Closed Bug 377376 Opened 17 years ago Closed 17 years ago

Segmentation fault when opening large folder and ATK accessibility is enabled

Categories

(Thunderbird :: General, defect)

x86
Linux
defect
Not set
critical

Tracking

(Not tracked)

RESOLVED WORKSFORME

People

(Reporter: stransky, Assigned: mscott)


User-Agent:       Mozilla/5.0 (X11; U; Linux i686; cs-CZ; rv:1.8.0.10) Gecko/20070301 Fedora/1.0.8-0.6.2.fc6 pango-text SeaMonkey/1.0.8
Build Identifier: Fedora 6, all updates, i386, Thunderbird version 1.5.0.10 (20070302)

Thunderbird (version 1.5.0.10 (20070302)), Fedora 6/7

Thunderbird crashes when ATK accessibility is enabled, in the nsXULTreeAccessible component (nsXULTreeitemAccessible::GetNextSibling).

GTK calls "atk_object_get_index_in_parent" for an AtkObject and tries to
determine a position of a given AtkObject in a stream of a child which belongs
to a superior object. Then nsAccessible::GetIndexInParent is called (via
nsAccessibleWrap).

GetIndexInParent goes through all siblings of the superior object (via
GetNextSibling) and adds those siblings to the Accessibility Cache (via
nsIAccessibleTreeCache::GetCachedTreeitemAccessible).

And that's where the problem is. Every single sibling stored in the Accessibility
Cache (when it's created and moved to the cache) holds a reference to the superior
object. The number of those siblings is quite large (~30 000 and more, 7-8 for any
mail stored in a mail folder) so the short int mRefCnt can overflow to negative
range and the parent object holds a wrong ref. count.
 
Some backtraces are at https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=228281

Reproducible: Always

Steps to Reproduce:
1. Enable Accessibility in GTK
2. Run thunderbird
3. Click on any folder with ~4000 mails

or
1. Enable Accessibility in GTK
2. Run thunderbird
3. Enable Accessibility in GTK
4. Disable Accessibility in GTK
5. Switch back to thunderbird and click on any folder with ~4000 mails

Actual Results:  
Thunderbird crashes (mRefCnt is negative)

Expected Results:  
Thunderbird doesn't crash

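The counter wrap described in the report above, as an added example that is not Thunderbird's code and not part of the original report. `Parent`, `count_after` and `rejected_after` are hypothetical names, the 16-bit signed counter follows the report's description of mRefCnt, and the holder count of 40000 is a constructed sample; the checked increment that refuses to wrap is shown as one common mitigation.

```cpp
#include <cstdint>
#include <cstdio>
#include <limits>

// Hypothetical stand-in for the parent accessible. Counter models the width
// of its reference-count field (16-bit signed, per the report's description).
template <typename Counter>
struct Parent {
    Counter refcnt = 0;

    // Unchecked increment: the sum is computed as int and narrowed back to
    // Counter, which wraps modulo 2^N on mainstream compilers (guaranteed
    // since C++20).
    void AddRef() { refcnt = static_cast<Counter>(refcnt + 1); }

    // Hardened increment: refuse at the maximum instead of wrapping, so the
    // caller can fail the operation rather than leave a corrupt count.
    bool AddRefChecked() {
        if (refcnt == std::numeric_limits<Counter>::max()) return false;
        refcnt = static_cast<Counter>(refcnt + 1);
        return true;
    }
};

// Count the parent ends up with after `holders` cached items each take one
// reference through the unchecked AddRef.
template <typename Counter>
long long count_after(long holders) {
    Parent<Counter> p;
    for (long i = 0; i < holders; ++i) p.AddRef();
    return p.refcnt;
}

// Same workload through the checked increment on a 16-bit counter; returns
// how many references were refused once the counter reached its maximum.
long rejected_after(long holders) {
    Parent<std::int16_t> p;
    long rejected = 0;
    for (long i = 0; i < holders; ++i)
        if (!p.AddRefChecked()) ++rejected;
    return rejected;
}

int main() {
    const long holders = 40000;  // constructed sample size, above 32767
    std::printf("int16_t: %lld\n", count_after<std::int16_t>(holders));
    std::printf("int32_t: %lld\n", count_after<std::int32_t>(holders));
    std::printf("refused: %ld\n", rejected_after(holders));
}
```
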

I'm sorry, the former steps should be:

1. Enable Accessibility in GTK
2. Run thunderbird
3. Disable Accessibility in GTK
4. Enable Accessibility in GTK
5. Switch back to thunderbird and click on any folder with ~4000 mails

fixed in thunderbird-2.0.0.0 rc1

->WFM per comment 2

Status: UNCONFIRMED → RESOLVED
Closed: 17 years ago
Resolution: --- → WORKSFORME