Closed Bug 1838540 Opened 1 year ago Closed 1 year ago

stack-overflow in [@ mozilla::a11y::LocalAccessible::ApplyARIAState]

Categories

(Core :: Disability Access APIs, defect)

Product:
Core
Component:
Disability Access APIs
Type:
defect

Tracking

()

Status:
VERIFIED FIXED
Milestone:
116 Branch
Tracking Flags:
Tracking Status
firefox-esr102 --- unaffected
firefox-esr115 --- unaffected
firefox114 --- unaffected
firefox115 --- unaffected
firefox116 --- verified

People

(Reporter: tsmith, Assigned: Jamie)

References

(Blocks 1 open bug, Regression)

Details

(Keywords: crash, regression, testcase, Whiteboard: [ctw-postship][bugmon:bisected,confirmed])

Attachments

(3 files)

testcase.html
(deleted), text/html
Details
prefs.js
(deleted), application/x-javascript
Details
Bug 1838540: Don't recurse in ApplyARIAState on a grid cell if the cell is also a table.
(deleted), text/x-phabricator-request
Details
Attached file testcase.html (deleted) —

Found while fuzzing m-c 20230608-256876c3862b (--enable-address-sanitizer --enable-fuzzing)

To reproduce via Grizzly Replay:

$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch -a --fuzzing -n firefox
$ python -m grizzly.replay ./firefox/firefox testcase.html

==83044==ERROR: AddressSanitizer: stack-overflow on address 0x7ffe4c31cff8 (pc 0x7fce25b86fa8 bp 0x7ffe4c31d010 sp 0x7ffe4c31d000 T0)
    #0 0x7fce25b86fa8 in mozilla::span_details::span_iterator<mozilla::Span<AttrArray::InternalAttr const, 18446744073709551615ul>, false>::operator*() const /builds/worker/workspace/obj-build/dist/include/mozilla/Span.h:142
    #1 0x7fce25b86c5d in AttrArray::GetAttr(nsAtom const*, int) const /builds/worker/checkouts/gecko/dom/base/AttrArray.cpp:41:35
    #2 0x7fce25b8c7cb in AttrArray::FindAttrValueIn(int, nsAtom const*, nsStaticAtom* const*, nsCaseTreatment) const /builds/worker/checkouts/gecko/dom/base/AttrArray.cpp:531:28
    #3 0x7fce322a44e9 in mozilla::a11y::nsAccUtils::FindARIAAttrValueIn(mozilla::dom::Element*, nsAtom const*, nsStaticAtom* const*, nsCaseTreatment) /builds/worker/checkouts/gecko/accessible/base/nsAccUtils.cpp:613:29
    #4 0x7fce32252fa6 in MapEnumType(mozilla::dom::Element*, unsigned long*, EnumTypeData const&) /builds/worker/checkouts/gecko/accessible/base/ARIAStateMap.cpp:294:11
    #5 0x7fce32250044 in mozilla::a11y::aria::MapToState(mozilla::a11y::aria::EStateRule, mozilla::dom::Element*, unsigned long*) /builds/worker/checkouts/gecko/accessible/base/ARIAStateMap.cpp
    #6 0x7fce3224fc0b in mozilla::a11y::aria::UniversalStatesFor(mozilla::dom::Element*) /builds/worker/checkouts/gecko/accessible/base/ARIAMap.cpp:1504:10
    #7 0x7fce32311237 in mozilla::a11y::LocalAccessible::ApplyARIAState(unsigned long*) const /builds/worker/checkouts/gecko/accessible/generic/LocalAccessible.cpp:1543:14
    #8 0x7fce32311730 in mozilla::a11y::LocalAccessible::ApplyARIAState(unsigned long*) const /builds/worker/checkouts/gecko/accessible/generic/LocalAccessible.cpp:1615:13
    #9 0x7fce32311730 in mozilla::a11y::LocalAccessible::ApplyARIAState(unsigned long*) const /builds/worker/checkouts/gecko/accessible/generic/LocalAccessible.cpp:1615:13
    #10 0x7fce32311730 in mozilla::a11y::LocalAccessible::ApplyARIAState(unsigned long*) const /builds/worker/checkouts/gecko/accessible/generic/LocalAccessible.cpp:1615:13
Flags: in-testsuite?
Attached file prefs.js (deleted) —

prefs.js file for bugmon

Assignee: nobody → jteh
Severity: -- → S2
Keywords: regression
Regressed by: 1832228
Whiteboard: [ctw-postship]

Set release status flags based on info from the regressing bug 1832228

status-firefox114: --- → unaffected
status-firefox115: --- → unaffected
status-firefox-esr102: --- → unaffected

This can only happen due to authoring error; <table role=gridcell outside of an ARIA grid isn't valid.
Nevertheless, we would previously recurse infinitely in this case in ApplyARIAState.
Prevent this by not recursing if IsTable() is true.

Verified bug as reproducible on mozilla-central 20230615041042-ff79aa6f7ba8.
The bug appears to have been introduced in the following build range:

Start: c7b58ffeb92bc7c684aebb8f162b5816c8bc013b (20230608091506)
End: a86d5a3f177d480362c07a9ed34166ae41840ab6 (20230608105722)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=c7b58ffeb92bc7c684aebb8f162b5816c8bc013b&tochange=a86d5a3f177d480362c07a9ed34166ae41840ab6

Whiteboard: [ctw-postship] → [ctw-postship][bugmon:bisected,confirmed]
Pushed by jteh@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/ce515a51b915
Don't recurse in ApplyARIAState on a grid cell if the cell is also a table. r=nlapre

https://hg.mozilla.org/mozilla-central/rev/ce515a51b915

Status: NEW → RESOLVED
Closed: 1 year ago
status-firefox116: affectedfixed
Resolution: --- → FIXED
Target Milestone: --- → 116 Branch

Verified bug as fixed on rev mozilla-central 20230616040643-6bc2d3f9b1aa.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Status: RESOLVED → VERIFIED
status-firefox116: fixedverified
Keywords: bugmon

Set release status flags based on info from the regressing bug 1832228

status-firefox-esr115: --- → unaffected
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: