Bug 363849 - Stack overflow in nsHTMLComboboxAccessible::GetDescription()
Status: RESOLVED FIXED
Whiteboard: [needs testcase] Has been baking on t...
Keywords: access, crash, fixed1.8.0.10, fixed1.8.1.2
Product: Core
Classification: Components
Component: Disability Access APIs
Version: 1.8 Branch
Hardware: x86 All
Importance: -- critical
Assigned To: Aaron Leventhal
Blocks: 278034

Reported: 2006-12-14 08:40 PST by Aaron Leventhal
Modified: 2007-02-09 16:40 PST
jaymoz: blocking1.8.1.2-
jaymoz: blocking1.8.0.10-

Attachments
The part of the fix from bug 278034 that addresses this crash (1.97 KB, patch)
2007-01-15 12:40 PST, Aaron Leventhal
neil: review+
neil: superreview+
dveditz: approval1.8.1.2+
dveditz: approval1.8.0.10+

Description Aaron Leventhal 2006-12-14 08:40:00 PST
This is causing stack overflows in assistive technologies.

The problem exists in the following code:
http://lxr.mozilla.org/seamonkey/source/accessible/src/html/nsHTMLSelectAccessible.cpp#898

What Mozilla does for a combobox or list description is forward the description for the current "focused option node". We use that awful hack for descriptions on option nodes, where we provide positional info like "3 of 5".
So the idea is that the description for the combo box would be "3 of 5" if the currently focused option would be item #3 of #5.

Unfortunately the code that returns the current option can fall back on returning the original combo box or list node itself, in which case when we try to forward the description from that we end up in an infinite loop. The fallback is probably happening whenever a combobox is closed.
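
The self-forwarding loop described in the report above, as an added C++ example (not Mozilla's code and not the attached patch). `Accessible`, `Option`, `Combobox`, `FocusedOptionOrSelf` and the `kMaxDepth` cap that stands in for the stack limit are hypothetical names, and the identity check is one possible guard.

```cpp
#include <iostream>
#include <stdexcept>
#include <string>

// Hypothetical stand-ins for the accessible classes; not Mozilla's code.
struct Accessible {
    virtual ~Accessible() = default;
    virtual std::string Description(int depth) const = 0;
};

struct Option : Accessible {
    int index, total;
    Option(int i, int n) : index(i), total(n) {}
    std::string Description(int) const override {  // positional info, e.g. "3 of 5"
        return std::to_string(index) + " of " + std::to_string(total);
    }
};

struct Combobox : Accessible {
    static constexpr int kMaxDepth = 1000;  // stands in for the stack limit so the demo terminates
    const Option* focused = nullptr;        // nullptr models "no focused option" (assumed: closed combobox)
    bool guarded;
    explicit Combobox(bool g) : guarded(g) {}

    // The fallback from the report: with no focused option, hand back the combobox itself.
    const Accessible* FocusedOptionOrSelf() const {
        return focused ? static_cast<const Accessible*>(focused) : this;
    }
    std::string Description(int depth) const override {
        if (depth > kMaxDepth) throw std::overflow_error("description forwarded to self");
        const Accessible* target = FocusedOptionOrSelf();
        if (guarded && target == this) return "";  // guard: never forward to ourselves
        return target->Description(depth + 1);     // unguarded: re-enters this function
    }
};

std::string Describe(const Accessible& a) { return a.Description(0); }

bool Overflows(const Accessible& a) {
    try { a.Description(0); return false; }
    catch (const std::overflow_error&) { return true; }
}

int main() {
    Option third(3, 5);
    Combobox openBox(false), closedBox(false), guardedBox(true);
    openBox.focused = &third;
    std::cout << Describe(openBox) << " | unguarded closed overflows: " << Overflows(closedBox)
              << " | guarded closed overflows: " << Overflows(guardedBox) << "\n";
}
```
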
Comment 1 Nian Liu(n/a in a long time) 2006-12-15 00:41:59 PST
How to reproduce this?
Comment 2 Aaron Leventhal 2006-12-15 06:19:48 PST
This was reported by Freedom Scientific and JAWS users. They said that getting the description from a combo box or listbox would reproduce it. After looking at the code, I think it's an obvious problem, but I haven't spent the time to try and duplicate the error condition.
Comment 3 Aaron Leventhal 2007-01-11 12:09:06 PST
Fixed via checkin to bug 278034.
Comment 4 Aaron Leventhal 2007-01-15 12:40:23 PST
Created attachment 251562
The part of the fix from bug 278034 that addresses this crash
Comment 5 Aaron Leventhal 2007-01-15 12:43:05 PST
Same patch applies 1.8.0 and 1.8 branches.
Comment 6 neil@parkwaycc.co.uk 2007-01-16 05:39:20 PST
Comment on attachment 251562
The part of the fix from bug 278034 that addresses this crash

sr=me for branch port.
Comment 7 Daniel Veditz [:dveditz] 2007-01-16 14:23:15 PST
Comment on attachment 251562
The part of the fix from bug 278034 that addresses this crash

approved for 1.8/1.8.0 branches, a=dveditz for drivers

Please land ASAP, we'll remove the approval after the code freeze as this is not a blocking bug.
