Closed Bug 372201 Opened 17 years ago Closed 15 years ago

Can cause firefox to segfault in accessibility layer

Categories

(Core :: Disability Access APIs, defect)

1.8 Branch
x86
Linux
defect
Not set
critical

Tracking


VERIFIED WORKSFORME

People

(Reporter: spotter, Unassigned)

Details

User-Agent:       Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.2) Gecko/20061201 Firefox/2.0.0.2 (Ubuntu-feisty)
Build Identifier: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.2) Gecko/20061201 Firefox/2.0.0.2 (Ubuntu-feisty)

We've written a program that extracts text from the applications on a user's desktop via the accessibility interface.  Our program listens for the accessibility events and then queries the events for the text associated with them; it can very well be buggy (though it doesn't crash other programs).  Firefox dies with this backtrace (of the crashing thread).

The backtrace is from the version of Firefox in Ubuntu Feisty today (a variant of 2.0.0.2), but it has been tested with the binary download from ftp.mozilla.org as well; I was just unable to get a good backtrace there due to lack of symbols.

Line 127 is the NS_ADDREF_THIS(), which resolves to AddRef(), in the code segment below.

  if(aIID.Equals(NS_GET_IID(nsPIAccessible))) {
    *aInstancePtr = NS_STATIC_CAST(nsPIAccessible*, this);
    NS_ADDREF_THIS();
    return NS_OK;
  }

I'm unsure whether to classify this bug as normal or critical, but it is a crasher; feel free to change it if it's mislabeled.

potter@dent:~$ firefox -g
GNU gdb 6.6-debian
Copyright (C) 2006 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i486-linux-gnu"...
Using host libthread_db library "/lib/tls/i686/cmov/libthread_db.so.1".
(gdb) run
Starting program: /usr/lib/firefox/firefox-bin -a firefox
[Thread debugging using libthread_db enabled]
[New Thread -1221306672 (LWP 31457)]
GTK Accessibility Module initialized
[New Thread -1225294960 (LWP 31461)]
[New Thread -1235448944 (LWP 31462)]
[New Thread -1258247280 (LWP 31474)]
[New Thread -1268675696 (LWP 31475)]
[New Thread -1277068400 (LWP 31476)]
[New Thread -1285461104 (LWP 31477)]
[New Thread -1298273392 (LWP 31481)]
[New Thread -1306666096 (LWP 31482)]
[New Thread -1315058800 (LWP 31483)]
[Thread -1306666096 (LWP 31482) exited]
[Thread -1315058800 (LWP 31483) exited]
[New Thread -1315058800 (LWP 31484)]
[New Thread -1306666096 (LWP 31487)]
[New Thread -1325888624 (LWP 31488)]
** Message: GetValue variable 1 (1)
** Message: GetValue variable 2 (2)
** Message: GetValue variable 1 (1)
** Message: GetValue variable 2 (2)
** Message: GetValue variable 1 (1)
** Message: GetValue variable 2 (2)
** Message: GetValue variable 1 (1)
** Message: GetValue variable 2 (2)
[New Thread -1363559536 (LWP 31494)]
[Thread -1315058800 (LWP 31484) exited]
[New Thread -1315058800 (LWP 31511)]

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread -1221306672 (LWP 31457)]
0x00000049 in ?? ()
(gdb) bt
#0  0x00000049 in ?? ()
#1  0xb118ee4b in nsAccessible::QueryInterface (this=0x8fa3470, 
    aIID=@0xb11c8598, aInstancePtr=0xbf88cc5c) at nsAccessible.cpp:127
#2  0xb7e2c003 in nsQueryInterface::operator() (this=<value optimized out>, 
    aIID=@0xb11c8598, answer=0x8fa3470) at nsCOMPtr.cpp:47
#3  0xb7e2c0c5 in nsCOMPtr_base::assign_from_qi (this=0xbf88cc90, qi=
      {mRawPtr = 0x8fa3484}, iid=@0x52f1be88) at nsCOMPtr.cpp:96
#4  0xb118e989 in nsAccessible::Shutdown (this=0x9b3af90)
    at ../../../dist/include/xpcom/nsCOMPtr.h:645
#5  0xb11809fe in nsAccessNode::ClearCacheEntry (aKey=0x9b3af90, 
    aAccessNode=@0x9b3412c, aUserArg=0x0) at nsAccessNode.cpp:530
#6  0xb1181c82 in nsBaseHashtable<nsVoidHashKey, nsCOMPtr<nsIAccessNode>, nsIAccessNode*>::s_EnumStub (table=0x90635dc, hdr=0x9b34124, number=1073, 
    arg=0xbf88cd5c) at ../../../dist/include/xpcom/nsBaseHashtable.h:346
#7  0xb7e2b993 in PL_DHashTableEnumerate (table=0x90635dc, 
    etor=0xb1181c60 <nsBaseHashtable<nsVoidHashKey, nsCOMPtr<nsIAccessNode>, nsIAccessNode*>::s_EnumStub(PLDHashTable*, PLDHashEntryHdr*, unsigned int, void*)>, arg=0xbf88cd5c) at pldhash.c:683
#8  0xb11805be in nsAccessNode::ClearCache (aCache=@0x90635dc)
    at ../../../dist/include/xpcom/nsBaseHashtable.h:221
#9  0xb1183054 in nsDocAccessible::Shutdown (this=0x9063580)
    at nsDocAccessible.cpp:483
#10 0xb11a5c40 in nsDocAccessibleWrap::Shutdown (this=0x9063580)
    at nsDocAccessibleWrap.cpp:519
#11 0xb1182d35 in nsDocAccessible::Destroy (this=0x9063580)
    at nsDocAccessible.cpp:462
#12 0xb119822b in nsRootAccessible::HandleEvent (this=0x86fde78, 
    aEvent=0x9c77eec) at nsRootAccessible.cpp:605
#13 0xb5abf360 in nsEventListenerManager::HandleEventSubType (this=0x83bb698, 
    aListenerStruct=0x8a7ca10, aListener=0x86fdf38, aDOMEvent=0x9c77eec, 
    aCurrentTarget=0x83676a8, aSubType=2, aPhaseFlags=4)
    at nsEventListenerManager.cpp:1655
#14 0xb5ac1420 in nsEventListenerManager::HandleEvent (this=0x83bb698, 
    aPresContext=0x0, aEvent=0xbf88e16c, aDOMEvent=0xbf88e118, 
    aCurrentTarget=0x83676a8, aFlags=4, aEventStatus=0xbf88e128)
    at nsEventListenerManager.cpp:1759
#15 0xb5be9dc9 in nsWindowRoot::HandleChromeEvent (this=0x83676a8, 
    aPresContext=0x0, aEvent=0xbf88e16c, aDOMEvent=0xbf88e118, 
    aFlags=4294967291, aEventStatus=0xbf88e128) at nsWindowRoot.cpp:269
#16 0xb5bd3ca1 in nsGlobalWindow::HandleDOMEvent (this=0x83a6b20, 
    aPresContext=0x0, aEvent=0xbf88e16c, aDOMEvent=0xbf88e118, aFlags=4, 
    aEventStatus=0xbf88e128) at nsGlobalWindow.cpp:1678
#17 0xb5ba6521 in nsXULDocument::HandleDOMEvent (this=0x8328200, 
    aPresContext=0x0, aEvent=0xbf88e16c, aDOMEvent=0xbf88e118, aFlags=4, 
    aEventStatus=0xbf88e128) at nsXULDocument.cpp:1227
#18 0xb5b97b64 in nsXULElement::HandleDOMEvent (this=0x8647408, 
    aPresContext=0x0, aEvent=0xbf88e16c, aDOMEvent=0xbf88e118, 
    aFlags=<value optimized out>, aEventStatus=0xbf88e128)
    at nsXULElement.cpp:2212
#19 0xb5b974ce in nsXULElement::HandleDOMEvent (this=0x8676850, 
    aPresContext=0x0, aEvent=0xbf88e16c, aDOMEvent=0xbf88e118, 
    aFlags=<value optimized out>, aEventStatus=0xbf88e128)
    at nsXULElement.cpp:2207
#20 0xb5b974ce in nsXULElement::HandleDOMEvent (this=0x86768a8, 
    aPresContext=0x0, aEvent=0xbf88e16c, aDOMEvent=0xbf88e118, 
    aFlags=<value optimized out>, aEventStatus=0xbf88e128)
    at nsXULElement.cpp:2207
#21 0xb5b974ce in nsXULElement::HandleDOMEvent (this=0x8676d10, 
    aPresContext=0x0, aEvent=0xbf88e16c, aDOMEvent=0xbf88e118, 
    aFlags=<value optimized out>, aEventStatus=0xbf88e128)
    at nsXULElement.cpp:2207
#22 0xb5b974ce in nsXULElement::HandleDOMEvent (this=0x8676db8, 
    aPresContext=0x0, aEvent=0xbf88e16c, aDOMEvent=0xbf88e118, 
    aFlags=<value optimized out>, aEventStatus=0xbf88e128)
    at nsXULElement.cpp:2207
#23 0xb5b974ce in nsXULElement::HandleDOMEvent (this=0x87d7d60, 
    aPresContext=0x0, aEvent=0xbf88e16c, aDOMEvent=0xbf88e118, 
    aFlags=<value optimized out>, aEventStatus=0xbf88e128)
    at nsXULElement.cpp:2207
#24 0xb5b974ce in nsXULElement::HandleDOMEvent (this=0x8813310, 
    aPresContext=0x0, aEvent=0xbf88e16c, aDOMEvent=0xbf88e118, 
    aFlags=<value optimized out>, aEventStatus=0xbf88e128)
    at nsXULElement.cpp:2207
#25 0xb5b974ce in nsXULElement::HandleDOMEvent (this=0x8813348, 
    aPresContext=0x0, aEvent=0xbf88e16c, aDOMEvent=0xbf88e118, 
    aFlags=<value optimized out>, aEventStatus=0xbf88e128)
    at nsXULElement.cpp:2207
#26 0xb5b974ce in nsXULElement::HandleDOMEvent (this=0x8813380, 
    aPresContext=0x0, aEvent=0xbf88e16c, aDOMEvent=0xbf88e118, 
    aFlags=<value optimized out>, aEventStatus=0xbf88e128)
    at nsXULElement.cpp:2207
#27 0xb5b9710d in nsXULElement::HandleChromeEvent (this=0x8813380, 
    aPresContext=0x0, aEvent=0xbf88e16c, aDOMEvent=0xbf88e118, aFlags=4, 
    aEventStatus=0xbf88e128) at nsXULElement.cpp:2893
#28 0xb5bd3ca1 in nsGlobalWindow::HandleDOMEvent (this=0x905fc28, 
    aPresContext=0x0, aEvent=0xbf88e16c, aDOMEvent=0xbf88e118, aFlags=7, 
    aEventStatus=0xbf88e128) at nsGlobalWindow.cpp:1678
#29 0xb5a73fdc in nsDocument::DispatchEventToWindow (this=0x9437b88, 
    aEvent=0xbf88e16c) at nsDocument.cpp:5081
#30 0xb5a74096 in nsDocument::OnPageHide (this=0x9437b88, aPersisted=0)
    at nsDocument.cpp:5138
#31 0xb58c5031 in DocumentViewerImpl::PageHide (this=0x900afb8, aIsUnload=1)
    at nsDocumentViewer.cpp:1189
#32 0xb575ac3b in nsDocShell::FirePageHideNotification (this=0x888de28, 
    aIsUnload=1) at nsDocShell.cpp:924
#33 0xb575848c in nsDocShell::CreateContentViewer (this=0x888de28, 
    aContentType=0x9c75e50 "text/html", request=0x869f28c, 
    aContentHandler=0x869f884) at nsDocShell.cpp:5678
#34 0xb5764f08 in nsDSURIContentListener::DoContent (this=0x889a378, 
    aContentType=0x9c75e50 "text/html", aIsContentPreferred=1, 
    request=0x869f28c, aContentHandler=0x869f884, aAbortProcess=0xbf88e36c)
    at nsDSURIContentListener.cpp:130
#35 0xb5769c3d in nsDocumentOpenInfo::TryContentListener (this=0x869f878, 
    aListener=0x889a378, aChannel=0x869f28c) at nsURILoader.cpp:774
#36 0xb5769ff2 in nsDocumentOpenInfo::DispatchContent (this=0x869f878, 
    request=0x869f28c, aCtxt=0x0) at nsURILoader.cpp:500
#37 0xb576ae11 in nsDocumentOpenInfo::OnStartRequest (this=0x869f878, 
    request=0x869f28c, aCtxt=0x0) at nsURILoader.cpp:345
#38 0xb70c2a40 in nsHttpChannel::CallOnStartRequest (this=0x869f260)
    at nsHttpChannel.cpp:753
#39 0xb70cd7d1 in nsHttpChannel::ProcessNormal (this=0x869f260)
    at nsHttpChannel.cpp:923
#40 0xb70ce17b in nsHttpChannel::ProcessResponse (this=0x869f260)
    at nsHttpChannel.cpp:858
#41 0xb70ce4e0 in nsHttpChannel::OnStartRequest (this=0x869f260, 
    request=0x98fecc8, ctxt=0x0) at nsHttpChannel.cpp:4017
#42 0xb704754d in nsInputStreamPump::OnStateStart (this=0x98fecc8)
    at nsInputStreamPump.cpp:438
#43 0xb70482e8 in nsInputStreamPump::OnInputStreamReady (this=0x98fecc8, 
    stream=0x991c9a0) at nsInputStreamPump.cpp:394
#44 0xb7e599f2 in nsInputStreamReadyEvent::EventHandler (plevent=0x86a0fa4)
    at nsStreamUtils.cpp:120
#45 0xb7e76417 in PL_HandleEvent (self=0x86a0fa4) at plevent.c:688
#46 0xb7e7672b in PL_ProcessPendingEvents (self=0x80e5640) at plevent.c:623
#47 0xb7e7867e in nsEventQueueImpl::ProcessPendingEvents (this=0x80e55f8)
    at nsEventQueue.cpp:417
#48 0xb66f86b5 in event_processor_callback (source=0x85b1a38, 
    condition=G_IO_IN, data=0x52f1be88) at nsAppShell.cpp:67
#49 0xb757725d in g_io_unix_dispatch (source=0x85b1a80, 
    callback=0xb66f86a0 <event_processor_callback>, user_data=0x80e55f8)
    at giounix.c:162
#50 0xb754dc42 in IA__g_main_context_dispatch (context=0x8084f70)
    at gmain.c:2045
#51 0xb7550c1f in g_main_context_iterate (context=0x8084f70, block=1, 
    dispatch=1, self=0x8071a30) at gmain.c:2677
#52 0xb7550fc9 in IA__g_main_loop_run (loop=0x85b1308) at gmain.c:2881
#53 0xb7b85fa4 in gtk_main () from /usr/lib/libgtk-x11-2.0.so.0
#54 0xb66f8b12 in nsAppShell::Run (this=0x815dee0) at nsAppShell.cpp:139
#55 0xb65ffbe2 in nsAppStartup::Run (this=0x8161670) at nsAppStartup.cpp:151
#56 0x0804f8d1 in XRE_main (argc=3, argv=0xbf88f044, aAppData=0x805a020)
    at nsAppRunner.cpp:2695
#57 0x0804ab8f in main (argc=156023192, argv=0xb11ca264) at nsBrowserApp.cpp:61
#58 0xb76c0ebc in __libc_start_main () from /lib/tls/i686/cmov/libc.so.6
#59 0x0804aac1 in _start ()

Reproducible: Always

Steps to Reproduce:
This doesn't happen on every web page, but it happens repeatably on eBay's huge list of auction pages.  Basically, the page will load OK, but if I try to quickly move to a new page, it will crash with a backtrace similar to the one I included.

I'm unsure if I can give away the code that we're running to extract text from Firefox via the accessibility interface, but I'm also unsure if it matters.
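A frame-0 address of 0x00000049 directly after the NS_ADDREF_THIS() on line 127 is what a virtual AddRef() call through an object whose vtable pointer is no longer valid looks like, and the QueryInterface in frame #1 was reached from nsAccessible::Shutdown while the document's accessible cache was being cleared on page hide; that is consistent with the object being queried having already been torn down. The example below is added here and is not Mozilla code. It models that teardown in a cut-down refcounted object graph (every name in it, RefCounted, Ref, WeakRef, AccNode and DocCache, is invented for the illustration) and shows the check a cache entry's Shutdown() needs: reach related objects through a weak reference that reports liveness, so a dead parent yields a null pointer instead of a virtual call into freed memory.

```cpp
// Added illustration, not Mozilla code: an XPCOM-style refcounted object graph
// and a cache teardown shaped like the one in the backtrace. All names are
// invented for this example.
#include <cassert>
#include <cstddef>
#include <memory>
#include <unordered_map>

// Control block behind a weak reference: the pointee's destructor clears
// `alive`, so a weak holder can test liveness before any virtual call.
struct LiveFlag { bool alive = true; };

class RefCounted {
public:
    virtual ~RefCounted() { flag_->alive = false; }
    // Virtual, like nsISupports::AddRef(): invoked on a freed object it
    // dispatches through whatever now occupies the old vtable slot.
    virtual void AddRef() { ++refcnt_; }
    virtual void Release() { if (--refcnt_ == 0) delete this; }
    std::size_t RefCount() const { return refcnt_; }
    std::shared_ptr<LiveFlag> Flag() const { return flag_; }
protected:
    RefCounted() : flag_(std::make_shared<LiveFlag>()) {}
private:
    std::size_t refcnt_ = 0;
    std::shared_ptr<LiveFlag> flag_;
};

// Owning smart pointer in the spirit of nsCOMPtr.
template <class T>
class Ref {
public:
    Ref() = default;
    explicit Ref(T* p, bool addref = true) : p_(p) { if (p_ && addref) p_->AddRef(); }
    Ref(const Ref& o) : p_(o.p_) { if (p_) p_->AddRef(); }
    Ref& operator=(const Ref& o) {
        if (o.p_) o.p_->AddRef();   // AddRef first so self-assignment is safe
        if (p_) p_->Release();
        p_ = o.p_;
        return *this;
    }
    ~Ref() { if (p_) p_->Release(); }
    T* get() const { return p_; }
    explicit operator bool() const { return p_ != nullptr; }
private:
    T* p_ = nullptr;
};

// Non-owning reference that knows whether its pointee still exists.
template <class T>
class WeakRef {
public:
    WeakRef() = default;
    explicit WeakRef(T* p) : ptr_(p), flag_(p ? p->Flag() : nullptr) {}
    // Returns an already AddRef'd pointer, or nullptr if the pointee died.
    // This is the spot where the original QueryInterface/NS_ADDREF_THIS runs;
    // the liveness test is what keeps AddRef() from executing on freed memory.
    T* Lock() const {
        if (!flag_ || !flag_->alive) return nullptr;
        ptr_->AddRef();
        return ptr_;
    }
private:
    T* ptr_ = nullptr;
    std::shared_ptr<LiveFlag> flag_;
};

class AccNode : public RefCounted {
public:
    static int live;   // constructed-but-not-destroyed count, checked by the scenarios
    explicit AccNode(AccNode* parent) : parent_(parent) { ++live; }
    ~AccNode() override { --live; }
    // Mirrors nsAccessible::Shutdown() touching a related accessible. Returns
    // true if the parent was still alive, false if the weak ref refused it.
    bool Shutdown() {
        Ref<AccNode> parent(parent_.Lock(), /*addref=*/false);
        return static_cast<bool>(parent);
    }
private:
    WeakRef<AccNode> parent_;
};
int AccNode::live = 0;

// Owns strong references, like nsBaseHashtable<..., nsCOMPtr<nsIAccessNode>>.
class DocCache {
public:
    void Put(void* key, AccNode* node) { cache_[key] = Ref<AccNode>(node); }
    // Like nsAccessNode::ClearCache(): shut every entry down, then drop the
    // owning references. Returns how many entries still had a live parent.
    std::size_t Shutdown() {
        std::size_t withParent = 0;
        for (auto& kv : cache_) if (kv.second.get()->Shutdown()) ++withParent;
        cache_.clear();
        return withParent;
    }
private:
    std::unordered_map<void*, Ref<AccNode>> cache_;
};

// Parent released (and freed) before the cache is torn down: the ordering a
// page-hide teardown can produce. Both children see a dead parent, so 0.
std::size_t RunTeardownScenario() {
    DocCache cache;
    AccNode* parent = new AccNode(nullptr);
    parent->AddRef();
    AccNode* a = new AccNode(parent);
    AccNode* b = new AccNode(parent);
    cache.Put(a, a);
    cache.Put(b, b);
    parent->Release();            // parent freed here; children hold only weak refs
    return cache.Shutdown();      // 0
}

// Parent kept alive across the teardown: the single child sees it, so 1.
std::size_t RunOrderedScenario() {
    DocCache cache;
    Ref<AccNode> parent(new AccNode(nullptr));
    AccNode* child = new AccNode(parent.get());
    cache.Put(child, child);
    return cache.Shutdown();      // 1
}
```

The design point is that the cache may legitimately hold strong references while a cached node's link to a related node is not owning; if that link is a raw pointer, the node cannot tell whether the pointee was destroyed before the cache enumeration reached it, and the first virtual call on it (here AddRef() inside a QueryInterface) is exactly the kind of jump to a garbage address the backtrace shows.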
Don't use our Linux accessibility support in Firefox 2. It's horribly broken. Sorry, it's not fully baked yet even on trunk.
Assignee: nobody → aaronleventhal
Component: Disability Access → Disability Access APIs
Product: Firefox → Core
QA Contact: disability.access → accessibility-apis
Version: unspecified → 1.8 Branch
Spotter, can you try this with Firefox 3 nightly builds and see if it is still a problem?
Blocks: fox3access
We seemed to have better luck with Firefox 3.0 nightlies (though not quite recently, more like during the summer).
Shaya, that's good news. Taking off the blocker list.
No longer blocks: fox3access
Mass un-assigning bugs assigned to Aaron.
Assignee: aaronleventhal → nobody
Is this crash still reproducible in Firefox 3.5?  If it isn't, we should resolve it as RESOLVED WORKSFORME.
I moved on from the research I was doing then, so I haven't really tried in a long time.
Thank you for the fast reply.

I will resolve and verify it as Worksforme, and if the issue resurfaces, we will reopen the bug.
Status: UNCONFIRMED → RESOLVED
Closed: 15 years ago
Resolution: --- → WORKSFORME
Status: RESOLVED → VERIFIED