Bug 495555 - Crash [@ nsAttrValue::ToString] with aria-labelledby, observes and groupbox
Keywords: crash, regression, testcase
Product: Core
Classification: Components
Component: Disability Access APIs
Version: Trunk
Platform: x86 Windows XP
Importance: -- critical
Assigned To: Nobody; OK to take it and work on it
: alexander :surkov
Reported: 2009-05-29 16:15 PDT by Martijn Wargers [:mwargers]
Modified: 2012-06-28 07:33 PDT

testcase (uses enhanced privileges) (634 bytes, application/vnd.mozilla.xul+xml)
2009-05-29 16:15 PDT, Martijn Wargers [:mwargers]
patch 1 (1.38 KB, patch)
2009-06-01 08:12 PDT, David Bolter [:davidb]
stack for testcase (104.65 KB, text/plain)
2009-06-01 19:06 PDT, alexander :surkov

Description Martijn Wargers [:mwargers] 2009-05-29 16:15:48 PDT
Created attachment 380539
testcase (uses enhanced privileges)

See testcase, which crashes current trunk build after 50ms. The testcase uses enhanced privileges, so you need to download it to your computer locally, probably, to be able to grant it the necessary privileges.
It doesn't crash in Firefox 3. I can look for a regression range, if wanted.
0  	xul.dll  	nsAttrValue::ToString  	 content/base/src/nsAttrValue.cpp:339
1 	xul.dll 	nsCoreUtils::GetElementsByIDRefsAttr 	accessible/src/base/nsCoreUtils.cpp:788
2 	xul.dll 	nsCoreUtils::GetRoleContent 	accessible/src/base/nsCoreUtils.cpp:242
Comment 1 Marco Zehe (:MarcoZ) 2009-05-29 22:51:33 PDT
This stack looks very weird, but the line in "1" points at our work on making anonymous content accessible (bug 483573). However, Martijn's testcase uses regular controls, no anonymous content here.
Comment 2 Martijn Wargers [:mwargers] 2009-05-30 05:17:58 PDT
Perhaps the patch from bug 391132 might give a clue on how to fix this.
Comment 3 David Bolter [:davidb] 2009-06-01 08:12:48 PDT
Created attachment 380823
patch 1
Comment 4 David Bolter [:davidb] 2009-06-01 08:17:06 PDT
Comment on attachment 380823
patch 1

Alex, I'm not sure if I'm correct in passing through to the 'described by' algorithm when there is no content. Thoughts?

(Maybe better just to bail out)
Comment 5 alexander :surkov 2009-06-01 18:57:31 PDT
David, me neither; I do not understand how nsHTMLTableCellAccessible might be related to the XUL-based testcase.
Comment 6 alexander :surkov 2009-06-01 19:06:15 PDT
Created attachment 380984
stack for testcase

I think this bug is very similar to bug 391132. Here we also get a stack overflow because of the @observe attribute, I think.
Comment 7 alexander :surkov 2009-06-01 19:06:49 PDT
Comment on attachment 380823
patch 1

cancelling review
Comment 8 David Bolter [:davidb] 2009-06-01 19:14:24 PDT
Woah, yeah... stack overflow. Not sure what bug I was fixing there.
Comment 9 David Bolter [:davidb] 2009-08-27 12:53:58 PDT
At least one problem here is that we have mutual recursion between: nsXULGroupboxAccessible::GetNameInternal (calling label->GetName(aName)) and nsAccessible::GetName (calling GetNameInternal(aName)).

I believe this might be set up by the observes attribute.

I'm not sure we need to guard against this edge case, since we can control our XUL to not set up this relationship?
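
The mutual recursion described in comment 9, with one way to bound it, as an added example that is not part of the bug thread and is not Gecko code. `Node`, `getName`, `nameInternal` and `computeName` are hypothetical stand-ins for the accessible classes, the cycle is constructed, and the guard is a visited set kept for the duration of one name computation.

```cpp
#include <iostream>
#include <string>
#include <unordered_set>

// Hypothetical, simplified model (not Gecko's classes): a node has its own
// text and may take its name from the node it is labelled by.
struct Node {
    std::string ownText;
    const Node* labelledBy = nullptr;  // relation target; may form a cycle
};
using Visited = std::unordered_set<const Node*>;

std::string nameInternal(const Node& n, Visited& seen);

// Plays the role of GetName: guard first, then delegate.
std::string getName(const Node& n, Visited& seen) {
    // A node is expanded at most once per computation. A second visit means
    // the label relation loops back, so it contributes nothing.
    if (!seen.insert(&n).second) return std::string();
    return nameInternal(n, seen);
}

// Plays the role of GetNameInternal: ask the label for its name first.
std::string nameInternal(const Node& n, Visited& seen) {
    if (n.labelledBy) {
        std::string fromLabel = getName(*n.labelledBy, seen);
        if (!fromLabel.empty()) return fromLabel;
    }
    return n.ownText;
}

std::string computeName(const Node& n) {
    Visited seen;  // fresh guard state for each top-level request
    return getName(n, seen);
}

// Constructed input: groupbox and label point at each other.
std::string cyclicName() {
    Node groupbox, label;
    label.ownText = "Settings";
    groupbox.labelledBy = &label;
    label.labelledBy = &groupbox;  // closes the cycle
    return computeName(groupbox);
}

int main() {
    std::cout << cyclicName() << "\n";  // terminates instead of overflowing
    return 0;
}
```

Without the `seen` check the two functions call each other until the stack is exhausted, whatever the markup that produced the cycle.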
Comment 10 alexander :surkov 2009-08-27 22:20:03 PDT
(In reply to comment #9)

> I believe this might be set up by the observes attribute.


> I'm not sure we need to guard against this edge case, since we can control our
> XUL to not set up this relationship?

Sorry, a few additional details on the idea, please.
Comment 11 David Bolter [:davidb] 2009-12-01 06:05:42 PST
I'm not sure where to go with this bug.
Comment 12 alexander :surkov 2011-03-11 05:56:00 PST
the testcase crashes on nightlies but I don't see a11y involved, the stack is:

 	[Frames below may be incorrect and/or missing, no symbols loaded for ntdll.dll]	
 	nspr4.dll!PR_GetThreadPrivate(unsigned int index)  Line 232 + 0x5 bytes	C
 	xul.dll!AssertActivityIsLegal()  Line 168 + 0x15 bytes	C++
 	xul.dll!NS_LogDtor_P(void * aPtr, const char * aType, unsigned int aInstanceSize)  Line 1151 + 0x5 bytes	C++
 	xul.dll!nsHashKey::~nsHashKey()  Line 145 + 0x10 bytes	C++
>	xul.dll!nsXBLPrototypeBinding::nsIIDKey::~nsIIDKey()  Line 247 + 0x18 bytes	C++

we need somebody from content to look at it.
Comment 13 alexander :surkov 2011-03-16 23:08:46 PDT
Olli, can you look at the crash?
Comment 14 Olli Pettay [:smaug] (pto-ish for couple of days) 2011-03-17 10:17:30 PDT
How do I test this on trunk?
Comment 15 alexander :surkov 2011-03-20 19:23:58 PDT
(In reply to comment #14)
> How do I test this on trunk?

I put the testcase into an extension (like DOM Inspector) and run it as chrome://inspector/content/testcasefilename.xul.
Comment 17 David Bolter [:davidb] 2012-06-28 07:33:25 PDT
I don't see recent sigs. Maybe fixed by Bug 731813 but I didn't dig too deeply.
