Closed
Bug 376884
Opened 17 years ago
Closed 17 years ago
Crashing site reported -- with disability access
Categories
(Firefox :: Disability Access, defect)
Tracking
()
RESOLVED
DUPLICATE
of bug 376924
People
(Reporter: tim.miao, Assigned: evan.yan)
References
()
Details
(Keywords: access)
Attachments
(1 file)
|
9.25 KB,
text/plain
|
Details |
This site will crash the firefox. Steps to reproduce: 1. Launch orca2.19.0 and firefox 20070331 nightly trunk build. 2. Press Tab key to browse the page. Bug observation: Firefox crashed if user keeps on tab browsing.
crashing site url: https://www.bankofamerica.com/index.jsp
|
||
Comment 2•17 years ago
|
||
It's in nsHyperTextAccessible::GetText Is there a talkback report? Providing a link to a talkback report makes this much, much easier.
|
||
Comment 3•17 years ago
|
||
Hi Aaron, it was me that pointed this out to Tim and Evan however as talkback is inaccessible I can't get you this information. Hopefully you'll be able to reproduce the problem with accessibility running.
The cause: When tabbing in the web page which "URI" points to, there will be a dynamically showing link, right before the top left "View demo" link. When you tabbed into that link, it shows dynamically; and when you tabbed out of it, the link will be hidden. So when we tab quickly, the frame may have been destroyed when we access it. It then will crash at http://mxr.mozilla.org/seamonkey/source/accessible/src/html/nsHyperTextAccessible.cpp#341 frame->GetContent() returns a pointer to illegal address. Aaron, How can we know whether a frame has been destroyed? Can it be checked by checking presShell === nsnull? The frame is got from accessNode->GetFrame(), which has already checked presShell.
|
|
||
Comment 7•17 years ago
|
||
The thing is that text frames are cached by nsHTMLTextAccessible. See how GetFrame() is overridden in that method and we use mFrame. The mFrame is supposed to get set to nsnull in nsHTMLTextAccessible::Shutdown(). And the accessible should be shut down whenever the frame is destroyed. One thing to test is this. If you remove the GetFrame() method in nsHTMLTextAccessible so that we no longer cache the frame for those accessibles, it will fall back on the base GetFrame() impl (which uses GetPrimaryFrameFor), does it still crash? There is no test for a dangling pointer that we can use which isn't hacky. The right thing is to find out why the accessible is not getting shutdown if it no longer exists. Why are we still trying to use it?
(In reply to comment #7) > There is no test for a dangling pointer that we can use which isn't hacky. The > right thing is to find out why the accessible is not getting shutdown if it no > longer exists. Why are we still trying to use it? > Can an accessible be notified and then shutdown when the frame is destroyed? I mean, we may hold an accessible whose frame has gone. Why we cache mFrame in some accessible? for performance reason?
|
|
||
Comment 9•17 years ago
|
||
(In reply to comment #8) > Can an accessible be notified and then shutdown when the frame is destroyed? > I mean, we may hold an accessible whose frame has gone. It is. Layout notifies nsAccessibilityService::InvalidateSubtreeFor() http://lxr.mozilla.org/seamonkey/source/accessible/src/base/nsAccessibilityService.cpp#1601 > Why we cache mFrame in some accessible? for performance reason? Yes, because GetPrimaryFrameFor() must add extra items to primary frame hash table whenever request comes in for a frame. Since we already have the frame when accessible is created it seems like extra work to do that. However, it may not really be a big improvement. Maybe getting rid of that optimization is okay.
|
Assignee | |
Comment 10•17 years ago
|
||
(In reply to comment #7) > One thing to test is this. If you remove the GetFrame() method in > nsHTMLTextAccessible so that we no longer cache the frame for those > accessibles, it will fall back on the base GetFrame() impl (which uses > GetPrimaryFrameFor), does it still crash? > it won't crash any more. (In reply to comment #9) > It is. Layout notifies nsAccessibilityService::InvalidateSubtreeFor() > http://lxr.mozilla.org/seamonkey/source/accessible/src/base/nsAccessibilityService.cpp#1601 > nsAccessibilityService::InvalidateSubtreeFor() is called by nsFrameManager::ReResolveStyleContext(). I added some prints in nsFrame::Destroy(), nsFrameManager::ReResolveStyleContext(), and nsHyperTextAccessible::GetPosAndText(), to print the value of the frame. I found that, the frame which caused crash has already been destroyed, but nsFrameManager::ReResolveStyleContext() is not called for it. So the accessible can't be notified about this.
|
|
Assignee | |
Comment 11•17 years ago
|
||
I'm not clear about the layout code. Does nsFrameManager::ReResolveStyleContext() guaranteed to be called before the frame is destroyed?
|
|
||
Comment 12•17 years ago
|
||
See bug 376924.
|
|
||
Comment 13•17 years ago
|
||
Does the patch in bug 376924 fix this?
|
|
Assignee | |
Comment 14•17 years ago
|
||
yes, it does. should we dupe this bug to bug 376924?
|
|
||
Updated•17 years ago
|
Status: NEW → RESOLVED
Closed: 17 years ago
Resolution: --- → DUPLICATE
You need to log in
before you can comment on or make changes to this bug.
Description
•