Created attachment 380539 [details] testcase (uses enhanced privileges) See testcase, which crashes current trunk build after 50ms. The testcase uses enhanced privileges, so you need to download it to your computer locally, probably, to be able to grant it the necessary privileges. It doesn't crash in Firefox 3. I can look for a regression range, if wanted. http://crash-stats.mozilla.com/report/index/d389801c-72bc-464e-a642-13cc12090529?p=1 0 xul.dll nsAttrValue::ToString content/base/src/nsAttrValue.cpp:339 1 xul.dll nsCoreUtils::GetElementsByIDRefsAttr accessible/src/base/nsCoreUtils.cpp:788 2 xul.dll nsCoreUtils::GetRoleContent accessible/src/base/nsCoreUtils.cpp:242
This stack looks very weird, but the line in "1" points at our work on making anonymous content accessible (bug 483573). However, Martijn's testcase uses regular controls, no anonymous content here.
Perhaps the patch from bug 391132 might give a clue on how to fix this.
Created attachment 380823 [details] [diff] [review] patch 1
Comment on attachment 380823 [details] [diff] [review] patch 1 Alex, I'm not sure if I'm correct in passing through to the 'described by' algorithm when there is no content. Thoughts? (Maybe better just to bail out)
David, me either I do not understand how nsHTMLTableCellAccessible might be related with XUL-based testcase.
Created attachment 380984 [details] stack for testcase I think this bug is much similar with bug 391132. Here we get also stack overflow because of @observe attribute I think.
Woah, yeah... stack overflow. Not sure what bug I was fixing there.
At least one problem here is that we have mutual recursion between: nsXULGroupboxAccessible::GetNameInternal (calling label->GetName(aName)) and nsAccessible::GetName (calling GetNameInternal(aName)). I believe this might be set up by the observes attribute. I'm not sure we need to guard against this edge case, since we can control our XUL to not set up this relationship?
(In reply to comment #9) > I believe this might be set up by the observes attribute. right > I'm not sure we need to guard against this edge case, since we can control our > XUL to not set up this relationship? sory, few additional details for the idea please
I'm not sure where to go with this bug.
the testcase crashes on nightlies but I don't see a11y involved, the stack is: ntdll.dll!77a1defe() [Frames below may be incorrect and/or missing, no symbols loaded for ntdll.dll] ntdll.dll!77a1e275() ntdll.dll!77a1e0f2() msvcr90d.dll!69caff0e() nspr4.dll!PR_GetThreadPrivate(unsigned int index) Line 232 + 0x5 bytes C xul.dll!AssertActivityIsLegal() Line 168 + 0x15 bytes C++ xul.dll!NS_LogDtor_P(void * aPtr, const char * aType, unsigned int aInstanceSize) Line 1151 + 0x5 bytes C++ xul.dll!nsHashKey::~nsHashKey() Line 145 + 0x10 bytes C++ > xul.dll!nsXBLPrototypeBinding::nsIIDKey::~nsIIDKey() Line 247 + 0x18 bytes C++ 073d5788() we need somebody from content to look at it.
Olli, can you look at crash?
How do I test this on trunk?
(In reply to comment #14) > How do I test this on trunk? I put the testcase into extension (like DOM inspector and run it as chrome://inspector/content/testcasefilename.xul).
Seems to be still happening on Windows. Today several crash reports on various Windows version in various Firefox versions. See: https://crash-stats.mozilla.com/report/list?product=Firefox&query_search=signature&query_type=contains&query=nsAttrValue::ToString&reason_type=contains&date=11/01/2011%2007:17:02&range_value=1&range_unit=weeks&hang_type=crash&process_type=any&do_query=1&signature=nsAttrValue::ToString%28nsAString_internal%26%29
I don't see recent sigs. Maybe fixed by Bug 731813 but I didn't dig too deeply.