1034640 - crash in nsAccessibilityService::CreateAccessibleByFrameType(nsIFrame*, nsIContent*, mozilla::a11y::Accessible*)

Status: RESOLVED FIXED

(Core :: Disability Access APIs, defect)

Description

[Martijn Wargers (dead)]

Attachment: testcase

See testcase, which crashes within 50ms after load.
You need to have the specialpowers extension installed to get the crash: 
http://people.mozilla.org/~mwargers/extensions/specialpowers/specialpowers_20140612.xpi

The iframe content consists of this:
<html><head></head>
<body style="display: table-row;">
<table style="display: inline; visibility: collapse;">
<tbody>
<tr style="display: list-item;">
</tr>
</tbody>
</table>
</body>
</html>

This bug was filed from the Socorro interface and is 
report bp-9017e5bf-899a-4f39-8987-7eb3b2140704.
=============================================================
0 	XUL 	nsAccessibilityService::CreateAccessibleByFrameType(nsIFrame*, nsIContent*, mozilla::a11y::Accessible*) 	accessible/generic/Accessible-inl.h
1 	XUL 	nsAccessibilityService::GetOrCreateAccessible(nsINode*, mozilla::a11y::Accessible*, bool*) 	accessible/base/nsAccessibilityService.cpp
2 	XUL 	mozilla::a11y::TreeWalker::NextChildInternal(bool) 	accessible/base/TreeWalker.cpp
3 	XUL 	mozilla::a11y::DocAccessible::CacheChildren() 	accessible/base/TreeWalker.h
4 	XUL 	mozilla::a11y::DocAccessible::CacheChildrenInSubtree(mozilla::a11y::Accessible*, mozilla::a11y::Accessible**) 	accessible/generic/Accessible.cpp
5 	XUL 	mozilla::a11y::DocAccessible::ProcessContentInserted(mozilla::a11y::Accessible*, nsTArray<nsCOMPtr<nsIContent> > const*) 	accessible/generic/DocAccessible.cpp
6 	XUL 	mozilla::a11y::NotificationController::TextEnumerator(mozilla::a11y::NotificationController::nsCOMPtrHashKey<nsIContent>*, void*) 	accessible/base/NotificationController.cpp
7 	XUL 	PL_DHashTableEnumerate(PLDHashTable*, PLDHashOperator (*)(PLDHashTable*, PLDHashEntryHdr*, unsigned int, void*), void*) 	xpcom/glue/pldhash.cpp
8 	XUL 	mozilla::a11y::NotificationController::WillRefresh(mozilla::TimeStamp) 	obj-firefox/x86_64/dist/include/nsTHashtable.h
9 	XUL 	nsRefreshDriver::Tick(long long, mozilla::TimeStamp) 	layout/base/nsRefreshDriver.cpp
10 	XUL 	mozilla::RefreshDriverTimer::Tick() 	layout/base/nsRefreshDriver.cpp

Comment 1

[Martijn Wargers (dead)]

The testcase doesn't seem to crash online.

Comment 2

[alexander :surkov (:asurkov)]

I cannot reproduce it all. Stack is not clear enough.

Comment 3

[Martijn Wargers (dead)]

Attachment: testcase

The testcase seems to crash on reload.
This is on MacOS10.9.3, btw.

Comment 4

[Martijn Wargers (dead)]

Attachment: testcase

Sorry, this should crash online, after the SpecialPowers extension was installed (which makes accessibility turn on with the testcase).
The testcase now automatically reloads and should crash on reload after 1s.

Comment 5

[alexander :surkov (:asurkov)]

Attachment: patch

aContext is hanging document accessible (not bound to parent document yet) and thus it doesn't have a parent. I don't think we allow cross document tables so it doesn't make sense to wait for document binding before we update it.

Comment 6

[Trevor Saunders (:tbsaunde)]

Comment on attachment 8453250 [details] [diff] [review]
patch

>       Accessible* table = aContext->IsTable() ?
>         aContext :
>-        (aContext->Parent()->IsTable() ? aContext->Parent() : nullptr);
>+        (aContext->Parent() && aContext->Parent()->IsTable() ?
>+         aContext->Parent() : nullptr);

this nested ? thing is kind of rediculous, use an if?

Comment 7

[alexander :surkov (:asurkov)]

https://hg.mozilla.org/integration/mozilla-inbound/rev/06a47123670e

Comment 8

[Wes Kocher (:KWierso) (Not reading bugmail; email directly if needed)]

https://hg.mozilla.org/mozilla-central/rev/06a47123670e