212104 - Browser just exits when find finds a link while running with gtk 2.2 and atk libraries on AIX

Status: RESOLVED FIXED

(Core :: Disability Access APIs, defect)

Description

[Michael Lew]

User-Agent:       Mozilla/5.0 (X11; U; AIX 00FFFFFF4C00; en-US; rv:1.4) Gecko/20030702
Build Identifier: Mozilla/5.0 (X11; U; AIX 00FFFFFF4C00; en-US; rv:1.4) Gecko/20030702

While running with the gtk accessibility modules, mozilla will exit if a search
is done within a web page and the search finds a link.  If the search finds just
text, there is not a problem.  

Reproducible: Always

Steps to Reproduce:
1. Start mozilla so the accessibility library is loaded.
2.  Go to www.mozilla.org
3.  type a '/' to start typeaheadfind.
4.  type an 'm'

Actual Results:  
browser just exits.  

Expected Results:  
First m in mozilla.org link would be hightlighted as the found letter.

Comment 1

[Michael Lew]

The browser find functionality works fine if the accessibility functionality is
not being used.

Comment 2

[Aaron Leventhal]

-> Kyle

Comment 3

[Philip K. Warren]

Confirming this bug. I am seeing this crash with a GTK2 build from today.

Comment 4

[Philip K. Warren]

Attachment: Stack trace

Here is a stack trace from the crash.

Comment 5

[Philip K. Warren]

I did a little more debugging here. It seems that the NS_REINTERPRET_CAST found
here is not working as expected:

442 /* long getSelectedLinkIndex (); */
443 NS_IMETHODIMP nsAccessibleHyperText::GetSelectedLinkIndex(PRInt32
*aSelectedLinkIndex)
444 {
445   *aSelectedLinkIndex = -1;
446 
447   nsCOMPtr<nsIDOMNode> focusedNode;
448   NS_REINTERPRET_CAST(nsAccessible*,
this)->GetFocusedNode(getter_AddRefs(focusedNode));

I have gone through this in the debugger, and nsAccessible::GetFocusedNode is
never called. It seems to trigger function calls within the
nsAccessibleHyperText, but the 'this' pointer has changed, as has the
mTextChildren pointer. This is what is causing the crash at line 131 in
nsAccessibleHyperText.cpp - the mTextChildren pointer is invalid, so any calls
to it trigger a segfault.

At first glance, I don't see how this cast is supposed to work.
nsAccessibleHyperText does not inherit from nsAccessible, so I don't know how
calling GetFocusedNode in this manner will work. Can someone with more
experience with this code explain what is supposed to happen here? Is there
another way to get a nsAccessible object to determine the focused node?

Comment 6

[Michael Lew]

I reproduced a similar problem running on a Linux system.  To reproduce:

1. export GTK_MODULES=gail:atk-bridge:gail-gnome
2. export GNOME_ACCESSIBILITY
3. start browser
4. go to www.mozilla.org/start
4. start typeaheadfind
5. search for 'buga'
6. browser exits

Only occurs with ATK bridge initialized.  I will try to get a stack trace.

Comment 7

[Kyle Yuan]

-> Simford who already has a patch for this.

Comment 8

[Simford]

Attachment: testing patch

actually this patch is more like a workaround.
I added an implementation of GetFocusedNode in nsAccessibleHyperText.

Comment 9

[Simford]

Attachment: patch

change GetFocusedNode() to a static function

Comment 10

[Kyle Yuan]

Comment on attachment 127938 [details] [diff] [review]
patch

r=kyle.

This patch has been tested in our local tree.

Comment 11

[Aaron Leventhal]

Simford, did you do a test build on Windows?

Comment 12

[Kyle Yuan]

Aaron, yes, the patch was built successfully on Windows.

Comment 13

[Henry Jia]

Comment on attachment 127938 [details] [diff] [review]
patch

sr=Henry

Comment 14

[Simford]

checked in trunk.
Thanks Henry and Kyle.

Comment 15

[Simford]

fixed in trunk