-
Type:
Bug
-
Resolution: Fixed
-
Priority:
P3
-
Affects Version/s: 17, 21, 25
-
Component/s: client-libs
-
b27
-
os_x
The application can crash when using accessibility tools on macOS (such as VoiceOver, Voice Control, Zoom, Full Keyboard Access) and interacting with JPopupMenu. This is a regression after JDK-8341311.
We could reproduce the crash in IntelliJ IDEA when using OpenJDK 21.0.9 as runtime, but when trying to recreate the similar scenario in a simple Swing app, it didn't reproduce. It's possible that the custom components in IntelliJ or other parts of our setup affect this. Still, the code path that leads to the crash is clear and needs to account for possible null values.
Specifically, the method `sun.lwawt.macosx.CAccessibility#getCurrentAccessiblePopupMenu` can return null, which then in the native code that calls it, `[MenuAccessibility accessibilityChildren]`, leads to a crash:
#
# A fatal error has been detected by the Java Runtime Environment:
#
# SIGSEGV (0xb) at pc=0x00000001661cfca4, pid=97918, tid=259
#
# JRE version: Java(TM) SE Runtime Environment (21.0.9+7) (build 21.0.9+7-LTS-338)
# Java VM: Java HotSpot(TM) 64-Bit Server VM (21.0.9+7-LTS-338, mixed mode, sharing, tiered, compressed oops, compressed class ptrs, g1 gc, bsd-aarch64)
# Problematic frame:
# C [libawt_lwawt.dylib+0x47ca4] +[CommonComponentAccessibility childrenOfParent:withEnv:withChildrenCode:allowIgnored:recursive:]+0x2c
Host: "Mac14,6" arm64, 12 cores, 64G, Darwin 25.1.0, macOS 26.1 (25B78)
Time: Wed Nov 26 11:04:40 2025 CET elapsed time: 37.019862 seconds (0d 0h 0m 37s)
--------------- T H R E A D ---------------
Current thread (0x0000000a1cab7100): JavaThread "AppKit Thread" daemon [_thread_in_native, id=259, stack(0x000000016b190000,0x000000016b98c000) (8176K)]
Stack: [0x000000016b190000,0x000000016b98c000], sp=0x000000016b985d30, free space=8151k
Native frames: (J=compiled Java code, j=interpreted, Vv=VM code, C=native code)
C [libawt_lwawt.dylib+0x47ca4] +[CommonComponentAccessibility childrenOfParent:withEnv:withChildrenCode:allowIgnored:recursive:]+0x2c
C [libawt_lwawt.dylib+0x80800] -[MenuAccessibility accessibilityChildren]+0x2bc
C [AppKit+0x935af4] -[NSAccessibilityAttributeAccessorInfo getAttributeValue:forObject:]+0x3c
C [AppKit+0x936e84] ___NSAccessibilityEntryPointValueForAttribute_block_invoke.773+0x5f0
C [AppKit+0x932458] NSAccessibilityPerformEntryPointObject+0x2c
C [AppKit+0x12aeb0] _NSAccessibilityEntryPointValueForAttribute+0xe0
C [AppKit+0x5c898] NSAccessibilityChildren+0x68
C [AppKit+0x53b570] -[NSObject(NSObjectAccessibilityAttributeAccessAdditions) accessibilityArrayAttributeCount:]+0x4c
C [AppKit+0x53c6f8] -[NSObject(NSAccessibilityInternal) _accessibilityArrayAttributeValues:index:maxCount:clientError:]+0x90
C [AppKit+0x53ffd8] CopyAttributeValues+0xd0
C [CoreAccessibility+0x2b504] __swift_memcpy25_8+0x36a8
C [HIServices+0x25b50] _AXXMIGCopyAttributeValues+0x1ac
C [HIServices+0x48284] _XCopyAttributeValues+0x198
C [HIServices+0x4edc] mshMIGPerform+0xd0
C [CoreFoundation+0x5ff64] __CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE1_PERFORM_FUNCTION__+0x3c
C [CoreFoundation+0x5fe8c] __CFRunLoopDoSource1+0x1fc
C [CoreFoundation+0x5e8bc] __CFRunLoopRun+0x878
C [CoreFoundation+0x11835c] _CFRunLoopRunSpecificWithOptions+0x214
C [HIToolbox+0xc1768] RunCurrentEventLoopInMode+0x13c
C [HIToolbox+0xc4a90] ReceiveNextEventCommon+0x1e8
C [HIToolbox+0x24e308] _BlockUntilNextEventMatchingListInMode+0x30
C [AppKit+0x5263c0] _DPSBlockUntilNextEventMatchingListInMode+0xec
C [AppKit+0x1fe34] _DPSNextEvent+0x24c
C [AppKit+0xaedf44] -[NSApplication(NSEventRouting) _nextEventMatchingEventMask:untilDate:inMode:dequeue:]+0x2b0
C [AppKit+0xaedc50] -[NSApplication(NSEventRouting) nextEventMatchingMask:untilDate:inMode:dequeue:]+0x48
C [libosxapp.dylib+0x41a8] -[NSApplicationAWT nextEventMatchingMask:untilDate:inMode:dequeue:]+0x90
C [AppKit+0x18780] -[NSApplication run]+0x170
C [libosxapp.dylib+0x3f60] +[NSApplicationAWT runAWTLoopWithApp:]+0xd0
C [libawt_lwawt.dylib+0x6c4b4] +[AWTStarter starter:headless:]+0x1e8
C [libosxapp.dylib+0x5c28] +[ThreadUtilities invokeBlockCopy:]+0x1c
C [Foundation+0x38114] __NSThreadPerformPerform+0x108
C [CoreFoundation+0x5f9e8] __CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__+0x1c
C [CoreFoundation+0x5f97c] __CFRunLoopDoSource0+0xac
C [CoreFoundation+0x5f6e8] __CFRunLoopDoSources0+0xe8
C [CoreFoundation+0x5e378] __CFRunLoopRun+0x334
C [CoreFoundation+0x11835c] _CFRunLoopRunSpecificWithOptions+0x214
C [idea+0x5a6a8] xplat_launcher::main_lib::h6c782f04e7c42fc7+0x1b28
C [idea+0x43f0] std::sys::backtrace::__rust_begin_short_backtrace::hc4f4d0decc7f7219+0xc
C [idea+0x46b8] main+0x2bc
C [dyld+0x8d54] start+0x1c10
siginfo: si_signo: 11 (SIGSEGV), si_code: 2 (SEGV_ACCERR), si_addr: 0x0000000000000030
Steps to reproduce that worked in IntelliJ IDEA:
1. Enable an accessibility tool, such as VoiceOver, Voice Control, Zoom, Full Keyboard Access, in the macOS system settings.
2. Open a combo box with a popup based on JPopupMenu
3. Force GC
4. Open the combo box again
Workarounds: Unknown
We could reproduce the crash in IntelliJ IDEA when using OpenJDK 21.0.9 as runtime, but when trying to recreate the similar scenario in a simple Swing app, it didn't reproduce. It's possible that the custom components in IntelliJ or other parts of our setup affect this. Still, the code path that leads to the crash is clear and needs to account for possible null values.
Specifically, the method `sun.lwawt.macosx.CAccessibility#getCurrentAccessiblePopupMenu` can return null, which then in the native code that calls it, `[MenuAccessibility accessibilityChildren]`, leads to a crash:
#
# A fatal error has been detected by the Java Runtime Environment:
#
# SIGSEGV (0xb) at pc=0x00000001661cfca4, pid=97918, tid=259
#
# JRE version: Java(TM) SE Runtime Environment (21.0.9+7) (build 21.0.9+7-LTS-338)
# Java VM: Java HotSpot(TM) 64-Bit Server VM (21.0.9+7-LTS-338, mixed mode, sharing, tiered, compressed oops, compressed class ptrs, g1 gc, bsd-aarch64)
# Problematic frame:
# C [libawt_lwawt.dylib+0x47ca4] +[CommonComponentAccessibility childrenOfParent:withEnv:withChildrenCode:allowIgnored:recursive:]+0x2c
Host: "Mac14,6" arm64, 12 cores, 64G, Darwin 25.1.0, macOS 26.1 (25B78)
Time: Wed Nov 26 11:04:40 2025 CET elapsed time: 37.019862 seconds (0d 0h 0m 37s)
--------------- T H R E A D ---------------
Current thread (0x0000000a1cab7100): JavaThread "AppKit Thread" daemon [_thread_in_native, id=259, stack(0x000000016b190000,0x000000016b98c000) (8176K)]
Stack: [0x000000016b190000,0x000000016b98c000], sp=0x000000016b985d30, free space=8151k
Native frames: (J=compiled Java code, j=interpreted, Vv=VM code, C=native code)
C [libawt_lwawt.dylib+0x47ca4] +[CommonComponentAccessibility childrenOfParent:withEnv:withChildrenCode:allowIgnored:recursive:]+0x2c
C [libawt_lwawt.dylib+0x80800] -[MenuAccessibility accessibilityChildren]+0x2bc
C [AppKit+0x935af4] -[NSAccessibilityAttributeAccessorInfo getAttributeValue:forObject:]+0x3c
C [AppKit+0x936e84] ___NSAccessibilityEntryPointValueForAttribute_block_invoke.773+0x5f0
C [AppKit+0x932458] NSAccessibilityPerformEntryPointObject+0x2c
C [AppKit+0x12aeb0] _NSAccessibilityEntryPointValueForAttribute+0xe0
C [AppKit+0x5c898] NSAccessibilityChildren+0x68
C [AppKit+0x53b570] -[NSObject(NSObjectAccessibilityAttributeAccessAdditions) accessibilityArrayAttributeCount:]+0x4c
C [AppKit+0x53c6f8] -[NSObject(NSAccessibilityInternal) _accessibilityArrayAttributeValues:index:maxCount:clientError:]+0x90
C [AppKit+0x53ffd8] CopyAttributeValues+0xd0
C [CoreAccessibility+0x2b504] __swift_memcpy25_8+0x36a8
C [HIServices+0x25b50] _AXXMIGCopyAttributeValues+0x1ac
C [HIServices+0x48284] _XCopyAttributeValues+0x198
C [HIServices+0x4edc] mshMIGPerform+0xd0
C [CoreFoundation+0x5ff64] __CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE1_PERFORM_FUNCTION__+0x3c
C [CoreFoundation+0x5fe8c] __CFRunLoopDoSource1+0x1fc
C [CoreFoundation+0x5e8bc] __CFRunLoopRun+0x878
C [CoreFoundation+0x11835c] _CFRunLoopRunSpecificWithOptions+0x214
C [HIToolbox+0xc1768] RunCurrentEventLoopInMode+0x13c
C [HIToolbox+0xc4a90] ReceiveNextEventCommon+0x1e8
C [HIToolbox+0x24e308] _BlockUntilNextEventMatchingListInMode+0x30
C [AppKit+0x5263c0] _DPSBlockUntilNextEventMatchingListInMode+0xec
C [AppKit+0x1fe34] _DPSNextEvent+0x24c
C [AppKit+0xaedf44] -[NSApplication(NSEventRouting) _nextEventMatchingEventMask:untilDate:inMode:dequeue:]+0x2b0
C [AppKit+0xaedc50] -[NSApplication(NSEventRouting) nextEventMatchingMask:untilDate:inMode:dequeue:]+0x48
C [libosxapp.dylib+0x41a8] -[NSApplicationAWT nextEventMatchingMask:untilDate:inMode:dequeue:]+0x90
C [AppKit+0x18780] -[NSApplication run]+0x170
C [libosxapp.dylib+0x3f60] +[NSApplicationAWT runAWTLoopWithApp:]+0xd0
C [libawt_lwawt.dylib+0x6c4b4] +[AWTStarter starter:headless:]+0x1e8
C [libosxapp.dylib+0x5c28] +[ThreadUtilities invokeBlockCopy:]+0x1c
C [Foundation+0x38114] __NSThreadPerformPerform+0x108
C [CoreFoundation+0x5f9e8] __CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__+0x1c
C [CoreFoundation+0x5f97c] __CFRunLoopDoSource0+0xac
C [CoreFoundation+0x5f6e8] __CFRunLoopDoSources0+0xe8
C [CoreFoundation+0x5e378] __CFRunLoopRun+0x334
C [CoreFoundation+0x11835c] _CFRunLoopRunSpecificWithOptions+0x214
C [idea+0x5a6a8] xplat_launcher::main_lib::h6c782f04e7c42fc7+0x1b28
C [idea+0x43f0] std::sys::backtrace::__rust_begin_short_backtrace::hc4f4d0decc7f7219+0xc
C [idea+0x46b8] main+0x2bc
C [dyld+0x8d54] start+0x1c10
siginfo: si_signo: 11 (SIGSEGV), si_code: 2 (SEGV_ACCERR), si_addr: 0x0000000000000030
Steps to reproduce that worked in IntelliJ IDEA:
1. Enable an accessibility tool, such as VoiceOver, Voice Control, Zoom, Full Keyboard Access, in the macOS system settings.
2. Open a combo box with a popup based on JPopupMenu
3. Force GC
4. Open the combo box again
Workarounds: Unknown
- caused by
-
-
- Resolved
-
- links to
-
Commit(master)
openjdk/jdk/019df4d8
-
Review(master)
openjdk/jdk/28599
-
Review(master)
openjdk/jdk/28614