Bug 96530

Summary: Assert hit in isMultiSelectable()
Product: WebKit
Reporter: chris fleizach <cfleizach>
Component: Accessibility
Assignee: Dominic Mazzoni <dmazzoni>
Severity: Normal
CC: dmazzoni, zan
Priority: P2
Version: 528+ (Nightly build)
Hardware: Unspecified
OS: Unspecified
Description Flags
Patch cfleizach: review+

Description chris fleizach 2012-09-12 09:20:25 PDT
I think this is a regression from the recent node change made a few minutes ago

Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_INVALID_ADDRESS at address: 0x00000000bbadbeef
0x0000000103630d3e in WebCore::toHTMLSelectElement (node=0x7fe9882d4a00) at HTMLSelectElement.h:207
207	    ASSERT(!node || isHTMLSelectElement(node));
(gdb) bt
#0  0x0000000103630d3e in WebCore::toHTMLSelectElement (node=0x7fe9882d4a00) at HTMLSelectElement.h:207
#1  0x00000001036140b7 in WebCore::AccessibilityNodeObject::isMultiSelectable (this=0x7fe9838b32f0) at AccessibilityNodeObject.cpp:625
#2  0x000000010362829d in WebCore::AccessibilityRenderObject::ariaSelectedRows (this=0x7fe9838b32f0, result=@0x7fff5e4de0a0) at AccessibilityRenderObject.cpp:2820

Problem looks like we're not verifying that the node is a Select element

bool AccessibilityNodeObject::isMultiSelectable() const
{
    const AtomicString& ariaMultiSelectable = getAttribute(aria_multiselectableAttr);
    if (equalIgnoringCase(ariaMultiSelectable, "true"))
        return true;
    if (equalIgnoringCase(ariaMultiSelectable, "false"))
        return false;
    // Only null is ruled out here; the node's type is not checked before the cast.
    return node() && toHTMLSelectElement(node())->multiple();
}
Comment 1 chris fleizach 2012-09-12 09:21:35 PDT
Looks like we lost this

    if (!m_renderer->isBoxModelObject() || !toRenderBoxModelObject(m_renderer)->isListBox())
        return false;
Comment 2 Dominic Mazzoni 2012-09-12 09:34:22 PDT
I'll roll out and fix.
Comment 3 chris fleizach 2012-09-12 09:37:53 PDT
I would just fix this one rather than rolling out if you can get to it quickly enough.
Comment 4 Dominic Mazzoni 2012-09-12 09:49:05 PDT
Created attachment 163650 [details]
Comment 5 chris fleizach 2012-09-12 09:50:24 PDT
Comment on attachment 163650 [details]

Thanks for quick turn-around. You might want to mention in ChangeLog where this breakage came from (i.e. refactoring...)
Comment 6 Dominic Mazzoni 2012-09-12 09:56:43 PDT
Committed r128332: <http://trac.webkit.org/changeset/128332>
Comment 7 Dominic Mazzoni 2012-09-12 11:38:35 PDT
*** Bug 96534 has been marked as a duplicate of this bug. ***
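
The missing type check discussed in this report, as an added C++ sketch that is not WebKit code and not the patch committed in r128332. `Node`, `SelectElement`, `toSelectElement` and `AXObject` are simplified stand-ins, and the attribute comparison is case-sensitive for brevity. It shows why an assertion-only check leaves a blind downcast once assertions are compiled out, next to a form that tests the type before casting.

```cpp
// Added illustration: simplified stand-ins, not WebKit source.
#include <cassert>
#include <string>

struct Node {
    virtual ~Node() = default;
    virtual bool isSelectElement() const { return false; }
};

struct SelectElement : Node {
    explicit SelectElement(bool multiple) : m_multiple(multiple) {}
    bool isSelectElement() const override { return true; }
    bool multiple() const { return m_multiple; }
    bool m_multiple;
};

// Same shape as toHTMLSelectElement(): the type check lives only in an
// assertion, so a build with assertions disabled performs a blind downcast.
inline const SelectElement* toSelectElement(const Node* node) {
    assert(!node || node->isSelectElement());
    return static_cast<const SelectElement*>(node);
}

// Hypothetical stand-in for AccessibilityNodeObject; ariaValue models the
// aria-multiselectable attribute ("" when absent).
struct AXObject {
    const Node* node;
    std::string ariaValue;

    // Pattern from the report: only null is ruled out before the cast.
    // Safe to call only when node is null or really is a SelectElement.
    bool isMultiSelectableUnchecked() const {
        if (ariaValue == "true") return true;
        if (ariaValue == "false") return false;
        return node && toSelectElement(node)->multiple();
    }

    // Guarded form: prove the dynamic type first, then cast.
    bool isMultiSelectableChecked() const {
        if (ariaValue == "true") return true;
        if (ariaValue == "false") return false;
        if (!node || !node->isSelectElement()) return false;
        return toSelectElement(node)->multiple();
    }
};
```

With assertions enabled, calling the unchecked form on a non-select node stops at the assertion, as in the backtrace above; with assertions disabled the same call reads `m_multiple` through a pointer to the wrong type.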