Closed Bug 1767169 Opened 2 years ago Closed 2 years ago

Crash in [@ style::gecko_properties::ComputedValues::get_resolved_value]

Categories

(Core :: Disability Access APIs, defect)

Product:
Core
Component:
Disability Access APIs
Platform:
Unspecified
Windows 10
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
102 Branch
Tracking Flags:
Tracking Status
firefox-esr91 --- unaffected
firefox100 --- unaffected
firefox101 --- disabled
firefox102 --- fixed

People

(Reporter: Jamie, Assigned: Jamie)

References

(Blocks 1 open bug, Regression)

Details

(Keywords: crash, regression)

Crash Data

Attachments

(1 file)

Bug 1767169: When processing queued cache updates, ensure Accessibles haven't been detached from the document.
(deleted), text/x-phabricator-request
Details

Crash report: https://crash-stats.mozilla.org/report/index/6f1be058-4a17-4e81-865a-24c8a0220430

Reason: EXCEPTION_ACCESS_VIOLATION_READ

Top 10 frames of crashing thread:

0 xul.dll style::gecko_properties::ComputedValues::get_resolved_value x86_64-pc-windows-msvc/release/build/style-2d82e9baf87a3ed2/out/properties.rs:66324
1 xul.dll geckoservo::glue::Servo_GetPropertyValue servo/ports/geckolib/glue.rs:6588
2 xul.dll mozilla::a11y::StyleInfo::Display accessible/base/StyleInfo.cpp:23
3 xul.dll mozilla::a11y::LocalAccessible::DisplayStyle const accessible/generic/LocalAccessible.cpp:3557
4 xul.dll mozilla::a11y::LocalAccessible::BundleFieldsForCache accessible/generic/LocalAccessible.cpp:3389
5 xul.dll mozilla::a11y::DocAccessible::ProcessQueuedCacheUpdates accessible/generic/DocAccessible.cpp:1428
6 xul.dll mozilla::a11y::NotificationController::WillRefresh accessible/base/NotificationController.cpp:890
7 xul.dll nsRefreshDriver::Tick layout/base/nsRefreshDriver.cpp:2467
8 xul.dll mozilla::RefreshDriverTimer::TickRefreshDrivers layout/base/nsRefreshDriver.cpp:346
9 xul.dll mozilla::RefreshDriverTimer::Tick layout/base/nsRefreshDriver.cpp:362

I saw this twice but I can't seem to reproduce it now. However, I think it's a regression from bug 1739560. In that patch, I moved the processing of queued cache updates before the firing of mutation events. That means that Accessibles removed from the tree might not be shut down (and thus defunct) yet, since we have this limbo "not in document" state. I took a look at the dump and it confirms this; the Accessible causing the crash has the eNotInDocument flag.

We should check IsInDocument() as well as !IsDefunct().

In bug 1739560, I moved the processing of queued cache updates before the firing of mutation events.
That means that Accessibles removed from the tree might not be shut down (and thus defunct) yet, since we have this limbo "not in document" state.
Therefore, as well as skipping defunct Accessibles, we must also skip Accessibles that are no longer in the document.

Has Regression Range: --- → yes
Pushed by jteh@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/6a2ad49b2630 When processing queued cache updates, ensure Accessibles haven't been detached from the document. r=eeejay

https://hg.mozilla.org/mozilla-central/rev/6a2ad49b2630

Status: NEW → RESOLVED
Closed: 2 years ago
status-firefox102: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → 102 Branch

Set release status flags based on info from the regressing bug 1739560

status-firefox100: --- → unaffected
status-firefox101: --- → affected
status-firefox-esr91: --- → unaffected

The patch landed in nightly and beta is affected.
:Jamie, is this bug important enough to require an uplift?
If not please set status_beta to wontfix.

For more information, please visit auto_nag documentation.

Flags: needinfo?(jteh)
status-firefox101: affecteddisabled
Flags: needinfo?(jteh)
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: