Bug 136333

Summary: AX: Safari at com.apple.WebCore: WebCore::AXObjectCache::clearTextMarkerNodesInUse
Product: WebKit
Reporter: chris fleizach <cfleizach>
Component: Accessibility
Assignee: chris fleizach <cfleizach>
Status: RESOLVED FIXED
Severity: Normal
CC: aboxhall, apinheiro, commit-queue, dmazzoni, jcraig, jdiggs, mario, samuel_white, webkit-bug-importer
Priority: P2
Keywords: InRadar
Version: 528+ (Nightly build)
Hardware: All
OS: All
Attachments:
  patch (flags: ddkilzer: review+, ddkilzer: commit-queue-)

chris fleizach
Reported 2014-08-27 23:28:33 PDT
(lldb) bt
* thread #1: tid = 0x12d68, 0x000000010adae22a JavaScriptCore`WTFCrash + 42 at Assertions.cpp:329, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0xbbadbeef)
  * frame #0: 0x000000010adae22a JavaScriptCore`WTFCrash + 42 at Assertions.cpp:329
    frame #1: 0x000000010eb5f586 WebCore`WebCore::Node::treeScope(this=0x00007f9e4afcded0) const + 70 at Node.h:401
    frame #2: 0x000000010eb5a603 WebCore`WebCore::Node::document(this=0x00007f9e4afcded0) const + 83 at Node.h:396
    frame #3: 0x000000010eb2ebb5 WebCore`WebCore::AXObjectCache::clearTextMarkerNodesInUse(this=0x00007f9e3bc20b30, document=0x0000000000000000) + 149 at AXObjectCache.cpp:1051
    frame #4: 0x000000010f3f2fa2 WebCore`WebCore::Frame::disconnectOwnerElement(this=0x00007f9e4b7af2f0) + 114 at Frame.cpp:814
    frame #5: 0x000000010f3f2745 WebCore`WebCore::Frame::~Frame(this=0x00007f9e4b7af2f0) + 149 at Frame.cpp:224
    frame #6: 0x000000010f3f3005 WebCore`WebCore::Frame::~Frame(this=0x00007f9e4b7af2f0) + 21 at Frame.cpp:214
    frame #7: 0x000000010f3f3029 WebCore`WebCore::Frame::~Frame(this=0x00007f9e4b7af2f0) + 25 at Frame.cpp:214
    frame #8: 0x000000010ebbd1f3 WebCore`WTF::RefCounted<WebCore::Frame>::deref(this=0x00007f9e4b7af2f8) + 83 at RefCounted.h:146
    frame #9: 0x000000010ebbd18f WebCore`WTF::Ref<WebCore::Frame>::~Ref(this=0x00007fff556c6e58) + 31 at Ref.h:41
    frame #10: 0x000000010ebb5fc5 WebCore`WTF::Ref<WebCore::Frame>::~Ref(this=0x00007fff556c6e58) + 21 at Ref.h:41
    frame #11: 0x000000010f417e1f WebCore`WTF::VectorDestructor<true, WTF::Ref<WebCore::Frame> >::destruct(begin=0x00007fff556c6e58, end=0x00007fff556c6e70) + 47 at Vector.h:56
    frame #12: 0x000000010f417ddd WebCore`WTF::VectorTypeOperations<WTF::Ref<WebCore::Frame> >::destruct(begin=0x00007fff556c6e58, end=0x00007fff556c6e70) + 29 at Vector.h:220
    frame #13: 0x000000010f417d50 WebCore`WTF::Vector<WTF::Ref<WebCore::Frame>, 16ul, WTF::CrashOnOverflow>::shrink(this=0x00007fff556c6e48, size=0) + 128 at Vector.h:957
    frame #14: 0x000000010f417cb4 WebCore`WTF::Vector<WTF::Ref<WebCore::Frame>, 16ul, WTF::CrashOnOverflow>::~Vector(this=0x00007fff556c6e48) + 52 at Vector.h:596
    frame #15: 0x000000010f416535 WebCore`WTF::Vector<WTF::Ref<WebCore::Frame>, 16ul, WTF::CrashOnOverflow>::~Vector(this=0x00007fff556c6e48) + 21 at Vector.h:594
    frame #16: 0x000000010f402055 WebCore`WebCore::FrameLoader::detachChildren(this=0x00007f9e435b0ff0) + 309 at FrameLoader.cpp:2415

<rdar://problem/17030054>
Attachments
patch (2.07 KB, patch)
2014-08-27 23:33 PDT, chris fleizach
ddkilzer: review+
ddkilzer: commit-queue-
chris fleizach
Comment 1 2014-08-27 23:33:16 PDT
David Kilzer (:ddkilzer)
Comment 2 2014-08-28 04:10:10 PDT
Comment on attachment 237294 [details]
patch

View in context: https://bugs.webkit.org/attachment.cgi?id=237294&action=review

r=me but please consider the comment below.

> Source/WebCore/accessibility/AXObjectCache.cpp:1051
> +    if (node->inDocument() && &(node)->document() == document)

Is there a reason to keep nodes not in a document in m_textMarkerNodes? Just wondering if this condition should be || instead of && (and negated) since we might build up document-less nodes in the cache over time with the !document early return above:

if (!node->inDocument() || &node->document() == document)
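Review bot: the quoted line at AXObjectCache.cpp:1051 wraps `node` in redundant parentheses, `&(node)->document()`; `&node->document()` is the same expression (`->` binds before unary `&`) and matches the form used in the suggested replacement. Since frame #3 of the backtrace shows this function entered with document=0x0 and frames #1-#2 show `Node::document()` asserting for a node with no tree scope, the line is only safe as long as it stays behind the `!document` early return mentioned above and `node->inDocument()` stays as the first, short-circuiting operand of the condition, whichever of `&&` or `||` is chosen.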
chris fleizach
Comment 3 2014-08-28 10:51:21 PDT
Comment on attachment 237294 [details]
patch

View in context: https://bugs.webkit.org/attachment.cgi?id=237294&action=review

>> Source/WebCore/accessibility/AXObjectCache.cpp:1051
>> +    if (node->inDocument() && &(node)->document() == document)
>
> Is there a reason to keep nodes not in a document in m_textMarkerNodes? Just wondering if this condition should be || instead of && (and negated) since we might build up document-less nodes in the cache over time with the !document early return above:
>
> if (!node->inDocument() || &node->document() == document)

I think your logic makes sense here. I'm gonna go in that direction
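The difference between the two conditions discussed in comments 2 and 3, as an added example that is not WebKit code: a toy cache of raw node pointers modelled after m_textMarkerNodes, cleared once with the `&&` form from the first patch and once with the reviewer's negated `||` form. ToyDocument, ToyNode, ToyTextMarkerCache and remainingAfterClear are hypothetical stand-ins for WebCore's Document, Node and AXObjectCache; the sample nodes are constructed inline.

```cpp
// Added example (not WebCore code): toy model of the predicate debated above.
#include <cstddef>
#include <unordered_set>

struct ToyDocument {};

struct ToyNode {
    // nullptr models a node detached from every document. A real WebCore Node
    // asserts inside treeScope()/document() in that state (frames #0-#2 of the
    // backtrace), so callers must test inDocument() before touching document().
    ToyDocument* owner = nullptr;
    bool inDocument() const { return owner != nullptr; }
    ToyDocument& document() const { return *owner; }  // only valid when inDocument()
};

struct ToyTextMarkerCache {
    std::unordered_set<ToyNode*> m_textMarkerNodes;

    // Variant A, the condition as first posted:
    //   node->inDocument() && &node->document() == document
    // Entries for `document` are dropped; detached nodes are kept and can pile up.
    void clearKeepingDetached(const ToyDocument* document) {
        if (!document)
            return;  // the "!document early return" the reviewer refers to
        for (auto it = m_textMarkerNodes.begin(); it != m_textMarkerNodes.end();) {
            ToyNode* node = *it;
            if (node->inDocument() && &node->document() == document)
                it = m_textMarkerNodes.erase(it);
            else
                ++it;
        }
    }

    // Variant B, the reviewer's suggestion:
    //   !node->inDocument() || &node->document() == document
    // Detached nodes go too, so the cache never retains a pointer to a node
    // that no document owns any more.
    void clearIncludingDetached(const ToyDocument* document) {
        if (!document)
            return;
        for (auto it = m_textMarkerNodes.begin(); it != m_textMarkerNodes.end();) {
            ToyNode* node = *it;
            if (!node->inDocument() || &node->document() == document)
                it = m_textMarkerNodes.erase(it);
            else
                ++it;
        }
    }
};

enum class Variant { KeepDetached, IncludeDetached };

// Constructed sample: one node in docA, one in docB, one detached node.
// Clears the cache for docA (or for a null document when clearNullDocument is
// set, exercising the early return) and returns how many entries survive.
std::size_t remainingAfterClear(Variant variant, bool clearNullDocument = false) {
    ToyDocument docA, docB;
    ToyNode inA, inB, detached;
    inA.owner = &docA;
    inB.owner = &docB;
    ToyTextMarkerCache cache;
    cache.m_textMarkerNodes = {&inA, &inB, &detached};
    const ToyDocument* target = clearNullDocument ? nullptr : &docA;
    if (variant == Variant::KeepDetached)
        cache.clearKeepingDetached(target);
    else
        cache.clearIncludingDetached(target);
    return cache.m_textMarkerNodes.size();
}

int main() {
    // Variant A leaves the docB node and the detached node (2 entries);
    // variant B leaves only the docB node (1 entry);
    // a null document changes nothing either way (3 entries).
    bool ok = remainingAfterClear(Variant::KeepDetached) == 2
        && remainingAfterClear(Variant::IncludeDetached) == 1
        && remainingAfterClear(Variant::KeepDetached, true) == 3;
    return ok ? 0 : 1;
}
```

The order of the operands matters in both variants: `inDocument()` is evaluated first so that `document()` is never reached for a detached node, which is the assertion the backtrace shows firing.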
chris fleizach
Comment 4 2014-08-28 11:01:15 PDT