109524 2013-02-11 17:09:45 -0800 AX: crash when accessing AccessibilityScrollbar after page has been unloaded 2013-02-12 22:18:11 -0800 1 1 1 Unclassified WebKit Accessibility 528+ (Nightly build) Unspecified Unspecified RESOLVED FIXED P2 Normal --- 1 cfleizach cfleizach aboxhall apinheiro dmazzoni jdiggs rniwa webkit.review.bot oldest_to_newest 830356 0 cfleizach 2013-02-11 17:09:45 -0800 1. start Voiceover 2. navigate to http://www.w3.org/Math/testsuite/build/main/Characters/Blocks/00000_C0_Controls_and_Basic_Latin-full.xhtml 3. make sure you are interacted with the web page 4. turn off quicknav 5. press right arrow to go to the next test in the suite 6. after no more than two or three presses of right arrow safari gives the attached crash Thread 0 Crashed:: Dispatch queue: com.apple.main-thread 0 com.apple.WebCore 0x000000010b316370 WebCore::AccessibilityScrollbar::document() const + 80 (AccessibilityScrollbar.cpp:63) 1 com.apple.WebCore 0x000000010b304439 WebCore::AccessibilityObject::updateBackingStore() + 25 (AccessibilityObject.cpp:1132) 2 com.apple.WebCore 0x000000010ce134b9 -[WebAccessibilityObjectWrapper updateObjectBackingStore] + 121 (WebAccessibilityObjectWrapper.mm:398) 3 com.apple.WebCore 0x000000010ce1b766 -[WebAccessibilityObjectWrapper accessibilityAttributeValue:] + 54 (WebAccessibilityObjectWrapper.mm:2045) 4 com.apple.AppKit 0x00007fff88abb18e -[NSObject(NSAccessibilityInternal) _accessibilityValueForAttribute:clientError:] + 228 5 com.apple.AppKit 0x00007fff88abee46 CopyAppKitUIElementAttributeValueNoCatch + 53 6 com.apple.AppKit 0x00007fff88abc521 CopyAttributeValue + 359 7 com.apple.HIServices 0x00007fff8353e90d _AXXMIGCopyAttributeValue + 221 8 com.apple.HIServices 0x00007fff8354516a _XCopyAttributeValue + 333 9 com.apple.HIServices 0x00007fff83523f4e mshMIGPerform + 443 10 com.apple.CoreFoundation 0x00007fff8a2e5d09 __CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE1_PERFORM_FUNCTION__ + 41 11 com.apple.CoreFoundation 0x00007fff8a2e5a49 __CFRunLoopDoSource1 + 153 12 com.apple.CoreFoundation 0x00007fff8a318c02 __CFRunLoopRun + 1826 13 com.apple.CoreFoundation 0x00007fff8a3180e2 CFRunLoopRunSpecific + 290 14 com.apple.HIToolbox 0x00007fff8d41eeb4 RunCurrentEventLoopInMode + 209 15 com.apple.HIToolbox 0x00007fff8d41ec52 ReceiveNextEventCommon + 356 16 com.apple.HIToolbox 0x00007fff8d41eae3 BlockUntilNextEventMatchingListInMode + 62 17 com.apple.AppKit 0x00007fff88889563 _DPSNextEvent + 685 18 com.apple.AppKit 0x00007fff88888e22 -[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] + 128 19 com.apple.AppKit 0x00007fff888801d3 -[NSApplication run] + 517 20 com.apple.WebCore 0x000000010ca22b89 WebCore::RunLoop::run() + 105 (RunLoopMac.mm:44) 21 com.apple.WebKit2 0x00000001090e0265 int WebKit::ChildProcessMain<WebKit::WebProcess, WebKit::WebContentProcessMainDelegate>(int, char**) + 917 (ChildProcessMain.h:98) 22 com.apple.WebKit2 0x00000001090dfebb WebContentProcessMain + 27 (WebContentProcessMain.mm:179) 23 com.apple.WebProcess 0x0000000108e77c5a main + 58 (WebContentProcessMainBootstrapper.cpp:31) 24 libdyld.dylib 0x00007fff863ca7e1 start + 1 830359 1 187732 cfleizach 2013-02-11 17:12:24 -0800 Created attachment 187732 patch 830374 2 cfleizach 2013-02-11 17:23:51 -0800 I tried very hard to get a test case, but it just didn't work. I wanted to remove an iframe with scrollers from the dom, and then access the scrollbar again, but no matter what I tried the scroll area was still valid. 831473 3 187977 cfleizach 2013-02-12 17:36:12 -0800 Created attachment 187977 patch 831477 4 187977 rniwa 2013-02-12 17:41:46 -0800 Comment on attachment 187977 patch View in context: https://bugs.webkit.org/attachment.cgi?id=187977&action=review > Source/WebCore/ChangeLog:12 > + Reviewed by NOBODY (OOPS!). This should appear before the long description but after the bug url. 831637 5 cfleizach 2013-02-12 22:18:11 -0800 http://trac.webkit.org/changeset/142721 187732 2013-02-11 17:12:24 -0800 2013-02-12 17:36:12 -0800 patch patch text/plain 1695 cfleizach SW5kZXg6IFNvdXJjZS9XZWJDb3JlL0NoYW5nZUxvZwo9PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09Ci0tLSBTb3VyY2UvV2Vi Q29yZS9DaGFuZ2VMb2cJKHJldmlzaW9uIDE0MjU1NSkKKysrIFNvdXJjZS9XZWJDb3JlL0NoYW5n ZUxvZwkod29ya2luZyBjb3B5KQpAQCAtMSwzICsxLDIxIEBACisyMDEzLTAyLTExICBDaHJpcyBG bGVpemFjaCAgPGNmbGVpemFjaEBhcHBsZS5jb20+CisKKyAgICAgICAgQVg6IGNyYXNoIHdoZW4g YWNjZXNzaW5nIEFjY2Vzc2liaWxpdHlTY3JvbGxiYXIgYWZ0ZXIgcGFnZSBoYXMgYmVlbiB1bmxv YWRlZAorICAgICAgICBodHRwczovL2J1Z3Mud2Via2l0Lm9yZy9zaG93X2J1Zy5jZ2k/aWQ9MTA5 NTI0CisKKyAgICAgICAgQVggY2xpZW50cyBjYW4gaG9sZCBvbnRvIEFjY2VzaWJpbGl0eVNjcm9s bGJhciByZWZlcmVuY2VzIHRoYXQgcmVmZXJlbmNlIHBhcmVudCAKKyAgICAgICAgQWNjZXNzaWJp bGl0eVNjcm9sbFZpZXdzIHRoYXQgaGF2ZSBhbHJlYWR5IGdvbmUgYXdheS4KKworICAgICAgICBB Y2Nlc3NpYmlsaXR5U2Nyb2xsVmlldyBpcyBub3QgY2FsbGluZyBkZXRhY2hGcm9tUGFyZW50IGFm dGVyIGl0IGlzIHJlbW92ZWQsIHdoaWNoCisgICAgICAgIGxlYWRzIHRvIGEgY3Jhc2guIFRoZSBm aXggaXMgdG8gY2xlYXJDaGlsZHJlbigpIHdoZW4gYW4gb2JqZWN0IGlzIGRlYWxsb2NhdGVkLgor CisgICAgICAgIFJldmlld2VkIGJ5IE5PQk9EWSAoT09QUyEpLgorCisgICAgICAgIENvdWxkIG5v dCBjcmVhdGUgYSB0ZXN0IGJlY2F1c2UgdGhlIGNyYXNoIG9ubHkgbWFuaWZlc3RzIG92ZXIgbXVs dGlwbGUgcGFnZSBsb2Fkcy4KKyAgICAgIAorICAgICAgICAqIGFjY2Vzc2liaWxpdHkvQWNjZXNz aWJpbGl0eU9iamVjdC5jcHA6CisgICAgICAgIChXZWJDb3JlOjpBY2Nlc3NpYmlsaXR5T2JqZWN0 OjpkZXRhY2gpOgorCiAyMDEzLTAyLTExICBBZGFtIEJhcnRoICA8YWJhcnRoQHdlYmtpdC5vcmc+ CiAKICAgICAgICAgTG9hZCBldmVudCBmaXJlcyB0b28gZWFybHkgd2l0aCB0aHJlYWRlZCBIVE1M IHBhcnNlciAodGFrZSAyKQpJbmRleDogU291cmNlL1dlYkNvcmUvYWNjZXNzaWJpbGl0eS9BY2Nl c3NpYmlsaXR5T2JqZWN0LmNwcAo9PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09Ci0tLSBTb3VyY2UvV2ViQ29yZS9hY2Nlc3Np YmlsaXR5L0FjY2Vzc2liaWxpdHlPYmplY3QuY3BwCShyZXZpc2lvbiAxNDI0OTMpCisrKyBTb3Vy Y2UvV2ViQ29yZS9hY2Nlc3NpYmlsaXR5L0FjY2Vzc2liaWxpdHlPYmplY3QuY3BwCSh3b3JraW5n IGNvcHkpCkBAIC05MCw2ICs5MCwxMCBAQAogCiB2b2lkIEFjY2Vzc2liaWxpdHlPYmplY3Q6OmRl dGFjaCgpCiB7CisgICAgLy8gQ2xlYXIgYW55IGNoaWxkcmVuIGFuZCBjYWxsIGRldGFjaEZyb21Q YXJlbnQgb24gdGhlbSBzbyB0aGF0CisgICAgLy8gbm8gY2hpbGRyZW4gYXJlIGxlZnQgd2l0aCBk YW5nbGluZyBwb2ludGVycyB0byB0aGVpciBwYXJlbnQuCisgICAgY2xlYXJDaGlsZHJlbigpOwor CiAjaWYgSEFWRShBQ0NFU1NJQklMSVRZKSAmJiBQTEFURk9STShDSFJPTUlVTSkKICAgICBtX2Rl dGFjaGVkID0gdHJ1ZTsKICNlbGlmIEhBVkUoQUNDRVNTSUJJTElUWSkK 187977 2013-02-12 17:36:12 -0800 2013-02-12 17:41:46 -0800 patch p text/plain 1695 cfleizach SW5kZXg6IFNvdXJjZS9XZWJDb3JlL0NoYW5nZUxvZwo9PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09Ci0tLSBTb3VyY2UvV2Vi Q29yZS9DaGFuZ2VMb2cJKHJldmlzaW9uIDE0MjU1NSkKKysrIFNvdXJjZS9XZWJDb3JlL0NoYW5n ZUxvZwkod29ya2luZyBjb3B5KQpAQCAtMSwzICsxLDIxIEBACisyMDEzLTAyLTExICBDaHJpcyBG bGVpemFjaCAgPGNmbGVpemFjaEBhcHBsZS5jb20+CisKKyAgICAgICAgQVg6IGNyYXNoIHdoZW4g YWNjZXNzaW5nIEFjY2Vzc2liaWxpdHlTY3JvbGxiYXIgYWZ0ZXIgcGFnZSBoYXMgYmVlbiB1bmxv YWRlZAorICAgICAgICBodHRwczovL2J1Z3Mud2Via2l0Lm9yZy9zaG93X2J1Zy5jZ2k/aWQ9MTA5 NTI0CisKKyAgICAgICAgQVggY2xpZW50cyBjYW4gaG9sZCBvbnRvIEFjY2VzaWJpbGl0eVNjcm9s bGJhciByZWZlcmVuY2VzIHRoYXQgcmVmZXJlbmNlIHBhcmVudCAKKyAgICAgICAgQWNjZXNzaWJp bGl0eVNjcm9sbFZpZXdzIHRoYXQgaGF2ZSBhbHJlYWR5IGdvbmUgYXdheS4KKworICAgICAgICBB Y2Nlc3NpYmlsaXR5U2Nyb2xsVmlldyBpcyBub3QgY2FsbGluZyBkZXRhY2hGcm9tUGFyZW50IGFm dGVyIGl0IGlzIHJlbW92ZWQsIHdoaWNoCisgICAgICAgIGxlYWRzIHRvIGEgY3Jhc2guIFRoZSBm aXggaXMgdG8gY2xlYXJDaGlsZHJlbigpIHdoZW4gYW4gb2JqZWN0IGlzIGRlYWxsb2NhdGVkLgor CisgICAgICAgIFJldmlld2VkIGJ5IE5PQk9EWSAoT09QUyEpLgorCisgICAgICAgIENvdWxkIG5v dCBjcmVhdGUgYSB0ZXN0IGJlY2F1c2UgdGhlIGNyYXNoIG9ubHkgbWFuaWZlc3RzIG92ZXIgbXVs dGlwbGUgcGFnZSBsb2Fkcy4KKyAgICAgIAorICAgICAgICAqIGFjY2Vzc2liaWxpdHkvQWNjZXNz aWJpbGl0eU9iamVjdC5jcHA6CisgICAgICAgIChXZWJDb3JlOjpBY2Nlc3NpYmlsaXR5T2JqZWN0 OjpkZXRhY2gpOgorCiAyMDEzLTAyLTExICBBZGFtIEJhcnRoICA8YWJhcnRoQHdlYmtpdC5vcmc+ CiAKICAgICAgICAgTG9hZCBldmVudCBmaXJlcyB0b28gZWFybHkgd2l0aCB0aHJlYWRlZCBIVE1M IHBhcnNlciAodGFrZSAyKQpJbmRleDogU291cmNlL1dlYkNvcmUvYWNjZXNzaWJpbGl0eS9BY2Nl c3NpYmlsaXR5T2JqZWN0LmNwcAo9PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09Ci0tLSBTb3VyY2UvV2ViQ29yZS9hY2Nlc3Np YmlsaXR5L0FjY2Vzc2liaWxpdHlPYmplY3QuY3BwCShyZXZpc2lvbiAxNDI0OTMpCisrKyBTb3Vy Y2UvV2ViQ29yZS9hY2Nlc3NpYmlsaXR5L0FjY2Vzc2liaWxpdHlPYmplY3QuY3BwCSh3b3JraW5n IGNvcHkpCkBAIC05MCw2ICs5MCwxMCBAQAogCiB2b2lkIEFjY2Vzc2liaWxpdHlPYmplY3Q6OmRl dGFjaCgpCiB7CisgICAgLy8gQ2xlYXIgYW55IGNoaWxkcmVuIGFuZCBjYWxsIGRldGFjaEZyb21Q YXJlbnQgb24gdGhlbSBzbyB0aGF0CisgICAgLy8gbm8gY2hpbGRyZW4gYXJlIGxlZnQgd2l0aCBk YW5nbGluZyBwb2ludGVycyB0byB0aGVpciBwYXJlbnQuCisgICAgY2xlYXJDaGlsZHJlbigpOwor CiAjaWYgSEFWRShBQ0NFU1NJQklMSVRZKSAmJiBQTEFURk9STShDSFJPTUlVTSkKICAgICBtX2Rl dGFjaGVkID0gdHJ1ZTsKICNlbGlmIEhBVkUoQUNDRVNTSUJJTElUWSkK