Closed
Bug 379872
Opened 18 years ago
Closed 18 years ago
Crash [@ nsHTMLSelectOptionAccessible::GetName] when moving option around
Categories
(Core :: Disability Access APIs, defect)
Core
Disability Access APIs
Tracking
()
VERIFIED
FIXED
People
(Reporter: martijn.martijn, Assigned: MatsPalmgren_bugz)
References
Details
(Keywords: crash, testcase, Whiteboard: null ptr crash)
Crash Data
Attachments
(2 files, 1 obsolete file)
1.49 KB,
text/html
|
Details | |
4.54 KB,
patch
|
aaronlev
:
review+
|
Details | Diff | Splinter Review |
See testcase, which crashes Mozilla after 500ms or so after loading.
The testcase uses enhanced privileges, so you need to download it to your computer to get the crash.
Talkback ID: TB31857111M
nsHTMLSelectOptionAccessible::GetName [mozilla/accessible/src/html/nshtmlselectaccessible.cpp, line 507]
Comment 1•18 years ago
|
||
Another a11y crash in <select> is bug 378612. Probably unrelated though.
Reporter | ||
Comment 2•18 years ago
|
||
Aaron changed something in bug 268935 that makes the original testcase not work
anymore with current trunk builds.
This is the updated testcase, using nsIAccessibleRetrieval.
Attachment #263914 -
Attachment is obsolete: true
Assignee | ||
Updated•18 years ago
|
Assignee: aaronleventhal → mats.palmgren
Assignee | ||
Comment 3•18 years ago
|
||
Simple null-pointer crash, testcase isn't sensitive and requires priviligies
to trigger, so making bug public.
Group: security
Status: NEW → ASSIGNED
CC list accessible: false
Flags: in-testsuite?
OS: Windows XP → All
Hardware: PC → All
Not accessible to reporter
Assignee | ||
Comment 4•18 years ago
|
||
The DOM node has been removed from the document, and the corresponding a11y
node has been Shutdown, thus 'mDOMNode' is null.
http://bonsai.mozilla.org/cvsblame.cgi?file=/mozilla/accessible/src/html/nsHTMLSelectAccessible.cpp&rev=1.81&root=/cvsroot&mark=497-499#490
I suggest we the error code NS_ERROR_DOM_NOT_FOUND_ERR for this type of
error. Then the JS exception look like:
Exception... "Node was not found" code: "8" nsresult: "0x80530008 (NS_ERROR_DOM_NOT_FOUND_ERR)" ...
which I think is more informative than the generic NS_ERROR_FAILURE.
Other than that, I also made it return the empty string and NS_OK if
there is no label or first child text node. I don't see why
GetName() on <option></option> should cause an exception.
The last hunk just kills a compiler warning (gcc 4.1.2 on Linux).
I still crash on the testcase after a few Reloads, but I think it's
an unrelated crash, I'll file it separately if not done already.
Attachment #265034 -
Flags: review?(aaronleventhal)
Comment 5•18 years ago
|
||
Comment on attachment 265034 [details] [diff] [review]
Patch rev. 1
You could just use NS_ERROR_FAILURE I think -- do we really need the specific DOM error? That means we'll need to change a lot. It's pretty normal for nodes to get shut down and the accessible objects to hang around until their owner releases them.
Attachment #265034 -
Flags: review?(aaronleventhal) → review+
Assignee | ||
Comment 6•18 years ago
|
||
> You could just use NS_ERROR_FAILURE I think ...
Ok, checked in with that change. I do think that more diversified error
codes would increase the quality of the API though, so I filed bug 381005.
Checked in to trunk at 2007-05-17 01:12 PDT.
-> FIXED
Status: ASSIGNED → RESOLVED
Closed: 18 years ago
Resolution: --- → FIXED
Reporter | ||
Comment 7•18 years ago
|
||
Verified fixed, using:
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9a5pre) Gecko/20070517 Minefield/3.0a5pre
I don't crash with this stacktrace anymore. Instead, I crash with the stacktrace that has been filed as bug 381010.
Status: RESOLVED → VERIFIED
Comment 8•17 years ago
|
||
The testcase doesn't crash when the fix from bug 381010 is used.
Comment 9•17 years ago
|
||
I should have said, when the fix from bug 387783 is used.
Comment 10•17 years ago
|
||
Ugh, I mean bug 377783! Time for some coffee.
Updated•17 years ago
|
Whiteboard: null ptr crash
Updated•13 years ago
|
Crash Signature: [@ nsHTMLSelectOptionAccessible::GetName]
You need to log in
before you can comment on or make changes to this bug.
Description
•