Crash in VBufStorage_buffer_t::deleteNode in Firefox Nightly with Gmail #8924

Closed
MarcoZehe opened this issue Nov 6, 2018 · 7 comments · Fixed by #8930 or #10188

@MarcoZehe MarcoZehe commented Nov 6, 2018

Steps to reproduce:

  1. I was in a Gmail conversation.
  2. Pressed Space on the More Actions for the conversation in the upper tool bar.
  3. Arrowed down in the menu, wanted to add a filter. Got to the Add To Tasks item.
  4. Press DownArrow once more.

Actual behavior:

Reproducible crash that closed Firefox. Sometimes, Crash Reporter doesn't even come up. But once it did, and it gave me this crash report.

Expected behavior:

No crash.

System configuration:

NVDA Installed/portable/running from source:

Installed.

NVDA version:

NVDA version alpha-16220,87eb36f8

Windows version:

Windows 10 insider 18272.

Name and version of other software in use when reproducing the issue:

Firefox 65.0a1 Nightly from November 6.

Other information about your system:

Gmail is in New Design; I believe this is the default now, and you cannot even turn that off any more. It's the standard Gmail, not G Suite.

Other questions:

Does the issue still occur after restarting your PC?

Yes. Reproducible on my system.

Have you tried any other versions of NVDA?

Yes, 2018.3.x does not crash. I suspect this is a result of either the VBuf speedup or the merging of DLLs, or both.

CC @michaelDCurran @jcsteh.


@MarcoZehe MarcoZehe commented Nov 7, 2018

Related Mozilla bug 1505276. And on a second machine, I got a crash with a slightly different signature, but with the same steps. Always once I get past the third menu item from the top, I crash.

I am using NVDA with braille, if that makes a difference.


@jcsteh jcsteh commented Nov 7, 2018

I can't reproduce this, either with or without braille. However, here are some interesting observations.

This Gmail menu is pretty strange. All of the items are in the tree, but not inside the button. However, the focused item is always moved beneath the button using aria-owns and focused using aria-activedescendant. That is, there is only ever one menu item which is a child of the button. When you move the focus, the previously focused menu item returns to the full menu and the newly focused item gets owned and made the active descendant.

Note that the accessibles aren't re-generated in this case. The menu items always have the same ids, but their parents change. We do fire reorder/text change events as usual when the tree mutates, though. The fact that a node with the same id is moving within the tree does make me suspicious that the buffer is somehow not handling that correctly.

This distilled test case illustrates what Gmail is doing. I can't reproduce the crash with this either, but I'm curious if you can, Marco.

data:text/html,<body onkeydown="if (event.key == 'ArrowDown') { let oldActive = owner.getAttribute('aria-activedescendant'); let newActive = oldActive == 'item1' ? 'item2' : 'item1'; owner.setAttribute('aria-owns', newActive); owner.setAttribute('aria-activedescendant', newActive); }"><div id="item1" role="menuitem"><div>item1</div></div><div id="item2" role="menuitem"><div>item2</div></div><div id="owner" role="menu" tabindex="0" aria-owns="item1" aria-activedescendant="item1"><div></div></div></body>
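
The hazard suspected in the comment above, modelled as an added example (not NVDA's code and not part of the original thread; the thread does not confirm this as the root cause): a node whose id stays the same is moved to a new parent, and a buffer that does not detach it from the old parent is left with a dangling child entry once the new parent's subtree is deleted. `ToyBuffer`, its methods and the ids are hypothetical.

```cpp
#include <algorithm>
#include <cstdio>
#include <map>
#include <vector>

// Toy model, NOT NVDA's VBufStorage_buffer_t: nodes keyed by a stable id.
struct Node { int parent = -1; std::vector<int> children; };

struct ToyBuffer {
    std::map<int, Node> nodes;
    void add(int id, int parent) {
        nodes[id].parent = parent;
        if (parent >= 0) nodes[parent].children.push_back(id);
    }
    void unlink(int id) {  // drop id from its parent's child list, if any
        auto p = nodes.find(nodes.at(id).parent);
        if (p == nodes.end()) return;
        auto &sib = p->second.children;
        sib.erase(std::remove(sib.begin(), sib.end(), id), sib.end());
    }
    // detach=false models a buffer that treats the moved node as brand new.
    void reparent(int id, int newParent, bool detach) {
        if (detach) unlink(id);
        nodes[id].parent = newParent;
        nodes[newParent].children.push_back(id);
    }
    void deleteNode(int id) {  // delete id and everything listed beneath it
        auto it = nodes.find(id);
        if (it == nodes.end()) return;
        unlink(id);
        std::vector<int> kids = it->second.children;
        nodes.erase(it);
        for (int k : kids) deleteNode(k);
    }
    // Child entries naming a missing node: dangling pointers in a real tree.
    int staleRefs() const {
        int bad = 0;
        for (const auto &kv : nodes)
            for (int c : kv.second.children)
                if (nodes.find(c) == nodes.end()) ++bad;
        return bad;
    }
};

// Constructed scenario: item 10 moves from the full menu (1) to the owner (2).
int runScenario(bool detach) {
    ToyBuffer b; b.add(0, -1); b.add(1, 0); b.add(2, 0); b.add(10, 1);
    b.reparent(10, 2, detach);
    b.deleteNode(2);  // owner subtree is dropped on re-render
    return b.staleRefs();
}
int main() { std::printf("naive=%d detach=%d\n", runScenario(false), runScenario(true)); }
```

Running a check like `staleRefs()` after every tree mutation in a debug build turns this class of inconsistency into an immediate assertion failure instead of a later crash in node deletion.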


@michaelDCurran michaelDCurran commented Nov 8, 2018


@MarcoZehe MarcoZehe commented Nov 8, 2018

I cannot reproduce the crash with @jcsteh's reduced test case on either machine where I see the crash in Gmail.

Mick, let me know if you need me to test a try build with the code changes to confirm that this fixes the crash. :)


@michaelDCurran michaelDCurran commented Nov 8, 2018


@MarcoZehe MarcoZehe commented Nov 9, 2018

I can confirm that the crash is fixed with this try build. I'd say "go". :)

@nvaccessAuto nvaccessAuto added this to the 2018.4 milestone Nov 9, 2018

@MarcoZehe MarcoZehe commented Nov 9, 2018

I can confirm that the crash is also fixed in the NVDA version alpha-16243,244ed4ec snapshot.

Thank you!
