Stack overflow in nsHTMLComboboxAccessible::GetDescription()

RESOLVED FIXED

Status


Core
Disability Access APIs
--
critical
RESOLVED FIXED
11 years ago
10 years ago

People

(Reporter: Aaron Leventhal, Assigned: Aaron Leventhal)

Tracking

(4 keywords)

1.8 Branch
x86
All
access, crash, fixed1.8.0.10, fixed1.8.1.2
Points:
---
Bug Flags:
blocking1.8.1.2 -
blocking1.8.0.10 -

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [needs testcase] Has been baking on trunk via fix bug 278034)

Attachments

(1 attachment)

(Assignee)

Description

11 years ago
This is causing stack overflows in assistive technologies.

The problem exists in the following code:
http://lxr.mozilla.org/seamonkey/source/accessible/src/html/nsHTMLSelectAccessible.cpp#898

What Mozilla does for a combobox or list description is forward the description for the current "focused option node". We use that awful hack for descriptions on option nodes, where we provide positional info like "3 of 5".
So the idea is that the description for the combo box would be "3 of 5" if the currently focused option would be item #3 of #5.

Unfortunately the code that returns the current option can fall back on returning the original combo box or list node itself, in which case when we try to forward the description from that we end up in an infinite loop. The fallback is probably happening whenever a combobox is closed.

How to reproduce this?
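
The self-forwarding recursion described in the report above, reduced to a small model. This is an added example, not the code in nsHTMLSelectAccessible.cpp or the patch in attachment 251562; the class names, the `guarded` flag and the `focused` index are assumptions made for illustration.

```cpp
#include <string>
#include <vector>

// Simplified model with hypothetical names; not Mozilla's accessibility classes.
struct Node {
    virtual ~Node() = default;
    virtual std::string GetDescription() const = 0;
};

struct Option : Node {
    int index, total;
    Option(int i, int n) : index(i), total(n) {}
    // Positional description such as "3 of 5".
    std::string GetDescription() const override {
        return std::to_string(index) + " of " + std::to_string(total);
    }
};

struct Combobox : Node {
    std::vector<Option> options;
    int focused = -1;   // -1 models "no focused option", e.g. a closed combobox
    bool guarded;       // false reproduces the reported behaviour

    Combobox(int count, bool guard) : guarded(guard) {
        for (int i = 1; i <= count; ++i) options.emplace_back(i, count);
    }

    // The fallback from the report: with no focused option, the lookup
    // hands back the combobox node itself.
    const Node* GetFocusedOption() const {
        if (focused >= 0 && focused < static_cast<int>(options.size()))
            return &options[focused];
        return this;
    }

    std::string GetDescription() const override {
        const Node* target = GetFocusedOption();
        // Identity check: never forward the call to ourselves.
        if (guarded && target == this)
            return std::string();
        // With guarded == false and target == this, this call re-enters
        // GetDescription() until the stack is exhausted.
        return target->GetDescription();
    }
};
```

Any accessor that delegates to a "current child" lookup needs the same identity check when that lookup can return the delegating node.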
(Assignee)

Comment 2

11 years ago
This was reported by Freedom Scientific and JAWS users. They said that getting the description from a combo box or listbox would reproduce it. After looking at the code, I think it's an obvious problem, but I haven't spent the time to try and duplicate the error condition.
(Assignee)

Updated

10 years ago
Blocks: 278034
No longer blocks: 342901
(Assignee)

Comment 3

10 years ago
Fixed via checkin to bug 278034.
Status: NEW → RESOLVED
Last Resolved: 10 years ago
Resolution: --- → FIXED
(Assignee)

Comment 4

10 years ago
Created attachment 251562 [details] [diff] [review]
The part of the fix from bug 278034 that addresses this crash
Attachment #251562 - Flags: superreview?(neil)
Attachment #251562 - Flags: review?(neil)
(Assignee)

Updated

10 years ago
Flags: blocking1.8.1.2?
Flags: blocking1.8.0.10?
Whiteboard: Has been baking on trunk via fix bug 278034
Version: Trunk → 1.8 Branch
(Assignee)

Comment 5

10 years ago
Same patch applies to 1.8.0 and 1.8 branches.

Comment 6

10 years ago
Comment on attachment 251562 [details] [diff] [review]
The part of the fix from bug 278034 that addresses this crash

sr=me for branch port.
Attachment #251562 - Flags: superreview?(neil)
Attachment #251562 - Flags: superreview+
Attachment #251562 - Flags: review?(neil)
Attachment #251562 - Flags: review+
(Assignee)

Updated

10 years ago
Attachment #251562 - Flags: approval1.8.1.2?
Attachment #251562 - Flags: approval1.8.0.10?

Updated

10 years ago
Flags: blocking1.8.1.2?
Flags: blocking1.8.1.2-
Flags: blocking1.8.0.10?
Flags: blocking1.8.0.10-
Comment on attachment 251562 [details] [diff] [review]
The part of the fix from bug 278034 that addresses this crash

approved for 1.8/1.8.0 branches, a=dveditz for drivers

Please land ASAP, we'll remove the approval after the code freeze as this is not a blocking bug.
Attachment #251562 - Flags: approval1.8.1.2?
Attachment #251562 - Flags: approval1.8.1.2+
Attachment #251562 - Flags: approval1.8.0.10?
Attachment #251562 - Flags: approval1.8.0.10+
(Assignee)

Updated

10 years ago
Keywords: fixed1.8, fixed1.8.1
(Assignee)

Updated

10 years ago
Keywords: fixed1.8, fixed1.8.1 → fixed1.8.0.10, fixed1.8.1.2

Updated

10 years ago
Whiteboard: Has been baking on trunk via fix bug 278034 → [needs testcase] Has been baking on trunk via fix bug 278034