Closed Bug 345434 Opened 15 years ago Closed 15 years ago

Firefox crashes with orca testcase [@nsHyperTextAccessible::GetRelativeOffset]

Product/Component: Core :: Disability Access APIs
Type: defect
Hardware: x86
OS: Linux
Priority: Not set
Severity: critical
Status: RESOLVED FIXED
Reporter: ginnchen+exoracle
Assigned: ginnchen+exoracle
Keywords: access, crash
Attachments: 1 file

1) Open www.google.com
2) Run testcase in bug 317482 in xterm
python bug_317482.py

3) Click firefox window, press F11

4) Crash
Stack:
427       nsresult rv = aFromFrame->PeekOffset(aPresShell->GetPresContext(), &pos);

#0  0xb6f56781 in nsHyperTextAccessible::GetRelativeOffset (this=0x8d2c1b0,
    aPresShell=0x8a43fd8, aFromFrame=0x0, aFromOffset=3,
    aAmount=eSelectEndLine, aDirection=eDirNext, aNeedsStart=1)
    at nsHyperTextAccessible.cpp:427
#1  0xb6f57e00 in nsHyperTextAccessible::GetTextHelper (this=0x8d2c1b0,
    aType=eGetAt, aBoundaryType=5, aOffset=5, aStartOffset=0xbfb47d48,
    aEndOffset=0xbfb47d44, aText=@0xbfb47c54) at nsHyperTextAccessible.cpp:545
#2  0xb6f57edc in nsHyperTextAccessible::GetTextAtOffset (this=0x8d2c1b0,
    aOffset=5, aBoundaryType=5, aStartOffset=0xbfb47d48,
    aEndOffset=0xbfb47d44, aText=@0xbfb47c54) at nsHyperTextAccessible.cpp:565
#3  0xb6f6662b in getTextAtOffsetCB (aText=0xb0d608c8, aOffset=5,
    aBoundaryType=ATK_TEXT_BOUNDARY_LINE_START, aStartOffset=0xbfb47dd8,
    aEndOffset=0xbfb47dd4) at nsMaiInterfaceText.cpp:152
#4  0xb7940c22 in atk_text_get_text_at_offset (text=0xb0d608c8, offset=5,
    boundary_type=ATK_TEXT_BOUNDARY_CHAR, start_offset=0xbfb47dd8,
    end_offset=0xbfb47dd4) at atktext.c:386
Severity: normal → critical
Component: Disability Access → Disability Access APIs
Product: Firefox → Core
QA Contact: disability.access → accessibility-apis
Attached patch: patch
get rid of crash
Assignee: aaronleventhal → ginn.chen
Status: NEW → ASSIGNED
Attachment #230407 - Flags: review?(aaronleventhal)
Comment on attachment 230407
patch

Ginn, under what conditions does that happen?
Attachment #230407 - Flags: review?(aaronleventhal) → review+
Checking in nsHyperTextAccessible.cpp;
/cvsroot/mozilla/accessible/src/html/nsHyperTextAccessible.cpp,v  <--  nsHyperTextAccessible.cpp
new revision: 1.9; previous revision: 1.8
done
Status: ASSIGNED → RESOLVED
Closed: 15 years ago
Resolution: --- → FIXED
(In reply to comment #2)
> Ginn, under what conditions does that happen?

I think the logic in GetPosAndText has some problems.
We can fix it in another bug.

Here's a simple case:
<html><body>abcd<br>efgh<br>123456</body><html>

If we call GetPosAndText with startOffset = endOffset = 4,
the first frame's textContentLength is also 4.
(startOffset < textContentLength) fails, then startOffset = endOffset = 0;
because endOffset is 0, we will break.
So we don't have a startFrame to return.

Crash Signature: [@nsHyperTextAccessible::GetRelativeOffset]
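
The boundary case described in the last comment, as an added example that is neither Mozilla's source nor the attached patch: a simplified C++ model of the frame walk, showing how offset 4 yields no start frame and how a caller can reject the null frame instead of dereferencing it. The names Frame, SampleFrames, FindStartFrame and RelativeOffsetGuarded are hypothetical, and only the three text frames of the sample page are modelled.

```cpp
// Added illustration: a simplified model, not Mozilla's source code.
#include <cstdio>
#include <vector>

struct Frame { int textLength; };  // hypothetical stand-in for a text frame

// Constructed sample: the text frames of abcd<br>efgh<br>123456 (the <br>
// elements are left out of the model).
std::vector<Frame> SampleFrames() { return {{4}, {4}, {6}}; }

// Frame walk as the comment describes it: returns the frame containing
// startOffset, or nullptr when the loop exits before one is chosen.
const Frame* FindStartFrame(const std::vector<Frame>& frames,
                            int startOffset, int endOffset) {
  const Frame* startFrame = nullptr;
  for (const Frame& frame : frames) {
    if (startOffset < frame.textLength) {
      if (!startFrame) startFrame = &frame;
      startOffset = 0;
    } else {
      startOffset -= frame.textLength;  // offset lies past this frame
    }
    endOffset -= frame.textLength;
    if (endOffset <= 0) break;  // may fire before any start frame is set
  }
  return startFrame;
}

// Hypothetical caller: rejects a null frame instead of dereferencing it.
// The arithmetic stands in for the real offset computation.
bool RelativeOffsetGuarded(const Frame* fromFrame, int fromOffset, int* out) {
  if (!fromFrame || !out) return false;
  *out = fromFrame->textLength - fromOffset;  // characters left in the frame
  return true;
}

int main() {
  std::vector<Frame> frames = SampleFrames();
  for (int offset : {3, 4, 5}) {
    const Frame* start = FindStartFrame(frames, offset, offset);
    int remaining = 0;
    bool ok = RelativeOffsetGuarded(start, 0, &remaining);
    std::printf("offset %d: start frame %s, guarded call %s\n", offset,
                start ? "found" : "NULL", ok ? "ok" : "rejected");
  }
  return 0;
}
```

Offsets 3 and 5 land inside a frame; offset 4 sits exactly on the first frame's length, which is the only one of the three that returns no frame.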