75279 2011-12-27 16:43:21 -0800 Crash in the WebKit accessibility code while attempting to retrieve the title UI element. 2011-12-27 21:48:26 -0800 1 1 1 Unclassified WebKit Accessibility 528+ (Nightly build) Unspecified Unspecified RESOLVED FIXED P2 Normal --- 1 ananta webkit-unassigned cfleizach rniwa webkit.review.bot oldest_to_newest 527503 0 ananta 2011-12-27 16:43:21 -0800 We have been seeing this crash in Chromium with accessibility enabled. The chromium bug is here http://crbug.com/108508(Logged against Chromeframe tests which enable webkit accessibility). Debugging revealed that the crash occurs in the AccessibilityRenderObject::titleUIElement method because of a NULL node being returned by the underlying RenderObject. Debugging this function revealed that the RenderObject can return a NULL node pointer at times(if it is anonymous). We should check for a NULL node here. Will upload a patch in a bit 527538 1 120629 ananta 2011-12-27 19:55:28 -0800 Created attachment 120629 proposed patch 527540 2 120629 rniwa 2011-12-27 20:02:05 -0800 Comment on attachment 120629 proposed patch View in context: https://bugs.webkit.org/attachment.cgi?id=120629&action=review > Source/WebCore/ChangeLog:3 > + https://bugs.webkit.org/show_bug.cgi?id=75279 You need to have a bug summary "Crash in the WebKit accessibility code while attempting to retrieve the title UI element." directly above the bug url. See other change log entries. > Source/WebCore/ChangeLog:5 > + Fix a crash in the the WebKit accessibility code which occurs while retrieving > + the title UI clement. The fix is to NULL check the RenderObject::node return value. This line should appear below "Reviewed by" followed by a blank line. See other change log entries. > Source/WebCore/ChangeLog:10 > + No tests added as other functions in the AccessibilityRenderObject class NULL check > + the RenderObject::node return value. Please explain why you're not adding a test instead of saying you're mimicking other null checks. 527541 3 120630 ananta 2011-12-27 20:03:28 -0800 Created attachment 120630 proposed patch with description updated 527542 4 120631 ananta 2011-12-27 20:08:07 -0800 Created attachment 120631 Patch with review comments addressed 527550 5 120631 cfleizach 2011-12-27 21:15:00 -0800 Comment on attachment 120631 Patch with review comments addressed why is there no layout test for this one? 527551 6 cfleizach 2011-12-27 21:17:27 -0800 you should be able to make this happen by inserting some html that will create an anonymous render block, and then ask for the title ui element of that anonymous element. i'm tempted to review- this because there is no layout test 527553 7 120631 webkit.review.bot 2011-12-27 21:29:19 -0800 Comment on attachment 120631 Patch with review comments addressed Clearing flags on attachment: 120631 Committed r103757: <http://trac.webkit.org/changeset/103757> 527554 8 webkit.review.bot 2011-12-27 21:29:23 -0800 All reviewed patches have been landed. Closing bug. 527557 9 rniwa 2011-12-27 21:48:26 -0800 (In reply to comment #5) > (From update of attachment 120631 [details]) > why is there no layout test for this one? This was causing some Chromium UI tests to fail but we didn't have a reduction in the form of a layout test. Ananta told me he's looking into creating a layout test next year. 120629 2011-12-27 19:55:28 -0800 2011-12-27 20:03:28 -0800 proposed patch patch.txt text/plain 1627 ananta SW5kZXg6IFNvdXJjZS9XZWJDb3JlL0NoYW5nZUxvZwo9PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09Ci0tLSBTb3VyY2UvV2Vi Q29yZS9DaGFuZ2VMb2cJKHJldmlzaW9uIDEwMzc1NCkKKysrIFNvdXJjZS9XZWJDb3JlL0NoYW5n ZUxvZwkod29ya2luZyBjb3B5KQpAQCAtMSwzICsxLDE3IEBACisyMDExLTEyLTI3ICBBbmFudGFu YXJheWFuYW4gRyBJeWVuZ2FyICA8YW5hbnRhQGNocm9taXVtLm9yZz4KKworICAgICAgICBodHRw czovL2J1Z3Mud2Via2l0Lm9yZy9zaG93X2J1Zy5jZ2k/aWQ9NzUyNzkKKyAgICAgICAgRml4IGEg Y3Jhc2ggaW4gdGhlIHRoZSBXZWJLaXQgYWNjZXNzaWJpbGl0eSBjb2RlIHdoaWNoIG9jY3VycyB3 aGlsZSByZXRyaWV2aW5nCisgICAgICAgIHRoZSB0aXRsZSBVSSBjbGVtZW50LiBUaGUgZml4IGlz IHRvIE5VTEwgY2hlY2sgdGhlIFJlbmRlck9iamVjdDo6bm9kZSByZXR1cm4gdmFsdWUuCisKKyAg ICAgICAgUmV2aWV3ZWQgYnkgTk9CT0RZIChPT1BTISkuCisKKyAgICAgICAgTm8gdGVzdHMgYWRk ZWQgYXMgb3RoZXIgZnVuY3Rpb25zIGluIHRoZSBBY2Nlc3NpYmlsaXR5UmVuZGVyT2JqZWN0IGNs YXNzIE5VTEwgY2hlY2sKKyAgICAgICAgdGhlIFJlbmRlck9iamVjdDo6bm9kZSByZXR1cm4gdmFs dWUuCisKKyAgICAgICAgKiBhY2Nlc3NpYmlsaXR5L0FjY2Vzc2liaWxpdHlSZW5kZXJPYmplY3Qu Y3BwOgorICAgICAgICAoV2ViQ29yZTo6QWNjZXNzaWJpbGl0eVJlbmRlck9iamVjdDo6dGl0bGVV SUVsZW1lbnQpOgorCiAyMDExLTEyLTI3ICBEb21pbmljIENvb25leSAgPGRvbWluaWNjQGNocm9t aXVtLm9yZz4KIAogICAgICAgICBSZW1vdmUgaW5pdFdlYktpdEFuaW1hdGlvbkV2ZW50IG1ldGhv ZApJbmRleDogU291cmNlL1dlYkNvcmUvYWNjZXNzaWJpbGl0eS9BY2Nlc3NpYmlsaXR5UmVuZGVy T2JqZWN0LmNwcAo9PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09Ci0tLSBTb3VyY2UvV2ViQ29yZS9hY2Nlc3NpYmlsaXR5L0Fj Y2Vzc2liaWxpdHlSZW5kZXJPYmplY3QuY3BwCShyZXZpc2lvbiAxMDM3NDEpCisrKyBTb3VyY2Uv V2ViQ29yZS9hY2Nlc3NpYmlsaXR5L0FjY2Vzc2liaWxpdHlSZW5kZXJPYmplY3QuY3BwCSh3b3Jr aW5nIGNvcHkpCkBAIC0xNzA2LDYgKzE3MDYsOCBAQCBBY2Nlc3NpYmlsaXR5T2JqZWN0KiBBY2Nl c3NpYmlsaXR5UmVuZGVyCiAgICAgICAgIHJldHVybiBheE9iamVjdENhY2hlKCktPmdldE9yQ3Jl YXRlKHRvUmVuZGVyRmllbGRzZXQobV9yZW5kZXJlciktPmZpbmRMZWdlbmQoKSk7CiAgICAgCiAg ICAgTm9kZSogZWxlbWVudCA9IG1fcmVuZGVyZXItPm5vZGUoKTsKKyAgICBpZiAoIWVsZW1lbnQp CisgICAgICAgIHJldHVybiAwOwogICAgIEhUTUxMYWJlbEVsZW1lbnQqIGxhYmVsID0gbGFiZWxG b3JFbGVtZW50KHN0YXRpY19jYXN0PEVsZW1lbnQqPihlbGVtZW50KSk7CiAgICAgaWYgKGxhYmVs ICYmIGxhYmVsLT5yZW5kZXJlcigpKQogICAgICAgICByZXR1cm4gYXhPYmplY3RDYWNoZSgpLT5n ZXRPckNyZWF0ZShsYWJlbC0+cmVuZGVyZXIoKSk7Cg== 120630 2011-12-27 20:03:28 -0800 2011-12-27 20:08:07 -0800 proposed patch with description updated patch.txt text/plain 1652 ananta SW5kZXg6IFNvdXJjZS9XZWJDb3JlL0NoYW5nZUxvZwo9PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09Ci0tLSBTb3VyY2UvV2Vi Q29yZS9DaGFuZ2VMb2cJKHJldmlzaW9uIDEwMzc1NCkKKysrIFNvdXJjZS9XZWJDb3JlL0NoYW5n ZUxvZwkod29ya2luZyBjb3B5KQpAQCAtMSwzICsxLDE3IEBACisyMDExLTEyLTI3ICBBbmFudGFu YXJheWFuYW4gRyBJeWVuZ2FyICA8YW5hbnRhQGNocm9taXVtLm9yZz4KKworICAgICAgICBodHRw czovL2J1Z3Mud2Via2l0Lm9yZy9zaG93X2J1Zy5jZ2k/aWQ9NzUyNzkKKyAgICAgICAgRml4IGEg Y3Jhc2ggaW4gdGhlIHRoZSBXZWJLaXQgYWNjZXNzaWJpbGl0eSBjb2RlIHdoaWNoIG9jY3VycyB3 aGlsZSByZXRyaWV2aW5nCisgICAgICAgIHRoZSB0aXRsZSBVSSBjbGVtZW50LiBUaGUgZml4IGlz IHRvIE5VTEwgY2hlY2sgdGhlIFJlbmRlck9iamVjdDo6bm9kZSByZXR1cm4gdmFsdWUuCisKKyAg ICAgICAgUmV2aWV3ZWQgYnkgTk9CT0RZIChPT1BTISkuCisKKyAgICAgICAgTm8gdGVzdCBhZGRl ZCBhcyB0aGVyZSBpcyBubyByZWR1Y3Rpb24uIFRoaXMgY2hhbmdlIG1pcnJvcnMgdGhlIE5VTEwg Y2hlY2tzIGluCisgICAgICAgIHRoZSBvdGhlciBwdWJsaWMgZnVuY3Rpb25zIGluIHRoZSBBY2Nl c3NpYmlsaXR5UmVuZGVyT2JqZWN0IGNsYXNzLgorCisgICAgICAgICogYWNjZXNzaWJpbGl0eS9B Y2Nlc3NpYmlsaXR5UmVuZGVyT2JqZWN0LmNwcDoKKyAgICAgICAgKFdlYkNvcmU6OkFjY2Vzc2li aWxpdHlSZW5kZXJPYmplY3Q6OnRpdGxlVUlFbGVtZW50KToKKwogMjAxMS0xMi0yNyAgRG9taW5p YyBDb29uZXkgIDxkb21pbmljY0BjaHJvbWl1bS5vcmc+CiAKICAgICAgICAgUmVtb3ZlIGluaXRX ZWJLaXRBbmltYXRpb25FdmVudCBtZXRob2QKSW5kZXg6IFNvdXJjZS9XZWJDb3JlL2FjY2Vzc2li aWxpdHkvQWNjZXNzaWJpbGl0eVJlbmRlck9iamVjdC5jcHAKPT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PQotLS0gU291cmNl L1dlYkNvcmUvYWNjZXNzaWJpbGl0eS9BY2Nlc3NpYmlsaXR5UmVuZGVyT2JqZWN0LmNwcAkocmV2 aXNpb24gMTAzNzQxKQorKysgU291cmNlL1dlYkNvcmUvYWNjZXNzaWJpbGl0eS9BY2Nlc3NpYmls aXR5UmVuZGVyT2JqZWN0LmNwcAkod29ya2luZyBjb3B5KQpAQCAtMTcwNiw2ICsxNzA2LDggQEAg QWNjZXNzaWJpbGl0eU9iamVjdCogQWNjZXNzaWJpbGl0eVJlbmRlcgogICAgICAgICByZXR1cm4g YXhPYmplY3RDYWNoZSgpLT5nZXRPckNyZWF0ZSh0b1JlbmRlckZpZWxkc2V0KG1fcmVuZGVyZXIp LT5maW5kTGVnZW5kKCkpOwogICAgIAogICAgIE5vZGUqIGVsZW1lbnQgPSBtX3JlbmRlcmVyLT5u b2RlKCk7CisgICAgaWYgKCFlbGVtZW50KQorICAgICAgICByZXR1cm4gMDsKICAgICBIVE1MTGFi ZWxFbGVtZW50KiBsYWJlbCA9IGxhYmVsRm9yRWxlbWVudChzdGF0aWNfY2FzdDxFbGVtZW50Kj4o ZWxlbWVudCkpOwogICAgIGlmIChsYWJlbCAmJiBsYWJlbC0+cmVuZGVyZXIoKSkKICAgICAgICAg cmV0dXJuIGF4T2JqZWN0Q2FjaGUoKS0+Z2V0T3JDcmVhdGUobGFiZWwtPnJlbmRlcmVyKCkpOwo= 120631 2011-12-27 20:08:07 -0800 2011-12-27 21:29:18 -0800 Patch with review comments addressed patch.txt text/plain 1638 ananta SW5kZXg6IFNvdXJjZS9XZWJDb3JlL0NoYW5nZUxvZwo9PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09Ci0tLSBTb3VyY2UvV2Vi Q29yZS9DaGFuZ2VMb2cJKHJldmlzaW9uIDEwMzc1NCkKKysrIFNvdXJjZS9XZWJDb3JlL0NoYW5n ZUxvZwkod29ya2luZyBjb3B5KQpAQCAtMSwzICsxLDE4IEBACisyMDExLTEyLTI3ICBBbmFudGFu YXJheWFuYW4gRyBJeWVuZ2FyICA8YW5hbnRhQGNocm9taXVtLm9yZz4KKworICAgICAgICBDcmFz aCBpbiB0aGUgV2ViS2l0IGFjY2Vzc2liaWxpdHkgY29kZSB3aGlsZSBhdHRlbXB0aW5nIHRvIHJl dHJpZXZlIHRoZSB0aXRsZSBVSSBlbGVtZW50LgorICAgICAgICBodHRwczovL2J1Z3Mud2Via2l0 Lm9yZy9zaG93X2J1Zy5jZ2k/aWQ9NzUyNzkKKworICAgICAgICBSZXZpZXdlZCBieSBOT0JPRFkg KE9PUFMhKS4KKworICAgICAgICBGaXggYSBjcmFzaCBpbiB0aGUgdGhlIFdlYktpdCBhY2Nlc3Np YmlsaXR5IGNvZGUgd2hpY2ggb2NjdXJzIHdoaWxlIHJldHJpZXZpbmcKKyAgICAgICAgdGhlIHRp dGxlIFVJIGNsZW1lbnQuIFRoZSBmaXggaXMgdG8gTlVMTCBjaGVjayB0aGUgUmVuZGVyT2JqZWN0 Ojpub2RlIHJldHVybiB2YWx1ZS4KKworICAgICAgICBObyB0ZXN0IGFkZGVkIGFzIHRoZXJlIGlz IG5vIHJlZHVjdGlvbi4KKworICAgICAgICAqIGFjY2Vzc2liaWxpdHkvQWNjZXNzaWJpbGl0eVJl bmRlck9iamVjdC5jcHA6CisgICAgICAgIChXZWJDb3JlOjpBY2Nlc3NpYmlsaXR5UmVuZGVyT2Jq ZWN0Ojp0aXRsZVVJRWxlbWVudCk6CisKIDIwMTEtMTItMjcgIERvbWluaWMgQ29vbmV5ICA8ZG9t aW5pY2NAY2hyb21pdW0ub3JnPgogCiAgICAgICAgIFJlbW92ZSBpbml0V2ViS2l0QW5pbWF0aW9u RXZlbnQgbWV0aG9kCkluZGV4OiBTb3VyY2UvV2ViQ29yZS9hY2Nlc3NpYmlsaXR5L0FjY2Vzc2li aWxpdHlSZW5kZXJPYmplY3QuY3BwCj09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT0KLS0tIFNvdXJjZS9XZWJDb3JlL2FjY2Vz c2liaWxpdHkvQWNjZXNzaWJpbGl0eVJlbmRlck9iamVjdC5jcHAJKHJldmlzaW9uIDEwMzc0MSkK KysrIFNvdXJjZS9XZWJDb3JlL2FjY2Vzc2liaWxpdHkvQWNjZXNzaWJpbGl0eVJlbmRlck9iamVj dC5jcHAJKHdvcmtpbmcgY29weSkKQEAgLTE3MDYsNiArMTcwNiw4IEBAIEFjY2Vzc2liaWxpdHlP YmplY3QqIEFjY2Vzc2liaWxpdHlSZW5kZXIKICAgICAgICAgcmV0dXJuIGF4T2JqZWN0Q2FjaGUo KS0+Z2V0T3JDcmVhdGUodG9SZW5kZXJGaWVsZHNldChtX3JlbmRlcmVyKS0+ZmluZExlZ2VuZCgp KTsKICAgICAKICAgICBOb2RlKiBlbGVtZW50ID0gbV9yZW5kZXJlci0+bm9kZSgpOworICAgIGlm ICghZWxlbWVudCkKKyAgICAgICAgcmV0dXJuIDA7CiAgICAgSFRNTExhYmVsRWxlbWVudCogbGFi ZWwgPSBsYWJlbEZvckVsZW1lbnQoc3RhdGljX2Nhc3Q8RWxlbWVudCo+KGVsZW1lbnQpKTsKICAg ICBpZiAobGFiZWwgJiYgbGFiZWwtPnJlbmRlcmVyKCkpCiAgICAgICAgIHJldHVybiBheE9iamVj dENhY2hlKCktPmdldE9yQ3JlYXRlKGxhYmVsLT5yZW5kZXJlcigpKTsK