Closed Bug 393141 Opened 12 years ago Closed 12 years ago

Crash [@ nsAccessibilityService::GetAccessible] with display:none option inside optgroup

Categories

(Core :: Disability Access APIs, defect, critical)

x86
Windows XP
defect
Not set
critical

Tracking

()

VERIFIED FIXED

People

(Reporter: martijn.martijn, Assigned: aaronlev)

References

Details

(4 keywords, Whiteboard: [sg:critical?] freed object ref)

Crash Data

Attachments

(3 files)

Attached file testcase
See testcase, because of the used of enhanced privileges, you need to download the file to your desktop.

It also crashes branch builds, so marking security sensitive for now.

http://crash-stats.mozilla.com/report/index/df3d0fd9-5063-11dc-968c-001a4bd43ed6
0  	xul.dll@0x59c62d  	
1 	nsAccessibilityService::GetAccessible(nsIDOMNode*, nsIPresShell*, nsIWeakReference*, nsIFrame**, int*, nsIAccessible**) 	e:\builds\tinderbox\fx-trunk-newref\winnt_5.2_depend\mozilla\accessible\src\base\nsAccessibilityService.cpp:1209
2 	nsAccessibilityService::GetAccessibleInWeakShell(nsIDOMNode*, nsIWeakReference*, nsIAccessible**) 	e:\builds\tinderbox\fx-trunk-newref\winnt_5.2_depend\mozilla\accessible\src\base\nsAccessibilityService.cpp:1143
3 	nsHTMLSelectListAccessible::AccessibleForOption(nsIAccessibilityService*, nsIContent*, nsIAccessible*, int*) 	e:\builds\tinderbox\fx-trunk-newref\winnt_5.2_depend\mozilla\accessible\src\html\nsHTMLSelectAccessible.cpp:367
4 	nsHTMLSelectListAccessible::CacheOptSiblings(nsIAccessibilityService*, nsIContent*, nsIAccessible*, int*) 	e:\builds\tinderbox\fx-trunk-newref\winnt_5.2_depend\mozilla\accessible\src\html\nsHTMLSelectAccessible.cpp:408
5 	nsHTMLSelectListAccessible::CacheChildren() 	e:\builds\tinderbox\fx-trunk-newref\winnt_5.2_depend\mozilla\accessible\src\html\nsHTMLSelectAccessible.cpp:445
6 	nsAccessible::GetChildCount(int*) 	e:\builds\tinderbox\fx-trunk-newref\winnt_5.2_depend\mozilla\accessible\src\base\nsAccessible.cpp:798
7 	nsAccessible::GetFirstChild(nsIAccessible**) 	e:\builds\tinderbox\fx-trunk-newref\winnt_5.2_depend\mozilla\accessible\src\base\nsAccessible.cpp:682
8 	NS_InvokeByIndex_P 	e:\builds\tinderbox\fx-trunk-newref\winnt_5.2_depend\mozilla\xpcom\reflect\xptcall\src\md\win32\xptcinvoke.cpp:101
9 	AutoJSSuspendRequest::SuspendRequest() 	e:\builds\tinderbox\fx-trunk-newref\winnt_5.2_depend\mozilla\js\src\xpconnect\src\xpcprivate.h:3313
10 	RtlFreeHeap
Aaron, you forgot to set the mail address to ask review.
Attachment #281056 - Flags: review? → review?(Evan.Yan)
Blocks: fox3access
Aaron, could you drop a line about and how it crashed and how the patch fixed the crash?
Evan, I don't know exactly how it crashed except that the cache was messed up. I had a hunch that the problem was in the special code that caches option and optgroup. I looked in the code and saw a mistake in it right away. Once I fixed that mistake, the crash went away.

Since it is clearly the correct thing to do and fixes the issue I felt it was not necessary to spend more time on it.
Attachment #281056 - Flags: review?(Evan.Yan) → review+
Attachment #281056 - Flags: approval1.9?
Attachment #281056 - Flags: approval1.9? → approval1.9+
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Verified fixed, using:
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9a8pre) Gecko/2007091904 Minefield/3.0a8pre
Status: RESOLVED → VERIFIED
Flags: in-testsuite?
The 1.8 branch crashes on a deleted mFirstChild in  nsAccessibilityService::GetAccessible.
Flags: wanted1.8.1.x+
Flags: blocking1.8.1.12?
Whiteboard: [sg:critical?] freed object ref
Does this patch work for the 1.8 branch or do we need another? Please request approval on the appropriate patch
Flags: blocking1.8.1.12? → blocking1.8.1.12+
For reference: tb39990981
straightforward merge, IsContentOfType() instead of IsNodeOfType() and no aChildCount on two function calls.
Attachment #299679 - Flags: approval1.8.1.12?
Comment on attachment 299679 [details] [diff] [review]
1.8 branch version

Approved to land on the branch for 1.8.1.12. a=ss
Attachment #299679 - Flags: approval1.8.1.12? → approval1.8.1.12+
patch checked in on 1.8 branch
Keywords: fixed1.8.1.12
Verified in Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en-US; rv:1.8.1.12pre) Gecko/2008012803 BonEcho/2.0.0.12pre. Crashes in 2.0.0.11 but no crash with nightly.
Group: security
Comment on attachment 299679 [details] [diff] [review]
1.8 branch version

a=asac for 1.8.0.15

(unmodified distro patch).
Attachment #299679 - Flags: approval1.8.0.15+
Flags: blocking1.8.0.15+
MOZILLA_1_8_0_BRANCH:

Checking in accessible/src/html/nsHTMLSelectAccessible.cpp;
/cvsroot/mozilla/accessible/src/html/nsHTMLSelectAccessible.cpp,v  <--  nsHTMLSelectAccessible.cpp
new revision: 1.46.2.2.2.3; previous revision: 1.46.2.2.2.2
done
Keywords: fixed1.8.0.15
Crash Signature: [@ nsAccessibilityService::GetAccessible]
You need to log in before you can comment on or make changes to this bug.