Closed Bug 1425030 Opened 3 years ago Closed 3 years ago

Crash in mozilla::a11y::ia2Accessible::get_accessibleWithCaret

Categories

(Core :: Disability Access APIs, defect)

Unspecified
Windows 10
defect
Not set
critical

Tracking

()

RESOLVED FIXED
mozilla59
Tracking Status
firefox-esr52 --- wontfix
firefox57 --- wontfix
firefox58 --- fixed
firefox59 --- verified

People

(Reporter: Jamie, Assigned: Jamie)

References

Details

(Keywords: crash)

Crash Data

Attachments

(1 file)

This bug was filed from the Socorro interface and is
report bp-f1c56d1b-bb91-4ac6-b7a7-a456d0171212.

We don't null check the result of SelectionManager::AccessibleWithCaret. Note that this is returning null in cases where it shouldn't, which is what initially led to this crash, but we should still null check the result regardless.

=============================================================

Top 10 frames of crashing thread:

0 xul.dll mozilla::a11y::ia2Accessible::get_accessibleWithCaret accessible/windows/ia2/ia2Accessible.cpp:525
1 ole32.dll ole32.dll@0x30ddd 
2 xul.dll xul.dll@0x2d207b3 
3 ole32.dll ole32.dll@0x5b59 
4 ole32.dll ole32.dll@0x5b2b 
5 xul.dll xul.dll@0x16957db 
6 xul.dll `anonymous namespace'::HandoffRunnable::Run ipc/mscom/MainThreadHandoff.cpp:143
7 xul.dll `anonymous namespace'::SyncRunnable::Run ipc/mscom/MainThreadInvoker.cpp:48
8 xul.dll mozilla::mscom::MainThreadInvoker::MainThreadAPC ipc/mscom/MainThreadInvoker.cpp:148
9 ntdll.dll RtlDispatchAPC 

=============================================================
Comment on attachment 8936652 [details]
Bug 1425030: ia2Accessible::get_accessibleWithCaret: Gracefully handle null returned from SelectionManager::AccessibleWithCaret.

https://reviewboard.mozilla.org/r/207392/#review213270

::: accessible/windows/ia2/ia2Accessible.cpp:528
(Diff revision 1)
>    int32_t caretOffset = -1;
>    Accessible* accWithCaret = SelectionMgr()->AccessibleWithCaret(&caretOffset);
> +  if (!accWithCaret) {
> +    return S_FALSE;
> +  }
>    if (acc->Document() != accWithCaret->Document())

it makes sense to move it under this condition
Attachment #8936652 - Flags: review?(surkov.alexander) → review+
Pushed by jteh@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/979ceb379e0b
ia2Accessible::get_accessibleWithCaret: Gracefully handle null returned from SelectionManager::AccessibleWithCaret. r=surkov
https://hg.mozilla.org/mozilla-central/rev/979ceb379e0b
Status: NEW → RESOLVED
Closed: 3 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla59
Verified fixed in Firefox Version 59.0a1 Build ID 20171215100105 64 bit.
Comment on attachment 8936652 [details]
Bug 1425030: ia2Accessible::get_accessibleWithCaret: Gracefully handle null returned from SelectionManager::AccessibleWithCaret.

Approval Request Comment
[Feature/Bug causing the regression]: Bug 873438.
[User impact if declined]: Accessibility clients which call a specific method in certain circumstances will cause Firefox to crash.
[Is this code covered by automated tests?]: No, because we don't have a mechanism for platform accessibility testing.
[Has the fix been verified in Nightly?]: Yes.
[Needs manual test from QE? If yes, steps to reproduce]: No.
[List of other uplifts needed for the feature/fix]: None.
[Is the change risky?]: No.
[Why is the change risky/not risky?]: Trivial null check to prevent crash.
[String changes made/needed]: None.
Attachment #8936652 - Flags: approval-mozilla-beta?
Comment on attachment 8936652 [details]
Bug 1425030: ia2Accessible::get_accessibleWithCaret: Gracefully handle null returned from SelectionManager::AccessibleWithCaret.

Not null check, crash fix, Beta58+
Attachment #8936652 - Flags: approval-mozilla-beta? → approval-mozilla-beta+
Assignee: nobody → jteh
Blocks: 873438
You need to log in before you can comment on or make changes to this bug.