Last Comment Bug 495555 - Crash [@ nsAttrValue::ToString] with aria-labelledby, observes and groupbox
: Crash [@ nsAttrValue::ToString] with aria-labelledby, observes and groupbox
Status: RESOLVED FIXED
[bk1]
: crash, regression, testcase
Product: Core
Classification: Components
Component: Disability Access APIs (show other bugs)
: Trunk
: x86 Windows XP
: -- critical (vote)
: ---
Assigned To: Nobody; OK to take it and work on it
:
Mentors:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2009-05-29 16:15 PDT by Martijn Wargers [:mwargers] (not working for Mozilla)
Modified: 2012-06-28 07:33 PDT (History)
7 users (show)
See Also:
Crash Signature:
QA Whiteboard:
Iteration: ---
Points: ---
Has Regression Range: ---
Has STR: ---


Attachments
testcase (uses enhanced privileges) (634 bytes, application/vnd.mozilla.xul+xml)
2009-05-29 16:15 PDT, Martijn Wargers [:mwargers] (not working for Mozilla)
no flags Details
patch 1 (1.38 KB, patch)
2009-06-01 08:12 PDT, David Bolter [:davidb]
no flags Details | Diff | Splinter Review
stack for testcase (104.65 KB, text/plain)
2009-06-01 19:06 PDT, alexander :surkov
no flags Details

Description Martijn Wargers [:mwargers] (not working for Mozilla) 2009-05-29 16:15:48 PDT
Created attachment 380539 [details]
testcase (uses enhanced privileges)

See testcase, which crashes current trunk build after 50ms. The testcase uses enhanced privileges, so you need to download it to your computer locally, probably, to be able to grant it the necessary privileges.
It doesn't crash in Firefox 3. I can look for a regression range, if wanted.

http://crash-stats.mozilla.com/report/index/d389801c-72bc-464e-a642-13cc12090529?p=1
0  	xul.dll  	nsAttrValue::ToString  	 content/base/src/nsAttrValue.cpp:339
1 	xul.dll 	nsCoreUtils::GetElementsByIDRefsAttr 	accessible/src/base/nsCoreUtils.cpp:788
2 	xul.dll 	nsCoreUtils::GetRoleContent 	accessible/src/base/nsCoreUtils.cpp:242
Comment 1 Marco Zehe (:MarcoZ) 2009-05-29 22:51:33 PDT
This stack looks very weird, but the line in "1" points at our work on making anonymous content accessible (bug 483573). However, Martijn's testcase uses regular controls, no anonymous content here.
Comment 2 Martijn Wargers [:mwargers] (not working for Mozilla) 2009-05-30 05:17:58 PDT
Perhaps the patch from bug 391132 might give a clue on how to fix this.
Comment 3 David Bolter [:davidb] 2009-06-01 08:12:48 PDT
Created attachment 380823 [details] [diff] [review]
patch 1
Comment 4 David Bolter [:davidb] 2009-06-01 08:17:06 PDT
Comment on attachment 380823 [details] [diff] [review]
patch 1

Alex, I'm not sure if I'm correct in passing through to the 'described by' algorithm when there is no content. Thoughts?

(Maybe better just to bail out)
Comment 5 alexander :surkov 2009-06-01 18:57:31 PDT
David, me either I do not understand how nsHTMLTableCellAccessible might be related with XUL-based testcase.
Comment 6 alexander :surkov 2009-06-01 19:06:15 PDT
Created attachment 380984 [details]
stack for testcase

I think this bug is much similar with bug 391132. Here we get also stack overflow because of @observe attribute I think.
Comment 7 alexander :surkov 2009-06-01 19:06:49 PDT
Comment on attachment 380823 [details] [diff] [review]
patch 1

cancelling review
Comment 8 David Bolter [:davidb] 2009-06-01 19:14:24 PDT
Woah, yeah... stack overflow. Not sure what bug I was fixing there.
Comment 9 David Bolter [:davidb] 2009-08-27 12:53:58 PDT
At least one problem here is that we have mutual recursion between: nsXULGroupboxAccessible::GetNameInternal (calling label->GetName(aName)) and nsAccessible::GetName (calling GetNameInternal(aName)).

I believe this might be set up by the observes attribute.

I'm not sure we need to guard against this edge case, since we can control our XUL to not set up this relationship?
Comment 10 alexander :surkov 2009-08-27 22:20:03 PDT
(In reply to comment #9)

> I believe this might be set up by the observes attribute.

right

> I'm not sure we need to guard against this edge case, since we can control our
> XUL to not set up this relationship?

sory, few additional details for the idea please
Comment 11 David Bolter [:davidb] 2009-12-01 06:05:42 PST
I'm not sure where to go with this bug.
Comment 12 alexander :surkov 2011-03-11 05:56:00 PST
the testcase crashes on nightlies but I don't see a11y involved, the stack is:

 	ntdll.dll!77a1defe() 	
 	[Frames below may be incorrect and/or missing, no symbols loaded for ntdll.dll]	
 	ntdll.dll!77a1e275() 	
 	ntdll.dll!77a1e0f2() 	
 	msvcr90d.dll!69caff0e() 	
 	nspr4.dll!PR_GetThreadPrivate(unsigned int index)  Line 232 + 0x5 bytes	C
 	xul.dll!AssertActivityIsLegal()  Line 168 + 0x15 bytes	C++
 	xul.dll!NS_LogDtor_P(void * aPtr, const char * aType, unsigned int aInstanceSize)  Line 1151 + 0x5 bytes	C++
 	xul.dll!nsHashKey::~nsHashKey()  Line 145 + 0x10 bytes	C++
>	xul.dll!nsXBLPrototypeBinding::nsIIDKey::~nsIIDKey()  Line 247 + 0x18 bytes	C++
 	073d5788()	

we need somebody from content to look at it.
Comment 13 alexander :surkov 2011-03-16 23:08:46 PDT
Olli, can you look at crash?
Comment 14 Olli Pettay [:smaug] (vacation Aug 25-28) 2011-03-17 10:17:30 PDT
How do I test this on trunk?
Comment 15 alexander :surkov 2011-03-20 19:23:58 PDT
(In reply to comment #14)
> How do I test this on trunk?

I put the testcase into extension (like DOM inspector and run it as chrome://inspector/content/testcasefilename.xul).
Comment 17 David Bolter [:davidb] 2012-06-28 07:33:25 PDT
I don't see recent sigs. Maybe fixed by Bug 731813 but I didn't dig too deeply.

Note You need to log in before you can comment on or make changes to this bug.