Closed
Bug 1420773
Opened 6 years ago
Closed 3 years ago
stack-overflow [@ mozilla::a11y::Accessible::ARIATransformRole]
Categories: Core :: Disability Access APIs, defect, P2
People: Reporter: tsmith, Assigned: eeejay
References: Blocks 1 open bug
Details: Keywords: crash, testcase, Whiteboard: [a11y:crash][fuzzblocker]
Attachments: 2 files
==2097==ERROR: AddressSanitizer: stack-overflow on address 0x7fffa6617fb8 (pc 0x0000004be4ae bp 0x7fffa6618810 sp 0x7fffa6617fc0 T0)
    #0 0x4be4ad in __asan_memset /builds/worker/workspace/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_interceptors_memintrinsics.cc:27:3
    #1 0x7ff11583a6d6 in DOMString /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/dom/DOMString.h:50:7
    #2 0x7ff11583a6d6 in mozilla::dom::Element::GetAttr(int, nsAtom*, nsTSubstring<char16_t>&) const /builds/worker/workspace/build/src/dom/base/Element.cpp:3055
    #3 0x7ff11d8b9231 in mozilla::a11y::IDRefsIterator::IDRefsIterator(mozilla::a11y::DocAccessible*, nsIContent*, nsAtom*) /builds/worker/workspace/build/src/accessible/base/AccIterator.cpp:261:15
    #4 0x7ff11d92e727 in nsTextEquivUtils::GetTextEquivFromIDRefs(mozilla::a11y::Accessible*, nsAtom*, nsTSubstring<char16_t>&) /builds/worker/workspace/build/src/accessible/base/nsTextEquivUtils.cpp:65:18
    #5 0x7ff11d93f760 in ARIAName /builds/worker/workspace/build/src/accessible/generic/Accessible.cpp:1977:17
    #6 0x7ff11d93f760 in mozilla::a11y::Accessible::Name(nsTString<char16_t>&) /builds/worker/workspace/build/src/accessible/generic/Accessible.cpp:139
    #7 0x7ff11d94d400 in mozilla::a11y::Accessible::ARIATransformRole(mozilla::a11y::roles::Role) /builds/worker/workspace/build/src/accessible/generic/Accessible.cpp:1438:5
    #8 0x7ff11d94d9cb in Role /builds/worker/workspace/build/src/accessible/generic/Accessible-inl.h
    #9 0x7ff11d94d9cb in mozilla::a11y::Accessible::ARIATransformRole(mozilla::a11y::roles::Role) /builds/worker/workspace/build/src/accessible/generic/Accessible.cpp:1474
    #10 0x7ff11d9acbf1 in Role /builds/worker/workspace/build/src/accessible/generic/Accessible-inl.h
    #11 0x7ff11d9acbf1 in mozilla::a11y::HTMLTableAccessible::Caption() const /builds/worker/workspace/build/src/accessible/html/HTMLTableAccessible.cpp:483
    #12 0x7ff11d9ac124 in mozilla::a11y::HTMLTableAccessible::NativeName(nsTString<char16_t>&) /builds/worker/workspace/build/src/accessible/html/HTMLTableAccessible.cpp:429:25
    #13 0x7ff11d93f924 in mozilla::a11y::Accessible::Name(nsTString<char16_t>&) /builds/worker/workspace/build/src/accessible/generic/Accessible.cpp:150:29
    #14 0x7ff11d94d400 in mozilla::a11y::Accessible::ARIATransformRole(mozilla::a11y::roles::Role) /builds/worker/workspace/build/src/accessible/generic/Accessible.cpp:1438:5
    #15 0x7ff11d94d9cb in Role /builds/worker/workspace/build/src/accessible/generic/Accessible-inl.h
    #16 0x7ff11d94d9cb in mozilla::a11y::Accessible::ARIATransformRole(mozilla::a11y::roles::Role) /builds/worker/workspace/build/src/accessible/generic/Accessible.cpp:1474
    #17 0x7ff11d9acbf1 in Role /builds/worker/workspace/build/src/accessible/generic/Accessible-inl.h
    #18 0x7ff11d9acbf1 in mozilla::a11y::HTMLTableAccessible::Caption() const /builds/worker/workspace/build/src/accessible/html/HTMLTableAccessible.cpp:483
    #19 0x7ff11d9ac124 in mozilla::a11y::HTMLTableAccessible::NativeName(nsTString<char16_t>&) /builds/worker/workspace/build/src/accessible/html/HTMLTableAccessible.cpp:429:25
    #20 0x7ff11d93f924 in mozilla::a11y::Accessible::Name(nsTString<char16_t>&) /builds/worker/workspace/build/src/accessible/generic/Accessible.cpp:150:29
    #21 0x7ff11d94d400 in mozilla::a11y::Accessible::ARIATransformRole(mozilla::a11y::roles::Role) /builds/worker/workspace/build/src/accessible/generic/Accessible.cpp:1438:5
    #22 0x7ff11d94d9cb in Role /builds/worker/workspace/build/src/accessible/generic/Accessible-inl.h
    #23 0x7ff11d94d9cb in mozilla::a11y::Accessible::ARIATransformRole(mozilla::a11y::roles::Role) /builds/worker/workspace/build/src/accessible/generic/Accessible.cpp:1474
    #24 0x7ff11d9acbf1 in Role /builds/worker/workspace/build/src/accessible/generic/Accessible-inl.h
    #25 0x7ff11d9acbf1 in mozilla::a11y::HTMLTableAccessible::Caption() const /builds/worker/workspace/build/src/accessible/html/HTMLTableAccessible.cpp:483
    #26 0x7ff11d9ac124 in mozilla::a11y::HTMLTableAccessible::NativeName(nsTString<char16_t>&) /builds/worker/workspace/build/src/accessible/html/HTMLTableAccessible.cpp:429:25
    #27 0x7ff11d93f924 in mozilla::a11y::Accessible::Name(nsTString<char16_t>&) /builds/worker/workspace/build/src/accessible/generic/Accessible.cpp:150:29
    #28 0x7ff11d94d400 in mozilla::a11y::Accessible::ARIATransformRole(mozilla::a11y::roles::Role) /builds/worker/workspace/build/src/accessible/generic/Accessible.cpp:1438:5
    #29 0x7ff11d94d9cb in Role /builds/worker/workspace/build/src/accessible/generic/Accessible-inl.h
    ...
Flags: in-testsuite?
Updated • 6 years ago
Priority: -- → P2
Updated • 6 years ago (Assignee)
Assignee: nobody → eitan
Comment 1 • 6 years ago (Assignee)
Looks like we are stuck in an endless cycle of role calculations between the table and its row..
Updated • 6 years ago (Assignee)
Comment 2 • 6 years ago
(In reply to Eitan Isaacson [:eeejay] from comment #1)
> Looks like we are stuck in an endless cycle of role calculations between the
> table and its row..
Do you have a detailed explanation of what happens here? Is there something wrong with the hierarchy?
Comment 3 • 6 years ago
Eitan, pinging. If you could dump out your findings here, it'd be helpful :)
Flags: needinfo?(eitan)
Comment 4 • 6 years ago (Assignee)
I'm unassigning myself because I don't want to hog this if someone else could fix it..
1. Accessible::Role is called on table@role=region, it calls
2. Accessible::ARIATransformRole with "region" as the aria role to transform. Bug 1358462 added a change(i) that we need to know if the accessible has a name to determine the role in the case of role=region.
3. Because the element is a table, Accessible::Name calls HTMLTableAccessible::NativeName
4. HTMLTableAccessible::NativeName tries to determine the "table" name by retrieving the caption(ii).
5. HTMLTableAccessible::Caption checks to see if the table's first child is a caption(iii)
6. The first child is a tr@role=option, so Accessible::ARIATransformRole is called on it with a role of "option"
7. In order to know if the child should indeed have an "option" role, ARIATransformRole checks for the parent's role, which is table@role=region, so we end up in step 1(iv).
i. https://hg.mozilla.org/mozilla-central/rev/2286518951eb
ii. https://searchfox.org/mozilla-central/rev/2031c0f517185b2bd0e8f6f92f9491b3410c1f7f/accessible/html/HTMLTableAccessible.cpp#429
iii. https://searchfox.org/mozilla-central/rev/2031c0f517185b2bd0e8f6f92f9491b3410c1f7f/accessible/html/HTMLTableAccessible.cpp#483
iv. https://searchfox.org/mozilla-central/rev/2031c0f517185b2bd0e8f6f92f9491b3410c1f7f/accessible/generic/Accessible.cpp#1485
Updated • 6 years ago (Assignee)
Assignee: eitan → nobody
Flags: needinfo?(eitan)
Updated • 6 years ago
Whiteboard: a11y:crash
Updated • 4 years ago (Reporter)
status-firefox71: --- → wontfix
status-firefox72: --- → affected
status-firefox73: --- → affected
status-firefox-esr68: --- → affected
Comment 5 • 3 years ago (Reporter)
Marking as fuzzblocker because this is hit frequently by the fuzzers.
status-firefox86: --- → wontfix
status-firefox87: --- → affected
status-firefox88: --- → affected
status-firefox-esr78: --- → affected
Whiteboard: a11y:crash → [a11y:crash][fuzzblocker]
Updated • 3 years ago (Assignee)
Assignee: nobody → eitan
Comment 6 • 3 years ago (Assignee)
Pushed by eisaacson@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/bc4bc30be17e Only return HTML captions as HTML table captions. r=morgan
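The cycle traced in comment 4, and one way to break it that matches the title of the landed commit, shown as an added example (this is not the patch from this bug and not Gecko code). It is a simplified C++ model: `Acc`, `DepthGuard`, `TableRole`, the `captionByTag` switch and the "listbox" parent comparison are hypothetical, and a depth guard stands in for the native stack so the demo reports the cycle instead of crashing.

```cpp
#include <stdexcept>
#include <string>
#include <vector>

// Simplified model of the call cycle in comment 4; not Gecko code.
static int g_depth = 0;
struct DepthGuard {  // stands in for the finite native stack
  DepthGuard() { if (g_depth >= 64) throw std::runtime_error("role cycle"); ++g_depth; }
  ~DepthGuard() { --g_depth; }
};

struct Acc {
  std::string tag, aria;  // HTML tag name and role attribute
  Acc* parent = nullptr;
  std::vector<Acc*> kids;
  bool captionByTag = false;  // false: pre-fix check; true: assumed fix
  Acc(std::string t, std::string a) : tag(t), aria(a) {}

  std::string Role() {  // steps 1-2 and 7
    DepthGuard guard;
    // role=region is kept only when the accessible has a name.
    if (aria == "region") return Name().empty() ? tag : "region";
    // role=option consults the parent's computed role ("listbox" is a placeholder).
    if (aria == "option")
      return (parent && parent->Role() == "listbox") ? "option" : tag;
    return aria.empty() ? tag : aria;
  }
  std::string Name() {  // steps 3-4: a table is named by its caption
    return (tag == "table" && Caption()) ? "caption text" : "";
  }
  Acc* Caption() {  // steps 5-6: is the first child a caption?
    if (kids.empty()) return nullptr;
    Acc* k = kids[0];
    if (captionByTag) return k->tag == "caption" ? k : nullptr;
    return k->Role() == "caption" ? k : nullptr;  // re-enters Role()
  }
};

// Builds table@role=region > tr@role=option and computes the table's role.
// Returns "<cycle>" when the depth guard trips.
std::string TableRole(bool captionByTag) {
  Acc table("table", "region"), row("tr", "option");
  table.captionByTag = captionByTag;
  table.kids.push_back(&row);
  row.parent = &table;
  try { return table.Role(); } catch (const std::runtime_error&) { return "<cycle>"; }
}

int main() { return TableRole(false) == "<cycle>" && TableRole(true) == "table" ? 0 : 1; }
```

Deciding caption-ness from the child's element type removes the dependency of the parent's name on the child's computed role, which is the edge that closes the loop.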
Comment 8 • 3 years ago
bugherder
Status: NEW → RESOLVED
Closed: 3 years ago
Resolution: --- → FIXED
Target Milestone: --- → 88 Branch
Comment 9 • 3 years ago
The patch landed in nightly and beta is affected.
:eeejay, is this bug important enough to require an uplift?
If not please set status_beta to wontfix.
For more information, please visit auto_nag documentation.
Flags: needinfo?(eitan)
Updated • 3 years ago (Assignee)
Flags: needinfo?(eitan)
Updated • 3 years ago