Firefox crashes when running w/ Screen Readers

RESOLVED FIXED

Status

()

--
critical
RESOLVED FIXED
12 years ago
12 years ago

People

(Reporter: deangelo, Assigned: surkov)

Tracking

({access, regression})

Trunk
x86
Windows XP
access, regression
Points:
---

Firefox Tracking Flags

(Not tracked)

Details

(Reporter)

Description

12 years ago
Env: Firefox 3 (Minefield) nightly build 20070402, any either JAWS 8.0 or Window Eyes 6.1.

Reported Problem: Firefox will crash without the option of Talkback when loading a about:blank page/mozilla.org and running a screen reader (either JAWS or Window Eyes). 
  Note: This regression started on or about the nightly build of 03/26/2007. As stated by Aaron L. (No talkback usually means it's an infinite loop / stack overflow.)

Steps to recreate:
1. Start FF and either screen reader, load mozilla.org or about:blank, notice that FF crashes or you might have to press the tab a few times.

Comment 1

12 years ago
Victor says that Thunderbird broke somewhere on March 14-15. 

Can you use the nightly Firefox builds and find out what was the last day this was not a bug?

Comment 2

12 years ago
Here are the accessible module checkins during that time:
http://bonsai.mozilla.org/cvsquery.cgi?treeid=default&module=all&branch=HEAD&branchtype=match&dir=mozilla%2Faccessible&file=&filetype=regexp&who=&whotype=match&sortby=Date&hours=2&date=explicit&mindate=2007-03-14&maxdate=2007-03-16&cvsroot=%2Fcvsroot
Aaronlev -- Bug 374100. Regression in GetTextAtOffset for forced line breaks. r=parente
Surkov -- Bug 373532 - moved states out of nsIAccessible. r=aaronlev
Surkov -- Bug 373532 - move roles out of nsIAccessible. r=aaronlev

Comment 3

12 years ago
The crash happens with a debug build on my machine, but it's not obvious what the cause is. Wayne says that Victor's crash window of March 15 is correct.

I have verified that bug 374100 is not the problem, by backing it out. The crash still happens when I build.

Alexander, this may be a regression from your role/state patch.
Assignee: aaronleventhal → surkov.alexander

Comment 4

12 years ago
There may be several different crashes here. I think the one I'm seeing right now is from the focus rewrite. Here's the crash I'm seeing:
1) At launch, we fire a focus event for the document
2) Window-Eyes call back has some garbage node and tries to do stuff with it.
3) We crash in QueryInterface() because |this| is garbage.

Comment 5

12 years ago
My crash from comment 4 goes away when I back out Surkov's fix for bug 372367. 

Comment 6

12 years ago
Ignore comment 5.

Comment 7

12 years ago
I found the real culprit. It's bug 370790.

This part of the change causes the crash, but I don't know why (backing out just this ends the crashing behavior):

@@ -105,20 +109,22 @@ STDMETHODIMP nsAccessibleWrap::QueryInte
 
   if (IID_IUnknown == iid || IID_IDispatch == iid || IID_IAccessible == iid)
     *ppv = NS_STATIC_CAST(IAccessible*, this);
   else if (IID_IEnumVARIANT == iid && !gIsEnumVariantSupportDisabled) {
     long numChildren;
     get_accChildCount(&numChildren);
     if (numChildren > 0)  // Don't support this interface for leaf elements
       *ppv = NS_STATIC_CAST(IEnumVARIANT*, this);
-  }
-  else if (IID_IServiceProvider == iid) {
+  } else if (IID_IServiceProvider == iid)
     *ppv = NS_STATIC_CAST(IServiceProvider*, this);
-  }
+  else if (IID_IAccessible2 == iid)
+    *ppv = NS_STATIC_CAST(IAccessible2*, this);
+  else if (IID_IAccessibleAction == iid)
+    *ppv = NS_STATIC_CAST(IAccessibleAction*, this);
 
   if (NULL == *ppv)
     return nsAccessNodeWrap::QueryInterface(iid, ppv);
 
   (NS_REINTERPRET_CAST(IUnknown*, *ppv))->AddRef();
   return S_OK;
 }
 

Comment 8

12 years ago
Marking this depended on bug 370790, and taking the discussion over there.
Depends on: 370790

Updated

12 years ago
No longer depends on: 370790

Comment 9

12 years ago
Actually I'm just commenting out the 2 lines which cause the problem and marking this fixed. I filed bug 376753 to fix the IAccessible2 QI.
Status: NEW → RESOLVED
Last Resolved: 12 years ago
Resolution: --- → FIXED
You need to log in before you can comment on or make changes to this bug.