Closed Bug 393141 Opened 17 years ago Closed 17 years ago

Crash [@ nsAccessibilityService::GetAccessible] with display:none option inside optgroup

Categories

(Core :: Disability Access APIs, defect)

Product:
Core
Component:
Disability Access APIs
Platform:
x86
Windows XP
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
VERIFIED FIXED

People

(Reporter: martijn.martijn, Assigned: aaronlev)

References

Details

(4 keywords, Whiteboard: [sg:critical?] freed object ref)

Crash Data

Attachments

(3 files)

testcase
1.15 KB, text/html
Details
Don't set lastGoodAccessible if AccessibleForOption() fails or CacheOptSiblings() returns null, otherwise we can't exit the method properly
2.16 KB, patch
evan.yan
: review+
damons
: approval1.9+
Details | Diff | Splinter Review
1.8 branch version
2.04 KB, patch
samuel.sidler+old
: approval1.8.1.12+
asac
: approval1.8.0.next+
Details | Diff | Splinter Review
Attached file testcase 
See testcase, because of the used of enhanced privileges, you need to download the file to your desktop.

It also crashes branch builds, so marking security sensitive for now.

http://crash-stats.mozilla.com/report/index/df3d0fd9-5063-11dc-968c-001a4bd43ed6
0  	xul.dll@0x59c62d  	
1 	nsAccessibilityService::GetAccessible(nsIDOMNode*, nsIPresShell*, nsIWeakReference*, nsIFrame**, int*, nsIAccessible**) 	e:\builds\tinderbox\fx-trunk-newref\winnt_5.2_depend\mozilla\accessible\src\base\nsAccessibilityService.cpp:1209
2 	nsAccessibilityService::GetAccessibleInWeakShell(nsIDOMNode*, nsIWeakReference*, nsIAccessible**) 	e:\builds\tinderbox\fx-trunk-newref\winnt_5.2_depend\mozilla\accessible\src\base\nsAccessibilityService.cpp:1143
3 	nsHTMLSelectListAccessible::AccessibleForOption(nsIAccessibilityService*, nsIContent*, nsIAccessible*, int*) 	e:\builds\tinderbox\fx-trunk-newref\winnt_5.2_depend\mozilla\accessible\src\html\nsHTMLSelectAccessible.cpp:367
4 	nsHTMLSelectListAccessible::CacheOptSiblings(nsIAccessibilityService*, nsIContent*, nsIAccessible*, int*) 	e:\builds\tinderbox\fx-trunk-newref\winnt_5.2_depend\mozilla\accessible\src\html\nsHTMLSelectAccessible.cpp:408
5 	nsHTMLSelectListAccessible::CacheChildren() 	e:\builds\tinderbox\fx-trunk-newref\winnt_5.2_depend\mozilla\accessible\src\html\nsHTMLSelectAccessible.cpp:445
6 	nsAccessible::GetChildCount(int*) 	e:\builds\tinderbox\fx-trunk-newref\winnt_5.2_depend\mozilla\accessible\src\base\nsAccessible.cpp:798
7 	nsAccessible::GetFirstChild(nsIAccessible**) 	e:\builds\tinderbox\fx-trunk-newref\winnt_5.2_depend\mozilla\accessible\src\base\nsAccessible.cpp:682
8 	NS_InvokeByIndex_P 	e:\builds\tinderbox\fx-trunk-newref\winnt_5.2_depend\mozilla\xpcom\reflect\xptcall\src\md\win32\xptcinvoke.cpp:101
9 	AutoJSSuspendRequest::SuspendRequest() 	e:\builds\tinderbox\fx-trunk-newref\winnt_5.2_depend\mozilla\js\src\xpconnect\src\xpcprivate.h:3313
10 	RtlFreeHeap
Aaron, you forgot to set the mail address to ask review.
Attachment #281056 - Flags: review? → review?(Evan.Yan)
Blocks: fox3access
Aaron, could you drop a line about and how it crashed and how the patch fixed the crash?
Evan, I don't know exactly how it crashed except that the cache was messed up. I had a hunch that the problem was in the special code that caches option and optgroup. I looked in the code and saw a mistake in it right away. Once I fixed that mistake, the crash went away.

Since it is clearly the correct thing to do and fixes the issue I felt it was not necessary to spend more time on it.
Attachment #281056 - Flags: review?(Evan.Yan) → review+
Attachment #281056 - Flags: approval1.9?
Attachment #281056 - Flags: approval1.9? → approval1.9+
Status: NEW → RESOLVED
Closed: 17 years ago
Resolution: --- → FIXED
Verified fixed, using:
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9a8pre) Gecko/2007091904 Minefield/3.0a8pre
Status: RESOLVED → VERIFIED
Flags: in-testsuite?
The 1.8 branch crashes on a deleted mFirstChild in  nsAccessibilityService::GetAccessible.
Flags: wanted1.8.1.x+
Flags: blocking1.8.1.12?
Whiteboard: [sg:critical?] freed object ref
Does this patch work for the 1.8 branch or do we need another? Please request approval on the appropriate patch
Flags: blocking1.8.1.12? → blocking1.8.1.12+
For reference: tb39990981
straightforward merge, IsContentOfType() instead of IsNodeOfType() and no aChildCount on two function calls.
Attachment #299679 - Flags: approval1.8.1.12?
Comment on attachment 299679 [details] [diff] [review]
1.8 branch version

Approved to land on the branch for 1.8.1.12. a=ss
Attachment #299679 - Flags: approval1.8.1.12? → approval1.8.1.12+
patch checked in on 1.8 branch
Keywords: fixed1.8.1.12
Verified in Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en-US; rv:1.8.1.12pre) Gecko/2008012803 BonEcho/2.0.0.12pre. Crashes in 2.0.0.11 but no crash with nightly.
Keywords: fixed1.8.1.12verified1.8.1.12
Group: security
Comment on attachment 299679 [details] [diff] [review]
1.8 branch version

a=asac for 1.8.0.15

(unmodified distro patch).
Attachment #299679 - Flags: approval1.8.0.15+
Flags: blocking1.8.0.15+
MOZILLA_1_8_0_BRANCH:

Checking in accessible/src/html/nsHTMLSelectAccessible.cpp;
/cvsroot/mozilla/accessible/src/html/nsHTMLSelectAccessible.cpp,v  <--  nsHTMLSelectAccessible.cpp
new revision: 1.46.2.2.2.3; previous revision: 1.46.2.2.2.2
done
Keywords: fixed1.8.0.15
Crash Signature: [@ nsAccessibilityService::GetAccessible]
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: