Closed Bug 668946 Opened 14 years ago Closed 12 years ago

Crash [@ nsDocAccessible::UpdateTree] with SVG, iframe

Categories

(Core :: Disability Access APIs, defect)

Product:
Core
Component:
Disability Access APIs
Platform:
x86
Windows 7
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED WORKSFORME

People

(Reporter: jruderman, Unassigned)

References

(Blocks 2 open bugs)

Details

(Keywords: crash, testcase)

Crash Data

Attachments

(3 files, 1 obsolete file)

stack trace
69.78 KB, text/plain
Details
wip
2.98 KB, patch
Details | Diff | Splinter Review
updated testcase
790 bytes, image/svg+xml
Details
1. Enable accessibility, e.g. by pasting the following into the js console: Components.classes["@mozilla.org/accessibilityService;1"] .getService(Components.interfaces.nsIAccessibleRetrieval); 2. Load the testcase. Result: Crash [@ nsDocAccessible::UpdateTree]
Severity: normal → critical
Attached file stack trace
so before we crash we do nsDocAccessible::RecreateAccessible(nsIContent* aContent) { nsIContent* parentContent = aContent->GetParent(); if (parentContent && parentContent->IsInDoc()) { nsINode* currNode = aNode; nsAccessible* accessible = nsnull; while (!(accessible = GetAccessible(currNode)) && (currNode = currNode->GetNodeParent())); nsAccTreeWalker walker(mWeakShell, aChildNode, aContainer->GetAllowsAnonChildAccessibles(), true); ... so, I'm pretty sure we crash when trying to read the pointer to the vtable for nsAccessible, especially because I believe its the first element of the object in memory and the address we crash at is 0x0. This seems to mean that although parentContent has the in document flag set in its flags bitfield we can't find a parent of the content that has an accessible. which seems pretty odd, I'd really expect to see us find at least a document accessible.
the problem here is the element triggers accessibility processing and then it's moved to inaccessible document. This particular case is easy to fix but this problem in general can lead to different kinds of crashes.
Attached patch wipSplinter Review
while it fixes crash (though mochitest doesn't work), we should make sure here we don't rely on non empty result from GetAccessibleOrContainer where it's not safe.
(In reply to alexander :surkov from comment #3) > the problem here is the element triggers accessibility processing and then > it's moved to inaccessible document. This particular case is easy to fix but > this problem in general can lead to different kinds of crashes. Including Bug 763819 perhaps? It would be good to tackle this class of bugs asap.
Attached image updated testcase
WFM?
Attachment #543567 - Attachment is obsolete: true
(In reply to Jesse Ruderman from comment #6) > Created attachment 717533 [details] > updated testcase > > WFM? I just need to run it on trunk, right? I don't see a crash.
You still need the steps in comment 0.
(In reply to Jesse Ruderman from comment #8) > You still need the steps in comment 0. same, a11y is enabled, no crash
Closing WFM based on comments 6 7 and 9.
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → WORKSFORME
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: