Closed Bug 376239 Opened 17 years ago Closed 17 years ago

Firefox crashes when running w/ Screen Readers

Categories

(Core :: Disability Access APIs, defect)

Product:
Core
Component:
Disability Access APIs
Platform:
x86
Windows XP
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED

People

(Reporter: deangelo, Assigned: surkov)

Details

(Keywords: access, regression) 

Env: Firefox 3 (Minefield) nightly build 20070402, any either JAWS 8.0 or Window Eyes 6.1.

Reported Problem: Firefox will crash without the option of Talkback when loading a about:blank page/mozilla.org and running a screen reader (either JAWS or Window Eyes). 
  Note: This regression started on or about the nightly build of 03/26/2007. As stated by Aaron L. (No talkback usually means it's an infinite loop / stack overflow.)

Steps to recreate:
1. Start FF and either screen reader, load mozilla.org or about:blank, notice that FF crashes or you might have to press the tab a few times.
Victor says that Thunderbird broke somewhere on March 14-15. 

Can you use the nightly Firefox builds and find out what was the last day this was not a bug?
Here are the accessible module checkins during that time:
http://bonsai.mozilla.org/cvsquery.cgi?treeid=default&module=all&branch=HEAD&branchtype=match&dir=mozilla%2Faccessible&file=&filetype=regexp&who=&whotype=match&sortby=Date&hours=2&date=explicit&mindate=2007-03-14&maxdate=2007-03-16&cvsroot=%2Fcvsroot
Aaronlev -- Bug 374100. Regression in GetTextAtOffset for forced line breaks. r=parente
Surkov -- Bug 373532 - moved states out of nsIAccessible. r=aaronlev
Surkov -- Bug 373532 - move roles out of nsIAccessible. r=aaronlev
The crash happens with a debug build on my machine, but it's not obvious what the cause is. Wayne says that Victor's crash window of March 15 is correct.

I have verified that bug 374100 is not the problem, by backing it out. The crash still happens when I build.

Alexander, this may be a regression from your role/state patch.
Assignee: aaronleventhal → surkov.alexander
There may be several different crashes here. I think the one I'm seeing right now is from the focus rewrite. Here's the crash I'm seeing:
1) At launch, we fire a focus event for the document
2) Window-Eyes call back has some garbage node and tries to do stuff with it.
3) We crash in QueryInterface() because |this| is garbage.
My crash from comment 4 goes away when I back out Surkov's fix for bug 372367. 
Ignore comment 5.
I found the real culprit. It's bug 370790.

This part of the change causes the crash, but I don't know why (backing out just this ends the crashing behavior):

@@ -105,20 +109,22 @@ STDMETHODIMP nsAccessibleWrap::QueryInte
 
   if (IID_IUnknown == iid || IID_IDispatch == iid || IID_IAccessible == iid)
     *ppv = NS_STATIC_CAST(IAccessible*, this);
   else if (IID_IEnumVARIANT == iid && !gIsEnumVariantSupportDisabled) {
     long numChildren;
     get_accChildCount(&numChildren);
     if (numChildren > 0)  // Don't support this interface for leaf elements
       *ppv = NS_STATIC_CAST(IEnumVARIANT*, this);
-  }
-  else if (IID_IServiceProvider == iid) {
+  } else if (IID_IServiceProvider == iid)
     *ppv = NS_STATIC_CAST(IServiceProvider*, this);
-  }
+  else if (IID_IAccessible2 == iid)
+    *ppv = NS_STATIC_CAST(IAccessible2*, this);
+  else if (IID_IAccessibleAction == iid)
+    *ppv = NS_STATIC_CAST(IAccessibleAction*, this);
 
   if (NULL == *ppv)
     return nsAccessNodeWrap::QueryInterface(iid, ppv);
 
   (NS_REINTERPRET_CAST(IUnknown*, *ppv))->AddRef();
   return S_OK;
 }
 

Marking this depended on bug 370790, and taking the discussion over there.
Depends on: 370790
No longer depends on: 370790
Actually I'm just commenting out the 2 lines which cause the problem and marking this fixed. I filed bug 376753 to fix the IAccessible2 QI.
Status: NEW → RESOLVED
Closed: 17 years ago
Resolution: --- → FIXED
You need to log in before you can comment on or make changes to this bug.