Last Comment Bug 754377 - crash in nsDocAccessible::AttributeChangedImpl
: crash in nsDocAccessible::AttributeChangedImpl
Status: RESOLVED FIXED
[native-crash]
: crash
Product: Core
Classification: Components
Component: Disability Access APIs (show other bugs)
: Trunk
: ARM Android
: -- critical (vote)
: mozilla15
Assigned To: David Bolter [:davidb]
:
: alexander :surkov
Mentors:
Depends on:
Blocks: 414302
  Show dependency treegraph
 
Reported: 2012-05-11 11:16 PDT by Scoobidiver (away)
Modified: 2012-05-12 09:11 PDT (History)
3 users (show)
See Also:
Crash Signature:
QA Whiteboard:
Iteration: ---
Points: ---
Has Regression Range: ---
Has STR: ---


Attachments
trivial fix (1.07 KB, patch)
2012-05-11 11:45 PDT, David Bolter [:davidb]
tbsaunde+mozbugs: review+
Details | Diff | Splinter Review

Description Scoobidiver (away) 2012-05-11 11:16:13 PDT
There are 6 crashes from the same user in 15.0a1/20120509.

Signature 	nsDocAccessible::AttributeChangedImpl More Reports Search
UUID	69e4c3ae-fdb3-4ca4-b0cb-dd4052120511
Date Processed	2012-05-11 16:22:58
Uptime	148
Last Crash	2.5 minutes before submission
Install Age	2.2 days since version was first installed.
Install Time	2012-05-09 12:29:29
Product	FennecAndroid
Version	15.0a1
Build ID	20120509030514
Release Channel	nightly
OS	Linux
OS Version	0.0.0 Linux 3.0.8-gda6252b #1 SMP PREEMPT Fri Apr 13 11:35:09 PDT 2012 armv7l
Build Architecture	arm
Build Architecture Info	
Crash Reason	SIGSEGV
Crash Address	0x0
App Notes 	
AdapterVendorID: tuna, AdapterDeviceID: Galaxy Nexus.
AdapterDescription: 'Model: 'Galaxy Nexus', Product: 'yakju', Manufacturer: 'samsung', Hardware: 'tuna''.
samsung Galaxy Nexus
google/yakju/maguro:4.0.4/IMM76I/330937:user/release-keys
Processor Notes 	This dump is too long and has triggered the automatic truncation routine
EMCheckCompatibility	True

Frame 	Module 	Signature 	Source
0 	libxul.so 	nsDocAccessible::AttributeChangedImpl 	accessible/src/base/nsDocAccessible.cpp:1087
1 	libxul.so 	nsDocAccessible::AttributeChanged 	accessible/src/base/nsDocAccessible.cpp:999
2 	libxul.so 	nsNodeUtils::AttributeChanged 	content/base/src/nsNodeUtils.cpp:138
3 	libxul.so 	nsGenericElement::SetAttrAndNotify 	content/base/src/nsGenericElement.cpp:5360
4 	libxul.so 	nsGenericElement::SetAttr 	content/base/src/nsGenericElement.cpp:5264
5 	libxul.so 	nsDOMAttributeMap::SetNamedItemInternal 	content/base/src/nsDOMAttributeMap.cpp:360
6 	libxul.so 	nsDOMAttributeMap::SetNamedItem 	content/base/src/nsDOMAttributeMap.cpp:254
7 	libxul.so 	nsGenericElement::SetAttributeNode 	content/base/src/nsGenericElement.cpp:2791
8 	libxul.so 	nsXULElement::SetAttributeNode 	content/xul/content/src/nsXULElement.h:519
9 	libxul.so 	NS_InvokeByIndex_P 	xpcom/reflect/xptcall/src/md/unix/xptcinvoke_arm.cpp:194
10 	libxul.so 	XPCWrappedNative::CallMethod 	js/xpconnect/src/XPCWrappedNative.cpp:3103
11 	libxul.so 	XPC_WN_CallMethod 	js/xpconnect/src/XPCWrappedNativeJSOps.cpp:1541
12 	libxul.so 	libxul.so@0xd5f495 	
13 	libxul.so 	XPC_WN_GetterSetter 	js/xpconnect/src/xpcprivate.h:2753
...

More reports at:
https://crash-stats.mozilla.com/report/list?signature=nsDocAccessible%3A%3AAttributeChangedImpl
Comment 1 David Bolter [:davidb] 2012-05-11 11:45:26 PDT
Created attachment 623237 [details] [diff] [review]
trivial fix
Comment 2 David Bolter [:davidb] 2012-05-11 11:50:09 PDT
A lingering question is, what content can be selected but does not return an accessible?
Comment 3 Trevor Saunders (:tbsaunde) 2012-05-11 12:09:54 PDT
(In reply to David Bolter [:davidb] from comment #2)
> A lingering question is, what content can be selected but does not return an
> accessible?

in the general case it could be svg or mathml.  However I'm not really sure about this particular case, I thought fennic didn't have much xul in it...
Comment 4 David Bolter [:davidb] 2012-05-11 12:13:09 PDT
Not super happy about landing the null check while we have mystery.
Comment 6 David Bolter [:davidb] 2012-05-11 12:23:24 PDT
(Oops shouldn't have closed pre-merge - old habits)
Comment 7 Matt Brubeck (:mbrubeck) 2012-05-12 09:00:50 PDT
https://hg.mozilla.org/mozilla-central/rev/e8a8cbac81db
Comment 8 alexander :surkov 2012-05-12 09:10:30 PDT
(In reply to Trevor Saunders (:tbsaunde) from comment #3)
> (In reply to David Bolter [:davidb] from comment #2)
> > A lingering question is, what content can be selected but does not return an
> > accessible?
> 
> in the general case it could be svg or mathml.  However I'm not really sure
> about this particular case, I thought fennic didn't have much xul in it...

it's likely HTML body, if not then (in case of XUL for example) it's a document element.

It doesn't sound like it's valid usage of aria-selected (or selected attribute) but AttributeChangedImpl should take accessible object instead
Comment 9 alexander :surkov 2012-05-12 09:11:56 PDT
btw, testcase from bug 754473 is a great example of that.

Note You need to log in before you can comment on or make changes to this bug.