As a security precaution, we have turned on the setting "Require API key authentication for API requests" for everyone. If this has broken something, please contact bugzilla-admin@mozilla.org
Last Comment Bug 377535 - Crash [@ nsLinkableAccessible::CacheActionContent] with appending area and strange prefix
: Crash [@ nsLinkableAccessible::CacheActionContent] with appending area and st...
Status: RESOLVED FIXED
[sg:nse null-deref]
: crash, testcase, verified1.8.1.8
Product: Core
Classification: Components
Component: Disability Access APIs (show other bugs)
: Trunk
: All All
: -- critical (vote)
: ---
Assigned To: Mats Palmgren (:mats)
:
: alexander :surkov
Mentors:
Depends on:
Blocks: 343943
  Show dependency treegraph
 
Reported: 2007-04-14 20:55 PDT by Martijn Wargers [:mwargers]
Modified: 2011-06-13 10:01 PDT (History)
5 users (show)
mats: in‑testsuite?
See Also:
Crash Signature:
QA Whiteboard:
Iteration: ---
Points: ---
Has Regression Range: ---
Has STR: ---


Attachments
testcase (1.34 KB, text/html)
2007-04-14 20:56 PDT, Martijn Wargers [:mwargers]
no flags Details
stack (5.77 KB, text/plain)
2007-04-15 02:29 PDT, Mats Palmgren (:mats)
no flags Details
Patch rev. 1 (1.96 KB, patch)
2007-04-15 02:30 PDT, Mats Palmgren (:mats)
no flags Details | Diff | Splinter Review
Patch rev. 1 (diff -w) (1.75 KB, patch)
2007-04-15 02:31 PDT, Mats Palmgren (:mats)
aaronlev: review+
Details | Diff | Splinter Review
Patch rev. 2 (diff -w) (1.91 KB, patch)
2007-04-20 08:42 PDT, Mats Palmgren (:mats)
aaronlev: review+
Details | Diff | Splinter Review
Patch rev. 2.1 (for branches) (2.31 KB, patch)
2007-07-01 10:36 PDT, Mats Palmgren (:mats)
no flags Details | Diff | Splinter Review
Patch rev. 2.1 (for branches) (diff -w) (1.99 KB, patch)
2007-07-01 10:44 PDT, Mats Palmgren (:mats)
aaronlev: review+
dveditz: approval1.8.1.8+
dveditz: approval1.8.0.14-
Details | Diff | Splinter Review

Description User image Martijn Wargers [:mwargers] 2007-04-14 20:55:17 PDT
The testcase uses enhanced privileges, so you need to download it to your computer to get the crash.
It also crashes a recent 1.8 branch build.

Talkback ID: TB31199479H
nsLinkableAccessible::CacheActionContent  [mozilla/accessible/src/base/nsbasewidgetaccessible.cpp, line 250]
nsLinkableAccessible::Init  [mozilla/accessible/src/base/nsbasewidgetaccessible.cpp, line 286]
nsAccessibilityService::GetAccessible  [mozilla/accessible/src/base/nsaccessibilityservice.cpp, line 1175]
nsThreadManager::GetIsMainThread  [mozilla/xpcom/threads/nsthreadmanager.cpp, line 279]
Comment 1 User image Martijn Wargers [:mwargers] 2007-04-14 20:56:28 PDT
Created attachment 261578 [details]
testcase
Comment 2 User image Mats Palmgren (:mats) 2007-04-15 02:29:44 PDT
Created attachment 261592 [details]
stack
Comment 3 User image Mats Palmgren (:mats) 2007-04-15 02:30:25 PDT
Created attachment 261593 [details] [diff] [review]
Patch rev. 1
Comment 4 User image Mats Palmgren (:mats) 2007-04-15 02:31:23 PDT
Created attachment 261594 [details] [diff] [review]
Patch rev. 1 (diff -w)
Comment 5 User image Aaron Leventhal 2007-04-16 06:21:17 PDT
Comment on attachment 261594 [details] [diff] [review]
Patch rev. 1 (diff -w)

Mats, can yo udescribe what kind of object is <a> or <area> that is not nsILink?
Comment 6 User image Mats Palmgren (:mats) 2007-04-20 08:42:19 PDT
Created attachment 262262 [details] [diff] [review]
Patch rev. 2 (diff -w)

(In reply to comment #5)
> (From update of attachment 261594 [details] [diff] [review])
> Mats, can yo udescribe what kind of object is <a> or <area> that is not
> nsILink?

An element that isn't [X]HTML.  Now that I think about it, we should check
that before trying QI (it's how we do it in other places in the code).

Same patch as before with the addtion to the if-condition:
        walkUpContent->IsNodeOfType(nsINode::eHTML)
Comment 7 User image Aaron Leventhal 2007-04-20 09:56:52 PDT
Comment on attachment 262262 [details] [diff] [review]
Patch rev. 2 (diff -w)

Something about the line breaks --  this patch is unreadable.
Comment 8 User image Mats Palmgren (:mats) 2007-04-20 10:56:39 PDT
Comment on attachment 262262 [details] [diff] [review]
Patch rev. 2 (diff -w)

I forgot to click the Patch checkbox, sorry.
Comment 9 User image Mats Palmgren (:mats) 2007-05-06 02:48:41 PDT
Checked in to trunk at 2007-05-06 02:03	PDT.

-> FIXED
Comment 10 User image Daniel Veditz [:dveditz] 2007-06-18 10:55:37 PDT
Don't need to block on a null deref, but will approve the patch if you want to land it on the branch.
Comment 11 User image juan becerra [:juanb] 2007-06-27 11:02:29 PDT
Comment on attachment 262262 [details] [diff] [review]
Patch rev. 2 (diff -w)

approved for 1.8.1.5, a=juanb for release-drivers
Comment 12 User image Mats Palmgren (:mats) 2007-07-01 10:33:33 PDT
Comment on attachment 262262 [details] [diff] [review]
Patch rev. 2 (diff -w)

This patch does not apply to branches.
Comment 13 User image Mats Palmgren (:mats) 2007-07-01 10:36:57 PDT
Created attachment 270503 [details] [diff] [review]
Patch rev. 2.1 (for branches)
Comment 14 User image Mats Palmgren (:mats) 2007-07-01 10:44:34 PDT
Created attachment 270504 [details] [diff] [review]
Patch rev. 2.1 (for branches) (diff -w)

This makes nsLinkableAccessible::CacheActionContent() up-to-date with
the trunk version.  Notice the added 'break;'s.

I can't crash branch builds on Linux on the testcase without the patch,
although I suspect there could be a way to do it given the similarity
of the code.  Aaron, do you still want this for branches?
Comment 15 User image Daniel Veditz [:dveditz] 2007-08-29 15:48:13 PDT
Comment on attachment 270504 [details] [diff] [review]
Patch rev. 2.1 (for branches) (diff -w)

approved for 1.8.1.7, a=dveditz for release-drivers
Comment 16 User image Mats Palmgren (:mats) 2007-08-30 18:33:58 PDT
MOZILLA_1_8_BRANCH
mozilla/accessible/src/base/nsBaseWidgetAccessible.cpp 	1.38.2.5 
Comment 17 User image Carsten Book [:Tomcat] 2007-09-13 07:43:52 PDT
verified fixed 1.8.1.7 using : Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.8.1.7pre) Gecko/2007091303 BonEcho/2.0.0.7pre and Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.7pre) Gecko/2007091303 BonEcho/2.0.0.7pre (Fedora F7) 

no crash the steps to reproduce - local testcase 

-> adding verified keyword

Note You need to log in before you can comment on or make changes to this bug.