stack-overflow in [@ mozilla::a11y::LocalAccessible::ApplyARIAState]
Categories
(Core :: Disability Access APIs, defect)
Tracking
Release | Tracking | Status
---|---|---
firefox-esr102 | --- | unaffected
firefox-esr115 | --- | unaffected
firefox114 | --- | unaffected
firefox115 | --- | unaffected
firefox116 | --- | verified
People
(Reporter: tsmith, Assigned: Jamie)
References
(Blocks 1 open bug, Regression)
Details
(Keywords: crash, regression, testcase, Whiteboard: [ctw-postship][bugmon:bisected,confirmed])
Attachments
(3 files)
Found while fuzzing m-c 20230608-256876c3862b (--enable-address-sanitizer --enable-fuzzing)
To reproduce via Grizzly Replay:
$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch -a --fuzzing -n firefox
$ python -m grizzly.replay ./firefox/firefox testcase.html
==83044==ERROR: AddressSanitizer: stack-overflow on address 0x7ffe4c31cff8 (pc 0x7fce25b86fa8 bp 0x7ffe4c31d010 sp 0x7ffe4c31d000 T0)
#0 0x7fce25b86fa8 in mozilla::span_details::span_iterator<mozilla::Span<AttrArray::InternalAttr const, 18446744073709551615ul>, false>::operator*() const /builds/worker/workspace/obj-build/dist/include/mozilla/Span.h:142
#1 0x7fce25b86c5d in AttrArray::GetAttr(nsAtom const*, int) const /builds/worker/checkouts/gecko/dom/base/AttrArray.cpp:41:35
#2 0x7fce25b8c7cb in AttrArray::FindAttrValueIn(int, nsAtom const*, nsStaticAtom* const*, nsCaseTreatment) const /builds/worker/checkouts/gecko/dom/base/AttrArray.cpp:531:28
#3 0x7fce322a44e9 in mozilla::a11y::nsAccUtils::FindARIAAttrValueIn(mozilla::dom::Element*, nsAtom const*, nsStaticAtom* const*, nsCaseTreatment) /builds/worker/checkouts/gecko/accessible/base/nsAccUtils.cpp:613:29
#4 0x7fce32252fa6 in MapEnumType(mozilla::dom::Element*, unsigned long*, EnumTypeData const&) /builds/worker/checkouts/gecko/accessible/base/ARIAStateMap.cpp:294:11
#5 0x7fce32250044 in mozilla::a11y::aria::MapToState(mozilla::a11y::aria::EStateRule, mozilla::dom::Element*, unsigned long*) /builds/worker/checkouts/gecko/accessible/base/ARIAStateMap.cpp
#6 0x7fce3224fc0b in mozilla::a11y::aria::UniversalStatesFor(mozilla::dom::Element*) /builds/worker/checkouts/gecko/accessible/base/ARIAMap.cpp:1504:10
#7 0x7fce32311237 in mozilla::a11y::LocalAccessible::ApplyARIAState(unsigned long*) const /builds/worker/checkouts/gecko/accessible/generic/LocalAccessible.cpp:1543:14
#8 0x7fce32311730 in mozilla::a11y::LocalAccessible::ApplyARIAState(unsigned long*) const /builds/worker/checkouts/gecko/accessible/generic/LocalAccessible.cpp:1615:13
#9 0x7fce32311730 in mozilla::a11y::LocalAccessible::ApplyARIAState(unsigned long*) const /builds/worker/checkouts/gecko/accessible/generic/LocalAccessible.cpp:1615:13
#10 0x7fce32311730 in mozilla::a11y::LocalAccessible::ApplyARIAState(unsigned long*) const /builds/worker/checkouts/gecko/accessible/generic/LocalAccessible.cpp:1615:13
Comment 1•1 year ago (Reporter)
prefs.js file for bugmon
Updated•1 year ago (Assignee)
Comment 2•1 year ago
Set release status flags based on info from the regressing bug 1832228
Comment 3•1 year ago (Assignee)
This can only happen due to authoring error; <table role=gridcell> outside an ARIA grid isn't valid.
Nevertheless, we would previously recurse infinitely in this case in ApplyARIAState.
Prevent this by not recursing if IsTable() is true.
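As an added illustration (not Gecko code, and not the bug's testcase or patch), the C++ model below shows the recursion pattern comment 3 describes and the guard the fix describes: a grid cell inherits state from its containing table by calling ApplyARIAState on that table, and a cell that is itself a table ends up calling itself. The model assumes that the containing-table lookup, started from a node that is both a gridcell and a table, resolves to the node itself; Node, TableFor, kDepthLimit, the state bit and the sample document are inventions of the model, not Firefox's implementation.

```cpp
// Added model of the ApplyARIAState recursion in this bug, not Gecko code.
// Everything here (Node, TableFor, kDepthLimit, STATE_READONLY) is an
// assumption of the model; the real accessible tree is far richer.
#include <cstdint>
#include <memory>
#include <string>
#include <utility>
#include <vector>

constexpr uint64_t STATE_READONLY = 1u << 0;
constexpr int kDepthLimit = 64;  // stands in for the real stack limit (model assumption)

struct Node {
  std::string tag;   // element name, e.g. "table", "td", "div"
  std::string role;  // ARIA role attribute, empty if none
  bool readOnly = false;
  Node* parent = nullptr;
  std::vector<std::unique_ptr<Node>> children;

  Node* Add(std::string t, std::string r = "", bool ro = false) {
    children.push_back(std::make_unique<Node>());
    Node* c = children.back().get();
    c->tag = std::move(t);
    c->role = std::move(r);
    c->readOnly = ro;
    c->parent = this;
    return c;
  }
  bool IsTable() const { return tag == "table" || role == "grid"; }
  bool IsGridCell() const { return role == "gridcell"; }
};

// Nearest table accessible, starting at the node itself. The model's key
// assumption: started from a cell that is also a table, the lookup returns
// that same cell, which is what makes the recursion cyclic.
Node* TableFor(Node* n) {
  for (Node* cur = n; cur; cur = cur->parent)
    if (cur->IsTable()) return cur;
  return nullptr;
}

// One ApplyARIAState call: computed state bits, plus whether the model hit
// its depth limit (the stand-in for the ASan stack-overflow in comment 0).
struct Result { uint64_t state = 0; bool overflowed = false; };

// Before the fix: a grid cell inherits read-only from its containing table by
// recursing into the table's ApplyARIAState. If TableFor(cell) == cell, this
// never terminates; depth exists only so the model can stop instead of crash.
Result ApplyARIAStateBuggy(Node* n, int depth = 0) {
  Result r;
  if (depth > kDepthLimit) { r.overflowed = true; return r; }
  if (n->readOnly) r.state |= STATE_READONLY;
  if (n->IsGridCell()) {
    if (Node* table = TableFor(n)) {
      Result t = ApplyARIAStateBuggy(table, depth + 1);
      r.state |= t.state & STATE_READONLY;
      r.overflowed |= t.overflowed;
    }
  }
  return r;
}

// After the fix: do not recurse on a grid cell that is itself a table.
Result ApplyARIAStateFixed(Node* n, int depth = 0) {
  Result r;
  if (depth > kDepthLimit) { r.overflowed = true; return r; }
  if (n->readOnly) r.state |= STATE_READONLY;
  if (n->IsGridCell() && !n->IsTable()) {
    if (Node* table = TableFor(n)) {
      Result t = ApplyARIAStateFixed(table, depth + 1);
      r.state |= t.state & STATE_READONLY;
      r.overflowed |= t.overflowed;
    }
  }
  return r;
}

// Constructed document (not the bug's attachment): a valid read-only ARIA
// grid with one cell, and, outside it, the invalid <table role="gridcell">.
struct Doc {
  std::unique_ptr<Node> root;
  Node* validCell = nullptr;
  Node* tableCell = nullptr;
};

Doc BuildDoc() {
  Doc d;
  d.root = std::make_unique<Node>();
  d.root->tag = "body";
  Node* grid = d.root->Add("div", "grid", /*readOnly=*/true);
  Node* row = grid->Add("div", "row");
  d.validCell = row->Add("div", "gridcell");
  d.tableCell = d.root->Add("table", "gridcell");
  return d;
}

int main() {
  Doc d = BuildDoc();
  Result a = ApplyARIAStateBuggy(d.tableCell);  // cycles until kDepthLimit
  Result b = ApplyARIAStateFixed(d.tableCell);  // terminates with no inherited state
  Result c = ApplyARIAStateFixed(d.validCell);  // still inherits READONLY from the grid
  return (a.overflowed && !b.overflowed && (c.state & STATE_READONLY)) ? 0 : 1;
}
```

In the browser there is no depth counter: the recursion simply consumes the stack until AddressSanitizer reports the stack-overflow shown in comment 0 (frames #7 through #10 are the same ApplyARIAState call site). The guard on IsTable() leaves the valid-grid path untouched, which is why the model checks that a cell inside a proper grid still inherits the grid's state after the fix.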
Comment 4•1 year ago
Verified bug as reproducible on mozilla-central 20230615041042-ff79aa6f7ba8.
The bug appears to have been introduced in the following build range:
Start: c7b58ffeb92bc7c684aebb8f162b5816c8bc013b (20230608091506)
End: a86d5a3f177d480362c07a9ed34166ae41840ab6 (20230608105722)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=c7b58ffeb92bc7c684aebb8f162b5816c8bc013b&tochange=a86d5a3f177d480362c07a9ed34166ae41840ab6
Pushed by jteh@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/ce515a51b915 Don't recurse in ApplyARIAState on a grid cell if the cell is also a table. r=nlapre
Comment 6•1 year ago (bugherder)
Comment 7•1 year ago
Verified bug as fixed on rev mozilla-central 20230616040643-6bc2d3f9b1aa.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.
Comment 8•1 year ago
Set release status flags based on info from the regressing bug 1832228