Closed Bug 268935 Opened 18 years ago Closed 15 years ago

calling createHTMLTextAccessible from JS crashes mozilla & firefox [@ nsHTMLDocument::StartDocumentLoad]

Product/Component: Core :: Disability Access APIs (defect)
Hardware/OS: x86 / All
Priority: Not set
Severity: critical
Status: RESOLVED FIXED
Target Milestone: mozilla1.9alpha8
Reporter: sabetts, Assigned: aaronlev
Keywords: crash, testcase
Attachments: 3 files, 1 obsolete file

User-Agent:       Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.5) Gecko/20041103 Firefox/1.0RC2
Build Identifier: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.5) Gecko/20041103 Firefox/1.0RC2

<html>
<body>
<div id="crashid">crash me</div>.
<script>
try {
    // the first child of the div is the "crash me" text node
    var node = document.getElementById("crashid").firstChild;
    var acc = Components.classes["@mozilla.org/accessibilityService;1"]
        .createInstance(Components.interfaces.nsIAccessibilityService);
    // calling the service directly from script is what triggers the crash
    var acc_node = acc.createHTMLTextAccessible(node);
    document.write(acc_node);
} catch (e) {
    document.write(e);
}
</script>
</body>
</html>

Open the above html page as chrome. Watch mozilla & firefox crash and burn.

Reproducible: Always
Steps to Reproduce:

Actual Results:  
it crashes.

Expected Results:  
it doesn't crash.
Attached file Testcase
It doesn't crash here (Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.5)
Gecko/20041109 Firefox/1.0).

It returns:
. Permission denied to get property UnnamedClass.classes
You have to install it as chrome so it has access to XPCOM.
steps:
1. open dom inspector
2. in the url field enter:
data:text/html,<html><body><div id="crashid">crash me</div>.</body></html>
3. select the #document node.
4. select object - javascript object
5. right click target
6. click evaluate javascript
7. enter:
var document = target;
try {
    var node = document.getElementById("crashid").firstChild;
    var acc = Components.classes["@mozilla.org/accessibilityService;1"]
        .createInstance(Components.interfaces.nsIAccessibilityService);
    var acc_node = acc.createHTMLTextAccessible(node);
    document.write(acc_node);
} catch (e) {
    document.write(e);
}
8. click evaluate
Keywords: crash, talkbackid
Whiteboard: TB1863622Q
Stack Signature	nsHTMLDocument::StartDocumentLoad dfdd1263
Product ID	MozillaTrunk
Build ID	2004110805
Trigger Time	2004-11-10 14:37:14.0
Platform	Win32
Operating System	Windows NT 5.1 build 2600
Module	gklayout.dll + (000d82eb)
URL visited	data:text/html,<html><body><div id="crashid">crash me</div>.</body></html>
User Comments	inspect that url in domi. select the #document node. select javascript object. right click and evaluate javascript. enter: var document=target; try{ node = document.getElementById("crashid").firstChild; var acc =
Since Last Crash	1658 sec
Total Uptime	1676 sec
Trigger Reason	Access violation
Source File, Line No.	c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/content/html/document/src/nsHTMLDocument.cpp, line 695
Stack Trace
nsHTMLDocument::StartDocumentLoad [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/content/html/document/src/nsHTMLDocument.cpp, line 695]
nsAccessibilityService::GetInfo [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/accessible/src/base/nsAccessibilityService.cpp, line 226]
nsAccessibilityService::CreateHTMLTextAccessible [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/accessible/src/base/nsAccessibilityService.cpp, line 828]
XPTC_InvokeByIndex [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/xpcom/reflect/xptcall/src/md/win32/xptcinvoke.cpp, line 102]
XPCWrappedNative::CallMethod [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/js/src/xpconnect/src/xpcwrappednative.cpp, line 2036]
XPC_WN_CallMethod [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/js/src/xpconnect/src/xpcwrappednativejsops.cpp, line 1288]
js_Invoke [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/js/src/jsinterp.c, line 1288]
js_Interpret [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/js/src/jsinterp.c, line 3509]
js_Invoke [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/js/src/jsinterp.c, line 1307]
js_InternalInvoke [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/js/src/jsinterp.c, line 1430]
JS_CallFunctionValue [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/js/src/jsapi.c, line 3758]
nsJSContext::CallEventHandler [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/dom/src/base/nsJSEnvironment.cpp, line 1346]
nsJSEventListener::HandleEvent [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/dom/src/events/nsJSEventListener.cpp, line 181]
nsEventListenerManager::HandleEventSubType [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/content/events/src/nsEventListenerManager.cpp, line 1513]
nsEventListenerManager::HandleEvent [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/content/events/src/nsEventListenerManager.cpp, line 1589]
nsXULElement::HandleDOMEvent [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/content/xul/content/src/nsXULElement.cpp, line 2820]
PresShell::HandleDOMEventWithTarget [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/layout/html/base/src/nsPresShell.cpp, line 6037]
nsButtonBoxFrame::MouseClicked [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/layout/xul/base/src/nsButtonBoxFrame.cpp, line 178]
nsButtonBoxFrame::HandleEvent [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/layout/xul/base/src/nsButtonBoxFrame.cpp, line 147]
PresShell::HandleEventInternal [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/layout/html/base/src/nsPresShell.cpp, line 6008]
PresShell::HandleEventWithTarget [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/layout/html/base/src/nsPresShell.cpp, line 5876]
nsEventStateManager::CheckForAndDispatchClick [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/content/events/src/nsEventStateManager.cpp, line 2942]
nsEventStateManager::PostHandleEvent [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/content/events/src/nsEventStateManager.cpp, line 1936]
PresShell::HandleEventInternal [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/layout/html/base/src/nsPresShell.cpp, line 6013]
PresShell::HandleEvent [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/layout/html/base/src/nsPresShell.cpp, line 5845]
nsViewManager::HandleEvent [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/view/src/nsViewManager.cpp, line 2404]
nsViewManager::DispatchEvent [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/view/src/nsViewManager.cpp, line 2133]
HandleEvent [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/view/src/nsView.cpp, line 166]
nsWindow::DispatchEvent [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/widget/src/windows/nsWindow.cpp, line 1078]
nsWindow::DispatchWindowEvent [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/widget/src/windows/nsWindow.cpp, line 1095]
nsWindow::DispatchMouseEvent [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/widget/src/windows/nsWindow.cpp, line 5329]
ChildWindow::DispatchMouseEvent [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/widget/src/windows/nsWindow.cpp, line 5581]
nsWindow::ProcessMessage [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/widget/src/windows/nsWindow.cpp, line 4091]
nsWindow::WindowProc [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/widget/src/windows/nsWindow.cpp, line 1356]
USER32.dll + 0x8709 (0x77d48709)
USER32.dll + 0x87eb (0x77d487eb)
USER32.dll + 0x89a5 (0x77d489a5)
USER32.dll + 0x89e8 (0x77d489e8)
nsAppShell::Run [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/widget/src/windows/nsAppShell.cpp, line 159]
nsAppStartup::Run [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/xpfe/components/startup/src/nsAppStartup.cpp, line 221]
main1 [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/xpfe/bootstrap/nsAppRunner.cpp, line 1331]
main [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/xpfe/bootstrap/nsAppRunner.cpp, line 1802]
WinMain [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/xpfe/bootstrap/nsAppRunner.cpp, line 1828]
WinMainCRTStartup()
kernel32.dll + 0x16d4f (0x7c816d4f)

stack trace does not look happy,
Keywords: talkbackid
Summary: calling createHTMLTextAccessible from JS crashes mozilla & firefox → calling createHTMLTextAccessible from JS crashes mozilla & firefox [@ nsHTMLDocument::StartDocumentLoad]
(In reply to comment #3)
Ok, that's confirmed (Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.5)
Gecko/20041109 Firefox/1.0)
OS: Linux → All
The accessibility code doesn't seem to FlushPendingNotifications() anywhere.  It
should, if it's going to grab layout objects, imo.
Keywords: talkbackid
Keywords: talkbackid
Whiteboard: TB1863622Q
This is an automated message, with ID "auto-resolve01".

This bug has had no comments for a long time. Statistically, we have found that
bug reports that have not been confirmed by a second user after three months are
highly unlikely to be the source of a fix to the code.

While your input is very important to us, our resources are limited and so we
are asking for your help in focussing our efforts. If you can still reproduce
this problem in the latest version of the product (see below for how to obtain a
copy) or, for feature requests, if it's not present in the latest version and
you still believe we should implement it, please visit the URL of this bug
(given at the top of this mail) and add a comment to that effect, giving more
reproduction information if you have it.

If it is not a problem any longer, you need take no action. If this bug is not
changed in any way in the next two weeks, it will be automatically resolved.
Thank you for your help in this matter.

The latest beta releases can be obtained from:
Firefox:     http://www.mozilla.org/projects/firefox/
Thunderbird: http://www.mozilla.org/products/thunderbird/releases/1.5beta1.html
Seamonkey:   http://www.mozilla.org/projects/seamonkey/
Target Milestone: --- → mozilla1.9beta
This testcase uses enhanced privileges; you only need to download it to your computer and open it to see the crash.

Talkback ID: TB32163173G
nsCOMPtr<nsIWritableVariant>::nsCOMPtr<nsIWritableVariant>  [mozilla/dist/include/xpcom/nscomptr.h, line 627]
nsAccessibilityService::CreateHTMLTextAccessible  [mozilla/accessible/src/base/nsaccessibilityservice.cpp, line 813]
NS_InvokeByIndex_P  [mozilla/xpcom/reflect/xptcall/src/md/win32/xptcinvoke.cpp, line 102]
XPCWrappedNative::CallMethod  [mozilla/js/src/xpconnect/src/xpcwrappednative.cpp, line 2245]
Status: UNCONFIRMED → NEW
Ever confirmed: true
Keywords: testcase
Actually, that interface shouldn't be scriptable. Only nsIAccessibleRetrieval needs to be.
Attachment #264886 - Flags: review?(surkov.alexander)
Comment on attachment 264886 [details] [diff] [review]
Make nsIAccessibilityService not scriptable

Doh, it does need to be scriptable because of XBL, but perhaps not all of the methods need to be.
Attachment #264886 - Flags: review?(surkov.alexander) → review-
Comment on attachment 264889 [details] [diff] [review]
I was right the first time, but our XBL should be returning accessible type. Anything that needs an accessible should use nsIAccessibleRetrieval

r=me, though I wonder whether it actually fixes the bug. Does the crash happen when the accessible is cast to a string (I suppose document.write does that) or when the accessible is created?
Attachment #264889 - Flags: review?(surkov.alexander) → review+
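The review discussion above turns on one XPIDL attribute: whether nsIAccessibilityService is reflected into JavaScript at all. The fragment below is an added illustration of that distinction, not the patch attached to this bug and not Mozilla's real nsIAccessibilityService.idl; the UUIDs are zero placeholders, the method signatures are assumed for illustration, and the interface bodies are reduced to a single method each.

```idl
/* Added illustration, not the patch on this bug. UUIDs are placeholders and
 * the method signatures are assumed, not copied from the Mozilla tree. */

/* Weak form: [scriptable] makes every method of the service callable from
 * any script with XPCOM access (chrome, or the enhanced-privilege testcase on
 * this bug), so a script can call createHTMLTextAccessible() with whatever
 * object it likes and the native side has to cope with it. */
[scriptable, uuid(00000000-0000-0000-0000-000000000000)]
interface nsIAccessibilityService : nsISupports
{
  nsIAccessible createHTMLTextAccessible(in nsISupports aFrame);
};

/* Hardened form: without [scriptable], XPConnect does not reflect the
 * interface, so the only callers of createHTMLTextAccessible() are C++
 * callers inside the accessibility code that already hold the right objects. */
[uuid(00000000-0000-0000-0000-000000000001)]
interface nsIAccessibilityService : nsISupports
{
  nsIAccessible createHTMLTextAccessible(in nsISupports aFrame);
};

/* Script that needs an accessible goes through the retrieval interface,
 * which takes a DOM node and does its own lookup; this stays [scriptable].
 * (getAccessibleFor is assumed here to be the DOM-node entry point.) */
[scriptable, uuid(00000000-0000-0000-0000-000000000002)]
interface nsIAccessibleRetrieval : nsISupports
{
  nsIAccessible getAccessibleFor(in nsIDOMNode aNode);
};
```

The design point is attack-surface reduction rather than input validation: a method that expects an internal layout object is simply not exposed to script, so the question of what happens when script passes it a DOM node never arises. The later comment on this bug about XBL shows the trade-off, since anything that genuinely needs script access has to be moved to (or kept on) a scriptable interface that takes DOM-level arguments.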
Well, I don't really see any way that nsAccessibilityService::GetInfo() could call StartDocumentLoad() as the stack trace says. To me it looks like an interface mismatch -- it seems like the build should be made with distclean to be sure.
Okay the interface is no longer scriptable.

Should I mark it fixed, or should we figure out how this corruption is occurring where nsAccessibilityService::GetInfo() is calling a method it doesn't even have?
Status: NEW → RESOLVED
Closed: 15 years ago
Resolution: --- → FIXED
Crash Signature: [@ nsHTMLDocument::StartDocumentLoad]