Bug 109524

Summary: AX: crash when accessing AccessibilityScrollbar after page has been unloaded
Product: WebKit
Reporter: chris fleizach <cfleizach>
Component: Accessibility
Assignee: chris fleizach <cfleizach>
Status: RESOLVED FIXED    
Severity: Normal CC: aboxhall, apinheiro, dmazzoni, jdiggs, rniwa, webkit.review.bot
Priority: P2    
Version: 528+ (Nightly build)   
Hardware: Unspecified   
OS: Unspecified   
Attachments:
| Description | Flags |
| --- | --- |
| patch | none |
| patch | rniwa: review+ |

Description chris fleizach 2013-02-11 17:09:45 PST
1. Start VoiceOver.
2. Navigate to http://www.w3.org/Math/testsuite/build/main/Characters/Blocks/00000_C0_Controls_and_Basic_Latin-full.xhtml
3. Make sure you are interacting with the web page.
4. Turn off QuickNav.
5. Press right arrow to go to the next test in the suite.
6. After no more than two or three presses of right arrow, Safari gives the attached crash.

Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
0   com.apple.WebCore             	0x000000010b316370 WebCore::AccessibilityScrollbar::document() const + 80 (AccessibilityScrollbar.cpp:63)
1   com.apple.WebCore             	0x000000010b304439 WebCore::AccessibilityObject::updateBackingStore() + 25 (AccessibilityObject.cpp:1132)
2   com.apple.WebCore             	0x000000010ce134b9 -[WebAccessibilityObjectWrapper updateObjectBackingStore] + 121 (WebAccessibilityObjectWrapper.mm:398)
3   com.apple.WebCore             	0x000000010ce1b766 -[WebAccessibilityObjectWrapper accessibilityAttributeValue:] + 54 (WebAccessibilityObjectWrapper.mm:2045)
4   com.apple.AppKit              	0x00007fff88abb18e -[NSObject(NSAccessibilityInternal) _accessibilityValueForAttribute:clientError:] + 228
5   com.apple.AppKit              	0x00007fff88abee46 CopyAppKitUIElementAttributeValueNoCatch + 53
6   com.apple.AppKit              	0x00007fff88abc521 CopyAttributeValue + 359
7   com.apple.HIServices          	0x00007fff8353e90d _AXXMIGCopyAttributeValue + 221
8   com.apple.HIServices          	0x00007fff8354516a _XCopyAttributeValue + 333
9   com.apple.HIServices          	0x00007fff83523f4e mshMIGPerform + 443
10  com.apple.CoreFoundation      	0x00007fff8a2e5d09 __CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE1_PERFORM_FUNCTION__ + 41
11  com.apple.CoreFoundation      	0x00007fff8a2e5a49 __CFRunLoopDoSource1 + 153
12  com.apple.CoreFoundation      	0x00007fff8a318c02 __CFRunLoopRun + 1826
13  com.apple.CoreFoundation      	0x00007fff8a3180e2 CFRunLoopRunSpecific + 290
14  com.apple.HIToolbox           	0x00007fff8d41eeb4 RunCurrentEventLoopInMode + 209
15  com.apple.HIToolbox           	0x00007fff8d41ec52 ReceiveNextEventCommon + 356
16  com.apple.HIToolbox           	0x00007fff8d41eae3 BlockUntilNextEventMatchingListInMode + 62
17  com.apple.AppKit              	0x00007fff88889563 _DPSNextEvent + 685
18  com.apple.AppKit              	0x00007fff88888e22 -[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] + 128
19  com.apple.AppKit              	0x00007fff888801d3 -[NSApplication run] + 517
20  com.apple.WebCore             	0x000000010ca22b89 WebCore::RunLoop::run() + 105 (RunLoopMac.mm:44)
21  com.apple.WebKit2             	0x00000001090e0265 int WebKit::ChildProcessMain<WebKit::WebProcess, WebKit::WebContentProcessMainDelegate>(int, char**) + 917 (ChildProcessMain.h:98)
22  com.apple.WebKit2             	0x00000001090dfebb WebContentProcessMain + 27 (WebContentProcessMain.mm:179)
23  com.apple.WebProcess          	0x0000000108e77c5a main + 58 (WebContentProcessMainBootstrapper.cpp:31)
24  libdyld.dylib                 	0x00007fff863ca7e1 start + 1
Comment 1 chris fleizach 2013-02-11 17:12:24 PST
Created attachment 187732 [details]
patch
Comment 2 chris fleizach 2013-02-11 17:23:51 PST
I tried very hard to get a test case, but it just didn't work. 

I wanted to remove an iframe with scrollers from the dom, and then access the scrollbar again, but no matter what I tried the scroll area was still valid.
Comment 3 chris fleizach 2013-02-12 17:36:12 PST
Created attachment 187977 [details]
patch
Comment 4 Ryosuke Niwa 2013-02-12 17:41:46 PST
Comment on attachment 187977 [details]
patch

View in context: https://bugs.webkit.org/attachment.cgi?id=187977&action=review

> Source/WebCore/ChangeLog:12
> +        Reviewed by NOBODY (OOPS!).

This should appear before the long description but after the bug URL.
Comment 5 chris fleizach 2013-02-12 22:18:11 PST
http://trac.webkit.org/changeset/142721