Closed Bug 363849 Opened 18 years ago Closed 17 years ago

Stack overflow in nsHTMLComboboxAccessible::GetDescription()

Categories

(Core :: Disability Access APIs, defect)

1.8 Branch
x86
All
defect
Not set
critical

Tracking

()

RESOLVED FIXED

People

(Reporter: aaronlev, Assigned: aaronlev)

References

Details

(4 keywords, Whiteboard: [needs testcase] Has been baking on trunk via fix bug 278034)

Attachments

(1 file)

This is causing stack overflows in assistive technologies.

The problem exists in the following code:
http://lxr.mozilla.org/seamonkey/source/accessible/src/html/nsHTMLSelectAccessible.cpp#898

What Mozila does for a combobox or list description is forward the description for the current "focused option node". We use that awful hack for descriptions on option nodes, where we provide positional info like "3 of 5".
So the idea is that the description for the combo box would be "3 of 5" if the currently focused option would be item #3 of #5.

Unfortunately the code that returns the current option can fallback on returning the original combo box or list node itself, in which case when we try to forward the description from that we end up in an infinite loop. The fallback is probably happening whenever a combobox is closed.
how to reproduce this?
This was reported by Freedom Scientific and JAWS users. They said that getting the description from a combo box or listbox would reproduce it. After looking at the code, I think it's an obvious problem, but I haven't spent the time to try and duplicate the error condition.
Blocks: 278034
No longer blocks: keya11y
Fixed via checkin to bug 278034.
Status: NEW → RESOLVED
Closed: 17 years ago
Resolution: --- → FIXED
Attachment #251562 - Flags: superreview?(neil)
Attachment #251562 - Flags: review?(neil)
Flags: blocking1.8.1.2?
Flags: blocking1.8.0.10?
Whiteboard: Has been baking on trunk via fix bug 278034
Version: Trunk → 1.8 Branch
Same patch applies 1.8.0 and 1.8 branches.
Comment on attachment 251562 [details] [diff] [review]
The part of the fix from bug 278034 that addresses this crash

sr=me for branch port.
Attachment #251562 - Flags: superreview?(neil)
Attachment #251562 - Flags: superreview+
Attachment #251562 - Flags: review?(neil)
Attachment #251562 - Flags: review+
Attachment #251562 - Flags: approval1.8.1.2?
Attachment #251562 - Flags: approval1.8.0.10?
Flags: blocking1.8.1.2?
Flags: blocking1.8.1.2-
Flags: blocking1.8.0.10?
Flags: blocking1.8.0.10-
Comment on attachment 251562 [details] [diff] [review]
The part of the fix from bug 278034 that addresses this crash

approved for 1.8/1.8.0 branches, a=dveditz for drivers

Please land ASAP, we'll remove the approval after the code freeze as this is not a blocking bug.
Attachment #251562 - Flags: approval1.8.1.2?
Attachment #251562 - Flags: approval1.8.1.2+
Attachment #251562 - Flags: approval1.8.0.10?
Attachment #251562 - Flags: approval1.8.0.10+
Keywords: fixed1.8, fixed1.8.1
Whiteboard: Has been baking on trunk via fix bug 278034 → [needs testcase] Has been baking on trunk via fix bug 278034
You need to log in before you can comment on or make changes to this bug.