Closed
Bug 1420773
Opened 7 years ago
Closed 4 years ago
stack-overflow [@ mozilla::a11y::Accessible::ARIATransformRole]
Categories: Core :: Disability Access APIs, defect, P2
People: Reporter: tsmith, Assigned: eeejay
References: Blocks 1 open bug
Details: Keywords: crash, testcase, Whiteboard: [a11y:crash][fuzzblocker]
Attachments: 2 files
==2097==ERROR: AddressSanitizer: stack-overflow on address 0x7fffa6617fb8 (pc 0x0000004be4ae bp 0x7fffa6618810 sp 0x7fffa6617fc0 T0)
#0 0x4be4ad in __asan_memset /builds/worker/workspace/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_interceptors_memintrinsics.cc:27:3
#1 0x7ff11583a6d6 in DOMString /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/dom/DOMString.h:50:7
#2 0x7ff11583a6d6 in mozilla::dom::Element::GetAttr(int, nsAtom*, nsTSubstring<char16_t>&) const /builds/worker/workspace/build/src/dom/base/Element.cpp:3055
#3 0x7ff11d8b9231 in mozilla::a11y::IDRefsIterator::IDRefsIterator(mozilla::a11y::DocAccessible*, nsIContent*, nsAtom*) /builds/worker/workspace/build/src/accessible/base/AccIterator.cpp:261:15
#4 0x7ff11d92e727 in nsTextEquivUtils::GetTextEquivFromIDRefs(mozilla::a11y::Accessible*, nsAtom*, nsTSubstring<char16_t>&) /builds/worker/workspace/build/src/accessible/base/nsTextEquivUtils.cpp:65:18
#5 0x7ff11d93f760 in ARIAName /builds/worker/workspace/build/src/accessible/generic/Accessible.cpp:1977:17
#6 0x7ff11d93f760 in mozilla::a11y::Accessible::Name(nsTString<char16_t>&) /builds/worker/workspace/build/src/accessible/generic/Accessible.cpp:139
#7 0x7ff11d94d400 in mozilla::a11y::Accessible::ARIATransformRole(mozilla::a11y::roles::Role) /builds/worker/workspace/build/src/accessible/generic/Accessible.cpp:1438:5
#8 0x7ff11d94d9cb in Role /builds/worker/workspace/build/src/accessible/generic/Accessible-inl.h
#9 0x7ff11d94d9cb in mozilla::a11y::Accessible::ARIATransformRole(mozilla::a11y::roles::Role) /builds/worker/workspace/build/src/accessible/generic/Accessible.cpp:1474
#10 0x7ff11d9acbf1 in Role /builds/worker/workspace/build/src/accessible/generic/Accessible-inl.h
#11 0x7ff11d9acbf1 in mozilla::a11y::HTMLTableAccessible::Caption() const /builds/worker/workspace/build/src/accessible/html/HTMLTableAccessible.cpp:483
#12 0x7ff11d9ac124 in mozilla::a11y::HTMLTableAccessible::NativeName(nsTString<char16_t>&) /builds/worker/workspace/build/src/accessible/html/HTMLTableAccessible.cpp:429:25
#13 0x7ff11d93f924 in mozilla::a11y::Accessible::Name(nsTString<char16_t>&) /builds/worker/workspace/build/src/accessible/generic/Accessible.cpp:150:29
#14 0x7ff11d94d400 in mozilla::a11y::Accessible::ARIATransformRole(mozilla::a11y::roles::Role) /builds/worker/workspace/build/src/accessible/generic/Accessible.cpp:1438:5
#15 0x7ff11d94d9cb in Role /builds/worker/workspace/build/src/accessible/generic/Accessible-inl.h
#16 0x7ff11d94d9cb in mozilla::a11y::Accessible::ARIATransformRole(mozilla::a11y::roles::Role) /builds/worker/workspace/build/src/accessible/generic/Accessible.cpp:1474
#17 0x7ff11d9acbf1 in Role /builds/worker/workspace/build/src/accessible/generic/Accessible-inl.h
#18 0x7ff11d9acbf1 in mozilla::a11y::HTMLTableAccessible::Caption() const /builds/worker/workspace/build/src/accessible/html/HTMLTableAccessible.cpp:483
#19 0x7ff11d9ac124 in mozilla::a11y::HTMLTableAccessible::NativeName(nsTString<char16_t>&) /builds/worker/workspace/build/src/accessible/html/HTMLTableAccessible.cpp:429:25
#20 0x7ff11d93f924 in mozilla::a11y::Accessible::Name(nsTString<char16_t>&) /builds/worker/workspace/build/src/accessible/generic/Accessible.cpp:150:29
#21 0x7ff11d94d400 in mozilla::a11y::Accessible::ARIATransformRole(mozilla::a11y::roles::Role) /builds/worker/workspace/build/src/accessible/generic/Accessible.cpp:1438:5
#22 0x7ff11d94d9cb in Role /builds/worker/workspace/build/src/accessible/generic/Accessible-inl.h
#23 0x7ff11d94d9cb in mozilla::a11y::Accessible::ARIATransformRole(mozilla::a11y::roles::Role) /builds/worker/workspace/build/src/accessible/generic/Accessible.cpp:1474
#24 0x7ff11d9acbf1 in Role /builds/worker/workspace/build/src/accessible/generic/Accessible-inl.h
#25 0x7ff11d9acbf1 in mozilla::a11y::HTMLTableAccessible::Caption() const /builds/worker/workspace/build/src/accessible/html/HTMLTableAccessible.cpp:483
#26 0x7ff11d9ac124 in mozilla::a11y::HTMLTableAccessible::NativeName(nsTString<char16_t>&) /builds/worker/workspace/build/src/accessible/html/HTMLTableAccessible.cpp:429:25
#27 0x7ff11d93f924 in mozilla::a11y::Accessible::Name(nsTString<char16_t>&) /builds/worker/workspace/build/src/accessible/generic/Accessible.cpp:150:29
#28 0x7ff11d94d400 in mozilla::a11y::Accessible::ARIATransformRole(mozilla::a11y::roles::Role) /builds/worker/workspace/build/src/accessible/generic/Accessible.cpp:1438:5
#29 0x7ff11d94d9cb in Role /builds/worker/workspace/build/src/accessible/generic/Accessible-inl.h
...
Flags: in-testsuite?
Updated•7 years ago
Priority: -- → P2
Assignee
Updated•7 years ago
Assignee: nobody → eitan
Assignee
Comment 1•7 years ago
Looks like we are stuck in an endless cycle of role calculations between the table and its row..
Assignee
Updated•7 years ago
Comment 2•7 years ago
(In reply to Eitan Isaacson [:eeejay] from comment #1)
> Looks like we are stuck in an endless cycle of role calculations between the
> table and its row..
Do you have a detailed explanation of what happens here? Is there something wrong with the hierarchy?
Comment 3•7 years ago
Eitan, pinging. If you could dump out your findings here, it'd be helpful :)
Flags: needinfo?(eitan)
Assignee
Comment 4•7 years ago
I'm unassigning myself because I don't want to hog this if someone else could fix it..
1. Accessible::Role is called on table@role=region, it calls
2. Accessible::ARIATransformRole with "region" as the aria role to transform. Bug 1358462 added a change(i) that we need to know if the accessible has a name to determine the role in the case of role=region.
3. Because the element is a table, Accessible::Name calls HTMLTableAccessible::NativeName
4. HTMLTableAccessible::NativeName tries to determine the "table" name by retrieving the caption(ii).
5. HTMLTableAccessible::Caption checks to see if the table's first child is a caption(iii)
6. The first child is a tr@role=option, so Accessible::ARIATransformRole is called on it with a role of "option"
7. In order to know if the child should indeed have an "option" role, ARIATransformRole checks for the parent's role, which is table@role=region, so we end up in step 1(iv).
i. https://hg.mozilla.org/mozilla-central/rev/2286518951eb
ii. https://searchfox.org/mozilla-central/rev/2031c0f517185b2bd0e8f6f92f9491b3410c1f7f/accessible/html/HTMLTableAccessible.cpp#429
iii. https://searchfox.org/mozilla-central/rev/2031c0f517185b2bd0e8f6f92f9491b3410c1f7f/accessible/html/HTMLTableAccessible.cpp#483
iv. https://searchfox.org/mozilla-central/rev/2031c0f517185b2bd0e8f6f92f9491b3410c1f7f/accessible/generic/Accessible.cpp#1485
Assignee
Updated•7 years ago
Assignee: eitan → nobody
Flags: needinfo?(eitan)
Updated•7 years ago
Whiteboard: a11y:crash
Reporter
Updated•5 years ago
status-firefox71: --- → wontfix
status-firefox72: --- → affected
status-firefox73: --- → affected
status-firefox-esr68: --- → affected
Reporter
Comment 5•4 years ago
Marking as fuzzblocker because this is hit frequently by the fuzzers.
status-firefox86: --- → wontfix
status-firefox87: --- → affected
status-firefox88: --- → affected
status-firefox-esr78: --- → affected
Whiteboard: a11y:crash → [a11y:crash][fuzzblocker]
Assignee
Updated•4 years ago
Assignee: nobody → eitan
Assignee
Comment 6•4 years ago
Pushed by eisaacson@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/bc4bc30be17e
Only return HTML captions as HTML table captions. r=morgan
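The cycle traced in comment 4, modelled as an added example (not Gecko code and not part of the bug): `Node`, `RegionTableRole`, the depth guard and the role strings are hypothetical. The tag-based caption check is one reading of the commit title above, an assumption rather than the landed patch.

```cpp
// Added toy model of the cycle; not Gecko code. Names and role strings are hypothetical.
#include <iostream>
#include <stdexcept>
#include <string>
#include <vector>

struct Node {
  std::string tag, aria;  // HTML tag name and role="" attribute value
  Node* parent = nullptr;
  std::vector<Node*> kids;
  Node(std::string t, std::string a) : tag(t), aria(a) {}
};
static const int kMaxDepth = 64;    // stand-in for running out of stack
static bool gCaptionByTag = false;  // false: caption found by computed role
std::string Role(Node* n, int depth);

// HTMLTableAccessible::Caption analogue: is the first child a caption?
Node* Caption(Node* table, int depth) {
  if (table->kids.empty()) return nullptr;
  Node* first = table->kids[0];
  if (gCaptionByTag) return first->tag == "caption" ? first : nullptr;
  return Role(first, depth + 1) == "caption" ? first : nullptr;  // re-enters Role
}

// Accessible::Name analogue: a table takes its native name from its caption.
bool HasName(Node* n, int depth) {
  return n->tag == "table" && Caption(n, depth + 1) != nullptr;
}

// Accessible::Role / ARIATransformRole analogue.
std::string Role(Node* n, int depth) {
  if (depth > kMaxDepth) throw std::runtime_error("role/name cycle");
  if (n->aria == "region")  // role=region is kept only if the node has a name
    return HasName(n, depth + 1) ? "region" : "section";
  if (n->aria == "option" && n->parent)  // option consults the parent's role
    return Role(n->parent, depth + 1) == "listbox" ? "listbox option" : "option";
  return n->aria.empty() ? n->tag : n->aria;
}

// Builds table@role=region > tr@role=option and computes the table's role.
std::string RegionTableRole(bool captionByTag) {
  Node table("table", "region"), row("tr", "option");
  row.parent = &table;
  table.kids.push_back(&row);
  gCaptionByTag = captionByTag;
  try { return Role(&table, 0); }
  catch (const std::runtime_error&) { return "<cycle>"; }
}
int main() { std::cout << RegionTableRole(false) << " " << RegionTableRole(true) << "\n"; }
```

With the role-based lookup the guard trips, which is the repeating Role, Name, NativeName, Caption frame pattern in the ASan trace; with the tag-based lookup the table simply has no caption and no name.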
Comment 8•4 years ago
bugherder
Status: NEW → RESOLVED
Closed: 4 years ago
Resolution: --- → FIXED
Target Milestone: --- → 88 Branch
Comment 9•4 years ago
The patch landed in nightly and beta is affected.
:eeejay, is this bug important enough to require an uplift?
If not please set status_beta to wontfix.
For more information, please visit auto_nag documentation.
Flags: needinfo?(eitan)
Assignee
Updated•4 years ago
Flags: needinfo?(eitan)
Updated•4 years ago