Closed Bug 1194859 Opened 9 years ago Closed 9 years ago

crash in mozilla::a11y::ARIAGridCellAccessible::GroupPosition()

Categories

(Core :: Disability Access APIs, defect)

Product:
Core
Component:
Disability Access APIs
Version:
41 Branch
Platform:
x86
Windows NT
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla43
Tracking Flags:
Tracking Status
firefox40 --- unaffected
firefox41 + fixed
firefox42 + fixed
firefox43 --- fixed

People

(Reporter: away, Assigned: surkov)

References

Details

(Keywords: crash)

Crash Data

Attachments

(2 files)

patch
1.79 KB, patch
MarcoZ
: review+
Sylvestre
: approval-mozilla-aurora+
Sylvestre
: approval-mozilla-beta+
Details | Diff | Splinter Review
patch2
1.65 KB, patch
MarcoZ
: review+
Sylvestre
: approval-mozilla-aurora+
Sylvestre
: approval-mozilla-beta+
Details | Diff | Splinter Review 
This bug was filed from the Socorro interface and is 
report bp-199b1006-4e4d-4751-bbfc-dcb2a2150813.
=============================================================

This signature spiked in 41b1 (because this code is new to 41).

Frame 	Module 	Signature 	Source
0 	xul.dll 	mozilla::a11y::ARIAGridCellAccessible::GroupPosition() 	accessible/generic/ARIAGridAccessible.cpp
1 	xul.dll 	mozilla::a11y::Accessible::NativeAttributes() 	accessible/generic/Accessible.cpp
2 	xul.dll 	mozilla::a11y::HyperTextAccessible::NativeAttributes() 	accessible/generic/HyperTextAccessible.cpp
3 	xul.dll 	mozilla::a11y::ARIAGridCellAccessible::NativeAttributes() 	accessible/generic/ARIAGridAccessible.cpp
4 	xul.dll 	mozilla::a11y::Accessible::Attributes() 	accessible/generic/Accessible.cpp
5 	xul.dll 	mozilla::a11y::ia2Accessible::get_attributes(wchar_t**) 	accessible/windows/ia2/ia2Accessible.cpp
[Tracking Requested - why for this release]: topcrash on 41
Crash Signature: [@ mozilla::a11y::ARIAGridCellAccessible::GroupPosition()] → [@ mozilla::a11y::ARIAGridCellAccessible::GroupPosition()] [@ mozilla::a11y::HTMLTableCellAccessible::GroupPosition() ]
status-firefox40: --- → unaffected
status-firefox41: --- → affected
status-firefox42: --- → affected
status-firefox43: --- → affected
tracking-firefox41: --- → ?
http://hg.mozilla.org/releases/mozilla-beta/annotate/be2423a7ec20/accessible/generic/ARIAGridAccessible.cpp#l693

Something in this chain is null: Table()->AsAccessible()->GetContent().
I think it is the |Table()|.
Flags: needinfo?(surkov.alexander)
Attached patch patchSplinter Review 
Assignee: nobody → surkov.alexander
Flags: needinfo?(surkov.alexander)

        Attachment #8649278 -
        Flags: review?(mzehe)

    
    

    
  
Comment on attachment 8649278 [details] [diff] [review]
patch

r=me. Do we have other places in our table code where we have similar constructs that could bite us in the future?

        Attachment #8649278 -
        Flags: review?(mzehe) → review+

    
    

    
  
(In reply to Marco Zehe (:MarcoZ) from comment #5)
> Comment on attachment 8649278 [details] [diff] [review]
> patch
> 
> r=me. Do we have other places in our table code where we have similar
> constructs that could bite us in the future?

it seems no other places.

    
    

    
  
https://hg.mozilla.org/mozilla-central/rev/2e89ce960e5f
Status: NEW → RESOLVED
Closed: 9 years ago

          status-firefox43:
          affectedfixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla43

    
    

    
  
Alexander, given that this was a top crash for 41, do you want to request uplift to Beta on this patch? It looks safe to me but you are the best judge. Thanks!
Flags: needinfo?(surkov.alexander)

    
    

    
  
Comment on attachment 8649278 [details] [diff] [review]
patch

Approval Request Comment
[Feature/regressing bug #]: bug 1177268
[User impact if declined]: assistive technologies users keep crashing
[Describe test coverage new/current, TreeHerder]: not covered
[Risks and why]: no risk, a null check
[String/UUID change made/needed]: no
Flags: needinfo?(surkov.alexander)

        Attachment #8649278 -
        Flags: approval-mozilla-beta?

        Attachment #8649278 -
        Flags: approval-mozilla-aurora?

    
    

    
  
Comment on attachment 8649278 [details] [diff] [review]
patch

Fix a top crash, taking it.

        Attachment #8649278 -
        Flags: approval-mozilla-beta?

        Attachment #8649278 -
        Flags: approval-mozilla-beta+

        Attachment #8649278 -
        Flags: approval-mozilla-aurora?

        Attachment #8649278 -
        Flags: approval-mozilla-aurora+

    
    

    
  
This crash is still seen on all channels where the patch landed. Looking at the disassembly of beta4, I'm pretty certain the null pointer is |Table()|, not |table|.
Status: RESOLVED → REOPENED

          status-firefox41:
          fixedaffected

          status-firefox42:
          fixedaffected

          status-firefox43:
          fixedaffected
Flags: needinfo?(surkov.alexander)
Resolution: FIXED → ---

    
    

    
  

      
      
      
      

        Attached patch
          
          
        patch2Splinter Review
      

    


  
Flags: needinfo?(surkov.alexander)

        Attachment #8653627 -
        Flags: review?(mzehe)

    
    

    
  
Comment on attachment 8653627 [details] [diff] [review]
patch2

Review of attachment 8653627 [details] [diff] [review]:
-----------------------------------------------------------------

Yikes! *That* is where it failed! OK, let's hope that we've now kicked it into obedience! Thanks! r=me.

    
    

    
  
Comment on attachment 8653627 [details] [diff] [review]
patch2

Umm ... I said: r=me!

        Attachment #8653627 -
        Flags: review?(mzehe) → review+

    
    

    
  
Comment on attachment 8653627 [details] [diff] [review]
patch2

Review of attachment 8653627 [details] [diff] [review]:
-----------------------------------------------------------------

::: accessible/generic/ARIAGridAccessible.cpp
@@ +690,5 @@
>  ARIAGridCellAccessible::GroupPosition()
>  {
>    int32_t count = 0, index = 0;
> +  Accessible* table = Table();
> +  if (table && nsCoreUtils::GetUIntAttr(table->->AsAccessible()->GetContent(),

There's a double arrow here.

    
    

    
  
https://hg.mozilla.org/mozilla-central/rev/eb84e5f9c664
Status: REOPENED → RESOLVED
Closed: 9 years ago9 years ago

          status-firefox43:
          affectedfixed
Resolution: --- → FIXED

    
    

    
  
Please request Aurora/Beta approval on this when you get a chance.
Flags: needinfo?(surkov.alexander)

    
    

    
  
Comment on attachment 8653627 [details] [diff] [review]
patch2

Approval Request Comment
[Feature/regressing bug #]: bug 1177268
[User impact if declined]: Crashes.
[Describe test coverage new/current, TreeHerder]: On Central, follow-up/corrected patch to previous one from this bug.
[Risks and why]: Null check.
[String/UUID change made/needed]: None.
Flags: needinfo?(surkov.alexander)

        Attachment #8653627 -
        Flags: approval-mozilla-beta?

        Attachment #8653627 -
        Flags: approval-mozilla-aurora?

    
    

    
  
Comment on attachment 8653627 [details] [diff] [review]
patch2

> [Risks and why]: Null check.
I don't see a risk evaluation here?! Please be more explicit for future uplift requests.

        Attachment #8653627 -
        Flags: approval-mozilla-beta?

        Attachment #8653627 -
        Flags: approval-mozilla-beta+

        Attachment #8653627 -
        Flags: approval-mozilla-aurora?

        Attachment #8653627 -
        Flags: approval-mozilla-aurora+

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: