Closed Bug 377535 Opened 16 years ago Closed 16 years ago

Crash [@ nsLinkableAccessible::CacheActionContent] with appending area and strange prefix

Categories

(Core :: Disability Access APIs, defect)

Product:
Core
Component:
Disability Access APIs
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED

People

(Reporter: martijn.martijn, Assigned: MatsPalmgren_bugz)

References

Details

(Keywords: crash, testcase, verified1.8.1.8, Whiteboard: [sg:nse null-deref])

Crash Data

Attachments

(5 files, 2 obsolete files)

testcase
1.34 KB, text/html
Details
stack
5.77 KB, text/plain
Details
Patch rev. 2 (diff -w)
1.91 KB, patch
aaronlev
: review+
Details | Diff | Splinter Review
Patch rev. 2.1 (for branches)
2.31 KB, patch
Details | Diff | Splinter Review
Patch rev. 2.1 (for branches) (diff -w)
1.99 KB, patch
aaronlev
: review+
dveditz
: approval1.8.1.8+
dveditz
: approval1.8.0.14-
Details | Diff | Splinter Review 
The testcase uses enhanced privileges, so you need to download it to your computer to get the crash.
It also crashes a recent 1.8 branch build.

Talkback ID: TB31199479H
nsLinkableAccessible::CacheActionContent  [mozilla/accessible/src/base/nsbasewidgetaccessible.cpp, line 250]
nsLinkableAccessible::Init  [mozilla/accessible/src/base/nsbasewidgetaccessible.cpp, line 286]
nsAccessibilityService::GetAccessible  [mozilla/accessible/src/base/nsaccessibilityservice.cpp, line 1175]
nsThreadManager::GetIsMainThread  [mozilla/xpcom/threads/nsthreadmanager.cpp, line 279]
Attached file testcase 

    
  
Assignee: aaronleventhal → mats.palmgren
OS: Windows XP → All
Hardware: PC → All
Whiteboard: [sg:nse null-deref]

    
    

    
  

      
      
      
      

        Attached file
          
        stack
      

    


  

    
    

    
  

      
      
      
      

        Attached patch
          
          
        Patch rev. 1 (obsolete)
        — Splinter Review
      

    


  

    
    

    
  

      
      
      
      

        Attached patch
          
          
        Patch rev. 1 (diff -w) (obsolete)
        — Splinter Review
      

    


  

        Attachment #261594 -
        Flags: review?(aaronleventhal)

    
    

    
  
Comment on attachment 261594 [details] [diff] [review]
Patch rev. 1 (diff -w)

Mats, can yo udescribe what kind of object is <a> or <area> that is not nsILink?

        Attachment #261594 -
        Flags: review?(aaronleventhal) → review+

    
    

    
  


  
(In reply to comment #5)
> (From update of attachment 261594 [details] [diff] [review])
> Mats, can yo udescribe what kind of object is <a> or <area> that is not
> nsILink?

An element that isn't [X]HTML.  Now that I think about it, we should check
that before trying QI (it's how we do it in other places in the code).

Same patch as before with the addtion to the if-condition:
        walkUpContent->IsNodeOfType(nsINode::eHTML)

        Attachment #261593 -
        Attachment is obsolete: true

        Attachment #261594 -
        Attachment is obsolete: true

        Attachment #262262 -
        Flags: review?(aaronleventhal)

    
    

    
  
Comment on attachment 262262 [details] [diff] [review]
Patch rev. 2 (diff -w)

Something about the line breaks --  this patch is unreadable.

        Attachment #262262 -
        Flags: review?(aaronleventhal)

    
  

        Attachment #262262 -
        Attachment is patch: true

        Attachment #262262 -
        Attachment mime type: text/html → text/plain

    
    

    
  
Comment on attachment 262262 [details] [diff] [review]
Patch rev. 2 (diff -w)

I forgot to click the Patch checkbox, sorry.

        Attachment #262262 -
        Flags: review?(aaronleventhal)

    
  

        Attachment #262262 -
        Flags: review?(aaronleventhal) → review+

    
    

    
  
Checked in to trunk at 2007-05-06 02:03	PDT.

-> FIXED
Status: NEW → RESOLVED
Closed: 16 years ago
Flags: in-testsuite?
Resolution: --- → FIXED
Group: security
Flags: wanted1.8.1.x?
Flags: wanted1.8.0.x?
Flags: blocking1.8.1.5?
Flags: blocking1.8.0.13?

    
    

    
  
Don't need to block on a null deref, but will approve the patch if you want to land it on the branch.
Flags: wanted1.8.1.x?
Flags: wanted1.8.0.x?
Flags: blocking1.8.1.5?
Flags: blocking1.8.0.13?

    
  

        Attachment #262262 -
        Flags: approval1.8.1.5?

    
    

    
  
Comment on attachment 262262 [details] [diff] [review]
Patch rev. 2 (diff -w)

approved for 1.8.1.5, a=juanb for release-drivers

        Attachment #262262 -
        Flags: approval1.8.1.5? → approval1.8.1.5+

    
    

    
  
Comment on attachment 262262 [details] [diff] [review]
Patch rev. 2 (diff -w)

This patch does not apply to branches.

        Attachment #262262 -
        Flags: approval1.8.1.5+

    
    

    
  


  
This makes nsLinkableAccessible::CacheActionContent() up-to-date with
the trunk version.  Notice the added 'break;'s.

I can't crash branch builds on Linux on the testcase without the patch,
although I suspect there could be a way to do it given the similarity
of the code.  Aaron, do you still want this for branches?

        Attachment #270504 -
        Flags: review?(aaronleventhal)

    
  

        Attachment #270504 -
        Flags: review?(aaronleventhal) → review+

    
  

        Attachment #270504 -
        Flags: approval1.8.1.7?

        Attachment #270504 -
        Flags: approval1.8.0.13?

        Attachment #270504 -
        Flags: approval1.8.0.13? → approval1.8.0.14?

    
    

    
  
Comment on attachment 270504 [details] [diff] [review]
Patch rev. 2.1 (for branches) (diff -w)

approved for 1.8.1.7, a=dveditz for release-drivers

        Attachment #270504 -
        Flags: approval1.8.1.7?

        Attachment #270504 -
        Flags: approval1.8.1.7+

        Attachment #270504 -
        Flags: approval1.8.0.14?

        Attachment #270504 -
        Flags: approval1.8.0.14-

    
    

    
  
MOZILLA_1_8_BRANCH
mozilla/accessible/src/base/nsBaseWidgetAccessible.cpp 	1.38.2.5 

Keywords: fixed1.8.1.7

    
    

    
  
verified fixed 1.8.1.7 using : Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.8.1.7pre) Gecko/2007091303 BonEcho/2.0.0.7pre and Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.7pre) Gecko/2007091303 BonEcho/2.0.0.7pre (Fedora F7) 

no crash the steps to reproduce - local testcase 

-> adding verified keyword
Keywords: fixed1.8.1.7verified1.8.1.7
Crash Signature: [@ nsLinkableAccessible::CacheActionContent]

          You need to log in
          before you can comment on or make changes to this bug.