Bug 42652

Summary: CrashTracer: [USER] 300 crashes in Safari at com.apple.WebCore: WebCore::AccessibilityTable::isTableExposableThroughAccessibility + 573
Product: WebKit
Component: Accessibility
Status: RESOLVED FIXED
Severity: Normal
Priority: P2
Version: 528+ (Nightly build)
Hardware: PC
OS: OS X 10.5
Reporter: chris fleizach <cfleizach>
Assignee: chris fleizach <cfleizach>
CC: bdakin
Keywords: InRadar
Attachments: Patch (flags: bdakin: review+)

Description chris fleizach 2010-07-20 10:45:17 PDT
55 com.apple.WebCore:  WebCore::AccessibilityTable::AccessibilityTable + 94 <==
          55 com.apple.WebCore:  WebCore::AccessibilityTable::create + 50
            55 com.apple.WebCore:  WebCore::AXObjectCache::getOrCreate + 1066
              28 com.apple.WebCore:  WebCore::AccessibilityTableCell::isTableCell const + 13
              | 28 com.apple.WebCore:  WebCore::AccessibilityTableCell::roleValue const + 21
              |   28 com.apple.WebCore:  WebCore::AccessibilityRenderObject::ariaLiveRegionStatus const + 96
              |     28 com.apple.WebCore:  WebCore::AccessibilityObject::supportsARIALiveRegion const + 18
              |       28 com.apple.WebCore:  WebCore::AccessibilityRenderObject::contentChanged + 72
              |         28 com.apple.WebCore:  WebCore::StyledElement::attributeChanged + 331
              |           28 com.apple.WebCore:  WebCore::NamedNodeMap::addAttribute + 119
              |             26 com.apple.WebCore:  WebCore::Element::setAttribute + 594
              |             | 26 com.apple.WebCore:  WebCore::Element::setAttribute + 17
              |             |   26 com.apple.WebCore:  WebCore::setJSHTMLElementTitle + 102
              |             |     26 com.apple.WebCore:  WebCore::JSHTMLElement::put + 186
              |             |       26 com.apple.WebCore:  WebCore::JSHTMLTableCellElement::put + 133
Comment 1 chris fleizach 2010-07-20 10:46:49 PDT
This can happen when you remove a row from a table, then add a row, then modify an attribute on the new row.

That will cause the AccessibilityTable to see if it should be exposed as a table. That in turn will look at its grid of cells, accessing the row that was removed.

The solution is that we cannot use getOrCreate in contentChanged(). We can only access AX elements already created.
Comment 2 chris fleizach 2010-07-20 12:19:57 PDT
Actually, a better solution is that the table cell should not getOrCreate its parent. It should only get its parent.

There are no real user cases where a table cell will be created in AX before its AXTable is created.
Comment 3 chris fleizach 2010-07-20 12:24:05 PDT
Created attachment 62099
Patch
Comment 4 Beth Dakin 2010-07-20 14:09:07 PDT
Comment on attachment 62099
Patch

r=me!
Comment 5 chris fleizach 2010-07-20 14:35:40 PDT
http://trac.webkit.org/changeset/63774
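
The difference between the two lookups discussed in Comments 1 and 2, as an added example that is not WebKit code and not part of the patch. `Node`, `AXObject`, `AXCache` and `replayAttributeChange` are toy stand-ins, and the removed row is modeled with an `attached` flag rather than a freed pointer so the example stays well-defined.

```cpp
#include <map>
#include <memory>
#include <vector>

// Toy stand-ins (assumptions, not WebKit types). `attached == false` models a
// row that was removed but is still reachable from the table's stale grid.
struct Node {
    Node* parent = nullptr;
    std::vector<Node*> children;
    bool attached = true;
};
struct AXObject { Node* node = nullptr; };

class AXCache {
public:
    int staleRowsTouched = 0;  // rows a real engine would have dereferenced after removal
    // Lookup only: never constructs, so it cannot walk the tree mid-mutation.
    AXObject* get(Node* n) {
        auto it = m_objects.find(n);
        return it == m_objects.end() ? nullptr : it->second.get();
    }

    // Lookup or construct: construction walks the node's rows, as the table
    // constructor in the crash trace does when it is created on demand.
    AXObject* getOrCreate(Node* n) {
        if (AXObject* existing = get(n)) return existing;
        for (Node* row : n->children)
            if (!row->attached) ++staleRowsTouched;
        auto obj = std::make_unique<AXObject>();
        obj->node = n;
        return (m_objects[n] = std::move(obj)).get();
    }
private:
    std::map<Node*, std::unique_ptr<AXObject>> m_objects;
};

// Replays the sequence from Comment 1: remove a row, add a row, change an
// attribute on a cell in the new row, at which point the cell asks for its
// parent table. Returns how many stale rows that request touched.
int replayAttributeChange(bool cellCreatesParent) {
    Node table, oldRow, newRow, cell;
    table.children = {&oldRow};
    oldRow.attached = false;            // row removed; grid entry not yet pruned
    table.children.push_back(&newRow);  // row added
    newRow.parent = &table;
    cell.parent = &newRow;
    AXCache cache;
    if (cellCreatesParent) cache.getOrCreate(cell.parent->parent);
    else cache.get(cell.parent->parent);  // lookup only: returns null, nothing is built
    return cache.staleRowsTouched;
}
```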