Freeze when navigating by landmarks with certain labeled article landmarks

[MarcoZehe]

Steps to reproduce:

There are several prerequisites:

1. You have to have an account on some Mastodon social network instance.
2. You have to have the Extended ARIA Add-On installed and the Articles landmark activated.

Steps:

1. Log into https://dev.pinafore.social. Pinafore is an alternative web client to the Mastodon social network.

• If you're not logged in, click the AddInstance link, fill in your instance name, like mastodon.social or toot.cafe, or whichever instance you're on, then click Login.
• Authorize Pinafore to access your account.

2. After you've logged in, start navigating the Home timeline via the letter D. At some point, NVDA will cause a Windows ascending error tone to be heard, and fall silent. The braille display, if connected, will continue to blink, but NVDA is essentially dead then.
3. Restart NVDA, then simply arrow through the page onto any article. A crash does not occur, NVDA reads the article name normally.

Actual behavior:

NVDA produces an error sound, then falls silent. As if it partially crashed. Braille continues to blink, but won't respond to anything.

Expected behavior:

No crash.

System configuration:

NVDA Installed/portable/running from source:

Installed.

NVDA version:

NVDA version alpha-16298,c651588e

Windows version:

Windows 10 19H1 18282 build. But also happens on 1809 regular.

Name and version of other software in use when reproducing the issue:

Firefox Nightly 65.

Other information about your system:

Other questions:

Does the issue still occur after restarting your PC?

Yes.

Have you tried any other versions of NVDA?

2018.4beta, 2018.3.2, happens with both, too.

Log entries

Developer info for an article element that causes this problem:

INFO - globalCommands.GlobalCommands.script_navigatorObject_devInfo (15:28:21.299):
Developer info for navigator object:
name: u'Eric Eggert, RT @bigfinish@twitter.comComing September 2019, @BilliePiper is returning to the #DoctorWho universe in Rose Tyler: The Dimension Cannon. -> http://bit.ly/2FIKkiZFour episodes follow Rose\u2019s mission to seek out the Doctor, the only person who can save the doomed multiverse\u2026, 1 hour ago, @yatil@micro.yatil.net, Unlisted'
role: ROLE_DOCUMENT
states: STATE_READONLY, STATE_FOCUSABLE
isFocusable: True
hasFocus: False
Python object: <baseObject.Dynamic_BrokenFocusedStateDocumentMozillaIAccessible object at 0x05B715F0>
Python class mro: (<class 'baseObject.Dynamic_BrokenFocusedStateDocumentMozillaIAccessible'>, <class 'NVDAObjects.IAccessible.mozilla.BrokenFocusedState'>, <class 'NVDAObjects.IAccessible.mozilla.Document'>, <class 'NVDAObjects.IAccessible.mozilla.Mozilla'>, <class 'NVDAObjects.IAccessible.ia2Web.Document'>, <class 'NVDAObjects.IAccessible.ia2Web.Ia2Web'>, <class 'NVDAObjects.IAccessible.IAccessible'>, <class 'NVDAObjects.window.Window'>, <class 'NVDAObjects.NVDAObject'>, <class 'documentBase.TextContainerObject'>, <class 'baseObject.ScriptableObject'>, <class 'baseObject.AutoPropertyObject'>, <type 'object'>)
description: u''
location: RectLTWH(left=665, top=1398, width=900, height=1013)
value: None
appModule: <'firefox' (appName u'firefox', process ID 2012) at address 5766fb0>
appModule.productName: u'Firefox Nightly'
appModule.productVersion: u'65.0a1'
TextInfo: <class 'NVDAObjects.IAccessible.IA2TextTextInfo'>
windowHandle: 590326L
windowClassName: u'MozillaWindowClass'
windowControlID: 0
windowStyle: 399441920
windowThreadID: 14052
windowText: u'toot.cafe \xb7 Home - Firefox Nightly'
displayText: u''
IAccessibleObject: <POINTER(IAccessible2) ptr=0xc0e57b4 at 5a2b8f0>
IAccessibleChildID: 0
IAccessible event parameters: windowHandle=590326L, objectID=-4, childID=-67109111
IAccessible accName: u'Eric Eggert, RT @bigfinish@twitter.comComing September 2019, @BilliePiper is returning to the #DoctorWho universe in Rose Tyler: The Dimension Cannon. -> http://bit.ly/2FIKkiZFour episodes follow Rose\u2019s mission to seek out the Doctor, the only person' (truncated)
IAccessible accRole: ROLE_SYSTEM_DOCUMENT
IAccessible accState: STATE_SYSTEM_READONLY, STATE_SYSTEM_FOCUSABLE, STATE_SYSTEM_VALID (1048640)
IAccessible accDescription: u''
IAccessible accValue: None
IAccessible2 windowHandle: 590326
IAccessible2 uniqueID: -67109111
IAccessible2 role: ROLE_SYSTEM_DOCUMENT
IAccessible2 states: IA2_STATE_SELECTABLE_TEXT, IA2_STATE_OPAQUE (5120)
IAccessible2 attributes: u'margin-left:0px;text-align:start;text-indent:0px;setsize:20;container-busy:false;margin-right:0px;tag:article;class:status-article status-in-timeline;margin-top:0px;posinset:6;margin-bottom:0px;xml-roles:article;display:grid;explicit-name:true;'

End of nvda.log from pressing D before such a crash onwards

Input: kb(laptop):d
DEBUGWARNING - watchdog.watcher (15:24:05.726):
Trying to recover from freeze, core stack:
File "nvda.pyw", line 217, in
File "core.pyc", line 515, in main
File "wx\core.pyc", line 2134, in MainLoop
File "gui_init.pyc", line 963, in Notify
File "core.pyc", line 486, in run
File "queueHandler.pyc", line 86, in pumpAll
File "queueHandler.pyc", line 53, in flushQueue
File "scriptHandler.pyc", line 145, in _queueScriptCallback
File "scriptHandler.pyc", line 187, in executeScript
File "browseMode.pyc", line 414, in
File "browseMode.pyc", line 386, in quickNavScript
File "virtualBuffers_init.pyc", line 570, in _iterNodesByAttribs

DEBUGWARNING - brailleDisplayDrivers.handyTech.BrailleDisplayDriver._handleInputStream (15:24:10.657):
Unhandled extended packet of type 'U': 'U\x05'
DEBUGWARNING - brailleDisplayDrivers.handyTech.BrailleDisplayDriver._handleInputStream (15:24:10.709):
Unhandled extended packet of type 'U': 'U\xff'
DEBUGWARNING - brailleDisplayDrivers.handyTech.BrailleDisplayDriver._handleInputStream (15:24:10.759):
Unhandled extended packet of type 'U': 'U\x06'
DEBUGWARNING - brailleDisplayDrivers.handyTech.BrailleDisplayDriver._handleInputStream (15:24:10.809):
Unhandled extended packet of type 'U': 'U\xff'
DEBUGWARNING - brailleDisplayDrivers.handyTech.BrailleDisplayDriver._handleInputStream (15:24:10.907):
Unhandled extended packet of type 'U': 'U\x08'
DEBUGWARNING - brailleDisplayDrivers.handyTech.BrailleDisplayDriver._handleInputStream (15:24:11.061):
Unhandled extended packet of type 'U': 'U\xff'
DEBUGWARNING - brailleDisplayDrivers.handyTech.BrailleDisplayDriver._handleInputStream (15:24:11.161):
Unhandled extended packet of type 'U': 'U\n'
DEBUGWARNING - brailleDisplayDrivers.handyTech.BrailleDisplayDriver._handleInputStream (15:24:11.260):
Unhandled extended packet of type 'U': 'U\x0b'
DEBUGWARNING - brailleDisplayDrivers.handyTech.BrailleDisplayDriver._handleInputStream (15:24:11.311):
Unhandled extended packet of type 'U': 'U\xff'
DEBUGWARNING - brailleDisplayDrivers.handyTech.BrailleDisplayDriver._handleInputStream (15:24:11.460):
Unhandled extended packet of type 'U': 'U\r'
DEBUGWARNING - brailleDisplayDrivers.handyTech.BrailleDisplayDriver._handleInputStream (15:24:11.559):
Unhandled extended packet of type 'U': 'U\xff'
WARNING - watchdog.watcher (15:24:20.730):
Core frozen in stack:
File "nvda.pyw", line 217, in
File "core.pyc", line 515, in main
File "wx\core.pyc", line 2134, in MainLoop
File "gui_init.pyc", line 963, in Notify
File "core.pyc", line 486, in run
File "queueHandler.pyc", line 86, in pumpAll
File "queueHandler.pyc", line 53, in flushQueue
File "scriptHandler.pyc", line 145, in _queueScriptCallback
File "scriptHandler.pyc", line 187, in executeScript
File "browseMode.pyc", line 414, in
File "browseMode.pyc", line 386, in quickNavScript
File "virtualBuffers_init.pyc", line 570, in _iterNodesByAttribs

DEBUGWARNING - brailleDisplayDrivers.handyTech.BrailleDisplayDriver._handleInputStream (15:24:35.359):
Unhandled extended packet of type 'U': 'U\x01'
DEBUGWARNING - brailleDisplayDrivers.handyTech.BrailleDisplayDriver._handleInputStream (15:24:35.411):
Unhandled extended packet of type 'U': 'U\xff'
WARNING - watchdog.watcher (15:24:35.740):
Core frozen in stack:
File "nvda.pyw", line 217, in
File "core.pyc", line 515, in main
File "wx\core.pyc", line 2134, in MainLoop
File "gui_init.pyc", line 963, in Notify
File "core.pyc", line 486, in run
File "queueHandler.pyc", line 86, in pumpAll
File "queueHandler.pyc", line 53, in flushQueue
File "scriptHandler.pyc", line 145, in _queueScriptCallback
File "scriptHandler.pyc", line 187, in executeScript
File "browseMode.pyc", line 414, in
File "browseMode.pyc", line 386, in quickNavScript
File "virtualBuffers_init.pyc", line 570, in _iterNodesByAttribs

Other info

The pull request that will introduce these new names for the article elements into Pinafore is here.

[MarcoZehe]

I investigated the Python side of things, and it appears that the call to VBuf_findNodeByAttributes referenced at the bottom of the stack somehow causes a crash or hang in the VBufBackend, or rather VBufStorage. @jcsteh and @michaelDCurran are probably quicker at investigating this than I, since I'm on PTO even. :) Just found this yesterday while trying out the new Pinafore features.

[michaelDCurran]

So far I have confirmed that regex_match is throwing regex_error with a code of error_stack. Apparently there is insufficient memory to check if the expression matches for some of the article names. At very least we can catch the c++ exception and keep searching. But it does mean next/prev landmark may skip certain articles. It would be good to work out what is special about these particular strings. It is certainly not the majority of them.

[nolanlawson]

To try to simplify the repro steps, I've created a static version of the page that reproduces the crash. So it should no longer be required to have a Mastodon account; you can just load this page: http://bl.ocks.org/nolanlawson/raw/07e732b654842a2fe62760c4bda179ee/

As in the original description, you should install the Enhanced Aria plugin and ensure that "Report articles" is enabled in the plugin settings. Then you can press D on the page and eventually you will repro the crash.

[michaelDCurran]

I have tried increasing the stack size of all rpc server threads created for NvDAHelper. However, no matter how large I made the stack the problem remains.
This may be some strange corner case with MSVC's regex processing that resorts in some kind of infinit recursion. If we can try and work out what causes it we could try filtering it out of the strings... but I'm not seeing anything interesting yet. My testing was showing all bad strings ending in the 🎄 (Christmas tree) emoji, but @MarcoZehe provided a log with a string that does not do that.

[jcsteh]

This kind of thing isn't supposed to matter with the STL, but could there be some weird restriction when you allocate a regexp on the stack? We could try building late and allocating on the heap (with That assumes it's size related.new).

[MarcoZehe]

This problem now also occurs in the Twitter PWA. I encountered it once while skipping through my notifications and once while reading through my Home timeline.

[michaelDCurran]

Although I can't reproduce this yet in the Twitter example, back on the original testcase: The freeze occurs in Mozilla Firefox 64 and 67, but not Google Chrome 72 and 74. I have verified that where the c++ regexp match freezes, both the regular expression string and the input were identical in allBrowsers. I will try and simplify the testcase down to a page with only that one article that I know causes the freeze.

[michaelDCurran]

match_regexp freezes if the input is 295 characters or longer. It doesn't matter what the characters are. I was able to reproduce it with an article with an aria-label made up of 295 'x' characters. I will investigate Jamie's idea about allocating the regexp object differently.

[jcsteh]

Failing that, we could just trim any "name" strings longer than 100 characters or so. It's a bit arbitrary, but we don't ever search by name so much as the "presence" of name, so I think we can live with it.

[michaelDCurran]

@jcsteh I logged both the regular expression, and the input string, where the regex match freezes. I doubt this is the cause, but I am finding it hard to read. Should name appear twice? and should IAccessible2::attribute_xml-roles appear twice for both region, and the other group of landmarks (search,main etc)?

Here is the regular expression:

IAccessible2\\:\\:attribute_xml-roles:(?:\\;|[^;])*\b(?:search|form|complementary|banner|contentinfo|article|main|navigation)\b(?:\\;|[^;])*;IAccessible2\\:\\:attribute_xml-roles:(?:\\;|[^;])*\b(?:search|form|complementary|banner|contentinfo|article|main|navigation)\b(?:\\;|[^;])*;name:(?:\\;|[^;])*;|IAccessible2\\:\\:attribute_xml-roles:(?:\\;|[^;])*\b(?:region)\b(?:\\;|[^;])*;IAccessible2\\:\\:attribute_xml-roles:(?:\\;|[^;])*\b(?:region)\b(?:\\;|[^;])*;name:(?:\\;|[^;])+;

And here is the input string:

IAccessible2\:\:attribute_xml-roles:article;IAccessible2\:\:attribute_xml-roles:article;name	:☕🏴‍☠️ Crazypedia 🍵🏴‍☠️, Question for other #mastoadminsI am looking at changing instance hosting providers. If i move to something like #AWS/#Azure does it make sense to offload the #pgSQL to their database service or keep it on the instance? If i move it off the instance, are the resource savings enough to significantly step down the RAM usage, like from 4GB to 2GB or less?I am looking to minimize costs while also learning new things., 2 hours ago, @crazypedia@toot.chat, Public; 

[michaelDCurran]

Actually, I think I get it. As the comments say: It has to match on all attributes for each dictionary. Never mind. Just never really read the output before.