Closed Bug 391132 Opened 17 years ago Closed 17 years ago

Crash [@ nsAttrValue::ToString] with input type=image inside label and with display: table-cell

Categories

(Core :: Disability Access APIs, defect)

Product:
Core
Component:
Disability Access APIs
Platform:
x86
All
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
VERIFIED FIXED

People

(Reporter: martijn.martijn, Assigned: evan.yan)

References

Details

(Keywords: crash, testcase, Whiteboard: orca:immediate)

Crash Data

Attachments

(3 files, 1 obsolete file)

testcase
1.20 KB, text/html
Details
minimal testcase
162 bytes, text/html
Details
patch v2
1.72 KB, patch
surkov
: review+
damons
: approval1.9+
Details | Diff | Splinter Review
Attached file testcase 
See testcase, which crashes Mozilla on load.
The testcase uses enhanced priviliges, so you need to download it to your computer to see the crash.
It doesn't seem to crash on branch.

http://crash-stats.mozilla.com/report/index/f337246b-445e-11dc-8f8d-001a4bd46e84
0  	nsAttrValue::ToString(nsAString_internal&)  	 e:\builds\tinderbox\fx-trunk\winnt_5.2_depend\mozilla\content\base\src\nsattrvalue.cpp:307
1 	nsAttrValue::Equals(nsAString_internal const&, nsCaseTreatment) 	e:\builds\tinderbox\fx-trunk\winnt_5.2_depend\mozilla\content\base\src\nsattrvalue.cpp:644
2 	nsAttrValue::Equals(nsIAtom*, nsCaseTreatment) 	e:\builds\tinderbox\fx-trunk\winnt_5.2_depend\mozilla\content\base\src\nsattrvalue.cpp:656
3 	nsGenericElement::FindAttrValueIn(int, nsIAtom*, nsIAtom* const* const*, nsCaseTreatment) 	e:\builds\tinderbox\fx-trunk\winnt_5.2_depend\mozilla\content\base\src\nsgenericelement.cpp:3784
4 	nsAccessible::AppendFlatStringFromContentNode(nsIContent*, nsAString_internal*) 	e:\builds\tinderbox\fx-trunk\winnt_5.2_depend\mozilla\accessible\src\base\nsaccessible.cpp:1579
5 	nsAccessible::AppendFlatStringFromSubtreeRecurse(nsIContent*, nsAString_internal*) 	e:\builds\tinderbox\fx-trunk\winnt_5.2_depend\mozilla\accessible\src\base\nsaccessible.cpp:1633
6 	nsAccessible::AppendFlatStringFromSubtreeRecurse(nsIContent*, nsAString_internal*) 	e:\builds\tinderbox\fx-trunk\winnt_5.2_depend\mozilla\accessible\src\base\nsaccessible.cpp:1640
7 	nsAccessible::AppendFlatStringFromSubtreeRecurse(nsIContent*, nsAString_internal*) 	e:\builds\tinderbox\fx-trunk\winnt_5.2_depend\mozilla\accessible\src\base\nsaccessible.cpp:1640
8 	nsAccessible::AppendFlatStringFromSubtree(nsIContent*, nsAString_internal*) 	e:\builds\tinderbox\fx-trunk\winnt_5.2_depend\mozilla\accessible\src\base\nsaccessible.cpp:1604
9 	nsAccessible::GetHTMLName(nsAString_internal&, int) 	e:\builds\tinderbox\fx-trunk\winnt_5.2_depend\mozilla\accessible\src\base\nsaccessible.cpp:1884
10 	nsAccessible::GetName(nsAString_internal&) 	e:\builds\tinderbox\fx-trunk\winnt_5.2_depend\mozilla\accessible\src\base\nsaccessible.cpp:294
etc.
Assignee: aaronleventhal → Evan.Yan
OS: Windows XP → All
It's infinite recursion of calling nsAccessible::GetName().

We fixed the situation of A.GetName() calls itself in bug 389203. However, the situation in this bug is as below

  A.GetName() --> B.GetName() --> A.GetName()
Evan, can you fix it?
I need some help on this.

We can use a stack to record all the accessibles. At the beginning of GetName(), push |this| into the stack, and pop at the end of GetName(). Check the stack to prevent recursive calling into GetName().

This solution is kinda ugly and tricky. Or we may need change how we implement GetName() function serial.
> A.GetName() --> B.GetName() --> A.GetName()
Where does B call back to A?
URL: 1
URL: 1
Attached file minimal testcase 
the minimal testcase is like below

<label>
<input style="display: table-cell;" type="image">
<input style="display: table-cell;" type="image">
</label>

First, in the first |input|'s GetName(), it tries to get name from the |label|:

  1873   nsIContent *labelContent = GetHTMLLabelContent(content);

Then, |label| will AppendFlatStringFromSubtree(), which will calls its inside |input|s' GetName() indirectly. That makes the second |input|'s GetName() get called. 

That how B (the second |input|) call back to A (the first |input|) again.
Sounds like GetName() , when called on an ancestor should simply not recurse up again.  That is, GetName() on the label as called from the image input should have extra state indicating that this is happening.  Something like a boolean arg, eg (which GetName() usually just propagates without changing and is set to false on entries into GetName and to true when calling it on an ancestor label, or a label in general, perhaps).
Blocks: fox3access
Attached patch patch (obsolete) — Splinter Review 

        Attachment #282660 -
        Flags: review?(aaronleventhal)

    
    

    
  
Comment on attachment 282660 [details] [diff] [review]
patch

Please remove +  static PRBool isRecursing = PR_FALSE;
You don't need that variable, because aContent is always non-null when isRecursing is true.
The startContent == aContent check is enough.

        Attachment #282660 -
        Flags: review?(aaronleventhal) → review+

    
    

    
  
Comment on attachment 282660 [details] [diff] [review]
patch

Actually I'm realizing this isn't complex enough, and passing an argument is necessary.

Like this:
<label>
<input style="display: table-cell;" type="image" aaa:labelledby="somelabel">
<input style="display: table-cell;" type="image" id="anotherlabel">
</label>

<div id="somelabel>
<input style="display: table-cell;" type="image" aaa:labelledby="anotherlabel">
</div>

Right?

        Attachment #282660 -
        Flags: review+ → review-

    
  
Whiteboard: orca:immediate

    
    

    
  

      
      
      
      

        Attached patch
          
          
        patch v2Splinter Review
      

    


  
tested with the testcase in Aaron's last comment.

        Attachment #282660 -
        Attachment is obsolete: true

        Attachment #283914 -
        Flags: review?(aaronleventhal)

    
  

        Attachment #283914 -
        Flags: review?(aaronleventhal) → review?(surkov.alexander)

    
    

    
  
Comment on attachment 283914 [details] [diff] [review]
patch v2

looks ok

        Attachment #283914 -
        Flags: review?(surkov.alexander)

        Attachment #283914 -
        Flags: review+

        Attachment #283914 -
        Flags: approval1.9?

        Attachment #283914 -
        Flags: approval1.9? → approval1.9+

    
    

    
  
/cvsroot/mozilla/accessible/src/base/nsAccessible.cpp,v  <--  nsAccessible.cpp
new revision: 1.326; previous revision: 1.325
done
Status: NEW → RESOLVED
Closed: 17 years ago
Resolution: --- → FIXED

    
    

    
  
Verified fixed, using:
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9a9pre) Gecko/2007101504 Minefield/3.0a9pre
Status: RESOLVED → VERIFIED
Crash Signature: [@ nsAttrValue::ToString]

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: