1420773 - stack-overflow [@ mozilla::a11y::Accessible::ARIATransformRole]

Status: RESOLVED FIXED

(Core :: Disability Access APIs, defect, P2)

Description

[Tyson Smith [:tsmith]]

Attachment: testcase.html

==2097==ERROR: AddressSanitizer: stack-overflow on address 0x7fffa6617fb8 (pc 0x0000004be4ae bp 0x7fffa6618810 sp 0x7fffa6617fc0 T0)
    #0 0x4be4ad in __asan_memset /builds/worker/workspace/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_interceptors_memintrinsics.cc:27:3
    #1 0x7ff11583a6d6 in DOMString /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/dom/DOMString.h:50:7
    #2 0x7ff11583a6d6 in mozilla::dom::Element::GetAttr(int, nsAtom*, nsTSubstring<char16_t>&) const /builds/worker/workspace/build/src/dom/base/Element.cpp:3055
    #3 0x7ff11d8b9231 in mozilla::a11y::IDRefsIterator::IDRefsIterator(mozilla::a11y::DocAccessible*, nsIContent*, nsAtom*) /builds/worker/workspace/build/src/accessible/base/AccIterator.cpp:261:15
    #4 0x7ff11d92e727 in nsTextEquivUtils::GetTextEquivFromIDRefs(mozilla::a11y::Accessible*, nsAtom*, nsTSubstring<char16_t>&) /builds/worker/workspace/build/src/accessible/base/nsTextEquivUtils.cpp:65:18
    #5 0x7ff11d93f760 in ARIAName /builds/worker/workspace/build/src/accessible/generic/Accessible.cpp:1977:17
    #6 0x7ff11d93f760 in mozilla::a11y::Accessible::Name(nsTString<char16_t>&) /builds/worker/workspace/build/src/accessible/generic/Accessible.cpp:139
    #7 0x7ff11d94d400 in mozilla::a11y::Accessible::ARIATransformRole(mozilla::a11y::roles::Role) /builds/worker/workspace/build/src/accessible/generic/Accessible.cpp:1438:5
    #8 0x7ff11d94d9cb in Role /builds/worker/workspace/build/src/accessible/generic/Accessible-inl.h
    #9 0x7ff11d94d9cb in mozilla::a11y::Accessible::ARIATransformRole(mozilla::a11y::roles::Role) /builds/worker/workspace/build/src/accessible/generic/Accessible.cpp:1474
    #10 0x7ff11d9acbf1 in Role /builds/worker/workspace/build/src/accessible/generic/Accessible-inl.h
    #11 0x7ff11d9acbf1 in mozilla::a11y::HTMLTableAccessible::Caption() const /builds/worker/workspace/build/src/accessible/html/HTMLTableAccessible.cpp:483
    #12 0x7ff11d9ac124 in mozilla::a11y::HTMLTableAccessible::NativeName(nsTString<char16_t>&) /builds/worker/workspace/build/src/accessible/html/HTMLTableAccessible.cpp:429:25
    #13 0x7ff11d93f924 in mozilla::a11y::Accessible::Name(nsTString<char16_t>&) /builds/worker/workspace/build/src/accessible/generic/Accessible.cpp:150:29
    #14 0x7ff11d94d400 in mozilla::a11y::Accessible::ARIATransformRole(mozilla::a11y::roles::Role) /builds/worker/workspace/build/src/accessible/generic/Accessible.cpp:1438:5
    #15 0x7ff11d94d9cb in Role /builds/worker/workspace/build/src/accessible/generic/Accessible-inl.h
    #16 0x7ff11d94d9cb in mozilla::a11y::Accessible::ARIATransformRole(mozilla::a11y::roles::Role) /builds/worker/workspace/build/src/accessible/generic/Accessible.cpp:1474
    #17 0x7ff11d9acbf1 in Role /builds/worker/workspace/build/src/accessible/generic/Accessible-inl.h
    #18 0x7ff11d9acbf1 in mozilla::a11y::HTMLTableAccessible::Caption() const /builds/worker/workspace/build/src/accessible/html/HTMLTableAccessible.cpp:483
    #19 0x7ff11d9ac124 in mozilla::a11y::HTMLTableAccessible::NativeName(nsTString<char16_t>&) /builds/worker/workspace/build/src/accessible/html/HTMLTableAccessible.cpp:429:25
    #20 0x7ff11d93f924 in mozilla::a11y::Accessible::Name(nsTString<char16_t>&) /builds/worker/workspace/build/src/accessible/generic/Accessible.cpp:150:29
    #21 0x7ff11d94d400 in mozilla::a11y::Accessible::ARIATransformRole(mozilla::a11y::roles::Role) /builds/worker/workspace/build/src/accessible/generic/Accessible.cpp:1438:5
    #22 0x7ff11d94d9cb in Role /builds/worker/workspace/build/src/accessible/generic/Accessible-inl.h
    #23 0x7ff11d94d9cb in mozilla::a11y::Accessible::ARIATransformRole(mozilla::a11y::roles::Role) /builds/worker/workspace/build/src/accessible/generic/Accessible.cpp:1474
    #24 0x7ff11d9acbf1 in Role /builds/worker/workspace/build/src/accessible/generic/Accessible-inl.h
    #25 0x7ff11d9acbf1 in mozilla::a11y::HTMLTableAccessible::Caption() const /builds/worker/workspace/build/src/accessible/html/HTMLTableAccessible.cpp:483
    #26 0x7ff11d9ac124 in mozilla::a11y::HTMLTableAccessible::NativeName(nsTString<char16_t>&) /builds/worker/workspace/build/src/accessible/html/HTMLTableAccessible.cpp:429:25
    #27 0x7ff11d93f924 in mozilla::a11y::Accessible::Name(nsTString<char16_t>&) /builds/worker/workspace/build/src/accessible/generic/Accessible.cpp:150:29
    #28 0x7ff11d94d400 in mozilla::a11y::Accessible::ARIATransformRole(mozilla::a11y::roles::Role) /builds/worker/workspace/build/src/accessible/generic/Accessible.cpp:1438:5
    #29 0x7ff11d94d9cb in Role /builds/worker/workspace/build/src/accessible/generic/Accessible-inl.h
...

Comment 1

[Eitan Isaacson [:eeejay]]

Looks like we are stuck in an endless cycle of role calculations between the table and its row..

Comment 2

[alexander :surkov (:asurkov)]

(In reply to Eitan Isaacson [:eeejay] from comment #1)
> Looks like we are stuck in an endless cycle of role calculations between the
> table and its row..

do you have detailed explanation of what happens here? Is there something wrong with the hierarchy?

Comment 3

[alexander :surkov (:asurkov)]

Eitan, pinging. If could dump out your findings here, it'd be helpful :)

Comment 4

[Eitan Isaacson [:eeejay]]

I'm unassigning myself because I don't want to hog this if someone else could fix it..

1. Accessible::Role is on called table@role=region, it calls
2. Accessible::ARIATransformRole with "region" as the aria role to transform. Bug 1358462 added a change(i) that we need to know if the accessible has a name to determine the role in the case of role=region.
3. Because the element is a table, Accessible::Name calls HTMLTableAccessible::NativeName
4. HTMLTableAccessible::NativeName tries to determine the "table" name by retrieving the caption(ii).
5. HTMLTableAccessible::Caption checks to see if the table's first child is a caption(iii)
6. The first child is a tr@role=option, so Accessible::ARIATransformRole is called on it with a role of "option"
7. In order to know if the child should indeed have an "option" role, ARIATransformRole check's for the parent's role, which is table@role=region, so we end up in step 1(iv).

i.   https://hg.mozilla.org/mozilla-central/rev/2286518951eb
ii.  https://searchfox.org/mozilla-central/rev/2031c0f517185b2bd0e8f6f92f9491b3410c1f7f/accessible/html/HTMLTableAccessible.cpp#429
iii. https://searchfox.org/mozilla-central/rev/2031c0f517185b2bd0e8f6f92f9491b3410c1f7f/accessible/html/HTMLTableAccessible.cpp#483
iv.  https://searchfox.org/mozilla-central/rev/2031c0f517185b2bd0e8f6f92f9491b3410c1f7f/accessible/generic/Accessible.cpp#1485

Comment 5

[Tyson Smith [:tsmith]]

Marking as fuzzblocker because this is hit frequently by the fuzzers.

Comment 6

[Eitan Isaacson [:eeejay]]

Attachment: Bug 1420773 - Only return HTML captions as HTML table captions. r?morgan

Comment 7

[Pulsebot]

Pushed by eisaacson@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/bc4bc30be17e
Only return HTML captions as HTML table captions. r=morgan

Comment 8

[Noemi Erli[:noemi_erli]]

https://hg.mozilla.org/mozilla-central/rev/bc4bc30be17e

Comment 9

[BugBot [:suhaib / :marco/ :calixte]]

The patch landed in nightly and beta is affected.
:eeejay, is this bug important enough to require an uplift?
If not please set status_beta to wontfix.

For more information, please visit auto_nag documentation.