calling createHTMLTextAccessible from JS crashes mozilla & firefox [@ nsHTMLDocument::StartDocumentLoad]

RESOLVED FIXED in mozilla1.9alpha8

Status: RESOLVED FIXED
Product: Core
Component: Disability Access APIs
Priority: --
Severity: critical
Reported: 13 years ago
Modified: 7 years ago

People: Reporter: shawn betts; Assigned: Aaron Leventhal

Tracking: Keywords: crash, testcase; Version: Trunk; Target Milestone: mozilla1.9alpha8; Hardware: x86; OS: All

Firefox Tracking Flags: Not tracked

Attachments: 3 attachments, 1 obsolete attachment

(Reporter)

Description

13 years ago
User-Agent:       Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.5) Gecko/20041103 Firefox/1.0RC2
Build Identifier: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.5) Gecko/20041103 Firefox/1.0RC2

<html>
<body>
<div id="crashid">crash me</div>.
<script>
// Must run with chrome privileges: Components.classes is not reachable
// from untrusted content (comment 1 gets "Permission denied" instead).
try {
    var node = document.getElementById("crashid").firstChild;
    var acc = Components.classes["@mozilla.org/accessibilityService;1"]
        .createInstance(Components.interfaces.nsIAccessibilityService);
    var acc_node = acc.createHTMLTextAccessible(node);
    document.write(acc_node);   // coerces the returned accessible to a string
} catch (e) { document.write(e); }
</script>
</body>
</html>

Open the above html page as chrome. Watch mozilla & firefox crash and burn.

Reproducible: Always
Steps to Reproduce:

Actual Results:  
it crashes.

Expected Results:  
it doesn't crash.

Comment 1

13 years ago
Created attachment 165470 [details]
Testcase

It doesn't crash here (Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.5)
Gecko/20041109 Firefox/1.0).

It returns:
. Permission denied to get property UnnamedClass.classes
(Reporter)

Comment 2

13 years ago
You have to install it as chrome so it has access to XPCOM.

Comment 3

13 years ago
steps:
1. open dom inspector
2. in the url field enter:
data:text/html,<html><body><div id="crashid">crash me</div>.</body></html>
3. select the #document node.
4. select object - javascript object
5. right click target
6. click evaluate javascript
7. enter:
    var document = target;
    try {
        node = document.getElementById("crashid").firstChild;
        var acc = Components.classes["@mozilla.org/accessibilityService;1"]
            .createInstance(Components.interfaces.nsIAccessibilityService);
        var acc_node = acc.createHTMLTextAccessible(node);
        document.write(acc_node);
    } catch (e) { document.write(e); }
8. click evaluate
Keywords: crash, talkbackid
Whiteboard: TB1863622Q

Comment 4

13 years ago
Stack Signature	nsHTMLDocument::StartDocumentLoad dfdd1263
Product ID	MozillaTrunk
Build ID	2004110805
Trigger Time	2004-11-10 14:37:14.0
Platform	Win32
Operating System	Windows NT 5.1 build 2600
Module	gklayout.dll + (000d82eb)
URL visited	data:text/html,<html><body><div id="crashid">crash
me</div>.</body></html>
User Comments	inspect that url in domi. select the #document node. select
javascript object. right click and evaluate javascript. enter: var
document=target; try{ node = document.getElementById("crashid").firstChild; var
acc =
Since Last Crash	1658 sec
Total Uptime	1676 sec
Trigger Reason	Access violation
Source File, Line No.
c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/content/html/document/src/nsHTMLDocument.cpp,
line 695
Stack Trace 	
nsHTMLDocument::StartDocumentLoad 
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/content/html/document/src/nsHTMLDocument.cpp,
line 695]
nsAccessibilityService::GetInfo 
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/accessible/src/base/nsAccessibilityService.cpp,
line 226]
nsAccessibilityService::CreateHTMLTextAccessible 
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/accessible/src/base/nsAccessibilityService.cpp,
line 828]
XPTC_InvokeByIndex 
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/xpcom/reflect/xptcall/src/md/win32/xptcinvoke.cpp,
line 102]
XPCWrappedNative::CallMethod 
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/js/src/xpconnect/src/xpcwrappednative.cpp,
line 2036]
XPC_WN_CallMethod 
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/js/src/xpconnect/src/xpcwrappednativejsops.cpp,
line 1288]
js_Invoke 
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/js/src/jsinterp.c,
line 1288]
js_Interpret 
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/js/src/jsinterp.c,
line 3509]
js_Invoke 
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/js/src/jsinterp.c,
line 1307]
js_InternalInvoke 
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/js/src/jsinterp.c,
line 1430]
JS_CallFunctionValue 
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/js/src/jsapi.c, line
3758]
nsJSContext::CallEventHandler 
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/dom/src/base/nsJSEnvironment.cpp,
line 1346]
nsJSEventListener::HandleEvent 
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/dom/src/events/nsJSEventListener.cpp,
line 181]
nsEventListenerManager::HandleEventSubType 
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/content/events/src/nsEventListenerManager.cpp,
line 1513]
nsEventListenerManager::HandleEvent 
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/content/events/src/nsEventListenerManager.cpp,
line 1589]
nsXULElement::HandleDOMEvent 
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/content/xul/content/src/nsXULElement.cpp,
line 2820]
PresShell::HandleDOMEventWithTarget 
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/layout/html/base/src/nsPresShell.cpp,
line 6037]
nsButtonBoxFrame::MouseClicked 
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/layout/xul/base/src/nsButtonBoxFrame.cpp,
line 178]
nsButtonBoxFrame::HandleEvent 
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/layout/xul/base/src/nsButtonBoxFrame.cpp,
line 147]
PresShell::HandleEventInternal 
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/layout/html/base/src/nsPresShell.cpp,
line 6008]
PresShell::HandleEventWithTarget 
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/layout/html/base/src/nsPresShell.cpp,
line 5876]
nsEventStateManager::CheckForAndDispatchClick 
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/content/events/src/nsEventStateManager.cpp,
line 2942]
nsEventStateManager::PostHandleEvent 
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/content/events/src/nsEventStateManager.cpp,
line 1936]
PresShell::HandleEventInternal 
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/layout/html/base/src/nsPresShell.cpp,
line 6013]
PresShell::HandleEvent 
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/layout/html/base/src/nsPresShell.cpp,
line 5845]
nsViewManager::HandleEvent 
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/view/src/nsViewManager.cpp,
line 2404]
nsViewManager::DispatchEvent 
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/view/src/nsViewManager.cpp,
line 2133]
HandleEvent 
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/view/src/nsView.cpp,
line 166]
nsWindow::DispatchEvent 
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/widget/src/windows/nsWindow.cpp,
line 1078]
nsWindow::DispatchWindowEvent 
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/widget/src/windows/nsWindow.cpp,
line 1095]
nsWindow::DispatchMouseEvent 
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/widget/src/windows/nsWindow.cpp,
line 5329]
ChildWindow::DispatchMouseEvent 
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/widget/src/windows/nsWindow.cpp,
line 5581]
nsWindow::ProcessMessage 
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/widget/src/windows/nsWindow.cpp,
line 4091]
nsWindow::WindowProc 
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/widget/src/windows/nsWindow.cpp,
line 1356]
USER32.dll + 0x8709 (0x77d48709)
USER32.dll + 0x87eb (0x77d487eb)
USER32.dll + 0x89a5 (0x77d489a5)
USER32.dll + 0x89e8 (0x77d489e8)
nsAppShell::Run 
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/widget/src/windows/nsAppShell.cpp,
line 159]
nsAppStartup::Run 
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/xpfe/components/startup/src/nsAppStartup.cpp,
line 221]
main1 
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/xpfe/bootstrap/nsAppRunner.cpp,
line 1331]
main 
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/xpfe/bootstrap/nsAppRunner.cpp,
line 1802]
WinMain 
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/xpfe/bootstrap/nsAppRunner.cpp,
line 1828]
WinMainCRTStartup()
kernel32.dll + 0x16d4f (0x7c816d4f)

stack trace does not look happy,
Keywords: talkbackid
Summary: calling createHTMLTextAccessible from JS crashes mozilla & firefox → calling createHTMLTextAccessible from JS crashes mozilla & firefox [@ nsHTMLDocument::StartDocumentLoad]

Comment 5

13 years ago
(In reply to comment #3)
Ok, that's confirmed (Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.5)
Gecko/20041109 Firefox/1.0)

Updated

13 years ago
OS: Linux → All
The accessibility code doesn't seem to FlushPendingNotifications() anywhere.  It
should, if it's going to grab layout objects, imo.

Updated

13 years ago
Keywords: talkbackid

Updated

13 years ago
Keywords: talkbackid
Whiteboard: TB1863622Q
This is an automated message, with ID "auto-resolve01".

This bug has had no comments for a long time. Statistically, we have found that
bug reports that have not been confirmed by a second user after three months are
highly unlikely to be the source of a fix to the code.

While your input is very important to us, our resources are limited and so we
are asking for your help in focussing our efforts. If you can still reproduce
this problem in the latest version of the product (see below for how to obtain a
copy) or, for feature requests, if it's not present in the latest version and
you still believe we should implement it, please visit the URL of this bug
(given at the top of this mail) and add a comment to that effect, giving more
reproduction information if you have it.

If it is not a problem any longer, you need take no action. If this bug is not
changed in any way in the next two weeks, it will be automatically resolved.
Thank you for your help in this matter.

The latest beta releases can be obtained from:
Firefox:     http://www.mozilla.org/projects/firefox/
Thunderbird: http://www.mozilla.org/products/thunderbird/releases/1.5beta1.html
Seamonkey:   http://www.mozilla.org/projects/seamonkey/
(Assignee)

Updated

13 years ago
Target Milestone: --- → mozilla1.9beta
Created attachment 264884 [details]
testcase, using universalxpconnect privs

This testcase uses enhanced privileges, you only need to download it to your computer and open it to see the crash.

Talkback ID: TB32163173G
nsCOMPtr<nsIWritableVariant>::nsCOMPtr<nsIWritableVariant>  [mozilla/dist/include/xpcom/nscomptr.h, line 627]
nsAccessibilityService::CreateHTMLTextAccessible  [mozilla/accessible/src/base/nsaccessibilityservice.cpp, line 813]
NS_InvokeByIndex_P  [mozilla/xpcom/reflect/xptcall/src/md/win32/xptcinvoke.cpp, line 102]
XPCWrappedNative::CallMethod  [mozilla/js/src/xpconnect/src/xpcwrappednative.cpp, line 2245]

Updated

11 years ago
Status: UNCONFIRMED → NEW
Ever confirmed: true
Keywords: testcase
(Assignee)

Comment 9

11 years ago
Actually, that interface shouldn't be scriptable. Only nsIAccessibleRetrieval needs to be.
(Assignee)

Comment 10

11 years ago
Created attachment 264886 [details] [diff] [review]
Make nsIAccessibilityService not scriptable
Attachment #264886 - Flags: review?(surkov.alexander)
(Assignee)

Comment 11

11 years ago
Comment on attachment 264886 [details] [diff] [review]
Make nsIAccessibilityService not scriptable

Doh, it does need to be scriptable because of XBL, but perhaps not all of the methods need to be.
Attachment #264886 - Flags: review?(surkov.alexander) → review-
(Assignee)

Comment 12

11 years ago
Created attachment 264889 [details] [diff] [review]
I was right the first time, but our XBL should be returning accessible type. Anything that needs an accessible should use nsIAccessibleRetrieval
Attachment #264886 - Attachment is obsolete: true
Attachment #264889 - Flags: review?(surkov.alexander)

Comment 13

11 years ago
Comment on attachment 264889 [details] [diff] [review]
I was right the first time, but our XBL should be returning accessible type. Anything that needs an accessible should use nsIAccessibleRetrieval

r=me, though I wonder whether it actually fixes the bug. Does the crash happen when the accessible is cast to a string (I suppose document.write does that) or when the accessible is created?
Attachment #264889 - Flags: review?(surkov.alexander) → review+
(Assignee)

Comment 14

11 years ago
Well, I don't really see any way that nsAccessibilityService::GetInfo() could call StartDocumentLoad() as the stack trace says. To me it looks like an interface mismatch -- it seems like the build should be made with distclean to be sure.
(Assignee)

Comment 15

11 years ago
Okay the interface is no longer scriptable.

Should I mark it fixed or should we figure out how this corruption is occurring where nsAccessibilityService::GetInfo() is calling a method it doesn't even have?
Status: NEW → RESOLVED
Last Resolved: 11 years ago
Resolution: --- → FIXED
Crash Signature: [@ nsHTMLDocument::StartDocumentLoad]
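Comments 14 and 15 leave open how GetInfo() could end up in nsHTMLDocument::StartDocumentLoad, a method its source never calls, and suggest an interface mismatch from a non-clobber build. The following is an added example, not Mozilla code, that models that failure mode in plain C: XPCOM interfaces are C++ vtables, so a caller reaches a method by a slot index compiled in from the IDL it was built against, and if the callee was rebuilt from an IDL that inserted a method, the same slot silently names a different function. The method names, slot layouts and IID strings below are constructed for the illustration; the "checked" variant mirrors the XPCOM rule that a changed interface gets a changed IID, so a QueryInterface for the IID the caller was compiled against fails instead of dispatching into the wrong slot.

```c
/* Added example (not Mozilla code): a model of a stale-build vtable mismatch.
 * All names, slot layouts and IIDs here are constructed for illustration. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

enum { NS_OK = 0, NS_ERROR_FAILURE = -1, NS_NOINTERFACE = -3 };

typedef struct Document Document;
/* Every slot has the same shape: (object, in/out argument) -> status. */
typedef int (*method_fn)(Document *self, void *arg);

struct Document {
    const method_fn *vtable;   /* first word, as in a single-inheritance C++ object */
    const char *iid;           /* interface ID of the layout this object was built with */
    void *pres_shell;          /* stands in for the layout object GetShell hands out */
    const char *last_called;   /* which method actually ran (for inspection) */
};

/* QueryInterface: succeed only if the caller asks for the IID this layout implements. */
static int doc_QueryInterface(Document *self, void *arg) {
    self->last_called = "QueryInterface";
    return strcmp((const char *)arg, self->iid) == 0 ? NS_OK : NS_NOINTERFACE;
}
static int doc_GetShell(Document *self, void *arg) {
    self->last_called = "GetShell";
    *(void **)arg = self->pres_shell;
    return NS_OK;
}
/* The method the stale caller never meant to reach. Real code would treat
 * 'arg' as a channel and fault; the model only records the misdispatch. */
static int doc_StartDocumentLoad(Document *self, void *arg) {
    (void)arg;
    self->last_called = "StartDocumentLoad";
    return NS_ERROR_FAILURE;
}

/* Layout the (stale) accessibility object files were compiled against. */
enum { OLD_QI = 0, OLD_GET_SHELL = 1 };
static const method_fn old_vtable[] = { doc_QueryInterface, doc_GetShell };
static char OLD_IID[] = "nsIDocument-v1 (constructed)";

/* Layout the freshly rebuilt document code uses: a method was inserted
 * ahead of GetShell, so slot 1 now holds StartDocumentLoad. */
enum { NEW_QI = 0, NEW_START_LOAD = 1, NEW_GET_SHELL = 2 };
static const method_fn new_vtable[] = { doc_QueryInterface, doc_StartDocumentLoad, doc_GetShell };
static char NEW_IID[] = "nsIDocument-v2 (constructed)";

static void document_init(Document *d, int new_layout) {
    memset(d, 0, sizeof *d);
    d->vtable = new_layout ? new_vtable : old_vtable;
    d->iid = new_layout ? NEW_IID : OLD_IID;
    d->pres_shell = (void *)d;   /* any non-null token will do for the model */
    d->last_called = "(none)";
}

/* Stale GetInfo: a baked-in slot index and no check at all. */
int stale_get_info(Document *doc, void **shell_out) {
    *shell_out = NULL;
    return doc->vtable[OLD_GET_SHELL](doc, shell_out);
}

/* Checked GetInfo: QueryInterface for the IID we were compiled against
 * before trusting any slot index. A mismatched build fails here. */
int checked_get_info(Document *doc, void **shell_out) {
    *shell_out = NULL;
    int rv = doc->vtable[OLD_QI](doc, OLD_IID);
    if (rv != NS_OK) return rv;
    return doc->vtable[OLD_GET_SHELL](doc, shell_out);
}

/* Exercise the model: which method ran, and what status came back. */
const char *dispatched_method(int new_layout, int checked) {
    Document d; void *shell;
    document_init(&d, new_layout);
    (checked ? checked_get_info : stale_get_info)(&d, &shell);
    return d.last_called;
}
int get_info_status(int new_layout, int checked) {
    Document d; void *shell;
    document_init(&d, new_layout);
    return (checked ? checked_get_info : stale_get_info)(&d, &shell);
}

int main(void) {
    printf("stale caller, old layout:   %s\n", dispatched_method(0, 0));
    printf("stale caller, new layout:   %s\n", dispatched_method(1, 0));
    printf("checked caller, new layout: %s (status %d)\n",
           dispatched_method(1, 1), get_info_status(1, 1));
    return 0;
}
```

The stale caller on the rebuilt layout lands in StartDocumentLoad, which is the shape of the Talkback stack in comment 4; the checked caller stops at QueryInterface with NS_NOINTERFACE. Outside this model, the practical lesson is the one the assignee draws: rebuild with distclean before reasoning about such a stack, and bump the interface's uuid whenever its method list changes so that mismatches surface as QI failures rather than misdispatch.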