Closed
Bug 488562
Opened 15 years ago
Closed 15 years ago
Crash [@ nsRootAccessible::FireAccessibleFocusEvent] on reload with DOMAttrModified removing window and accessibility
Categories
(Core :: Disability Access APIs, defect)
Tracking
()
RESOLVED
FIXED
People
(Reporter: martijn.martijn, Assigned: davidb)
References
Details
(Keywords: crash, testcase)
Crash Data
Attachments
(3 files, 1 obsolete file)
783 bytes,
application/zip
|
Details | |
2.21 KB,
patch
|
surkov
:
review+
|
Details | Diff | Splinter Review |
2.16 KB,
patch
|
Details | Diff | Splinter Review |
See zipped up testcase, which crashes current trunk build and Firefox3.0.7 (so marking security sensitive, just to be sure). The testcase uses enhanced privileges for the accessible nodes retrieval. To reproduce, open the file named 'parenframe.htm', then reload. http://crash-stats.mozilla.com/report/index/1991cd32-c8ee-46b3-a19d-eba0b2090415?p=1 0 xul.dll nsRootAccessible::FireAccessibleFocusEvent accessible/src/base/nsRootAccessible.cpp:533 1 xul.dll nsCOMPtr_base::assign_from_qi obj-firefox/xpcom/build/nsCOMPtr.cpp:96 2 MSCTF.dll OnShellLanguage Firefox3.0.7 crash stack: http://crash-stats.mozilla.com/report/index/3a7ff6c7-3aeb-46f9-8675-e1bcd2090415?p=1 0 xul.dll nsRootAccessible::FireAccessibleFocusEvent mozilla/accessible/src/base/nsRootAccessible.cpp:528 1 xul.dll nsRootAccessible::HandleEventWithTarget mozilla/accessible/src/base/nsRootAccessible.cpp:823 2 xul.dll nsRootAccessible::HandleEvent mozilla/accessible/src/base/nsRootAccessible.cpp:591 3 xul.dll nsEventListenerManager::HandleEventSubType mozilla/content/events/src/nsEventListenerManager.cpp:1080 4 xul.dll nsEventListenerManager::HandleEvent mozilla/content/events/src/nsEventListenerManager.cpp:1185 5 xul.dll nsEventTargetChainItem::HandleEventTargetChain mozilla/content/events/src/nsEventDispatcher.cpp:241 6 xul.dll nsCOMPtr_base::assign_with_AddRef nsCOMPtr.cpp:88 Perhaps this is related to bug 488505, where there is also a case where the accessibility code seems to set an attribute at an unsafe time or something like that? Also, perhaps this is related to bug 422524?
Assignee | ||
Comment 1•15 years ago
|
||
Proposed fix in nsRootAccessible::FireAccessibleFocusEvent: nsCOMPtr<nsIContent> focusContent = do_QueryInterface(gLastFocusedNode); nsIFrame *focusFrame = nsnull; if (focusContent) { nsCOMPtr<nsIPresShell> shell = nsAccessNode::GetPresShellFor(gLastFocusedNode); + if (!shell) + return PR_FALSE; focusFrame = shell->GetRealPrimaryFrameFor(focusContent); Can someone compile and test this easily? I don't have a 1.9.0 tree handy.
Reporter | ||
Comment 2•15 years ago
|
||
(In reply to comment #1) > Can someone compile and test this easily? I don't have a 1.9.0 tree handy. It is also crashing on trunk.
Assignee | ||
Comment 3•15 years ago
|
||
OK (I was thrown by bug 422524 comment 1)
Assignee | ||
Comment 4•15 years ago
|
||
Adding a dependency (bug 423737) so we can possibly undo any workaround here when that bug resolves.
Depends on: 423737
Assignee | ||
Comment 5•15 years ago
|
||
Martijn, this patch fixes the bug locally, can you confirm?
Assignee: nobody → david.bolter
Attachment #373174 -
Flags: review?(martijn.martijn)
Comment 6•15 years ago
|
||
David, does it makes sense to keep gLastFocusedNode if it hasn't presshell?
Assignee | ||
Comment 7•15 years ago
|
||
(In reply to comment #6) > David, does it makes sense to keep gLastFocusedNode if it hasn't presshell? Nope. Thanks Alex, what do you think of this patch?
Attachment #373174 -
Attachment is obsolete: true
Attachment #373351 -
Flags: review?(surkov.alexander)
Attachment #373174 -
Flags: review?(martijn.martijn)
Comment 8•15 years ago
|
||
Comment on attachment 373351 [details] [diff] [review] bailout fix 2 I don't understand why fix #1 doesn't fix the problem, but fix #2 does. Is it stacktrace after fix #1 is different than original one? Does it related we save node without presshell in gLastFocusNode? I would like to see an assertion to assert when presshell is null. It's not expected I think. But the patch looks safe, r=me.
Attachment #373351 -
Flags: review?(surkov.alexander) → review+
Assignee | ||
Comment 9•15 years ago
|
||
Assignee | ||
Updated•15 years ago
|
Status: NEW → ASSIGNED
Comment 10•15 years ago
|
||
Pushed on David's behalf in changeset: http://hg.mozilla.org/mozilla-central/rev/370bac6b036d
Status: ASSIGNED → RESOLVED
Closed: 15 years ago
Resolution: --- → FIXED
Updated•13 years ago
|
Crash Signature: [@ nsRootAccessible::FireAccessibleFocusEvent]
Updated•9 years ago
|
Group: core-security → core-security-release
Updated•9 years ago
|
Group: core-security-release
You need to log in
before you can comment on or make changes to this bug.
Description
•