.dll static mozilla::mscom::MainThreadInvoker::MainThreadAPC ipc/mscom/MainThreadInvoker.cpp:172
8 ntdll.dll RtlDispatchAPC 
9 ntdll.dll KiUserApcDispatch
Severity: -- → S2

I'm not sure how this could happen, but based on the fact that these are all Windows 10 Fission, I wonder if we're somehow calling accChildCount on a RemoteIframeDocRemoteAccessibleWrap (used for OOP iframes). That would have a null mContent, which would result in this crash.

If that's the case, this should be fixed by bug 1715230. Let's see what happens when the patches for that land.

Blocks: a11y-fission
Fission Milestone: --- → ?
Depends on: 1715230

The crash doesn't look like a Fission crash, but let's keep an eye on it. Tracking for Fission MVP.

Fission Milestone: ? → MVP

I confirmed this is definitely a Fission crash as I suspected in comment 1. The crash dump shows that the accessible we're looking at here has eProxyType, and in a content process, that could only be RemoteIframeDocRemoteAccessibleWrap, which is only used for OOP iframes.

Jamie, does someone on the Accessibility team have time to investigate this crash?

This crash's volume is pretty low, so maybe this bug doesn't need to block Fission MVP? We saw 40 crashes from 16 installations from Nightly 91, but only 6 crashes from 2 installations in the first week of Beta 91.

https://crash-stats.mozilla.org/signature/?signature=nsAccessibilityService%3A%3AGetMarkupMapInfoForNode&date=%3E%3D2021-01-19T17%3A32%3A00.000Z&date=%3C2021-07-19T17%3A32%3A00.000Z#summary

Fission Milestone: MVP → Future
status-firefox90: affecteddisabled
status-firefox92: --- → affected
Flags: needinfo?(jteh)
OS: Windows 10 → Windows

I'm hoping this is fixed by bug 1715230, which has only just landed. I suggest we monitor to see if the crash goes away with this patch.

Flags: needinfo?(jteh)

No crashes in 92 recently, so I think it's safe to say this is fixed by bug 1715230 (which landed in 92).

Status: NEW → RESOLVED
Closed: 3 years ago
status-firefox91: affectedwontfix
status-firefox92: affectedfixed
Resolution: --- → FIXED
Target Milestone: --- → 92 Branch
You need to log in before you can comment on or make changes to this bug.