Bug 109524

Summary: AX: crash when accessing AccessibilityScrollbar after page has been unloaded
Product: WebKit
Reporter: chris fleizach <cfleizach>
Component: Accessibility
Assignee: chris fleizach <cfleizach>
Status: RESOLVED FIXED
Severity: Normal
CC: aboxhall, apinheiro, dmazzoni, jdiggs, rniwa, webkit.review.bot
Priority: P2
Version: 528+ (Nightly build)
Hardware: Unspecified
OS: Unspecified
Attachments (description, flags):
  patch - none
  patch - rniwa: review+

chris fleizach
Reported 2013-02-11 17:09:45 PST
1. start VoiceOver
2. navigate to http://www.w3.org/Math/testsuite/build/main/Characters/Blocks/00000_C0_Controls_and_Basic_Latin-full.xhtml
3. make sure you are interacting with the web page
4. turn off quicknav
5. press right arrow to go to the next test in the suite
6. after no more than two or three presses of right arrow Safari gives the attached crash

Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
0 com.apple.WebCore 0x000000010b316370 WebCore::AccessibilityScrollbar::document() const + 80 (AccessibilityScrollbar.cpp:63)
1 com.apple.WebCore 0x000000010b304439 WebCore::AccessibilityObject::updateBackingStore() + 25 (AccessibilityObject.cpp:1132)
2 com.apple.WebCore 0x000000010ce134b9 -[WebAccessibilityObjectWrapper updateObjectBackingStore] + 121 (WebAccessibilityObjectWrapper.mm:398)
3 com.apple.WebCore 0x000000010ce1b766 -[WebAccessibilityObjectWrapper accessibilityAttributeValue:] + 54 (WebAccessibilityObjectWrapper.mm:2045)
4 com.apple.AppKit 0x00007fff88abb18e -[NSObject(NSAccessibilityInternal) _accessibilityValueForAttribute:clientError:] + 228
5 com.apple.AppKit 0x00007fff88abee46 CopyAppKitUIElementAttributeValueNoCatch + 53
6 com.apple.AppKit 0x00007fff88abc521 CopyAttributeValue + 359
7 com.apple.HIServices 0x00007fff8353e90d _AXXMIGCopyAttributeValue + 221
8 com.apple.HIServices 0x00007fff8354516a _XCopyAttributeValue + 333
9 com.apple.HIServices 0x00007fff83523f4e mshMIGPerform + 443
10 com.apple.CoreFoundation 0x00007fff8a2e5d09 __CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE1_PERFORM_FUNCTION__ + 41
11 com.apple.CoreFoundation 0x00007fff8a2e5a49 __CFRunLoopDoSource1 + 153
12 com.apple.CoreFoundation 0x00007fff8a318c02 __CFRunLoopRun + 1826
13 com.apple.CoreFoundation 0x00007fff8a3180e2 CFRunLoopRunSpecific + 290
14 com.apple.HIToolbox 0x00007fff8d41eeb4 RunCurrentEventLoopInMode + 209
15 com.apple.HIToolbox 0x00007fff8d41ec52 ReceiveNextEventCommon + 356
16 com.apple.HIToolbox 0x00007fff8d41eae3 BlockUntilNextEventMatchingListInMode + 62
17 com.apple.AppKit 0x00007fff88889563 _DPSNextEvent + 685
18 com.apple.AppKit 0x00007fff88888e22 -[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] + 128
19 com.apple.AppKit 0x00007fff888801d3 -[NSApplication run] + 517
20 com.apple.WebCore 0x000000010ca22b89 WebCore::RunLoop::run() + 105 (RunLoopMac.mm:44)
21 com.apple.WebKit2 0x00000001090e0265 int WebKit::ChildProcessMain<WebKit::WebProcess, WebKit::WebContentProcessMainDelegate>(int, char**) + 917 (ChildProcessMain.h:98)
22 com.apple.WebKit2 0x00000001090dfebb WebContentProcessMain + 27 (WebContentProcessMain.mm:179)
23 com.apple.WebProcess 0x0000000108e77c5a main + 58 (WebContentProcessMainBootstrapper.cpp:31)
24 libdyld.dylib 0x00007fff863ca7e1 start + 1
Attachments
patch (1.66 KB, patch), 2013-02-11 17:12 PST, chris fleizach, no flags
patch (1.66 KB, patch), 2013-02-12 17:36 PST, chris fleizach, rniwa: review+
chris fleizach
Comment 1 2013-02-11 17:12:24 PST
chris fleizach
Comment 2 2013-02-11 17:23:51 PST
I tried very hard to get a test case, but it just didn't work. I wanted to remove an iframe with scrollers from the DOM, and then access the scrollbar again, but no matter what I tried the scroll area was still valid.
chris fleizach
Comment 3 2013-02-12 17:36:12 PST
Ryosuke Niwa
Comment 4 2013-02-12 17:41:46 PST
Comment on attachment 187977 [details] patch
View in context: https://bugs.webkit.org/attachment.cgi?id=187977&action=review

> Source/WebCore/ChangeLog:12
> + Reviewed by NOBODY (OOPS!).

This should appear before the long description but after the bug URL.
chris fleizach
Comment 5 2013-02-12 22:18:11 PST