10.13, stable (but reproducible in dev builds, and I'm assuming elsewhere)
Repro steps:
1) Navigate to chrome://accessibility
2) Select Chrome Native UI: "show accessibility tree"
3) Observe crash
Stack trace:
* thread #1: tid = 0x16873af, 0x000000011f351741 libcontent.dylib`content::(anonymous namespace)::RecursiveDumpAXPlatformNodeAsString(node=0x0000000000000000, indent=0) + 289 at accessibility_ui.cc:184, name = 'CrBrowserMain', queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x0)
* frame #0: 0x000000011f351741 libcontent.dylib`content::(anonymous namespace)::RecursiveDumpAXPlatformNodeAsString(node=0x0000000000000000, indent=0) + 289 at accessibility_ui.cc:184
frame #1: 0x000000011f3509a0 libcontent.dylib`content::AccessibilityUIMessageHandler::RequestNativeUITree(this=0x0000000155cb83a0, args=0x00007ffeefbfaa98) + 160 at accessibility_ui.cc:400
frame #2: 0x000000011f353190 libcontent.dylib`void base::internal::FunctorTraits<void (content::AccessibilityUIMessageHandler::*)(base::ListValue const*), void>::Invoke<content::AccessibilityUIMessageHandler*, base::ListValue const*>(method=00 09 35 1f 01 00 00 00 00 00 00 00 00 00 00 00, receiver_ptr=0x00007ffeefbfa2f0, args=0x00007ffeefbfa330)(base::ListValue const*), content::AccessibilityUIMessageHandler*&&, base::ListValue const*&&) + 144 at bind_internal.h:211
frame #3: 0x000000011f3530bf libcontent.dylib`void base::internal::InvokeHelper<false, void>::MakeItSo<void (functor=0x0000000155c79350, args=0x00007ffeefbfa2f0, args=0x00007ffeefbfa330)(base::ListValue const*), content::AccessibilityUIMessageHandler*, base::ListValue const*>(void (content::AccessibilityUIMessageHandler::* const&&&)(base::ListValue const*), content::AccessibilityUIMessageHandler*&&, base::ListValue const*&&) + 95 at bind_internal.h:294
frame #4: 0x000000011f353033 libcontent.dylib`void base::internal::Invoker<base::internal::BindState<void (content::AccessibilityUIMessageHandler::*)(base::ListValue const*), base::internal::UnretainedWrapper<content::AccessibilityUIMessageHandler> >, void (base::ListValue const*)>::RunImpl<void (functor=0x0000000155c79350, bound=0x0000000155c79360, (null)=std::__1::index_sequence<0UL> @ 0x00007ffeefbfa2c0, unbound_args=0x00007ffeefbfa330)(base::ListValue const*), std::__1::tuple<base::internal::UnretainedWrapper<content::AccessibilityUIMessageHandler> > const&, 0ul>(void (content::AccessibilityUIMessageHandler::* const&&&)(base::ListValue const*), std::__1::tuple<base::internal::UnretainedWrapper<content::AccessibilityUIMessageHandler> > const&&&, std::__1::integer_sequence<unsigned long, 0ul>, base::ListValue const*&&) + 115 at bind_internal.h:368
frame #5: 0x000000011f352f1a libcontent.dylib`base::internal::Invoker<base::internal::BindState<void (content::AccessibilityUIMessageHandler::*)(base::ListValue const*), base::internal::UnretainedWrapper<content::AccessibilityUIMessageHandler> >, void (base::ListValue const*)>::Run(base=0x0000000155c79330, unbound_args=0x00007ffeefbfaa98) + 74 at bind_internal.h:350
frame #6: 0x0000000120c7e6a1 libcontent.dylib`base::RepeatingCallback<void (base::ListValue const*)>::Run(this=0x0000000155cf4948, args=0x00007ffeefbfaa98) const + 97 at callback.h:94
frame #7: 0x0000000120c7e588 libcontent.dylib`content::WebUIImpl::ProcessWebUIMessage(this=0x0000000155c79270, source_url=0x00007ffeefbfaa08, message="requestNativeUITree", args=0x00007ffeefbfaa98) + 1160 at web_ui_impl.cc:258
frame #8: 0x0000000120c7b64b libcontent.dylib`content::WebUIImpl::OnWebUISend(this=0x0000000155c79270, sender=0x0000000158829800, source_url=0x00007ffeefbfaa08, message="requestNativeUITree", args=0x00007ffeefbfaa98) + 267 at web_ui_impl.cc:125
frame #9: 0x0000000120c7f8cf libcontent.dylib`void IPC::DispatchToMethodImpl<content::WebUIImpl, void (content::WebUIImpl::*)(content::RenderFrameHost*, GURL const&, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > const&, base::ListValue const&), content::RenderFrameHost, std::__1::tuple<GURL, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> >, base::ListValue>, 0ul, 1ul, 2ul>(obj=0x0000000155c79270, method=40 b5 c7 20 01 00 00 00 00 00 00 00 00 00 00 00, parameter=0x0000000158829800, tuple=0x00007ffeefbfaa08, (null)=std::__1::index_sequence<0UL, 1UL, 2UL> @ 0x00007ffeefbfa7d0)(content::RenderFrameHost*, GURL const&, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > const&, base::ListValue const&), content::RenderFrameHost*, std::__1::tuple<GURL, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> >, base::ListValue>&&, std::__1::integer_sequence<unsigned long, 0ul, 1ul, 2ul>) + 271 at ipc_message_templates.h:64
frame #10: 0x0000000120c7f6c0 libcontent.dylib`std::__1::enable_if<(sizeof...(GURL const&, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > const&, base::ListValue const&)) == (std::tuple_size<std::__1::decay<std::__1::tuple<GURL, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> >, base::ListValue> >::type>::value), void>::type IPC::DispatchToMethod<content::WebUIImpl, content::RenderFrameHost, GURL const&, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > const&, base::ListValue const&, std::__1::tuple<GURL, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> >, base::ListValue> >(obj=0x0000000155c79270, method=40 b5 c7 20 01 00 00 00 00 00 00 00 00 00 00 00, parameter=0x0000000158829800, tuple=0x00007ffeefbfaa08)(content::RenderFrameHost*, GURL const&, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > const&, base::ListValue const&), content::RenderFrameHost*, std::__1::tuple<GURL, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> >, base::ListValue>&&) + 112 at ipc_message_templates.h:76
frame #11: 0x0000000120c7b4bf libcontent.dylib`bool IPC::MessageT<FrameHostMsg_WebUISend_Meta, std::__1::tuple<GURL, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> >, base::ListValue>, void>::Dispatch<content::WebUIImpl, content::WebUIImpl, content::RenderFrameHost, void (msg=0x000000015855de78, obj=0x0000000155c79270, sender=0x0000000155c79270, parameter=0x0000000158829800, func=40 b5 c7 20 01 00 00 00 00 00 00 00 00 00 00 00)(content::RenderFrameHost*, GURL const&, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > const&, base::ListValue const&)>(IPC::Message const*, content::WebUIImpl*, content::WebUIImpl*, content::RenderFrameHost*, void (content::WebUIImpl::*)(content::RenderFrameHost*, GURL const&, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > const&, base::ListValue const&)) + 863 at ipc_message_templates.h:146
frame #12: 0x0000000120c7b12c libcontent.dylib`content::WebUIImpl::OnMessageReceived(this=0x0000000155c79270, message=0x000000015855de78, sender=0x0000000158829800) + 124 at web_ui_impl.cc:101
frame #13: 0x0000000120bc5fbc libcontent.dylib`content::WebContentsImpl::OnMessageReceived(this=0x0000000156833e00, render_frame_host=0x0000000158829800, message=0x000000015855de78) + 92 at web_contents_impl.cc:820
frame #14: 0x000000011fda702f libcontent.dylib`content::RenderFrameHostImpl::OnMessageReceived(this=0x0000000158829800, msg=0x000000015855de78) + 303 at render_frame_host_impl.cc:893
frame #15: 0x0000000120681d59 libcontent.dylib`content::RenderProcessHostImpl::OnMessageReceived(this=0x000000015889e200, msg=0x000000015855de78) + 841 at render_process_host_impl.cc:2912
frame #16: 0x000000011b38d5c8 libipc.dylib`IPC::ChannelProxy::Context::OnDispatchMessage(this=0x000000015859d110, message=0x000000015855de78) + 152 at ipc_channel_proxy.cc:320
frame #17: 0x000000011b39465f libipc.dylib`void base::internal::FunctorTraits<void (IPC::ChannelProxy::Context::*)(IPC::Message const&), void>::Invoke<scoped_refptr<IPC::ChannelProxy::Context> const&, IPC::Message const&>(method=30 d5 38 1b 01 00 00 00 00 00 00 00 00 00 00 00, receiver_ptr=0x000000015855de70, args=0x000000015855de78)(IPC::Message const&), scoped_refptr<IPC::ChannelProxy::Context> const&&&, IPC::Message const&&&) + 143 at bind_internal.h:211
frame #18: 0x000000011b39455f libipc.dylib`void base::internal::InvokeHelper<false, void>::MakeItSo<void (functor=0x000000015855de60, args=0x000000015855de70, args=0x000000015855de78)(IPC::Message const&), scoped_refptr<IPC::ChannelProxy::Context> const&, IPC::Message const&>(void (IPC::ChannelProxy::Context::* const&&&)(IPC::Message const&), scoped_refptr<IPC::ChannelProxy::Context> const&&&, IPC::Message const&&&) + 95 at bind_internal.h:294
frame #19: 0x000000011b3944ed libipc.dylib`void base::internal::Invoker<base::internal::BindState<void (IPC::ChannelProxy::Context::*)(IPC::Message const&), scoped_refptr<IPC::ChannelProxy::Context>, IPC::Message>, void ()>::RunImpl<void (functor=0x000000015855de60, bound=0x000000015855de70, (null)=std::__1::index_sequence<0UL, 1UL> @ 0x00007ffeefbfb470)(IPC::Message const&), std::__1::tuple<scoped_refptr<IPC::ChannelProxy::Context>, IPC::Message> const&, 0ul, 1ul>(void (IPC::ChannelProxy::Context::* const&&&)(IPC::Message const&), std::__1::tuple<scoped_refptr<IPC::ChannelProxy::Context>, IPC::Message> const&&&, std::__1::integer_sequence<unsigned long, 0ul, 1ul>) + 125 at bind_internal.h:368
frame #20: 0x000000011b3943fc libipc.dylib`base::internal::Invoker<base::internal::BindState<void (IPC::ChannelProxy::Context::*)(IPC::Message const&), scoped_refptr<IPC::ChannelProxy::Context>, IPC::Message>, void ()>::Run(base=0x000000015855de40) + 44 at bind_internal.h:350
frame #21: 0x00000001185fc0cf libbase.dylib`base::OnceCallback<void ()>::Run(this=0x00007ffeefbfbc88) && + 95 at callback.h:65
frame #22: 0x000000011865c404 libbase.dylib`base::debug::TaskAnnotator::RunTask(this=0x000000014de3ec30, queue_function="MessageLoop::PostTask", pending_task=0x00007ffeefbfbc88) + 884 at task_annotator.cc:55
frame #23: 0x00000001187397aa libbase.dylib`base::internal::IncomingTaskQueue::RunTask(this=0x000000014de3ebd0, pending_task=0x00007ffeefbfbc88) + 234 at incoming_task_queue.cc:124
frame #24: 0x000000011874647f libbase.dylib`base::MessageLoop::RunTask(this=0x000000014de24130, pending_task=0x00007ffeefbfbc88) + 911 at message_loop.cc:399
frame #25: 0x0000000118746a69 libbase.dylib`base::MessageLoop::DeferOrRunPendingTask(this=0x000000014de24130, pending_task=PendingTask @ 0x00007ffeefbfbc88) + 89 at message_loop.cc:411
frame #26: 0x0000000118746d99 libbase.dylib`base::MessageLoop::DoWork(this=0x000000014de24130) + 569 at message_loop.cc:455
frame #27: 0x0000000118755282 libbase.dylib`base::MessagePumpCFRunLoopBase::RunWork(this=0x000000014de39580) + 98 at message_pump_mac.mm:462
frame #28: 0x000000011875520c libbase.dylib`::___ZN4base24MessagePumpCFRunLoopBase13RunWorkSourceEPv_block_invoke(.block_descriptor=0x00007ffeefbfbeb0) + 28 at message_pump_mac.mm:439
frame #29: 0x00000001186f709a libbase.dylib`base::mac::CallWithEHFrame(void () block_pointer) + 10 at call_with_eh_frame_asm.S:36
frame #30: 0x00000001187540f5 libbase.dylib`base::MessagePumpCFRunLoopBase::RunWorkSource(info=0x000000014de39580) + 101 at message_pump_mac.mm:438
frame #31: 0x00007fff47ccb711 CoreFoundation`__CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__ + 17
frame #32: 0x00007fff47d8339c CoreFoundation`__CFRunLoopDoSource0 + 108
frame #33: 0x00007fff47cae700 CoreFoundation`__CFRunLoopDoSources0 + 208
frame #34: 0x00007fff47cadb7d CoreFoundation`__CFRunLoopRun + 1293
frame #35: 0x00007fff47cad3d7 CoreFoundation`CFRunLoopRunSpecific + 487
frame #36: 0x00007fff46fbae26 HIToolbox`RunCurrentEventLoopInMode + 286
frame #37: 0x00007fff46fbab96 HIToolbox`ReceiveNextEventCommon + 613
frame #38: 0x00007fff46fba914 HIToolbox`_BlockUntilNextEventMatchingListInModeWithFilter + 64
frame #39: 0x00007fff45285f5f AppKit`_DPSNextEvent + 2085
frame #40: 0x00007fff45a1bb4c AppKit`-[NSApplication(NSEvent) _nextEventMatchingEventMask:untilDate:inMode:dequeue:] + 3044
frame #41: 0x0000000103c8b7ea libchrome_dll.dylib`::__71-[BrowserCrApplication nextEventMatchingMask:untilDate:inMode:dequeue:]_block_invoke(.block_descriptor=0x00007ffeefbfd568) + 106 at chrome_browser_application_mac.mm:174
frame #42: 0x00000001186f709a libbase.dylib`base::mac::CallWithEHFrame(void () block_pointer) + 10 at call_with_eh_frame_asm.S:36
frame #43: 0x0000000103c8b688 libchrome_dll.dylib`::-[BrowserCrApplication nextEventMatchingMask:untilDate:inMode:dequeue:](self=0x000000014de008c0, _cmd="nextEventMatchingMask:untilDate:inMode:dequeue:", mask=18446744073709551615, expiration=4001-01-01 00:00:00 UTC, mode="kCFRunLoopDefaultMode", dequeue=YES) + 248 at chrome_browser_application_mac.mm:173
frame #44: 0x00007fff4527ad6d AppKit`-[NSApplication run] + 764
frame #45: 0x00000001187568d2 libbase.dylib`base::MessagePumpNSApplication::DoRun(this=0x000000014de39580, delegate=0x000000014de24130) + 354 at message_pump_mac.mm:815
frame #46: 0x0000000118753794 libbase.dylib`base::MessagePumpCFRunLoopBase::Run(this=0x000000014de39580, delegate=0x000000014de24130) + 116 at message_pump_mac.mm:189
frame #47: 0x0000000118745c33 libbase.dylib`base::MessageLoop::Run(this=0x000000014de24130, application_tasks_allowed=true) + 579 at message_loop.cc:350
frame #48: 0x000000011884c371 libbase.dylib`base::RunLoop::Run(this=0x00007ffeefbfe110) + 593 at run_loop.cc:133
frame #49: 0x0000000103c9ce8c libchrome_dll.dylib`ChromeBrowserMainParts::MainMessageLoopRun(this=0x0000000152704780, result_code=0x0000000152700cb8) + 364 at chrome_browser_main.cc:2207
frame #50: 0x000000011f6db6d5 libcontent.dylib`content::BrowserMainLoop::RunMainMessageLoopParts(this=0x0000000152700ca0) + 453 at browser_main_loop.cc:1162
frame #51: 0x000000011f6e507a libcontent.dylib`content::BrowserMainRunnerImpl::Run(this=0x0000000152700ac0) + 378 at browser_main_runner.cc:145
frame #52: 0x000000011f6cd9f2 libcontent.dylib`content::BrowserMain(parameters=0x00007ffeefbfeb88) + 658 at browser_main.cc:46
frame #53: 0x00000001222ed01b libcontent.dylib`content::RunNamedProcessTypeMain(process_type="", main_function_params=0x00007ffeefbfeb88, delegate=0x00007ffeefbff628) + 603 at content_main_runner.cc:423
frame #54: 0x00000001222ee896 libcontent.dylib`content::ContentMainRunnerImpl::Run(this=0x000000010010f2f0) + 1334 at content_main_runner.cc:713
frame #55: 0x00000001222e5465 libcontent.dylib`content::ContentServiceManagerMainDelegate::RunEmbedderProcess(this=0x00007ffeefbff550) + 53 at content_service_manager_main_delegate.cc:51
frame #56: 0x000000011815e850 libembedder.dylib`service_manager::Main(params=0x00007ffeefbff538) + 2128 at main.cc:456
frame #57: 0x00000001222ecd7c libcontent.dylib`content::ContentMain(params=0x00007ffeefbff5f0) + 92 at content_main.cc:19
frame #58: 0x000000010180658e libchrome_dll.dylib`::ChromeMain(argc=1, argv=0x00007ffeefbff7a0) + 270 at chrome_main.cc:144
frame #59: 0x0000000100000de6 Chromium`main(argc=1, argv=0x00007ffeefbff7a0) + 630 at chrome_exe_main_mac.cc:165
frame #60: 0x00007fff6f64f115 libdyld.dylib`start + 1
Comment 1 by ellyjo...@chromium.org, Feb 8 2018
Labels: -Pri-3 Pri-2
Owner: ellyjo...@chromium.org
Status: Assigned (was: Available)