22340 2008-11-18 12:00:28 -0800 Crash at WebCore::AccessibilityTable::isTableExposableThroughAccessibility() when a table changes 2009-05-18 11:32:33 -0700 1 1 1 Unclassified WebKit Accessibility 528+ (Nightly build) Mac OS X 10.5 RESOLVED DUPLICATE 24143 P2 Normal --- 1 cfleizach webkit-unassigned oldest_to_newest 99198 0 cfleizach 2008-11-18 12:00:28 -0800 WebCore can crash when a table is modified through the DOM because of stale information 99199 1 25243 cfleizach 2008-11-18 12:01:35 -0800 Created attachment 25243 patch to stop from crashing I was not able to make a LayoutTest that could trigger this problem. I did however verify that the case mentioned did not crash 99200 2 cfleizach 2008-11-18 12:01:50 -0800 1. Launch TOT (r38371, r20843) and go to http://mail.google.com/mail/#inbox 2. Type some text in the message body . Select one of the words and click the link toolbar 3. Type a URL and press return to apply the link dialog 4. After link dialog, a crash occurs. 99206 3 25243 darin 2008-11-18 12:29:08 -0800 Comment on attachment 25243 patch to stop from crashing I don't think this is the right fix. It makes no sense for AccessibilityTable to call setNeedsSectionRecalc; any recalculation should be set up by the DOM tree or CSS manipulation that makes the recalculation necessary. Similarly, AccessibilityTable should not be responsible for calling recalcSectionsIfNeeded. Instead the render tree functions used to get at the sections should take care of that. It does make sense to make a call to update layout before trying to work with the render tree, but this is not a table-specific requirement. Layout will call recalcSectionsIfNeeded as appropriate. We need to get to the bottom of what's happening here and not just land this, which is a workaround or band-aid for the real problem. 99209 4 cfleizach 2008-11-18 12:38:05 -0800 Thread 0 Crashed: 0 com.apple.WebCore 0x92dbd804 WebCore::AccessibilityTable::isTableExposableThroughAccessibility() + 500 1 com.apple.WebCore 0x92dbdb68 WebCore::AccessibilityTable::AccessibilityTable(WebCore::RenderObject*) + 104 2 com.apple.WebCore 0x92dbdbbc WebCore::AccessibilityTable::create(WebCore::RenderObject*) + 44 3 com.apple.WebCore 0x92869a08 WebCore::AXObjectCache::get(WebCore::RenderObject*) + 312 4 com.apple.WebCore 0x92d9fc9d WebCore::AccessibilityRenderObject::parentObject() const + 125 5 com.apple.WebCore 0x92d9a33b WebCore::AccessibilityRenderObject::isPresentationalChildOfAriaRole() const + 43 6 com.apple.WebCore 0x92d9cdbb WebCore::AccessibilityRenderObject::accessibilityIsIgnored() const + 75 7 com.apple.WebCore 0x92d9a450 WebCore::AccessibilityRenderObject::childrenChanged() + 32 8 com.apple.WebCore 0x9286b5da WebCore::AXObjectCache::childrenChanged(WebCore::RenderObject*) + 106 9 com.apple.WebCore 0x9278f632 WebCore::RenderContainer::removeChildNode(WebCore::RenderObject*, bool) + 226 10 com.apple.WebCore 0x9278f46e WebCore::RenderContainer::removeChild(WebCore::RenderObject*) + 46 11 com.apple.WebCore 0x9278f1ce WebCore::RenderBlock::removeChild(WebCore::RenderObject*) + 78 12 com.apple.WebCore 0x9278f0d2 WebCore::RenderObject::destroy() + 114 13 com.apple.WebCore 0x9278ef6d WebCore::RenderBox::destroy() + 93 14 com.apple.WebCore 0x9278ee67 WebCore::RenderContainer::destroyLeftoverChildren() + 135 15 com.apple.WebCore 0x9278ecec WebCore::RenderFlow::destroy() + 44 16 com.apple.WebCore 0x9278ec6a WebCore::Node::detach() + 42 17 com.apple.WebCore 0x9278eb1d WebCore::Element::detach() + 109 18 com.apple.WebCore 0x9278ea8b WebCore::ContainerNode::detach() + 43 19 com.apple.WebCore 0x9278eb1d WebCore::Element::detach() + 109 20 com.apple.WebCore 0x9278ea8b WebCore::ContainerNode::detach() + 43 21 com.apple.WebCore 0x9278eb1d WebCore::Element::detach() + 109 22 com.apple.WebCore 0x9278ea8b WebCore::ContainerNode::detach() + 43 23 com.apple.WebCore 0x9278eb1d WebCore::Element::detach() + 109 24 com.apple.WebCore 0x9278ea8b WebCore::ContainerNode::detach() + 43 25 com.apple.WebCore 0x9278eb1d WebCore::Element::detach() + 109 26 com.apple.WebCore 0x9278ea8b WebCore::ContainerNode::detach() + 43 27 com.apple.WebCore 0x9278eb1d WebCore::Element::detach() + 109 28 com.apple.WebCore 0x9278ea8b WebCore::ContainerNode::detach() + 43 29 com.apple.WebCore 0x9278eb1d WebCore::Element::detach() + 109 30 com.apple.WebCore 0x9278ea8b WebCore::ContainerNode::detach() + 43 31 com.apple.WebCore 0x9278eb1d WebCore::Element::detach() + 109 32 com.apple.WebCore 0x9278ea8b WebCore::ContainerNode::detach() + 43 33 com.apple.WebCore 0x9278eb1d WebCore::Element::detach() + 109 34 com.apple.WebCore 0x9278ea8b WebCore::ContainerNode::detach() + 43 35 com.apple.WebCore 0x9278eb1d WebCore::Element::detach() + 109 36 com.apple.WebCore 0x9278ea8b WebCore::ContainerNode::detach() + 43 37 com.apple.WebCore 0x9278eb1d WebCore::Element::detach() + 109 38 com.apple.WebCore 0x9278ea8b WebCore::ContainerNode::detach() + 43 39 com.apple.WebCore 0x9278eb1d WebCore::Element::detach() + 109 40 com.apple.WebCore 0x927a21dd WebCore::Element::recalcStyle(WebCore::Node::StyleChange) + 1005 41 com.apple.WebCore 0x927a2082 WebCore::Element::recalcStyle(WebCore::Node::StyleChange) + 658 42 com.apple.WebCore 0x927a2082 WebCore::Element::recalcStyle(WebCore::Node::StyleChange) + 658 43 com.apple.WebCore 0x927a2082 WebCore::Element::recalcStyle(WebCore::Node::StyleChange) + 658 44 com.apple.WebCore 0x927a2082 WebCore::Element::recalcStyle(WebCore::Node::StyleChange) + 658 45 com.apple.WebCore 0x927a2082 WebCore::Element::recalcStyle(WebCore::Node::StyleChange) + 658 46 com.apple.WebCore 0x927a2082 WebCore::Element::recalcStyle(WebCore::Node::StyleChange) + 658 47 com.apple.WebCore 0x927a2082 WebCore::Element::recalcStyle(WebCore::Node::StyleChange) + 658 48 com.apple.WebCore 0x927a2082 WebCore::Element::recalcStyle(WebCore::Node::StyleChange) + 658 49 com.apple.WebCore 0x927a2082 WebCore::Element::recalcStyle(WebCore::Node::StyleChange) + 658 50 com.apple.WebCore 0x927a2082 WebCore::Element::recalcStyle(WebCore::Node::StyleChange) + 658 51 com.apple.WebCore 0x927a2082 WebCore::Element::recalcStyle(WebCore::Node::StyleChange) + 658 52 com.apple.WebCore 0x927a2082 WebCore::Element::recalcStyle(WebCore::Node::StyleChange) + 658 53 com.apple.WebCore 0x927a2082 WebCore::Element::recalcStyle(WebCore::Node::StyleChange) + 658 54 com.apple.WebCore 0x927a2082 WebCore::Element::recalcStyle(WebCore::Node::StyleChange) + 658 55 com.apple.WebCore 0x927a2082 WebCore::Element::recalcStyle(WebCore::Node::StyleChange) + 658 56 com.apple.WebCore 0x927a2082 WebCore::Element::recalcStyle(WebCore::Node::StyleChange) + 658 57 com.apple.WebCore 0x927a2082 WebCore::Element::recalcStyle(WebCore::Node::StyleChange) + 658 58 com.apple.WebCore 0x92753dc2 WebCore::Document::recalcStyle(WebCore::Node::StyleChange) + 162 59 com.apple.WebCore 0x9278c3cf WebCore::Document::updateRendering() + 79 60 com.apple.WebCore 0x928a918d WebCore::Document::updateLayout() + 45 61 com.apple.WebCore 0x928041fe WebCore::Document::updateLayoutIgnorePendingStylesheets() + 46 62 com.apple.WebCore 0x92859db5 WebCore::HTMLBodyElement::scrollLeft() const + 21 63 com.apple.WebCore 0x92b4afeb WebCore::jsHTMLBodyElementScrollLeft(JSC::ExecState*, JSC::Identifier const&, JSC::PropertySlot const&) + 27 64 com.apple.JavaScriptCore 0x90eb4033 JSC::Machine::cti_op_get_by_val(void*, ...) + 1267 99210 5 cfleizach 2008-11-18 12:39:52 -0800 the DOM tree does not have a chance to update the sections because as soon as detach is called, that kicks off a chain that goes straight to code that asks for children, which have just been detached. if the accessibility children changed could be fired on the next iteration of the run loop, that would probably also solve the problem 121814 6 cfleizach 2009-05-18 11:26:37 -0700 this was fixed... not sure where the duplicate bug is 121815 7 cfleizach 2009-05-18 11:32:33 -0700 *** This bug has been marked as a duplicate of 24143 *** 25243 2008-11-18 12:01:35 -0800 2008-11-18 12:29:08 -0800 patch to stop from crashing patch.txt text/plain 1375 cfleizach SW5kZXg6IFdlYkNvcmUvQ2hhbmdlTG9nCj09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT0KLS0tIFdlYkNvcmUvQ2hhbmdlTG9n CShyZXZpc2lvbiAzODU3MSkKKysrIFdlYkNvcmUvQ2hhbmdlTG9nCSh3b3JraW5nIGNvcHkpCkBA IC0xLDMgKzEsMTIgQEAKKzIwMDgtMTEtMTggIENocmlzIEZsZWl6YWNoICA8Y2ZsZWl6YWNoQGFw cGxlLmNvbT4KKworICAgICAgICBSZXZpZXdlZCBieSBOT0JPRFkgKE9PUFMhKS4KKworICAgICAg ICA8cmRhcjovL3Byb2JsZW0vNjM3MjQ4MT4gSW4gR21haWwsIGEgY3Jhc2ggb2NjdXJzIGF0IFdl YkNvcmU6OkFjY2Vzc2liaWxpdHlUYWJsZTo6aXNUYWJsZUV4cG9zYWJsZVRocm91Z2hBY2Nlc3Np YmlsaXR5KCkgd2hlbiBhdHRlbXB0aW5nIHRvIGNyZWF0ZSBhIGxpbmsgaW4gYSByaWNoIHRleHQg bWVzc2FnZQorCisgICAgICAgICogcGFnZS9BY2Nlc3NpYmlsaXR5VGFibGUuY3BwOgorICAgICAg ICAoV2ViQ29yZTo6QWNjZXNzaWJpbGl0eVRhYmxlOjppc1RhYmxlRXhwb3NhYmxlVGhyb3VnaEFj Y2Vzc2liaWxpdHkpOgorCiAyMDA4LTExLTE4ICBBbGV4ZXkgUHJvc2t1cnlha292ICA8YXBAd2Vi a2l0Lm9yZz4KIAogICAgICAgICBXaW5kb3dzIGJ1aWxkIGZpeC4KSW5kZXg6IFdlYkNvcmUvcGFn ZS9BY2Nlc3NpYmlsaXR5VGFibGUuY3BwCj09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT0KLS0tIFdlYkNvcmUvcGFnZS9BY2Nl c3NpYmlsaXR5VGFibGUuY3BwCShyZXZpc2lvbiAzODU2OCkKKysrIFdlYkNvcmUvcGFnZS9BY2Nl c3NpYmlsaXR5VGFibGUuY3BwCSh3b3JraW5nIGNvcHkpCkBAIC04OSw2ICs4OSwxMSBAQCBib29s IEFjY2Vzc2liaWxpdHlUYWJsZTo6aXNUYWJsZUV4cG9zYWJsCiAgICAgICAgIHJldHVybiBmYWxz ZTsKICAgICAKICAgICBSZW5kZXJUYWJsZSogdGFibGUgPSBzdGF0aWNfY2FzdDxSZW5kZXJUYWJs ZSo+KG1fcmVuZGVyZXIpOworICAgCisgICAgLy8gcmVjYWxjdWxhdGUgdGhlIHNlY3Rpb25zIGlu IGNhc2Ugb3VyIGNlbGxzIGNoYW5nZWQgYW5kIHdlcmUgCisgICAgLy8gcmVtb3ZlZCAod2hpY2gg Y2FuIGxlYWQgdG8gYSBjcmFzaCkKKyAgICB0YWJsZS0+c2V0TmVlZHNTZWN0aW9uUmVjYWxjKCk7 CisgICAgdGFibGUtPnJlY2FsY1NlY3Rpb25zSWZOZWVkZWQoKTsKICAgICAKICAgICAvLyB0aGlz IGVtcGxveXMgYSBoZXVyaXN0aWMgdG8gZGV0ZXJtaW5lIGlmIHRoaXMgdGFibGUgc2hvdWxkIGFw cGVhci4gCiAgICAgLy8gT25seSAiZGF0YSIgdGFibGVzIHNob3VsZCBiZSBleHBvc2VkIGFzIHRh Ymxlcy4gCg==