Closed Bug 1768391 Opened 2 years ago Closed 2 years ago

[CTW] Crash in [@ mozilla::detail::InvalidArrayIndex_CRASH | mozilla::a11y::HyperTextAccessibleBase::GetChildOffset]

Categories

(Core :: Disability Access APIs, defect)

Tracking

RESOLVED FIXED
102 Branch
Tracking Status
firefox-esr91 --- unaffected
firefox100 --- unaffected
firefox101 --- unaffected
firefox102 --- fixed

People

(Reporter: Jamie, Assigned: Jamie)

References

(Blocks 1 open bug, Regression)

Details

(Keywords: crash, regression, Whiteboard: [ctw-m2])

Attachments

(1 file)

Crash report: https://crash-stats.mozilla.org/report/index/02387c94-b296-4b94-ac3d-f32e40220507

Reason: EXCEPTION_BREAKPOINT

Top 10 frames of crashing thread:

0 mozglue.dll mozilla::detail::InvalidArrayIndex_CRASH mfbt/Assertions.cpp:50
1 xul.dll mozilla::a11y::HyperTextAccessibleBase::GetChildOffset const accessible/basetypes/HyperTextAccessibleBase.cpp:71
2 xul.dll mozilla::a11y::ia2AccessibleText::get_nCharacters accessible/windows/ia2/ia2AccessibleText.cpp:376
3 rpcrt4.dll Invoke 
4 ia2marshal.dll seh_filter_dll 
5 rpcrt4.dll NdrStubCall2 
6 combase.dll CStdStubBuffer_Invoke onecore\com\combase\ndr\ndrole\stub.cxx:1552
7 rpcrt4.dll CStdStubBuffer_Invoke 
8 combase.dll ObjectMethodExceptionHandlingAction<<lambda_c9f3956a20c9da92a64affc24fdd69ec> > onecore\com\combase\dcomrem\excepn.hxx:94
9 combase.dll DefaultStubInvoke onecore\com\combase\dcomrem\channelb.cxx:1228

This is almost certainly due to bug 1766794. I haven't been able to reliably reproduce it, but it's happening often enough to be pretty annoying.

My guess is that NVDA is querying HyperText offsets after the RemoteAccessible tree has mutated but before the reorder event has been received. This is a very small window of time, but because they're separate IPDL calls, it's possible that a client call could be handled between them.

If I'm correct, the fix is to invalidate the HyperText cache as we mutate the tree, rather than doing it based on the reorder.

Whiteboard: [ctw-m2]

Previously, we invalidated this cache when the reorder event arrived.
Because the mutation and the reorder event happen in separate IPDL calls, it's possible for a client call to arrive between them.
If that client call queried HyperText offsets, this could result in returning incorrect information to the client or even a parent process crash.
Now, we invalidate the cache during the mutation, so there's no possibility of an intervening client call.
It made sense to put this invalidation call in RemoteAccessibleBase, so I also moved the call to invalidate for text leaf updates into RemoteAccessibleBase so that they're both in the same class.
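The race described in the comments above, as an added toy model (not Firefox code, and not the patch itself): a remote hypertext node with a lazily built child-offset cache, a tree mutation and a reorder event that arrive as two separate messages, and a client query that slips in between them. `HyperTextNode`, `InvalidatePolicy`, `ReplayRace` and `ReplayStaleOffset` are hypothetical names; `GetChildOffset` returns an empty optional where the real code hits the fatal array-index check, so the "before" and "after" invalidation policies can be compared in one program.

```cpp
#include <cassert>
#include <cstddef>
#include <iostream>
#include <optional>
#include <string>
#include <vector>

// Hypothetical model of the two invalidation strategies discussed in the bug.
enum class InvalidatePolicy { OnReorder, OnMutation };

struct TextLeaf { std::string text; };

class HyperTextNode {
 public:
  explicit HyperTextNode(InvalidatePolicy policy) : mPolicy(policy) {}

  // Tree mutation, delivered by the content process in its own message.
  void InsertChild(size_t index, std::string text) {
    mChildren.insert(mChildren.begin() + static_cast<long>(index),
                     TextLeaf{std::move(text)});
    if (mPolicy == InvalidatePolicy::OnMutation) mCachedOffsets.clear();
  }

  // Reorder event, delivered later in a separate message.
  void OnReorder() {
    if (mPolicy == InvalidatePolicy::OnReorder) mCachedOffsets.clear();
  }

  size_t ChildCount() const { return mChildren.size(); }

  // Offset at which child `childIndex` starts; index ChildCount() yields the
  // total character count. A stale cache can be shorter than the live tree;
  // an out-of-range index returns nullopt here instead of a fatal assertion.
  std::optional<int> GetChildOffset(size_t childIndex) const {
    if (mCachedOffsets.empty()) RebuildOffsets();
    if (childIndex >= mCachedOffsets.size()) return std::nullopt;
    return mCachedOffsets[childIndex];
  }

  std::optional<int> CharacterCount() const {
    return GetChildOffset(ChildCount());
  }

 private:
  void RebuildOffsets() const {
    mCachedOffsets.clear();
    int offset = 0;
    for (const auto& leaf : mChildren) {
      mCachedOffsets.push_back(offset);
      offset += static_cast<int>(leaf.text.size());
    }
    mCachedOffsets.push_back(offset);  // sentinel: total length
  }

  InvalidatePolicy mPolicy;
  std::vector<TextLeaf> mChildren;
  mutable std::vector<int> mCachedOffsets;  // constructed lazily
};

// Interleaving from the report: mutation, then a client query, then reorder.
// Under OnReorder the query indexes past the stale cache (the crash);
// under OnMutation it sees the rebuilt cache and the correct count.
std::optional<int> ReplayRace(InvalidatePolicy policy) {
  HyperTextNode node(policy);
  node.InsertChild(0, "Hello ");  // constructed sample text
  node.InsertChild(1, "world");
  node.OnReorder();
  (void)node.CharacterCount();    // warm the cache: offsets {0, 6, 11}
  node.InsertChild(2, "!");       // mutation arrives
  auto seen = node.CharacterCount();  // client query before the reorder
  node.OnReorder();
  return seen;
}

// Same race, but the index stays in range, so the client gets a wrong
// offset rather than a crash: the other outcome the bug mentions.
std::optional<int> ReplayStaleOffset(InvalidatePolicy policy) {
  HyperTextNode node(policy);
  node.InsertChild(0, "Hello ");
  node.OnReorder();
  (void)node.CharacterCount();    // cache: {0, 6}
  node.InsertChild(0, "A");       // prepend one character
  auto seen = node.GetChildOffset(1);  // correct answer is 1
  node.OnReorder();
  return seen;
}

int main() {
  auto before = ReplayRace(InvalidatePolicy::OnReorder);
  auto after = ReplayRace(InvalidatePolicy::OnMutation);
  std::cout << "invalidate on reorder: "
            << (before ? std::to_string(*before) : "out-of-range index")
            << "\ninvalidate on mutation: " << *after << "\n";
  return 0;
}
```

`ReplayRace` prints `out-of-range index` for the old policy and `12` for the new one; `ReplayStaleOffset` shows the quieter failure, returning the stale offset 6 under the old policy and the correct 1 under the new one.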

Set release status flags based on info from the regressing bug 1766794

Has Regression Range: --- → yes
Pushed by jteh@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/3dd1b7e892e0 Invalidate the remote HyperText offsets cache when we mutate the tree. r=eeejay
Status: NEW → RESOLVED
Closed: 2 years ago
Resolution: --- → FIXED
Target Milestone: --- → 102 Branch