Closed Bug 268935 Opened 20 years ago Closed 18 years ago

calling createHTMLTextAccessible from JS crashes mozilla & firefox [@ nsHTMLDocument::StartDocumentLoad]

Categories: Core :: Disability Access APIs, defect
Platform: x86 / All
Priority: Not set
Severity: critical
Status: RESOLVED FIXED
Target Milestone: mozilla1.9alpha8
People: Reporter: sabetts, Assigned: aaronlev
Keywords: crash, testcase
Attachments: 3 files, 1 obsolete file

User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.5) Gecko/20041103 Firefox/1.0RC2
Build Identifier: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.5) Gecko/20041103 Firefox/1.0RC2

<html>
<body>
<div id="crashid">crash me</div>.
<script>
try {
  node = document.getElementById("crashid").firstChild;
  var acc = Components.classes["@mozilla.org/accessibilityService;1"]
              .createInstance(Components.interfaces.nsIAccessibilityService);
  var acc_node = acc.createHTMLTextAccessible(node);
  document.write(acc_node);
} catch(e) { document.write(e); }
</script>
</body>
</html>

Open the above html page as chrome. Watch mozilla & firefox crash and burn.

Reproducible: Always

Steps to Reproduce:

Actual Results: it crashes.

Expected Results: it doesn't crash.
Attached file Testcase (deleted) —
It doesn't crash here (Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.5) Gecko/20041109 Firefox/1.0). It returns: . Permission denied to get property UnnamedClass.classes
You have to install it as chrome so it has access to XPCOM.
steps:
1. open dom inspector
2. in the url field enter: data:text/html,<html><body><div id="crashid">crash me</div>.</body></html>
3. select the #document node.
4. select object - javascript object
5. right click target
6. click evaluate javascript
7. enter:
   var document=target; try{ node = document.getElementById("crashid").firstChild; var acc = Components.classes["@mozilla.org/accessibilityService;1"].createInstance(Components.interfaces.nsIAccessibilityService); var acc_node = acc.createHTMLTextAccessible(node); document.write(acc_node);} catch(e) {document.write(e);}
8. click evaluate
Keywords: crash, talkbackid
Whiteboard: TB1863622Q
Stack Signature: nsHTMLDocument::StartDocumentLoad dfdd1263
Product ID: MozillaTrunk
Build ID: 2004110805
Trigger Time: 2004-11-10 14:37:14.0
Platform: Win32
Operating System: Windows NT 5.1 build 2600
Module: gklayout.dll + (000d82eb)
URL visited: data:text/html,<html><body><div id="crashid">crash me</div>.</body></html>
User Comments: inspect that url in domi. select the #document node. select javascript object. right click and evaluate javascript. enter: var document=target; try{ node = document.getElementById("crashid").firstChild; var acc =
Since Last Crash: 1658 sec
Total Uptime: 1676 sec
Trigger Reason: Access violation
Source File, Line No.: c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/content/html/document/src/nsHTMLDocument.cpp, line 695

Stack Trace:
nsHTMLDocument::StartDocumentLoad [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/content/html/document/src/nsHTMLDocument.cpp, line 695]
nsAccessibilityService::GetInfo [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/accessible/src/base/nsAccessibilityService.cpp, line 226]
nsAccessibilityService::CreateHTMLTextAccessible [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/accessible/src/base/nsAccessibilityService.cpp, line 828]
XPTC_InvokeByIndex [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/xpcom/reflect/xptcall/src/md/win32/xptcinvoke.cpp, line 102]
XPCWrappedNative::CallMethod [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/js/src/xpconnect/src/xpcwrappednative.cpp, line 2036]
XPC_WN_CallMethod [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/js/src/xpconnect/src/xpcwrappednativejsops.cpp, line 1288]
js_Invoke [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/js/src/jsinterp.c, line 1288]
js_Interpret [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/js/src/jsinterp.c, line 3509]
js_Invoke [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/js/src/jsinterp.c, line 1307]
js_InternalInvoke [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/js/src/jsinterp.c, line 1430]
JS_CallFunctionValue [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/js/src/jsapi.c, line 3758]
nsJSContext::CallEventHandler [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/dom/src/base/nsJSEnvironment.cpp, line 1346]
nsJSEventListener::HandleEvent [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/dom/src/events/nsJSEventListener.cpp, line 181]
nsEventListenerManager::HandleEventSubType [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/content/events/src/nsEventListenerManager.cpp, line 1513]
nsEventListenerManager::HandleEvent [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/content/events/src/nsEventListenerManager.cpp, line 1589]
nsXULElement::HandleDOMEvent [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/content/xul/content/src/nsXULElement.cpp, line 2820]
PresShell::HandleDOMEventWithTarget [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/layout/html/base/src/nsPresShell.cpp, line 6037]
nsButtonBoxFrame::MouseClicked [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/layout/xul/base/src/nsButtonBoxFrame.cpp, line 178]
nsButtonBoxFrame::HandleEvent [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/layout/xul/base/src/nsButtonBoxFrame.cpp, line 147]
PresShell::HandleEventInternal [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/layout/html/base/src/nsPresShell.cpp, line 6008]
PresShell::HandleEventWithTarget [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/layout/html/base/src/nsPresShell.cpp, line 5876]
nsEventStateManager::CheckForAndDispatchClick [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/content/events/src/nsEventStateManager.cpp, line 2942]
nsEventStateManager::PostHandleEvent [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/content/events/src/nsEventStateManager.cpp, line 1936]
PresShell::HandleEventInternal [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/layout/html/base/src/nsPresShell.cpp, line 6013]
PresShell::HandleEvent [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/layout/html/base/src/nsPresShell.cpp, line 5845]
nsViewManager::HandleEvent [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/view/src/nsViewManager.cpp, line 2404]
nsViewManager::DispatchEvent [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/view/src/nsViewManager.cpp, line 2133]
HandleEvent [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/view/src/nsView.cpp, line 166]
nsWindow::DispatchEvent [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/widget/src/windows/nsWindow.cpp, line 1078]
nsWindow::DispatchWindowEvent [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/widget/src/windows/nsWindow.cpp, line 1095]
nsWindow::DispatchMouseEvent [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/widget/src/windows/nsWindow.cpp, line 5329]
ChildWindow::DispatchMouseEvent [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/widget/src/windows/nsWindow.cpp, line 5581]
nsWindow::ProcessMessage [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/widget/src/windows/nsWindow.cpp, line 4091]
nsWindow::WindowProc [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/widget/src/windows/nsWindow.cpp, line 1356]
USER32.dll + 0x8709 (0x77d48709)
USER32.dll + 0x87eb (0x77d487eb)
USER32.dll + 0x89a5 (0x77d489a5)
USER32.dll + 0x89e8 (0x77d489e8)
nsAppShell::Run [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/widget/src/windows/nsAppShell.cpp, line 159]
nsAppStartup::Run [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/xpfe/components/startup/src/nsAppStartup.cpp, line 221]
main1 [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/xpfe/bootstrap/nsAppRunner.cpp, line 1331]
main [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/xpfe/bootstrap/nsAppRunner.cpp, line 1802]
WinMain [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/xpfe/bootstrap/nsAppRunner.cpp, line 1828]
WinMainCRTStartup()
kernel32.dll + 0x16d4f (0x7c816d4f)

stack trace does not look happy,
Keywords: talkbackid
Summary: calling createHTMLTextAccessible from JS crashes mozilla & firefox → calling createHTMLTextAccessible from JS crashes mozilla & firefox [@ nsHTMLDocument::StartDocumentLoad]
(In reply to comment #3) Ok, that's confirmed (Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.5) Gecko/20041109 Firefox/1.0)
OS: Linux → All
The accessibility code doesn't seem to FlushPendingNotifications() anywhere. It should, if it's going to grab layout objects, imo.
Keywords: talkbackid
Keywords: talkbackid
Whiteboard: TB1863622Q
This is an automated message, with ID "auto-resolve01". This bug has had no comments for a long time. Statistically, we have found that bug reports that have not been confirmed by a second user after three months are highly unlikely to be the source of a fix to the code. While your input is very important to us, our resources are limited and so we are asking for your help in focussing our efforts. If you can still reproduce this problem in the latest version of the product (see below for how to obtain a copy) or, for feature requests, if it's not present in the latest version and you still believe we should implement it, please visit the URL of this bug (given at the top of this mail) and add a comment to that effect, giving more reproduction information if you have it. If it is not a problem any longer, you need take no action. If this bug is not changed in any way in the next two weeks, it will be automatically resolved. Thank you for your help in this matter. The latest beta releases can be obtained from: Firefox: http://www.mozilla.org/projects/firefox/ Thunderbird: http://www.mozilla.org/products/thunderbird/releases/1.5beta1.html Seamonkey: http://www.mozilla.org/projects/seamonkey/
Target Milestone: --- → mozilla1.9beta
This testcase uses enhanced privileges; you only need to download it to your computer and open it to see the crash.

Talkback ID: TB32163173G
nsCOMPtr<nsIWritableVariant>::nsCOMPtr<nsIWritableVariant> [mozilla/dist/include/xpcom/nscomptr.h, line 627]
nsAccessibilityService::CreateHTMLTextAccessible [mozilla/accessible/src/base/nsaccessibilityservice.cpp, line 813]
NS_InvokeByIndex_P [mozilla/xpcom/reflect/xptcall/src/md/win32/xptcinvoke.cpp, line 102]
XPCWrappedNative::CallMethod [mozilla/js/src/xpconnect/src/xpcwrappednative.cpp, line 2245]
Status: UNCONFIRMED → NEW
Ever confirmed: true
Keywords: testcase
Actually, that interface shouldn't be scriptable. Only nsIAccessibleRetrieval needs to be.
Attached patch Make nsIAccessibilityService not scriptable (obsolete) (deleted) — Splinter Review
Attachment #264886 - Flags: review?(surkov.alexander)
Comment on attachment 264886 [details] [diff] [review]
Make nsIAccessibilityService not scriptable

Doh, it does need to be scriptable because of XBL, but perhaps not all of the methods need to be.
Attachment #264886 - Flags: review?(surkov.alexander) → review-
Comment on attachment 264889 [details] [diff] [review]
I was right the first time, but our XBL should be returning accessible type. Anything that needs an accessible should use nsIAccessibleRetrieval

r=me, though I wonder whether it actually fixes the bug. Does the crash happen when the accessible is cast to a string (I suppose document.write does it) or when the accessible is created?
Attachment #264889 - Flags: review?(surkov.alexander) → review+
Well, I don't really see any way that nsAccessibilityService::GetInfo() could call StartDocumentLoad() as the stack trace says. To me it looks like an interface mismatch -- it seems like the build should be made with distclean to be sure.
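The interface-mismatch reading in the comment above, as an added illustration that is not code from this bug, its patches, or Mozilla: a caller compiled against one method-table layout dispatches into an object built with another, so the slot it believes is GetInfo lands on an unrelated method. The type names, slot numbers and "iid" values are assumptions made for the demo; the guarded variant shows the check a caller can make when the object carries its layout identity.

```c
/*
 * Added illustration, not Mozilla code: a caller compiled against one vtable
 * layout dispatching into an object built with another. Names, slot numbers
 * and "iid" values are assumptions made for the demo.
 */
#include <stdio.h>

typedef struct Obj Obj;
typedef int (*Method)(Obj *self);

/* An object carries its method table, like a C++ vtable, plus the identity
 * of the layout it was built with (XPCOM uses an IID for this purpose). */
struct Obj {
    const Method *vtbl;
    unsigned      nslots;
    unsigned      iid;
};

static int get_info(Obj *o)               { (void)o; return 1; }
static int create_text_accessible(Obj *o) { (void)o; return 2; }
static int start_document_load(Obj *o)    { (void)o; return 3; }

/* Layout the caller was compiled against (an older header). */
enum { OLD_SLOT_GETINFO = 0, OLD_SLOT_CREATE = 1, OLD_NSLOTS = 2, OLD_IID = 0x1001 };
static const Method old_vtbl[OLD_NSLOTS] = { get_info, create_text_accessible };

/* Layout after a method was inserted at the front; every later slot shifts. */
enum { NEW_NSLOTS = 3, NEW_IID = 0x1002 };
static const Method new_vtbl[NEW_NSLOTS] = { start_document_load, get_info, create_text_accessible };

Obj make_old_object(void) { Obj o = { old_vtbl, OLD_NSLOTS, OLD_IID }; return o; }
Obj make_new_object(void) { Obj o = { new_vtbl, NEW_NSLOTS, NEW_IID }; return o; }

/* Stale caller: trusts the slot number from the header it was built with. */
int stale_get_info(Obj *o)
{
    return o->vtbl[OLD_SLOT_GETINFO](o);
}

/* Guarded caller: refuses to dispatch unless the object's layout identity
 * matches the layout this code was compiled against. Returns -1 on mismatch. */
int guarded_get_info(Obj *o)
{
    if (o->iid != OLD_IID || o->nslots != OLD_NSLOTS)
        return -1;
    return o->vtbl[OLD_SLOT_GETINFO](o);
}

/* Named scenarios so the outcomes can be checked without printing. */
int stale_on_matching_layout(void)   { Obj o = make_old_object(); return stale_get_info(&o); }
int stale_on_shifted_layout(void)    { Obj o = make_new_object(); return stale_get_info(&o); }
int guarded_on_matching_layout(void) { Obj o = make_old_object(); return guarded_get_info(&o); }
int guarded_on_shifted_layout(void)  { Obj o = make_new_object(); return guarded_get_info(&o); }

int main(void)
{
    printf("stale caller, matching layout:  method %d (GetInfo)\n", stale_on_matching_layout());
    printf("stale caller, shifted layout:   method %d (not GetInfo)\n", stale_on_shifted_layout());
    printf("guarded caller, shifted layout: %d (refused)\n", guarded_on_shifted_layout());
    return 0;
}
```

The stale caller on the shifted layout reaches start_document_load while believing it called get_info, which is the shape of the stack above. XPCOM identifies an interface by its IID and expects a changed interface to get a new one; object files left over from a partial rebuild still carry the old layout, and no runtime check can see that, which is why a clean rebuild is the remedy the comment suggests.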
Okay, the interface is no longer scriptable. Should I mark it fixed, or should we figure out how this corruption is occurring where nsAccessibilityService::GetInfo() is calling a method it doesn't even have?
Status: NEW → RESOLVED
Closed: 18 years ago
Resolution: --- → FIXED
Crash Signature: [@ nsHTMLDocument::StartDocumentLoad]