Closed Bug 1178817 Opened 9 years ago Closed 9 years ago

Reliable segfault in mozilla::a11y::HTMLTableRowAccessible::GroupPosition() in Nightly

Categories

(Core :: Disability Access APIs, defect)

Unspecified
Linux
defect
Not set
major

Tracking

RESOLVED FIXED
mozilla42
Tracking Status
firefox41 --- fixed
firefox42 --- fixed

People

(Reporter: jdiggs, Assigned: fredw)

References

(Blocks 1 open bug)

Attachments

(1 file)

Steps to reproduce:
1. Load "data:text/html,<math><mtable><mtr><mtd><mi>x</mi></mtd></mtr></mtable></math>" in Nightly
2. In a python console do the following:

$ python3
>>> import pyatspi
>>> firefox = [app for app in pyatspi.Registry.getDesktop(0) if app.name == 'Firefox'][0]
>>> rows = pyatspi.utils.findAllDescendants(firefox, lambda x: x and x.getRole() == pyatspi.ROLE_TABLE_ROW)
>>> for row in rows: print(row.getAttributes())

Expected result: Nightly would not crash.

Actual result: Nightly crashes reliably. See below.

I'm pretty sure this is a very recent regression. I'll try to pin that down next. Also, it doesn't seem to happen for regular tables; just MathML tables.

(gdb) bt
#0  0x00007ffff2cff8c2 in mozilla::a11y::HTMLTableRowAccessible::GroupPosition() () at /home/jd/Downloads/foxes/firefox/libxul.so
#1  0x00007ffff2cf2470 in mozilla::a11y::Accessible::NativeAttributes() () at /home/jd/Downloads/foxes/firefox/libxul.so
#2  0x00007ffff2cee63a in mozilla::a11y::Accessible::Attributes() () at /home/jd/Downloads/foxes/firefox/libxul.so
#3  0x00007ffff2cca9a7 in GetAttributeSet(mozilla::a11y::Accessible*) () at /home/jd/Downloads/foxes/firefox/libxul.so
#4  0x00007ffff2ccc280 in getAttributesCB () at /home/jd/Downloads/foxes/firefox/libxul.so
#5  0x00007fffdf56eb10 in impl_GetAttributes () at /lib64/libatk-bridge-2.0.so.0
#6  0x00007fffdf56d07a in handle_message () at /lib64/libatk-bridge-2.0.so.0
#7  0x00007fffef49a663 in _dbus_object_tree_dispatch_and_unlock () at /lib64/libdbus-1.so.3
#8  0x00007fffef48c104 in dbus_connection_dispatch () at /lib64/libdbus-1.so.3
#9  0x00007fffdf33b085 in message_queue_dispatch () at /lib64/libatspi.so.0
#10 0x00007fffeef39a8a in g_main_context_dispatch () at /lib64/libglib-2.0.so.0
#11 0x00007fffeef39e20 in g_main_context_iterate.isra () at /lib64/libglib-2.0.so.0
#12 0x00007fffeef39ecc in g_main_context_iteration () at /lib64/libglib-2.0.so.0
#13 0x00007ffff14af47f in nsAppShell::ProcessNextNativeEvent(bool) () at /home/jd/Downloads/foxes/firefox/libxul.so
#14 0x00007ffff287183d in nsBaseAppShell::DoProcessNextNativeEvent(bool, unsigned int) ()
    at /home/jd/Downloads/foxes/firefox/libxul.so
#15 0x00007ffff14aeb05 in nsBaseAppShell::OnProcessNextEvent(nsIThreadInternal*, bool, unsigned int) ()
    at /home/jd/Downloads/foxes/firefox/libxul.so
#16 0x00007ffff143a2a6 in nsThread::ProcessNextEvent(bool, bool*) () at /home/jd/Downloads/foxes/firefox/libxul.so
#17 0x00007ffff143fe9e in NS_ProcessNextEvent(nsIThread*, bool) () at /home/jd/Downloads/foxes/firefox/libxul.so
#18 0x00007ffff14511af in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) ()
    at /home/jd/Downloads/foxes/firefox/libxul.so
#19 0x00007ffff18bb8e3 in MessageLoop::Run() () at /home/jd/Downloads/foxes/firefox/libxul.so
#20 0x00007ffff286be78 in nsBaseAppShell::Run() () at /home/jd/Downloads/foxes/firefox/libxul.so
#21 0x00007ffff2e3b39c in nsAppStartup::Run() () at /home/jd/Downloads/foxes/firefox/libxul.so
#22 0x00007ffff2e78be7 in XREMain::XRE_mainRun() () at /home/jd/Downloads/foxes/firefox/libxul.so
#23 0x00007ffff2e7b26d in XREMain::XRE_main(int, char**, nsXREAppData const*) () at /home/jd/Downloads/foxes/firefox/libxul.so
#24 0x00007ffff2e7b51c in XRE_main () at /home/jd/Downloads/foxes/firefox/libxul.so
#25 0x0000000000408ce6 in do_main(int, char**, nsIFile*) ()
#26 0x00000000004052cb in main ()
41.0a1 (2015-06-29) - Doesn't crash
42.0a1 (2015-06-30) - Crashes
It seems that this code was added in bug 1177268 and merged to mozilla-central on 2015-06-30. Probably some special checks should be done for MathML tables.
Blocks: 1163374
Attached patch: Patch
Attachment #8628224 - Flags: review?(mzehe)
Assignee: nobody → fred.wang
Status: NEW → ASSIGNED
Comment on attachment 8628224 [details] [diff] [review]
Patch

r=me. Sorry I overlooked this when reviewing the original patch!
Attachment #8628224 - Flags: review?(mzehe) → review+
https://hg.mozilla.org/mozilla-central/rev/dcf40cb0dc96
Status: ASSIGNED → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla42
Comment on attachment 8628224 [details] [diff] [review]
Patch

Approval Request Comment
[Feature/regressing bug #]: bug 1177268
[User impact if declined]: Reproducible crash.
[Describe test coverage new/current, TreeHerder]: TreeHerder, manual.
[Risks and why]: None, fixes crash.
[String/UUID change made/needed]: None.
Attachment #8628224 - Flags: approval-mozilla-aurora?
Comment on attachment 8628224 [details] [diff] [review]
Patch

Approving for uplift to Aurora. Patch reviewed, seems safe and stable as it has been in m-c for a few days already.
Attachment #8628224 - Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
Joanmarie, could you please verify that the fix works for you? If it does, please change the status to "Verified". Thanks!
Flags: needinfo?(jdiggs)
Flags: needinfo?(jdiggs)