Closed Bug 307534 Opened 19 years ago Closed 19 years ago

Accessibility cache becomes corrupt leading to crash

Categories

(Core :: Disability Access APIs, defect)

Product:
Core
Component:
Disability Access APIs
Platform:
x86
Windows XP
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED

People

(Reporter: aaronlev, Assigned: aaronlev)

Details

(Keywords: access, fixed1.8)

Attachments

(1 file)

1) Create focused accessible in document/presshell it belongs in, 2) Add safeguards to prevent this from happening again, 3) Fix another talkback crash where infinite reentrancy caused a stack overflo
3.39 KB, patch
parente
: review+
jst
: superreview+
asa
: approval1.8b5+
Details | Diff | Splinter Review 
Recent talkback reports show crashes in nsAccessible::GetNextSibling()

When I ran the testcase I saw an assertion that some elements being initialized
and put in the cache were already in there.

In turns out that we were creating an entry in the current document's cache for
calls into get_accFocus(), even though the focused element may be outside of the
current document.

After speaking with AT vendors, they want get_accFocus() to return the current
focused element, even if it is not in the current document. We just need to make
sure it is cached under the right doc accessible.
The test case is:
Run Window-Eyes 5.5 beta (you can get it from www.gwmicro.com)
Arrow through the Tools menu
Go to Help -> About 
Hit Okay
Go to Help -> About a 2nd time
Flags: blocking1.8b5?
Corrupted cached talkback report:
http://talkback-public.mozilla.org/talkback/fastfind.jsp?search=2&type=iid&id=9015268


Reentrancy overflow:
http://talkback-public.mozilla.org/talkback/fastfind.jsp?search=2&type=iid&id=9125014


I couldn't see from the stack of the reentrancy overflow how it could really
happen, but that's what was happening. What's strange is that it seemed to be
treating have created an HTML4 <button> accessible for an <input
type="button">, but I can't reproduce that one or see how it would occur. The
reentrance check should fix it though, and I've only seen that crash once in
the history of talkback reports.
Attachment #195299 - Flags: superreview?(jst)
Attachment #195299 - Flags: review?(parente)
Severity: normal → critical
Comment on attachment 195299 [details] [diff] [review]
1) Create focused accessible in document/presshell it belongs in, 2) Add safeguards to prevent this from happening again, 3) Fix another talkback crash where infinite reentrancy caused a stack overflo

Are we talking about thread re-entrancy here? If so, is the line "isAlreadyHere
= PR_TRUE;" guaranteed to be an atomic op? If not, re-entrancy can still occur.
(In reply to comment #3)
> (From update of attachment 195299 [details] [diff] [review] [edit])
> Are we talking about thread re-entrancy here? If so, is the line "isAlreadyHere
> = PR_TRUE;" guaranteed to be an atomic op? If not, re-entrancy can still occur.
> 

No, sorry not thread reentrancy. It's just getting in an infinite loop.
See the stack for this report:
http://talkback-public.mozilla.org/talkback/fastfind.jsp?search=2&type=iid&id=9125014
Comment on attachment 195299 [details] [diff] [review]
1) Create focused accessible in document/presshell it belongs in, 2) Add safeguards to prevent this from happening again, 3) Fix another talkback crash where infinite reentrancy caused a stack overflo

sr=jst, but:

- In nsAccessible::AppendFlatStringFromSubtree():

+  static isAlreadyHere;
+  NS_ASSERTION(!isAlreadyHere, "How did reentrancy happen? It shouldn't");
+  if (isAlreadyHere) {
+    return NS_OK; // Prevent stack overflow from reentrency
+  }
+  isAlreadyHere = PR_TRUE;
   nsresult rv = AppendFlatStringFromSubtreeRecurse(aContent, aFlatString);
+  isAlreadyHere = PR_FALSE;

Is this really the right fix for this re-entrancy? Isn't the problem rather the
fact that this method is called for a node from within a call to this method
for the same node? I.e. shouldn't the caller be fixed instead?

sr=jst with that figured out.
Attachment #195299 - Flags: superreview?(jst) → superreview+
Comment on attachment 195299 [details] [diff] [review]
1) Create focused accessible in document/presshell it belongs in, 2) Add safeguards to prevent this from happening again, 3) Fix another talkback crash where infinite reentrancy caused a stack overflo

(In reply to comment #5)
> Is this really the right fix for this re-entrancy? Isn't the problem rather the
> fact that this method is called for a node from within a call to this method
> for the same node? I.e. shouldn't the caller be fixed instead?
> 
> sr=jst with that figured out.

Yes. This has me confused too. Shouldn't AppendFlatStringFromSubtreeRecurse be
fixed so it doesn't call AppendFlatStringFromSubtree when it shouldn't? It just
looks like the check for the terminal condition of the recursion is faulty.

r=parente assuming the right fix
Attachment #195299 - Flags: review?(parente) → review+
I'll just leave that part of the fix out when I check in, and I'll see if it
comes up again with a reproduceable testcase, because I can't figure out how to
fix it the "right" way from the info I have. The crash has only ever happened
once in talkback reports. This was just to fix it in whatever way I could.

If you look at the stack trace below you see that we're calling GetName from
AppendFlatStringFromContentNode.
Funny thing is, the code for AppendFlatStringFromContentNode never calls GetName.

nsAccessible::AppendFlatStringFromContentNode 
nsAccessible::AppendFlatStringFromSubtreeRecurse 
nsAccessible::AppendFlatStringFromSubtree
nsAccessible::GetHTMLName
nsHTML4ButtonAccessible::GetName
nsAccessible::AppendFlatStringFromContentNode 
nsAccessible::AppendFlatStringFromSubtreeRecurse 
nsAccessible::AppendFlatStringFromSubtree
nsAccessible::GetHTMLName
nsHTML4ButtonAccessible::GetName  
Comment on attachment 195299 [details] [diff] [review]
1) Create focused accessible in document/presshell it belongs in, 2) Add safeguards to prevent this from happening again, 3) Fix another talkback crash where infinite reentrancy caused a stack overflo

Seeking a= for the the parts Johnny and Peter didn't have any issues with (not
the nsAccessible.cpp part).
Attachment #195299 - Flags: approval1.8b5?
I checked in everything but the nsAccessible.cpp recursion check.

Could the talkback stack have occured because of some kind of memory corruption
which changed the code?
Status: NEW → RESOLVED
Closed: 19 years ago
Resolution: --- → FIXED
Attachment #195299 - Flags: approval1.8b5? → approval1.8b5+
Flags: blocking1.8b5? → blocking1.8b5+
Keywords: fixed1.8
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: