Bug 44149

Summary: AX: Images within anchors causes crash
Product: WebKit
Reporter: Chris Guillory <ctguil>
Component: Accessibility
Assignee: chris fleizach <cfleizach>
Status: RESOLVED FIXED
Severity: Normal
CC: cfleizach, webkit.review.bot
Priority: P2
Version: 528+ (Nightly build)
Hardware: PC
OS: OS X 10.5
Attachments:
Description | Flags
Layout Test | ctguil: review-
anchor-with-image-causes-crash-stderr.txt | none
Similar Layout Test - divs within anchors | none
Layout Tests that actually causes a crash | none
Patch | none

Description Chris Guillory 2010-08-17 19:34:52 PDT
Created attachment 64662 [details]
Layout Test

The Chromium renderer is crashing:
http://code.google.com/p/chromium/issues/detail?id=52538

I've attached a layout test that reproduces the crash. This looks similar to the crash from
https://bugs.webkit.org/show_bug.cgi?id=42309
Comment 1 chris fleizach 2010-08-18 12:36:16 PDT
chris, i'm not getting a crash with this test on ToT (on a Snow Leopard Mac). Can you attach the crash log?
Comment 2 Chris Guillory 2010-08-20 13:39:36 PDT
Created attachment 64986 [details]
anchor-with-image-causes-crash-stderr.txt

Hey Chris. Not sure how I missed your message in email. Is this the file you wanted? I'm seeing the crash on Vista and my checkout is at r65572.
Comment 3 chris fleizach 2010-08-20 13:45:24 PDT
ah, something caught by the new assert. might be a new case not properly handled. still doesn't explain why it didn't crash for me
Comment 4 Chris Guillory 2010-08-20 14:35:16 PDT
Looking at this again I'm only seeing the assert being hit and no crash occurring (if I remove the assert) for the layout test. Can you see the assert being hit in debug mode?
Comment 5 chris fleizach 2010-08-20 14:39:10 PDT
i was pretty sure i ran my unit test in debug mode, so it should have asserted there and crashed. i must have done something wrong
Comment 6 chris fleizach 2010-08-23 10:47:32 PDT
crashing for me too now
Comment 7 chris fleizach 2010-09-10 18:02:51 PDT
i've been looking at what could be related

when you have code like

<ul>
<li style="display: inline;"><a href="http:"><img style="display: block;" src="" width="200" height="100"></a></li>
<li style="display: inline;"><a href="http:"><img  style="display: block;" src=""  width="200" height="100"></a></li>
<li style="display: inline;"><a href="http:"><img  style="display: block;" src="" width="200" height="100"></a></li>
</ul>

the <ul> reports that it has four children. there's a continuation that points to the 2nd image. 

the problem is that i don't know if it's a logic error in nextSibling(), an unaccounted case, or there's an issue in how continuations are stored in renderers.
Comment 8 Chris Guillory 2010-09-13 14:10:42 PDT
Created attachment 67469 [details]
Similar Layout Test - divs within anchors

Original URL: http://o.aolcdn.com/cdn.webmail.aol.com/mailtour/affinity/en-us/
Comment 9 Chris Guillory 2010-09-15 18:44:07 PDT
Created attachment 67756 [details]
Layout Tests that actually causes a crash

This layout test actually causes a crash.
Comment 10 Dominic Mazzoni 2011-09-09 15:14:36 PDT
Created attachment 106928 [details]
Patch
Comment 11 chris fleizach 2011-09-09 15:55:08 PDT
Comment on attachment 106928 [details]
Patch

this looks ok to me, can you also check if this fixes
https://bugs.webkit.org/show_bug.cgi?id=58930
r=me
Comment 12 WebKit Review Bot 2011-09-09 16:23:30 PDT
Comment on attachment 106928 [details]
Patch

Clearing flags on attachment: 106928

Committed r94888: <http://trac.webkit.org/changeset/94888>
Comment 13 WebKit Review Bot 2011-09-09 16:23:35 PDT
All reviewed patches have been landed.  Closing bug.