Bug 75279

Summary: Crash in the WebKit accessibility code while attempting to retrieve the title UI element.
Product: WebKit Reporter: Ananta Iyengar <ananta>
Component: AccessibilityAssignee: Nobody <webkit-unassigned>
Status: RESOLVED FIXED    
Severity: Normal CC: cfleizach, rniwa, webkit.review.bot
Priority: P2    
Version: 528+ (Nightly build)   
Hardware: Unspecified   
OS: Unspecified   
Attachments:
Description Flags
proposed patch
none
proposed patch with description updated
none
Patch with review comments addressed none

Ananta Iyengar
Reported 2011-12-27 16:43:21 PST
We have been seeing this crash in Chromium with accessibility enabled. The chromium bug is here http://crbug.com/108508(Logged against Chromeframe tests which enable webkit accessibility). Debugging revealed that the crash occurs in the AccessibilityRenderObject::titleUIElement method because of a NULL node being returned by the underlying RenderObject. Debugging this function revealed that the RenderObject can return a NULL node pointer at times(if it is anonymous). We should check for a NULL node here. Will upload a patch in a bit
Attachments
proposed patch (1.59 KB, patch)
2011-12-27 19:55 PST, Ananta Iyengar 		no flags
DetailsFormatted DiffDiff
proposed patch with description updated (1.61 KB, patch)
2011-12-27 20:03 PST, Ananta Iyengar 		no flags
DetailsFormatted DiffDiff
Patch with review comments addressed (1.60 KB, patch)
2011-12-27 20:08 PST, Ananta Iyengar 		no flags
DetailsFormatted DiffDiff
Show Obsolete (2) View All Add attachment proposed patch, testcase, etc.
Ananta Iyengar
Comment 1 2011-12-27 19:55:28 PST
Created attachment 120629 [details] proposed patch
Ryosuke Niwa
Comment 2 2011-12-27 20:02:05 PST
Comment on attachment 120629 [details] proposed patch View in context: https://bugs.webkit.org/attachment.cgi?id=120629&action=review > Source/WebCore/ChangeLog:3 > + https://bugs.webkit.org/show_bug.cgi?id=75279 You need to have a bug summary "Crash in the WebKit accessibility code while attempting to retrieve the title UI element." directly above the bug url. See other change log entries. > Source/WebCore/ChangeLog:5 > + Fix a crash in the the WebKit accessibility code which occurs while retrieving > + the title UI clement. The fix is to NULL check the RenderObject::node return value. This line should appear below "Reviewed by" followed by a blank line. See other change log entries. > Source/WebCore/ChangeLog:10 > + No tests added as other functions in the AccessibilityRenderObject class NULL check > + the RenderObject::node return value. Please explain why you're not adding a test instead of saying you're mimicking other null checks.
Ananta Iyengar
Comment 3 2011-12-27 20:03:28 PST
Created attachment 120630 [details] proposed patch with description updated
Ananta Iyengar
Comment 4 2011-12-27 20:08:07 PST
Created attachment 120631 [details] Patch with review comments addressed
chris fleizach
Comment 5 2011-12-27 21:15:00 PST
Comment on attachment 120631 [details] Patch with review comments addressed why is there no layout test for this one?
chris fleizach
Comment 6 2011-12-27 21:17:27 PST
you should be able to make this happen by inserting some html that will create an anonymous render block, and then ask for the title ui element of that anonymous element. i'm tempted to review- this because there is no layout test
WebKit Review Bot
Comment 7 2011-12-27 21:29:19 PST
Comment on attachment 120631 [details] Patch with review comments addressed Clearing flags on attachment: 120631 Committed r103757: <http://trac.webkit.org/changeset/103757>
WebKit Review Bot
Comment 8 2011-12-27 21:29:23 PST
All reviewed patches have been landed. Closing bug.
Ryosuke Niwa
Comment 9 2011-12-27 21:48:26 PST
(In reply to comment #5) > (From update of attachment 120631 [details]) > why is there no layout test for this one? This was causing some Chromium UI tests to fail but we didn't have a reduction in the form of a layout test. Ananta told me he's looking into creating a layout test next year.
Note You need to log in before you can comment on or make changes to this bug.