Steps to reproduce:
- Open this test case in Firefox:
data:text/html,<body onkeydown="if (event.key == 'ArrowDown') { let oldActive = owner.getAttribute('aria-activedescendant'); let newActive = oldActive == 'item1' ? 'item2' : 'item1'; owner.setAttribute('aria-owns', newActive); owner.setAttribute('aria-activedescendant', newActive); }"><div role="listbox"><div id="item1" role="option"><div>item1</div></div><div id="item2" role="option"><div>item2</div></div></div><div id="owner" role="listbox" tabindex="0" aria-owns="item1" aria-activedescendant="item1"><div></div></div></body>
- Tab so that the list box option has focus.
- Switch to focus mode.
- Press down arrow. If no crash, press down arrow again.
Actual behavior:
Crash in VBufStorage_buffer_t::getLineOffsets. For example: https://crash-stats.mozilla.org/report/index/d669328d-964a-42e0-ac10-ea9420190909
Expected behavior:
No crash.
System configuration
NVDA installed/portable/running from source:
Installed.
NVDA version:
alpha-18290,7b5cd2d0
Windows version:
Windows 10 Version 1903 (OS Build 18362.10015)
Name and version of other software in use when reproducing the issue:
Firefox nightly 71.0a1 (2019-09-08) (64-bit)
Other questions
Does the issue still occur after restarting your PC?
Yes.
Have you tried any other versions of NVDA? If so, please report their behaviors.
No.
Additional info
I wrote this test case in attempting to distill an issue experienced on Gmail. The Gmail crash occurs in VBufStorage_buffer_t::deleteSubtree. While different, I'm guessing it's related; these are both to do with buffer corruption. I'm hoping a fix for the test case above will deal with the Gmail crash too. If not, I can file a separate bug for the Gmail crash.
The Gmail crash was reported by @MarcoZehe in https://bugzilla.mozilla.org/show_bug.cgi?id=1579610 . Here are the STR he provided (and I can immediately reproduce this too):
- Log into Gmail.
- Open a conversation.
- Open the More menu inside the conversation view, and choose "Filter these messages".
- Accept whatever it presents you and choose the Create Filter link at the bottom.
- On the next page, check the box that says Apply Label.
- Tab once to the Choose Label dropdown, and choose a label by arrowing to it and pressing Enter.
- Expected: Focus should return to the closed dropdown where the label has been chosen.
- Actual: Either Firefox crashes, and NVDA keeps running, or Firefox and NVDA close down altogether, and no crash reporter comes up. I had both happen to me, and one instance where only Firefox crashed, brought up the above crash report.
CC @michaelDCurran.