Bug 393141 (Closed)
Opened 17 years ago
Closed 17 years ago
Crash [@ nsAccessibilityService::GetAccessible] with display:none option inside optgroup
Status: VERIFIED FIXED
Categories: Core :: Disability Access APIs, defect
People: Reporter: martijn.martijn, Assigned: aaronlev
Details: 4 keywords, Whiteboard: [sg:critical?] freed object ref
Attachments (3 files)
1.15 KB, text/html
2.16 KB, patch (evan.yan: review+, damons: approval1.9+)
2.04 KB, patch (samuel.sidler+old: approval1.8.1.12+, asac: approval1.8.0.next+)
See testcase. Because of the use of enhanced privileges, you need to download the file to your desktop.
It also crashes branch builds, so marking security sensitive for now.
http://crash-stats.mozilla.com/report/index/df3d0fd9-5063-11dc-968c-001a4bd43ed6
0 xul.dll@0x59c62d
1 nsAccessibilityService::GetAccessible(nsIDOMNode*, nsIPresShell*, nsIWeakReference*, nsIFrame**, int*, nsIAccessible**) e:\builds\tinderbox\fx-trunk-newref\winnt_5.2_depend\mozilla\accessible\src\base\nsAccessibilityService.cpp:1209
2 nsAccessibilityService::GetAccessibleInWeakShell(nsIDOMNode*, nsIWeakReference*, nsIAccessible**) e:\builds\tinderbox\fx-trunk-newref\winnt_5.2_depend\mozilla\accessible\src\base\nsAccessibilityService.cpp:1143
3 nsHTMLSelectListAccessible::AccessibleForOption(nsIAccessibilityService*, nsIContent*, nsIAccessible*, int*) e:\builds\tinderbox\fx-trunk-newref\winnt_5.2_depend\mozilla\accessible\src\html\nsHTMLSelectAccessible.cpp:367
4 nsHTMLSelectListAccessible::CacheOptSiblings(nsIAccessibilityService*, nsIContent*, nsIAccessible*, int*) e:\builds\tinderbox\fx-trunk-newref\winnt_5.2_depend\mozilla\accessible\src\html\nsHTMLSelectAccessible.cpp:408
5 nsHTMLSelectListAccessible::CacheChildren() e:\builds\tinderbox\fx-trunk-newref\winnt_5.2_depend\mozilla\accessible\src\html\nsHTMLSelectAccessible.cpp:445
6 nsAccessible::GetChildCount(int*) e:\builds\tinderbox\fx-trunk-newref\winnt_5.2_depend\mozilla\accessible\src\base\nsAccessible.cpp:798
7 nsAccessible::GetFirstChild(nsIAccessible**) e:\builds\tinderbox\fx-trunk-newref\winnt_5.2_depend\mozilla\accessible\src\base\nsAccessible.cpp:682
8 NS_InvokeByIndex_P e:\builds\tinderbox\fx-trunk-newref\winnt_5.2_depend\mozilla\xpcom\reflect\xptcall\src\md\win32\xptcinvoke.cpp:101
9 AutoJSSuspendRequest::SuspendRequest() e:\builds\tinderbox\fx-trunk-newref\winnt_5.2_depend\mozilla\js\src\xpconnect\src\xpcprivate.h:3313
10 RtlFreeHeap
Comment 1 • 17 years ago (Assignee)
Attachment #281056 - Flags: review?
Comment 2 • 17 years ago (Reporter)
Aaron, you forgot to set the mail address to ask for review.
Updated • 17 years ago (Assignee)
Attachment #281056 - Flags: review? → review?(Evan.Yan)
Updated • 17 years ago (Assignee)
Blocks: fox3access
Aaron, could you drop a line about how it crashed and how the patch fixed the crash?
Comment 4 • 17 years ago (Assignee)
Evan, I don't know exactly how it crashed except that the cache was messed up. I had a hunch that the problem was in the special code that caches option and optgroup. I looked in the code and saw a mistake in it right away. Once I fixed that mistake, the crash went away.
Since it is clearly the correct thing to do and fixes the issue I felt it was not necessary to spend more time on it.
Attachment #281056 - Flags: review?(Evan.Yan) → review+
Updated • 17 years ago (Assignee)
Attachment #281056 - Flags: approval1.9?
Updated • 17 years ago
Attachment #281056 - Flags: approval1.9? → approval1.9+
Updated • 17 years ago (Assignee)
Status: NEW → RESOLVED
Closed: 17 years ago
Resolution: --- → FIXED
Comment 5 • 17 years ago (Reporter)
Verified fixed, using:
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9a8pre) Gecko/2007091904 Minefield/3.0a8pre
Status: RESOLVED → VERIFIED
Updated • 17 years ago
Flags: in-testsuite?
Comment 6 • 17 years ago
The 1.8 branch crashes on a deleted mFirstChild in nsAccessibilityService::GetAccessible.
Flags: wanted1.8.1.x+
Flags: blocking1.8.1.12?
Whiteboard: [sg:critical?] freed object ref
Comment 7 • 17 years ago
Does this patch work for the 1.8 branch or do we need another? Please request approval on the appropriate patch
Flags: blocking1.8.1.12? → blocking1.8.1.12+
Comment 8 • 17 years ago
For reference: tb39990981
Comment 9 • 17 years ago
Straightforward merge, IsContentOfType() instead of IsNodeOfType() and no aChildCount on two function calls.
Attachment #299679 - Flags: approval1.8.1.12?
Comment 10 • 17 years ago
Comment on attachment 299679
1.8 branch version
Approved to land on the branch for 1.8.1.12. a=ss
Attachment #299679 - Flags: approval1.8.1.12? → approval1.8.1.12+
Comment 12 • 17 years ago
Verified in Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en-US; rv:1.8.1.12pre) Gecko/2008012803 BonEcho/2.0.0.12pre. Crashes in 2.0.0.11 but no crash with nightly.
Keywords: fixed1.8.1.12 → verified1.8.1.12
Updated • 17 years ago
Group: security
Comment 13 • 17 years ago
Comment on attachment 299679
1.8 branch version
a=asac for 1.8.0.15
(unmodified distro patch).
Attachment #299679 - Flags: approval1.8.0.15+
Updated • 17 years ago
Flags: blocking1.8.0.15+
Comment 14 • 17 years ago
MOZILLA_1_8_0_BRANCH:
Checking in accessible/src/html/nsHTMLSelectAccessible.cpp;
/cvsroot/mozilla/accessible/src/html/nsHTMLSelectAccessible.cpp,v <-- nsHTMLSelectAccessible.cpp
new revision: 1.46.2.2.2.3; previous revision: 1.46.2.2.2.2
done
Keywords: fixed1.8.0.15
Updated • 13 years ago
Crash Signature: [@ nsAccessibilityService::GetAccessible]