Closed Bug 1820069 Opened 2 years ago Closed 2 years ago

[CTW] Crash in [@ mozilla::detail::InvalidArrayIndex_CRASH | nsTArray_Impl<T>::ElementAt | mozilla::a11y::TextLeafPoint::CharBounds]

Categories

(Core :: Disability Access APIs, defect, P1)

defect

Tracking

()

RESOLVED FIXED
112 Branch
Tracking Status
firefox-esr102 --- unaffected
firefox110 --- wontfix
firefox111 --- wontfix
firefox112 --- fixed

People

(Reporter: Jamie, Assigned: Jamie)

References

Details

(Keywords: crash, Whiteboard: [ctw-m5])

Crash Data

Attachments

(1 file)

Crash report: https://crash-stats.mozilla.org/report/index/e68e7f71-e875-45eb-ad0d-783730230303

Reason: EXCEPTION_BREAKPOINT

Top 10 frames of crashing thread:

0  mozglue.dll  MOZ_Crash  mfbt/Assertions.h:261
0  mozglue.dll  mozilla::detail::InvalidArrayIndex_CRASH  mfbt/Assertions.cpp:50
1  xul.dll  nsTArray_Impl<nsRect, nsTArrayInfallibleAllocator>::ElementAt  xpcom/ds/nsTArray.h:1194
1  xul.dll  mozilla::a11y::TextLeafPoint::CharBounds  accessible/base/TextLeafRange.cpp:1674
2  xul.dll  mozilla::a11y::HyperTextAccessibleBase::CharBounds  accessible/basetypes/HyperTextAccessibleBase.cpp:219
3  xul.dll  mozilla::a11y::ia2AccessibleText::get_characterExtents  accessible/windows/ia2/ia2AccessibleText.cpp:120
4  rpcrt4.dll  Invoke  
5  rpcrt4.dll  NdrStubCall2  
6  combase.dll  CStdStubBuffer_Invoke  onecore\com\combase\ndr\ndrole\stub.cxx:1552
7  rpcrt4.dll  CStdStubBuffer_Invoke  

This occurs when calling HyperTextAccessibleBase::CharBounds with TEXT_OFFSET_CARET on a cached RemoteAccessible. We need to convert these magic offsets like we do in other HyperText functions.

  1. HyperTextAccessibleBase::CharBounds didn't have code to support magic offsets (like TEXT_OFFSET_CARET) at all, resulting in a crash.
  2. HyperTextAccessibleBase::TextBounds handled the end offset being a magic offset, but not the start offset.
  3. HyperTextAccessible::CharBounds assumed it could just add 1 to the start offset to pass to TextBounds, which resulted in returning the rect from the caret to the end of the container, since length (-1) is caret (-2) + 1.

This patch addresses all three of these issues.

Pushed by jteh@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/cc49a4388379
Fix handling of magic offsets in HyperTextAccessible*::Char/TextBounds. r=morgan
Status: NEW → RESOLVED
Closed: 2 years ago
Resolution: --- → FIXED
Target Milestone: --- → 112 Branch
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Created:
Updated:
Size: