UIAutomation Accessibility Applications using GetClickablePoint() can cause Chrome to crash (stack exhaustion due to recursion in ui::AXPlatformNodeWin::accHitTest )
Reported by
is...@smile-email.com,
Apr 26 2018
Issue description

IMPORTANT: Your crash has already been automatically reported to our crash system. Please file this bug only if you can provide more information about it.

Chrome Version: 66.0.3359.117
Operating System: Windows NT 6.3.9600
URL (if applicable) where crash occurred: Wordpress add New post page, e.g. https://www.softaculous.com/demos/WordPress

Can you reproduce this crash? Yes, on some machines

What steps will reproduce this crash? (If it's not reproducible, what were you doing just before the crash?)
1. Install TextExpander (https://www.textexpander.com)
2. Launch Chrome
3. Go to a WordPress "Add New Post" page
4. In the content area, enter an abbreviation, quickly followed by another abbreviation (So that TextExpander expands the snippets twice, one after another).
At this point Chrome can (sometimes) crash, however if you do get chrome to crash on a particular PC, it will repeatably crash.

More detail: I've debugged the crash dump myself and it looks like accHitTest is being called with infinite recursion in ax_platform_node_win.cc. TextExpander will call UIAutomationElement::GetClickablePoint() just before expanding, which seems consistent with this crash.

****DO NOT CHANGE BELOW THIS LINE****
Crash ID: crash/c32afeeee264241b
Apr 26 2018
Issue 837082 has been merged into this issue.
Sep 12
This crash was mentioned on chromium-dev in https://groups.google.com/a/chromium.org/d/msgid/chromium-dev/05f0cf73-9e0d-4455-acb3-442116f74f26%40chromium.org?utm_medium=email&utm_source=footer
Sep 21
Stack trace from that thread:
chrome.dll!_chkstk() Line 99 Unknown
> chrome.dll!Instrumentation::AcquireSample(InstItemData * instItem, char * & argptr) Line 1424 C++
chrome.dll!InstTraceFunctor::operator()(const char * format, ...) Line 121 C++
chrome.dll!base::debug::TaskAnnotator::DidQueueTask(const char * queue_function, const base::PendingTask & pending_task) Line 41 C++
chrome.dll!base::internal::IncomingTaskQueue::PostPendingTaskLockRequired(base::PendingTask * pending_task) Line 334 C++
chrome.dll!base::internal::IncomingTaskQueue::PostPendingTask(base::PendingTask * pending_task) Line 291 C++
chrome.dll!base::internal::IncomingTaskQueue::AddToIncomingQueue(const base::Location & delay, base::OnceCallback<void ()> nestable, base::TimeDelta) Line 86 C++
chrome.dll!base::internal::MessageLoopTaskRunner::PostDelayedTask(const base::Location &) Line 31 C++
chrome.dll!content::`anonymous namespace'::PostTaskHelper(content::BrowserThread::ID identifier, const base::Location & task, base::OnceCallback<void ()> nestable, base::TimeDelta) Line 156 C++
chrome.dll!content::BrowserThread::PostDelayedTask(content::BrowserThread::ID identifier, const base::Location & from_here, base::OnceCallback<void ()>) Line 289 C++
chrome.dll!content::`anonymous namespace'::BrowserThreadTaskRunner::PostDelayedTask(const base::Location &) Line 40 C++
chrome.dll!base::TaskRunner::PostTask(const base::Location &) Line 44 C++
chrome.dll!IPC::ChannelProxy::Context::Send(IPC::Message * message) Line 396 C++
chrome.dll!IPC::ChannelProxy::Send(IPC::Message * message) Line 527 C++
chrome.dll!content::RenderProcessHostImpl::Send(IPC::Message * msg) Line 3031 C++
[External Code]
chrome.dll!content::BrowserAccessibilityManager::HitTest(const gfx::Point & point) Line 745 C++
chrome.dll!content::BrowserAccessibilityManager::CachingAsyncHitTest(const gfx::Point & screen_point) Line 1247 C++
chrome.dll!content::BrowserAccessibilityManager::CachingAsyncHitTest(const gfx::Point & screen_point) Line 1236 C++
chrome.dll!content::BrowserAccessibility::HitTestSync(int x, int y) Line 928 C++
chrome.dll!ui::AXPlatformNodeWin::accHitTest(long x_left, long y_top, tagVARIANT * child) Line 422 C++
chrome.dll!ui::AXPlatformNodeWin::accHitTest(long x_left, long y_top, tagVARIANT * child) Line 440 C++
chrome.dll!ui::AXPlatformNodeWin::accHitTest(long x_left, long y_top, tagVARIANT * child) Line 440 C++
chrome.dll!ui::AXPlatformNodeWin::accHitTest(long x_left, long y_top, tagVARIANT * child) Line 440 C++
chrome.dll!ui::AXPlatformNodeWin::accHitTest(long x_left, long y_top, tagVARIANT * child) Line 440 C++
chrome.dll!ui::AXPlatformNodeWin::accHitTest(long x_left, long y_top, tagVARIANT * child) Line 440 C++
chrome.dll!ui::AXPlatformNodeWin::accHitTest(long x_left, long y_top, tagVARIANT * child) Line 440 C++
chrome.dll!ui::AXPlatformNodeWin::accHitTest(long x_left, long y_top, tagVARIANT * child) Line 440 C++
chrome.dll!ui::AXPlatformNodeWin::accHitTest(long x_left, long y_top, tagVARIANT * child) Line 440 C++
chrome.dll!ui::AXPlatformNodeWin::accHitTest(long x_left, long y_top, tagVARIANT * child) Line 440 C++
chrome.dll!ui::AXPlatformNodeWin::accHitTest(long x_left, long y_top, tagVARIANT * child) Line 440 C++
chrome.dll!ui::AXPlatformNodeWin::accHitTest(long x_left, long y_top, tagVARIANT * child) Line 440 C++
chrome.dll!ui::AXPlatformNodeWin::accHitTest(long x_left, long y_top, tagVARIANT * child) Line 440 C++
chrome.dll!ui::AXPlatformNodeWin::accHitTest(long x_left, long y_top, tagVARIANT * child) Line 440 C++
<continues past the size of dump file>
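Added example (not part of the original thread or of Chromium's code): a small Python triage helper for call stacks in the Visual Studio format quoted above. It measures the longest run of identical consecutive frames and reports whether that run reaches the truncated end of the dump, the case in which the dump alone cannot separate unbounded recursion from a deep but finite one. The names `parse_frames`, `triage` and `SAMPLE` are hypothetical, and `SAMPLE` is a constructed excerpt.

```python
import re
from itertools import groupby

# One Visual Studio call-stack line: "[> ]module!signature Line N Lang"
FRAME_RE = re.compile(r"^>?\s*(?P<mod>[^!\s]+)!(?P<sig>.+?)\s+Line\s+(?P<line>\d+)\b")

# Constructed sample in the format of the trace quoted above (innermost frame first).
_HIT = "chrome.dll!ui::AXPlatformNodeWin::accHitTest(long x_left, long y_top, tagVARIANT * child)"
SAMPLE = (
    "chrome.dll!content::BrowserAccessibility::HitTestSync(int x, int y) Line 928 C++\n"
    + _HIT + " Line 422 C++\n"
    + (_HIT + " Line 440 C++\n") * 13
    + "<continues past the size of dump file>\n"
)


def parse_frames(text):
    """Return [(module, function, line)] for every recognisable frame line."""
    frames = []
    for raw in text.splitlines():
        m = FRAME_RE.match(raw.strip())
        if m:
            frames.append((m["mod"], m["sig"].split("(", 1)[0], int(m["line"])))
    return frames


def triage(text, min_run=5):
    """Summarise self-recursion in a call stack listed innermost frame first."""
    frames = parse_frames(text)
    best, best_len, best_start, pos = None, 0, 0, 0
    for frame, group in groupby(frames):  # runs of identical call sites
        n = len(list(group))
        if n > best_len:
            best, best_len, best_start = frame, n, pos
        pos += n
    return {
        "recursive": best_len >= min_run,
        "call_site": best,
        "visible_depth": best_len,
        # Run reaches the last captured frame: the outer frames are missing, so
        # the true depth (finite or not) cannot be read from this dump.
        "depth_unknown": best_len > 0 and best_start + best_len == len(frames),
        # Frame just inside the run: where the innermost call went instead.
        "exit_frame": frames[best_start - 1] if best_start > 0 else None,
    }
```
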
Sep 21
I'm not finding that crash ID. If you reproduce it again can you visit chrome://crashes and paste anything you find there?
Sep 21
Also, from the stack trace it doesn't look like infinite stack recursion - the top of the stack looks correct as if the hit test found something. Is the stack just too deep?
Sep 28
Closing due to lack of feedback, please feel free to reopen with more info.
Comment 1 by jmukthavaram@chromium.org, Apr 26 2018