Closed
Bug 397112
Opened 17 years ago
Closed 17 years ago
Crash [@ nsAccessible::GetFirstChild] moving text out of an option
Categories
(Core :: Disability Access APIs, defect)
Tracking
()
VERIFIED
FIXED
People
(Reporter: martijn.martijn, Assigned: surkov)
References
Details
(Keywords: crash, regression, testcase)
Crash Data
Attachments
(5 files, 4 obsolete files)
1.43 KB,
text/html
|
Details | |
4.24 KB,
patch
|
aaronlev
:
review+
damons
:
approval1.9+
|
Details | Diff | Splinter Review |
2.01 KB,
patch
|
Details | Diff | Splinter Review | |
3.81 KB,
patch
|
aaronlev
:
review+
damons
:
approval1.9+
|
Details | Diff | Splinter Review |
1.21 KB,
patch
|
aaronlev
:
review+
damons
:
approval1.9+
|
Details | Diff | Splinter Review |
See testcase, which crashes current trunk build (today's build) after 1s or so. You need to download the testcase to your computer, because of the use of enhanced privileges. It doesn't seem to crash on branch (I used the branch specific code for that), but it doesn't seem to crash there, so it might be a regression, somehow. I can look for a regression range, if wanted. http://crash-stats.mozilla.com/report/index/4c411ca8-688d-11dc-ae5d-001a4bd46e84 0 nsAccessible::GetFirstChild(nsIAccessible**) mozilla/accessible/src/base/nsAccessible.cpp:659 1 NS_InvokeByIndex_P mozilla/xpcom/reflect/xptcall/src/md/win32/xptcinvoke.cpp:101 2 AutoJSSuspendRequest::SuspendRequest() mozilla/js/src/xpconnect/src/xpcprivate.h:3317 3 xul.dll@0x6aa947
Assignee | ||
Comment 1•17 years ago
|
||
crash is because mFirstChild is not addrefed and the object is destoyed.
Assignee: aaronleventhal → surkov.alexander
Status: NEW → ASSIGNED
Attachment #281932 -
Flags: review?(aaronleventhal)
Comment 2•17 years ago
|
||
Comment on attachment 281932 [details] [diff] [review] patch This isn't the right way to go IMHO. While holding a strong ref might prevent some crashes it's still referring to the wrong accessible, which can cause other obscure errors. The root cause for this crash is that the nsHTMLSelectOptionAccessible isn't notified that the child (nsHTMLTextAccessible) is removed. This crash is a recent regression, 2007082805 -- 2007082905, which points to bug 391846.
Comment 3•17 years ago
|
||
FWIW, this adds an assert that detects this condition.
Comment 4•17 years ago
|
||
FWIW, this makes the crash go away (and the asserts from the last patch too).
Updated•17 years ago
|
Blocks: 391846
Keywords: regression
Assignee | ||
Comment 5•17 years ago
|
||
(In reply to comment #4) > Created an attachment (id=282048) [details] > wip2 > > FWIW, this makes the crash go away (and the asserts from the last patch too). > I'm not 100% sure patch is correct but you pointed right reason. We're going to invalidate container accessible after timeout but before we'll do it accessible can move through the tree and therefore we invalidate wrong accessible.
Assignee | ||
Updated•17 years ago
|
Attachment #281932 -
Flags: review?(aaronleventhal)
Assignee | ||
Comment 6•17 years ago
|
||
Aaron, why do we need delayed events for hidden accessibles?
Comment 7•17 years ago
|
||
Surkov, because especially for style changes involving visibility: hidden , we get asynch notifications for every object in the subtree that's being hidden. We fire it delayed so the duplicate events can be removed from the event queue.
Assignee | ||
Comment 8•17 years ago
|
||
do not invalidate accessible tree until actual event firing
Attachment #282365 -
Flags: review?(aaronleventhal)
Assignee | ||
Comment 9•17 years ago
|
||
Attachment #281932 -
Attachment is obsolete: true
Attachment #282365 -
Attachment is obsolete: true
Attachment #282367 -
Flags: review?(aaronleventhal)
Attachment #282365 -
Flags: review?(aaronleventhal)
Assignee | ||
Comment 10•17 years ago
|
||
Comment on attachment 282047 [details] [diff] [review] wip1 I think it would be fine to have an assertion
Attachment #282047 -
Flags: review?(aaronleventhal)
Assignee | ||
Comment 11•17 years ago
|
||
use nsCOMPtr for nsIAccessible (pointer is cause of crash) and add an assertion if we get that accessible wasn't invalidated.
Attachment #282373 -
Flags: review?(aaronleventhal)
Updated•17 years ago
|
Attachment #282047 -
Attachment is obsolete: true
Attachment #282047 -
Flags: review?(aaronleventhal)
Assignee | ||
Comment 12•17 years ago
|
||
(In reply to comment #10) > (From update of attachment 282047 [details] [diff] [review]) > I think it would be fine to have an assertion > Aaron, why canceled review for this assertion patch?
Comment 13•17 years ago
|
||
Comment on attachment 282047 [details] [diff] [review] wip1 Okay, putting review flag back on, but "wip" usually means work in progress.
Attachment #282047 -
Attachment is obsolete: false
Attachment #282047 -
Flags: review?(aaronleventhal)
Assignee | ||
Comment 14•17 years ago
|
||
(In reply to comment #13) > (From update of attachment 282047 [details] [diff] [review]) > Okay, putting review flag back on, but "wip" usually means work in progress. > Just thought it's worth to have more assertions to see an errors.
Updated•17 years ago
|
Attachment #282047 -
Flags: review?(aaronleventhal) → review+
Comment 15•17 years ago
|
||
Comment on attachment 282373 [details] [diff] [review] comptr and assertion I think we will leak with circular references if a child and parent both point to each other with strong refs.
Attachment #282373 -
Flags: review?(aaronleventhal) → review-
Comment 16•17 years ago
|
||
Comment on attachment 282367 [details] [diff] [review] patch3 Surkov, can you explain why this patch works? Mats is right, we should be calling privateContainerAccessible->InvalidateChildren() even when just hiding a node. I'm not sure why I changed that with bug 391846 which is when this regression started happening.
Comment 17•17 years ago
|
||
Comment on attachment 282367 [details] [diff] [review] patch3 Actually, now I understand the patch better after thinking of it. We are still doing InvalidateChildren() when we hide the node.
Attachment #282367 -
Flags: review?(aaronleventhal)
Attachment #282367 -
Flags: review+
Attachment #282367 -
Flags: approval1.9?
Assignee | ||
Comment 18•17 years ago
|
||
(In reply to comment #15) > (From update of attachment 282373 [details] [diff] [review]) > I think we will leak with circular references if a child and parent both point > to each other with strong refs. > Ok, what if I say an assertion from the patch only?
Assignee | ||
Comment 19•17 years ago
|
||
(In reply to comment #18) > (In reply to comment #15) > > (From update of attachment 282373 [details] [diff] [review] [details]) > > I think we will leak with circular references if a child and parent both point > > to each other with strong refs. > > > > Ok, what if I say an assertion from the patch only? > s/say/save
Comment 20•17 years ago
|
||
Comment on attachment 282373 [details] [diff] [review] comptr and assertion Yes, I'll give r+ on the assertion but please post a clean patch for that. Also, is the static cast necessay?
Assignee | ||
Comment 21•17 years ago
|
||
Attachment #282373 -
Attachment is obsolete: true
Attachment #282533 -
Flags: review?(aaronleventhal)
Assignee | ||
Updated•17 years ago
|
Attachment #282047 -
Flags: approval1.9?
Assignee | ||
Comment 22•17 years ago
|
||
Attachment #282533 -
Attachment is obsolete: true
Attachment #282534 -
Flags: review?(aaronleventhal)
Attachment #282533 -
Flags: review?(aaronleventhal)
Updated•17 years ago
|
Attachment #282534 -
Flags: review?(aaronleventhal) → review+
Updated•17 years ago
|
Attachment #282534 -
Flags: approval1.9?
Updated•17 years ago
|
Attachment #282534 -
Flags: approval1.9? → approval1.9+
Updated•17 years ago
|
Attachment #282047 -
Flags: approval1.9? → approval1.9+
Comment 23•17 years ago
|
||
Checked in for Mats and Surkov.
Updated•17 years ago
|
Attachment #282367 -
Flags: approval1.9? → approval1.9+
Updated•17 years ago
|
Status: ASSIGNED → RESOLVED
Closed: 17 years ago
Resolution: --- → FIXED
Reporter | ||
Comment 24•17 years ago
|
||
Verified fixed, using: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9a9pre) Gecko/2007092904 Minefield/3.0a9pre
Status: RESOLVED → VERIFIED
Updated•13 years ago
|
Crash Signature: [@ nsAccessible::GetFirstChild]
You need to log in
before you can comment on or make changes to this bug.
Description
•