ChromeVox crashes while navigating
Issue description
Received signal 11 SEGV_MAPERR 00000000003c
#0 0x55e759f2541c base::debug::StackTrace::StackTrace()
#1 0x55e759f24f91 base::debug::(anonymous namespace)::StackDumpSignalHandler()
#2 0x7f61002860c0 <unknown>
#3 0x55e75cf0e719 std::__1::__function::__func<>::operator()()
#4 0x55e75cf0a92f extensions::(anonymous namespace)::NodeIDWrapper::Run()
#5 0x55e759b3fa61 extensions::ObjectBackedNativeHandler::Router()
#6 0x55e75931ab15 v8::internal::FunctionCallbackArguments::Call()
#7 0x55e75931a0ed v8::internal::(anonymous namespace)::HandleApiCallHelper<>()
#8 0x55e7593198c6 v8::internal::Builtin_Impl_HandleApiCall()
#9 0x55e757a6c1ee <unknown>
  r8: 00007ffc69c55b10  r9: 0000000000000c6d r10: 00000000000031f6 r11: 0000000000000c82
 r12: 00007ffc69c55e68 r13: 00001a3b13e4f320 r14: 00001a3b13bd3000 r15: 00001a3b141a3280
  di: 0000000000000089  si: 0000000000000015  bp: 00007ffc69c55ad0  bx: 0000000000000000
  dx: 00007ffc69c55aa4  ax: 0000000000000000  cx: 00001a3b13e52368  sp: 00007ffc69c55aa0
  ip: 000055e75cf0e719 efl: 0000000000010246 cgf: 002b000000000033 erf: 0000000000000004
 trp: 000000000000000e msk: 0000000000000000 cr2: 000000000000003c
[end of stack trace]
Calling _exit(1). Core file will not be generated.
Oct 4
Issue 889189 has been merged into this issue.
Oct 9
Issue 893396 has been merged into this issue.
Oct 9
Current theory: native C++ bindings are in the midst of a tree update when js makes a request (e.g. GetParent). The tree data is actually in an invalid state at this point leading to dereferencing bad memory.
Oct 10
+dmazzoni and +chrishall as FYI. I confirmed the issue here. The automation bindings need a better thought out threading model. I'm thinking about keeping read locks on each ax tree or on the entire set of trees. ChromeVox quickly makes calls to things like node.parent, which translates into a threaded callback on AutomationInternalCustomBindings::GetParent, which sometimes occurs while unserialization is in progress.
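The read-lock idea from the comment above, sketched as an added example (not Chromium's code and not part of the thread): `GuardedTree`, `Node` and `RunStress` are hypothetical names, and the tree is reduced to an id-to-parent table. The writer holds the lock exclusively while unserializing; readers share it and treat a missing node or parent as "no result" rather than dereferencing it.

```cpp
#include <mutex>
#include <optional>
#include <shared_mutex>
#include <thread>
#include <unordered_map>
#include <vector>

// Hypothetical stand-in for one accessibility tree; parent_id -1 marks the root.
struct Node { int id; int parent_id; };
class GuardedTree {
 public:
  // Writer: exclusive lock, so no reader observes a half-applied update.
  void Unserialize(const std::vector<Node>& update) {
    std::unique_lock<std::shared_mutex> lock(mu_);
    nodes_.clear();
    for (const Node& n : update) nodes_[n.id] = n;
  }

  // Reader: shared lock; an unknown node or parent yields nullopt, never a null deref.
  std::optional<int> GetParent(int id) const {
    std::shared_lock<std::shared_mutex> lock(mu_);
    auto it = nodes_.find(id);
    if (it == nodes_.end()) return std::nullopt;
    auto parent = nodes_.find(it->second.parent_id);
    if (parent == nodes_.end()) return std::nullopt;
    return parent->second.id;
  }
 private:
  mutable std::shared_mutex mu_;
  std::unordered_map<int, Node> nodes_;
};

// Constructed stress run: a writer thread alternates two tree shapes while this
// thread asks for node 2's parent. Returns how many answers fit neither shape.
int RunStress(int iterations) {
  GuardedTree tree;
  const std::vector<Node> a = {{1, -1}, {2, 1}};
  const std::vector<Node> b = {{1, -1}, {3, 1}, {2, 3}};
  tree.Unserialize(a);
  std::thread writer([&] {
    for (int i = 0; i < iterations; ++i) tree.Unserialize(i % 2 ? a : b);
  });
  int bad = 0;
  for (int i = 0; i < iterations; ++i) {
    std::optional<int> p = tree.GetParent(2);
    if (!p || (*p != 1 && *p != 3)) ++bad;
  }
  writer.join();
  return bad;
}
```

Building it needs C++17 and thread support (for example `-std=c++17 -pthread`).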
Oct 10
Behavior seen during this bug (copied over from bug 893396)
ChromeVox starts to double all keypresses as seen in this sentence I tried typing:
TThhiiss mmiigghhtt bbee aannootthheerr bbuugg bbuutt ssttrraannee bbeehhaavviioorr hhaappppens aa
This includes ctrl + alt + z, you hear the earcon for turning off/on twice and ChromeVox can't be shut off.
After a few seconds, ChromeVox starts to catch up with itself, the top ChromeVox bar appears, keystrokes are no longer duplicated, and you can turn off ChromeVox.
Oct 10
Possibly related to bug 894249
Oct 11
A possible fix was checked into 71
https://chromium.googlesource.com/chromium/src/+/210142632c6eb24d66dbd4e9a675645a4022839f
@leberly, FYI.
Requesting merge to 70 for the above fix.
Oct 11
This bug requires manual review: We are only 4 days from stable.
Please contact the milestone owner if you have questions.
Owners: benmason@(Android), kariahda@(iOS), geohsu@(ChromeOS), abdulsyed@(Desktop)
For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Oct 11
Oct 14
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/33c0f34ef8e2ba25f65078ca1cca21f70e4c8ab8
commit 33c0f34ef8e2ba25f65078ca1cca21f70e4c8ab8
Author: David Gunnarsson <dgunnarsson@vewd.com>
Date: Sun Oct 14 13:20:38 2018
Merge to m70: Fix nullpointer crash when traversing accessibility tree
TBR=dmazzoni@chromium.org
Bug: 888566
Change-Id: I2a067705707646f3a2021fb7107661a2c4745bd5
Reviewed-on: https://chromium-review.googlesource.com/1243283
Commit-Queue: Dominic Mazzoni <dmazzoni@chromium.org>
Reviewed-by: Dominic Mazzoni <dmazzoni@chromium.org>
Cr-Original-Commit-Position: refs/heads/master@{#593974}
(cherry picked from commit 210142632c6eb24d66dbd4e9a675645a4022839f)
Reviewed-on: https://chromium-review.googlesource.com/c/1279955
Reviewed-by: David Tseng <dtseng@chromium.org>
Cr-Commit-Position: refs/branch-heads/3538@{#995}
Cr-Branched-From: 79f7c91a2b2a2932cd447fa6f865cb6662fa8fa6-refs/heads/master@{#587811}
[modify] https://crrev.com/33c0f34ef8e2ba25f65078ca1cca21f70e4c8ab8/chrome/renderer/extensions/automation_internal_custom_bindings.cc
Oct 14
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/33c0f34ef8e2ba25f65078ca1cca21f70e4c8ab8
Commit: 33c0f34ef8e2ba25f65078ca1cca21f70e4c8ab8
Author: dgunnarsson@vewd.com
Committer: dtseng@chromium.org
Date: 2018-10-14 13:20:38 +0000 UTC
Merge to m70: Fix nullpointer crash when traversing accessibility tree
TBR=dmazzoni@chromium.org
Bug: 888566
Change-Id: I2a067705707646f3a2021fb7107661a2c4745bd5
Reviewed-on: https://chromium-review.googlesource.com/1243283
Commit-Queue: Dominic Mazzoni <dmazzoni@chromium.org>
Reviewed-by: Dominic Mazzoni <dmazzoni@chromium.org>
Cr-Original-Commit-Position: refs/heads/master@{#593974}
(cherry picked from commit 210142632c6eb24d66dbd4e9a675645a4022839f)
Reviewed-on: https://chromium-review.googlesource.com/c/1279955
Reviewed-by: David Tseng <dtseng@chromium.org>
Cr-Commit-Position: refs/branch-heads/3538@{#995}
Cr-Branched-From: 79f7c91a2b2a2932cd447fa6f865cb6662fa8fa6-refs/heads/master@{#587811}
Oct 30
Issue 894249 has been merged into this issue.
Nov 28
Comment 1 by dtseng@chromium.org, Oct 4