Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Python 3.8: Impossible to navigate in Windows Explorer under Windows Server 2012. #12154

Closed
lukaszgo1 opened this issue Mar 11, 2021 · 7 comments · Fixed by #12298
Closed

Python 3.8: Impossible to navigate in Windows Explorer under Windows Server 2012. #12154

lukaszgo1 opened this issue Mar 11, 2021 · 7 comments · Fixed by #12298
Assignees
@michaelDCurran
Labels
bug/crash bug/regression
Milestone
2021.1

Comments

@lukaszgo1
Copy link
Contributor

Steps to reproduce:

  1. Launch recent Alpha based on Python 3.8
  2. Open run dialog with Windows + R, type %temp% press enter and attempt to navigate in the newly opened folder.

Actual behavior:

Windows error sound plays and NVDA crashes and restarts. If the folder view is still focused after restart NVDA crashes again.

Expected behavior:

Windows Explorer should be navigable with NVDA

System configuration

NVDA installed/portable/running from source:

Tested with both portable and installed

NVDA version:

alpha-21882,528d5708

Windows version:

Windows Server 2012.

Name and version of other software in use when reproducing the issue:

Windows Explorer

Other information about your system:

None relevant.

Other questions

Does the issue still occur after restarting your computer?

Yes

Have you tried any other versions of NVDA? If so, please report their behaviors.

2020.4 works okay, latest Python 3.7 based Alpha works okay.

If add-ons are disabled, is your problem still occurring?

Yes

Did you try to run the COM registry fixing tool in NVDA menu / tools?

Yes with no effect.

The attached zip file contains log at debug level and NVDA crash dump file.
crash.zip
@LeonarddeR
Copy link
Collaborator

Do you have Enable selective registration for UI Automation events and property changes enabled? If so, how does this behave when that's off?

@lukaszgo1
Copy link
Contributor Author

Do you have Enable selective registration for UI Automation events and property changes enabled? If so, how does this behave when that's off?

No, I don't. Enabling selective event registration made the crash way less frequent but it still occurs from time to time.

@LeonarddeR
Copy link
Collaborator

Can this be reproduced with the build from #12155 ?

@lukaszgo1
Copy link
Contributor Author

Can this be reproduced with the build from #12155 ?

Yes, it still happens with this build.

@feerrenrut feerrenrut added this to the 2021.1 milestone Mar 22, 2021
@michaelDCurran
Copy link
Member

Stack trace from crash dump:

 # ChildEBP RetAddr      
00 0623fcf0 723f3e68     UIAutomationCore!AutoRelease<IAccIdentity *>::~AutoRelease<IAccIdentity *>+0x11
01 0623fd24 724111de     UIAutomationCore!ClientIEventHandler<IUIAutomationPropertyChangedEventHandler>::OnEvent+0x135
02 0623fd40 7241125a     UIAutomationCore!EventRecord::CrossProcess_OnEvent+0x59
03 0623fd54 72410297     UIAutomationCore!EventRecord::CallbackAdapter::CrossProcess_OnEvent+0x13
04 0623fdb4 724103cd     UIAutomationCore!SavedEvent::OnMessage+0xd6
05 0623fddc 72411bba     UIAutomationCore!SavedEvent::DoWork+0x31
06 0623fdf0 72411b41     UIAutomationCore!WorkItemQueue::ThreadProc+0x6e
07 0623fdfc 771386e3     UIAutomationCore!WorkItemQueue::StaticThreadProc+0xd
08 0623fe08 77349e89     kernel32!BaseThreadInitThunk+0xe
09 0623fe4c 77349e5c     ntdll!__RtlUserThreadStart+0x72
0a 0623fe64 00000000     ntdll!_RtlUserThreadStart+0x1b

In short it looks like a UI Automation propertyChange event handler is freeing an IAccIdentity COM interface after it has already been freed.

IAccIdentity suggests this is MSAA being proxied by UI Automation. However, we have tried rather hard to stop UIA core from proxying MSAA, especially the mapping of winEvents to UIA propertyChange events, as NVDA already gets them from MSAA itself.

@lukaszgo1 lukaszgo1 mentioned this issue Apr 12, 2021
Closed
@michaelDCurran
Copy link
Member

I have made a try build of NVDA downgraded to Python 3.7, but otherwise identicfal to NVDA master at time of this comment:
https://ci.appveyor.com/api/buildjobs/9j0yrsjmphluhd9n/artifacts/output%2Fnvda_snapshot_try-py37-22369%2C439dc27a.exe
Please give this try build a test and let me know if the issue no longer occurs.

@lukaszgo1
Copy link
Contributor Author

@michaelDCurran I can confirm that UIA controls are once again usable under Windows Server 2012 with the try build that you've posted above.

@michaelDCurran michaelDCurran mentioned this issue Apr 16, 2021
Merged
7 tasks
michaelDCurran added a commit that referenced this issue Apr 20, 2021
@michaelDCurran
Downgrade to Python 3.7 due to stack corruption in Python 3.8+ (#12298)
e019a24 
Fixes #12152
Fixes #12154

Since upgrading to Python 3.8, several serious crashes in NVDA have been reported. Specifically:
• NVDA crashing when using the SAPI4 speech synthesizer: #12152
• NVDA crashing when using Windows Explorer on Windows Server 2012: #12154
Both of these issues were traced to stack corruption after a Python callback of NVDA's was called from external libraries. In SAPI4's case, after calling NVDA's implementation of ITTSBufNotifySink::TextDataStarted, and in the Windows Server 2012 case: IUIAutomationPropertyChangedEventHandler::handlePropertyChangedEvent.
It seems as though libFFI / Python ctypes is not cleaning the stack properly after executing a Python callback with the stdcall calling convention (ctypes WINFUNCTYPE), where the callback contained at least one argument larger than 4 bytes (E.g. a long long, or a VARIANT struct), and the arguments preceding it were such that this argument was not aligned to an 8 byte boundary. E.g. the callback might be:
• callback(void*, long long) or
• callback(void*, void*, int, VARIANT)
See Python bug: https://bugs.python.org/issue38748
On that bug I have attached a minimal testcase.
This bug affects both Python 3.8 and Python 3.9.
The bug is most likely in the libFFI project used by Python's ctypes module. Python 3.8 switched to a much more recent and official version of libFFI I believe.
Although we do really want to move to Python 3.8+ as soon as we can, right now this bug makes it impossible to do so. We could specifically work around the currently known manifestations by moving some of that code into C++, but that brings its own risks, and we still don't know where else this issue may appear in our code. The appropriate thing to do right now is stay on Python 3.7 until we can work with Python / libFFI to get this resolved.

Description of how this pull request fixes the issue:
Downgrades to Python 3.7 by referencing Python 3.7 (rather than 3.8) in NVDA's build system.
The existing PRs that needed to be reverted were:
• Updating brlAPI to a Python 3.8 build: nvaccess/nvda-misc-deps#20
• Switching to using Python's own pgettext: #12109
• calling os.add_dll_directory when loading liblouis: #12020
None of these PRs provided any user visible changes.
The rest of the Python 3.8 work, including the switch to a virtual
environment etc is all compatible with Python 3.7 and can remain.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@michaelDCurran michaelDCurran

Labels
bug/crash bug/regression
Projects
None yet
Milestone
2021.1
Development

Successfully merging a pull request may close this issue.

Downgrade to Python 3.7 due to stack corruption in Python 3.8+ nvaccess/nvda
4 participants
@LeonarddeR @feerrenrut @lukaszgo1 @michaelDCurran