Bug 45927

Summary: AX: CrashTracer: 1,382 crashes in Safari at com.apple.WebCore: WebCore::VisiblePosition::canonicalPosition + 78
Product: WebKit Reporter: chris fleizach <cfleizach>
Component: AccessibilityAssignee: chris fleizach <cfleizach>
Status: RESOLVED FIXED    
Severity: Normal CC: bdakin, eric, rniwa, simon.fraser, webkit.review.bot
Priority: P2    
Version: 528+ (Nightly build)   
Hardware: PC   
OS: OS X 10.5   
Attachments:
Description Flags
patch
none
patch
eric: review-
patch bdakin: review+

chris fleizach
Reported 2010-09-16 15:41:53 PDT
A lot of crashes for this one. What happens is when someone holds onto a AXTextMarker and then tries to do something with it after the node that the text marker references is deallocated. we need a way to know whether a node is gone or not before trying to make a VisiblePosition out of it
Attachments
patch (29.39 KB, patch)
2010-09-16 15:50 PDT, chris fleizach 		no flags
DetailsFormatted DiffDiff
patch (29.38 KB, patch)
2010-09-16 16:00 PDT, chris fleizach 		eric: review-
DetailsFormatted DiffDiff
patch (29.45 KB, patch)
2010-09-20 10:09 PDT, chris fleizach 		bdakin: review+
DetailsFormatted DiffDiff
Show Obsolete (2) View All Add attachment proposed patch, testcase, etc.
chris fleizach
Comment 1 2010-09-16 15:50:46 PDT
Created attachment 67850 [details] patch The solution in this patch is: The AXObjectCache instance now keeps a HashSet of Node's being used. When a node becomes deallocated, it removes itself from the HashSet. When creating a VisiblePosition from an AXTextMarker, the cache can then check if the node is valid before proceeding.
WebKit Review Bot
Comment 2 2010-09-16 15:57:30 PDT
Attachment 67850 [details] did not pass style-queue: Failed to run "['WebKitTools/Scripts/check-webkit-style']" exit_code: 1 WebCore/dom/Node.cpp:30: Alphabetical sorting problem. [build/include_order] [4] Total errors found: 1 in 10 files If any of these errors are false positives, please file a bug against check-webkit-style.
chris fleizach
Comment 3 2010-09-16 16:00:36 PDT
Created attachment 67852 [details] patch
Eric Seidel (no email)
Comment 4 2010-09-18 23:22:33 PDT
The mac EWS hung processing this patch. Suggesting it failed to build (we have a subprocess problem with our python, wherby if the subprocess -- in this case buildw-ebkit -- produces to much output, we deadlock. Workign on a fix.)
Eric Seidel (no email)
Comment 5 2010-09-20 01:04:42 PDT
Comment on attachment 67852 [details] patch The EWS is hanging on this patch, suggesting it's a build failure. I'm still trying to diagnose the EWS hang and get you a build log, but for now i'm setting r- to not hang the queue overnight. If this builds fine on your mac, feel free to set r? again and if the queue hangs that's my fault and I'll deal. :)
Eric Seidel (no email)
Comment 6 2010-09-20 01:04:59 PDT
FYI the Mac EWS is currently Mac Leopard.
chris fleizach
Comment 7 2010-09-20 01:06:13 PDT
(In reply to comment #5) > (From update of attachment 67852 [details]) > The EWS is hanging on this patch, suggesting it's a build failure. I'm still trying to diagnose the EWS hang and get you a build log, but for now i'm setting r- to not hang the queue overnight. > > If this builds fine on your mac, feel free to set r? again and if the queue hangs that's my fault and I'll deal. :) SnowLeopard was building for me. Possible it was leopard related.
chris fleizach
Comment 8 2010-09-20 10:09:41 PDT
Created attachment 68101 [details] patch had no problems compiling this morning after updating. let's see if this compiles.
chris fleizach
Comment 9 2010-09-20 11:14:25 PDT
looks like it built on mac alright now
Simon Fraser (smfr)
Comment 10 2010-09-27 17:55:53 PDT
Comment on attachment 68101 [details] patch View in context: https://bugs.webkit.org/attachment.cgi?id=68101&action=review > WebCore/dom/Node.cpp:386 > + m_document->axObjectCache()->removeNodeForUse(this); What's the performance impact of this? For whom is AXObjectCache::accessibilityEnabled() true?
chris fleizach
Comment 11 2010-09-27 18:01:33 PDT
(In reply to comment #10) > (From update of attachment 68101 [details]) > View in context: https://bugs.webkit.org/attachment.cgi?id=68101&action=review > > > WebCore/dom/Node.cpp:386 > > + m_document->axObjectCache()->removeNodeForUse(this); > > What's the performance impact of this? For whom is AXObjectCache::accessibilityEnabled() true? Non that was noticeable. We're already doing the same thing for all RenderObjects, which hasn't proved to be a perf. bottleneck. so at worse this will be 2x what the RenderObject code imposes, but most likely will be less, since we don't need to actually store very many Nodes, so that HashMap will generally be small accessibilityEnabled() only turns on when someone is using VoiceOver (or a screen reader) or using something accessing the accessibility info. so for the vast majority of customers, this is a no-op.
chris fleizach
Comment 12 2010-09-28 10:59:58 PDT
http://trac.webkit.org/changeset/68541
Note You need to log in before you can comment on or make changes to this bug.