112525 – AXObjectCache gets recreated during document tear-down

RESOLVED FIXED112525

AXObjectCache gets recreated during document tear-down

https://bugs.webkit.org/show_bug.cgi?id=112525

Summary AXObjectCache gets recreated during document tear-down

Simon Fraser (smfr)

Reported 2013-03-17 16:22:05 PDT

Was debugging LayoutTests/accessibility/accessibility-node-reparent.html in DRT. Document::detach() does: if (this == topDocument()) clearAXObjectCache(); [Aside: why doesn't it unconditionally clear it? Only the top document should have one, so if this isn't the top document, it shouldn't have had one anyway] A few lines down, it then does: ContainerNode::detach(); which makes a new AXObjectCache frame #0: 0x0000000101aa59f2 WebCore`WebCore::AXObjectCache::AXObjectCache(WebCore::Document const*) + 210 at AXObjectCache.cpp:110 frame #1: 0x0000000101aa590d WebCore`WebCore::AXObjectCache::AXObjectCache(WebCore::Document const*) + 29 at AXObjectCache.cpp:111 frame #2: 0x0000000101f2efd1 WebCore`WebCore::Document::axObjectCache() const + 209 at Document.cpp:2225 frame #3: 0x000000010305f92b WebCore`WebCore::RenderObject::willBeDestroyed() + 283 at RenderObject.cpp:2421 frame #4: 0x000000010301e6a2 WebCore`WebCore::RenderLayerModelObject::willBeDestroyed() + 162 at RenderLayerModelObject.cpp:90 frame #5: 0x0000000102f420c9 WebCore`WebCore::RenderBoxModelObject::willBeDestroyed() + 153 at RenderBoxModelObject.cpp:339 frame #6: 0x0000000102f1b6cd WebCore`WebCore::RenderBox::willBeDestroyed() + 61 at RenderBox.cpp:167 frame #7: 0x0000000102e94042 WebCore`WebCore::RenderBlock::willBeDestroyed() + 578 at RenderBlock.cpp:303 frame #8: 0x00000001030600dd WebCore`WebCore::RenderObject::destroy() + 29 at RenderObject.cpp:2575 frame #9: 0x000000010305fff6 WebCore`WebCore::RenderObject::destroyAndCleanupAnonymousWrappers() + 54 at RenderObject.cpp:2553 frame #10: 0x0000000102da5bf5 WebCore`WebCore::Node::detach() + 149 at Node.cpp:1114 frame #11: 0x0000000101cf01ab WebCore`WebCore::ContainerNode::detach() + 43 at ContainerNode.cpp:834 frame #12: 0x0000000102145f40 WebCore`WebCore::Element::detach() + 288 at Element.cpp:1310 frame #13: 0x0000000101cf2e07 WebCore`WebCore::ContainerNode::detachChildren() + 55 at ContainerNode.h:219 frame #14: 0x0000000101cf0199 WebCore`WebCore::ContainerNode::detach() + 25 at ContainerNode.cpp:832 frame #15: 0x0000000102145f40 WebCore`WebCore::Element::detach() + 288 at Element.cpp:1310 frame #16: 0x0000000101cf2e07 WebCore`WebCore::ContainerNode::detachChildren() + 55 at ContainerNode.h:219 frame #17: 0x0000000101cf0199 WebCore`WebCore::ContainerNode::detach() + 25 at ContainerNode.cpp:832 frame #18: 0x0000000102145f40 WebCore`WebCore::Element::detach() + 288 at Element.cpp:1310 frame #19: 0x0000000101cf2e07 WebCore`WebCore::ContainerNode::detachChildren() + 55 at ContainerNode.h:219 frame #20: 0x0000000101cf0199 WebCore`WebCore::ContainerNode::detach() + 25 at ContainerNode.cpp:832 frame #21: 0x0000000102145f40 WebCore`WebCore::Element::detach() + 288 at Element.cpp:1310 frame #22: 0x0000000101cf2e07 WebCore`WebCore::ContainerNode::detachChildren() + 55 at ContainerNode.h:219 frame #23: 0x0000000101cf0199 WebCore`WebCore::ContainerNode::detach() + 25 at ContainerNode.cpp:832 frame #24: 0x0000000101f2e9fd WebCore`WebCore::Document::detach() + 637 at Document.cpp:2152 Maybe this explains the crashes (bug 112523).

Attachments
patch (26.74 KB, patch) 2013-03-18 10:17 PDT, chris fleizach	no flags	Details Formatted Diff Diff
patch (26.72 KB, patch) 2013-03-18 10:21 PDT, chris fleizach	abarth: review-	Details Formatted Diff Diff
patch (37.55 KB, patch) 2013-03-18 15:12 PDT, chris fleizach	no flags	Details Formatted Diff Diff
patch (37.55 KB, patch) 2013-03-18 15:30 PDT, chris fleizach	simon.fraser: review+ webkit.review.bot: commit-queue-	Details Formatted Diff Diff
patch (40.49 KB, patch) 2013-03-18 17:46 PDT, chris fleizach	webkit.review.bot: commit-queue-	Details Formatted Diff Diff
patch (40.48 KB, patch) 2013-03-18 22:40 PDT, chris fleizach	webkit.review.bot: commit-queue-	Details Formatted Diff Diff
patch (40.53 KB, patch) 2013-03-18 23:40 PDT, chris fleizach	webkit.review.bot: commit-queue-	Details Formatted Diff Diff
patch (37.64 KB, patch) 2013-03-21 08:45 PDT, chris fleizach	webkit.review.bot: commit-queue-	Details Formatted Diff Diff
Archive of layout-test-results from gce-cr-linux-07 (524.10 KB, application/zip) 2013-03-21 10:18 PDT, WebKit Review Bot	no flags	Details
patch (37.73 KB, patch) 2013-03-21 12:33 PDT, chris fleizach	webkit.review.bot: commit-queue-	Details Formatted Diff Diff
Archive of layout-test-results from gce-cr-linux-03 (985.48 KB, application/zip) 2013-03-21 14:10 PDT, WebKit Review Bot	no flags	Details
patch (38.30 KB, patch) 2013-03-21 15:38 PDT, chris fleizach	webkit.review.bot: commit-queue-	Details Formatted Diff Diff
Archive of layout-test-results from gce-cr-linux-03 (918.26 KB, application/zip) 2013-03-21 17:16 PDT, WebKit Review Bot	no flags	Details
patch (38.29 KB, patch) 2013-03-21 17:31 PDT, chris fleizach	webkit.review.bot: commit-queue-	Details Formatted Diff Diff
Archive of layout-test-results from gce-cr-linux-01 (8.03 MB, application/zip) 2013-03-21 18:51 PDT, WebKit Review Bot	no flags	Details
Archive of layout-test-results from gce-cr-linux-04 (876.20 KB, application/zip) 2013-03-21 20:14 PDT, WebKit Review Bot	no flags	Details
patch (40.45 KB, patch) 2013-03-22 17:58 PDT, chris fleizach	no flags	Details Formatted Diff Diff
Show Obsolete (11) View All Add attachment proposed patch, testcase, etc.

chris fleizach

Comment 1 2013-03-17 23:03:03 PDT

(In reply to comment #0) > Was debugging LayoutTests/accessibility/accessibility-node-reparent.html in DRT. > > Document::detach() does: > if (this == topDocument()) > clearAXObjectCache(); > > [Aside: why doesn't it unconditionally clear it? Only the top document should have one, so if this isn't the top document, it shouldn't have had one anyway] > It looks like clearAXObjectCache() does topDocument()->m_axObjectCache.release(); So we wouldn't want to do that for every document that is detached. > A few lines down, it then does: > ContainerNode::detach(); > which makes a new AXObjectCache > > frame #0: 0x0000000101aa59f2 WebCore`WebCore::AXObjectCache::AXObjectCache(WebCore::Document const*) + 210 at AXObjectCache.cpp:110 > frame #1: 0x0000000101aa590d WebCore`WebCore::AXObjectCache::AXObjectCache(WebCore::Document const*) + 29 at AXObjectCache.cpp:111 > frame #2: 0x0000000101f2efd1 WebCore`WebCore::Document::axObjectCache() const + 209 at Document.cpp:2225 > frame #3: 0x000000010305f92b WebCore`WebCore::RenderObject::willBeDestroyed() + 283 at RenderObject.cpp:2421 > frame #4: 0x000000010301e6a2 WebCore`WebCore::RenderLayerModelObject::willBeDestroyed() + 162 at RenderLayerModelObject.cpp:90 > frame #5: 0x0000000102f420c9 WebCore`WebCore::RenderBoxModelObject::willBeDestroyed() + 153 at RenderBoxModelObject.cpp:339 > frame #6: 0x0000000102f1b6cd WebCore`WebCore::RenderBox::willBeDestroyed() + 61 at RenderBox.cpp:167 > frame #7: 0x0000000102e94042 WebCore`WebCore::RenderBlock::willBeDestroyed() + 578 at RenderBlock.cpp:303 > frame #8: 0x00000001030600dd WebCore`WebCore::RenderObject::destroy() + 29 at RenderObject.cpp:2575 > frame #9: 0x000000010305fff6 WebCore`WebCore::RenderObject::destroyAndCleanupAnonymousWrappers() + 54 at RenderObject.cpp:2553 > frame #10: 0x0000000102da5bf5 WebCore`WebCore::Node::detach() + 149 at Node.cpp:1114 > frame #11: 0x0000000101cf01ab WebCore`WebCore::ContainerNode::detach() + 43 at ContainerNode.cpp:834 > frame #12: 0x0000000102145f40 WebCore`WebCore::Element::detach() + 288 at Element.cpp:1310 > frame #13: 0x0000000101cf2e07 WebCore`WebCore::ContainerNode::detachChildren() + 55 at ContainerNode.h:219 > frame #14: 0x0000000101cf0199 WebCore`WebCore::ContainerNode::detach() + 25 at ContainerNode.cpp:832 > frame #15: 0x0000000102145f40 WebCore`WebCore::Element::detach() + 288 at Element.cpp:1310 > frame #16: 0x0000000101cf2e07 WebCore`WebCore::ContainerNode::detachChildren() + 55 at ContainerNode.h:219 > frame #17: 0x0000000101cf0199 WebCore`WebCore::ContainerNode::detach() + 25 at ContainerNode.cpp:832 > frame #18: 0x0000000102145f40 WebCore`WebCore::Element::detach() + 288 at Element.cpp:1310 > frame #19: 0x0000000101cf2e07 WebCore`WebCore::ContainerNode::detachChildren() + 55 at ContainerNode.h:219 > frame #20: 0x0000000101cf0199 WebCore`WebCore::ContainerNode::detach() + 25 at ContainerNode.cpp:832 > frame #21: 0x0000000102145f40 WebCore`WebCore::Element::detach() + 288 at Element.cpp:1310 > frame #22: 0x0000000101cf2e07 WebCore`WebCore::ContainerNode::detachChildren() + 55 at ContainerNode.h:219 > frame #23: 0x0000000101cf0199 WebCore`WebCore::ContainerNode::detach() + 25 at ContainerNode.cpp:832 > frame #24: 0x0000000101f2e9fd WebCore`WebCore::Document::detach() + 637 at Document.cpp:2152 > > Maybe this explains the crashes (bug 112523). (In reply to comment #0) > Was debugging LayoutTests/accessibility/accessibility-node-reparent.html in DRT. > > Document::detach() does: > if (this == topDocument()) > clearAXObjectCache(); > > [Aside: why doesn't it unconditionally clear it? Only the top document should have one, so if this isn't the top document, it shouldn't have had one anyway] > > A few lines down, it then does: > ContainerNode::detach(); > which makes a new AXObjectCache > > frame #0: 0x0000000101aa59f2 WebCore`WebCore::AXObjectCache::AXObjectCache(WebCore::Document const*) + 210 at AXObjectCache.cpp:110 > frame #1: 0x0000000101aa590d WebCore`WebCore::AXObjectCache::AXObjectCache(WebCore::Document const*) + 29 at AXObjectCache.cpp:111 > frame #2: 0x0000000101f2efd1 WebCore`WebCore::Document::axObjectCache() const + 209 at Document.cpp:2225 > frame #3: 0x000000010305f92b WebCore`WebCore::RenderObject::willBeDestroyed() + 283 at RenderObject.cpp:2421 > frame #4: 0x000000010301e6a2 WebCore`WebCore::RenderLayerModelObject::willBeDestroyed() + 162 at RenderLayerModelObject.cpp:90 > frame #5: 0x0000000102f420c9 WebCore`WebCore::RenderBoxModelObject::willBeDestroyed() + 153 at RenderBoxModelObject.cpp:339 > frame #6: 0x0000000102f1b6cd WebCore`WebCore::RenderBox::willBeDestroyed() + 61 at RenderBox.cpp:167 > frame #7: 0x0000000102e94042 WebCore`WebCore::RenderBlock::willBeDestroyed() + 578 at RenderBlock.cpp:303 > frame #8: 0x00000001030600dd WebCore`WebCore::RenderObject::destroy() + 29 at RenderObject.cpp:2575 > frame #9: 0x000000010305fff6 WebCore`WebCore::RenderObject::destroyAndCleanupAnonymousWrappers() + 54 at RenderObject.cpp:2553 > frame #10: 0x0000000102da5bf5 WebCore`WebCore::Node::detach() + 149 at Node.cpp:1114 > frame #11: 0x0000000101cf01ab WebCore`WebCore::ContainerNode::detach() + 43 at ContainerNode.cpp:834 > frame #12: 0x0000000102145f40 WebCore`WebCore::Element::detach() + 288 at Element.cpp:1310 > frame #13: 0x0000000101cf2e07 WebCore`WebCore::ContainerNode::detachChildren() + 55 at ContainerNode.h:219 > frame #14: 0x0000000101cf0199 WebCore`WebCore::ContainerNode::detach() + 25 at ContainerNode.cpp:832 > frame #15: 0x0000000102145f40 WebCore`WebCore::Element::detach() + 288 at Element.cpp:1310 > frame #16: 0x0000000101cf2e07 WebCore`WebCore::ContainerNode::detachChildren() + 55 at ContainerNode.h:219 > frame #17: 0x0000000101cf0199 WebCore`WebCore::ContainerNode::detach() + 25 at ContainerNode.cpp:832 > frame #18: 0x0000000102145f40 WebCore`WebCore::Element::detach() + 288 at Element.cpp:1310 > frame #19: 0x0000000101cf2e07 WebCore`WebCore::ContainerNode::detachChildren() + 55 at ContainerNode.h:219 > frame #20: 0x0000000101cf0199 WebCore`WebCore::ContainerNode::detach() + 25 at ContainerNode.cpp:832 > frame #21: 0x0000000102145f40 WebCore`WebCore::Element::detach() + 288 at Element.cpp:1310 > frame #22: 0x0000000101cf2e07 WebCore`WebCore::ContainerNode::detachChildren() + 55 at ContainerNode.h:219 > frame #23: 0x0000000101cf0199 WebCore`WebCore::ContainerNode::detach() + 25 at ContainerNode.cpp:832 > frame #24: 0x0000000101f2e9fd WebCore`WebCore::Document::detach() + 637 at Document.cpp:2152 > > Maybe this explains the crashes (bug 112523).

Simon Fraser (smfr)

Comment 2 2013-03-18 08:34:14 PDT

And here's a hang under the accessibility notification firing: http://build.webkit.org/results/Apple%20MountainLion%20Debug%20WK2%20(Tests)/r146065%20(7868)/svg/wicd/sizing-flakiness-sample.txt

chris fleizach

Comment 3 2013-03-18 10:17:49 PDT

Created attachment 193595 [details] patch

WebKit Review Bot

Comment 4 2013-03-18 10:20:24 PDT

Attachment 193595 [details] did not pass style-queue: Failed to run "['Tools/Scripts/check-webkit-style', '--diff-files', u'Source/WebCore/ChangeLog', u'Source/WebCore/dom/Document.cpp', u'Source/WebCore/dom/Element.cpp', u'Source/WebCore/editing/DeleteFromTextNodeCommand.cpp', u'Source/WebCore/editing/Editor.cpp', u'Source/WebCore/editing/InsertIntoTextNodeCommand.cpp', u'Source/WebCore/editing/InsertNodeBeforeCommand.cpp', u'Source/WebCore/editing/mac/FrameSelectionMac.mm', u'Source/WebCore/html/HTMLInputElement.cpp', u'Source/WebCore/html/HTMLSelectElement.cpp', u'Source/WebCore/html/HTMLTextFormControlElement.cpp', u'Source/WebCore/html/InputType.cpp', u'Source/WebCore/html/RangeInputType.cpp', u'Source/WebCore/loader/FrameLoader.cpp', u'Source/WebCore/page/FocusController.cpp', u'Source/WebCore/page/FrameView.cpp', u'Source/WebCore/platform/ScrollView.cpp', u'Source/WebCore/platform/Scrollbar.cpp', u'Source/WebCore/platform/Scrollbar.h', u'Source/WebCore/rendering/RenderBlock.cpp', u'Source/WebCore/rendering/RenderListBox.cpp', u'Source/WebCore/rendering/RenderMenuList.cpp', u'Source/WebCore/rendering/RenderObject.cpp', u'Source/WebCore/rendering/RenderObjectChildList.cpp', u'Source/WebCore/rendering/RenderWidget.cpp']" exit_code: 1 Source/WebCore/platform/Scrollbar.h:178: Weird number of spaces at line-start. Are you using a 4-space indent? [whitespace/indent] [3] Total errors found: 1 in 25 files If any of these errors are false positives, please file a bug against check-webkit-style.

Adam Barth

Comment 5 2013-03-18 10:21:17 PDT

Comment on attachment 193595 [details] patch View in context: https://bugs.webkit.org/attachment.cgi?id=193595&action=review > Source/WebCore/dom/Document.cpp:2214 > + if (!topDocument()->renderer()) > + return false; This doesn't seem like the right thing to check here.

chris fleizach

Comment 6 2013-03-18 10:21:35 PDT

Created attachment 193597 [details] patch

Adam Barth

Comment 7 2013-03-18 10:22:23 PDT

Comment on attachment 193597 [details] patch View in context: https://bugs.webkit.org/attachment.cgi?id=193597&action=review > Source/WebCore/dom/Document.cpp:2214 > + if (!topDocument()->renderer()) > + return false; Same comment as before. I think you want to check whether the Document is detached from the Frame.

Simon Fraser (smfr)

Comment 8 2013-03-18 10:32:12 PDT

Comment on attachment 193597 [details] patch View in context: https://bugs.webkit.org/attachment.cgi?id=193597&action=review > Source/WebCore/dom/Document.cpp:2209 > // Clear the cache member variable before calling delete because attempts > // are made to access it during destruction. > - topDocument()->m_axObjectCache.release(); > + topDocument()->m_axObjectCache.clear(); > } Can we rename this entire function, or never call it on the non-top document? It's really confusing that it can clear the cache on a doc that may not be this one. > Source/WebCore/dom/Document.cpp:2211 > bool Document::axObjectCacheExists() const Maybe rename/change this one too. > Source/WebCore/dom/Element.cpp:879 > + if (AXObjectCache::accessibilityEnabled() && document()->axObjectCacheExists()) > document()->axObjectCache()->handleAttributeChanged(name, this); Another way to handle this is something like: if (AXObjectCache* cache = document()->existingAXObjectCache()) ... where existingAXObjectCache() does not create. I think that would be cleaner.

chris fleizach

Comment 9 2013-03-18 15:12:58 PDT

Created attachment 193670 [details] patch

chris fleizach

Comment 10 2013-03-18 15:13:24 PDT

(In reply to comment #9) > Created an attachment (id=193670) [details] > patch This patch makes provides a way to get the existing AX object cache, instead of always creating a new one. 12 It moves the accessibilityEnabled() checks into the axObjectCache retrieval for easier readability. 13 It adds a number of ASSERTS so that we can make sure only the right document is used in cache manipulation (ie. the top document).

WebKit Review Bot

Comment 11 2013-03-18 15:15:45 PDT

Attachment 193670 [details] did not pass style-queue: Failed to run "['Tools/Scripts/check-webkit-style', '--diff-files', u'Source/WebCore/ChangeLog', u'Source/WebCore/dom/ContainerNode.cpp', u'Source/WebCore/dom/Document.cpp', u'Source/WebCore/dom/Document.h', u'Source/WebCore/dom/Element.cpp', u'Source/WebCore/dom/Node.cpp', u'Source/WebCore/editing/AppendNodeCommand.cpp', u'Source/WebCore/editing/DeleteFromTextNodeCommand.cpp', u'Source/WebCore/editing/Editor.cpp', u'Source/WebCore/editing/InsertIntoTextNodeCommand.cpp', u'Source/WebCore/editing/InsertNodeBeforeCommand.cpp', u'Source/WebCore/editing/mac/FrameSelectionMac.mm', u'Source/WebCore/html/HTMLInputElement.cpp', u'Source/WebCore/html/HTMLSelectElement.cpp', u'Source/WebCore/html/HTMLTextFormControlElement.cpp', u'Source/WebCore/html/InputType.cpp', u'Source/WebCore/html/RangeInputType.cpp', u'Source/WebCore/loader/FrameLoader.cpp', u'Source/WebCore/page/FocusController.cpp', u'Source/WebCore/page/Frame.cpp', u'Source/WebCore/page/FrameView.cpp', u'Source/WebCore/platform/ScrollView.cpp', u'Source/WebCore/platform/Scrollbar.cpp', u'Source/WebCore/platform/Scrollbar.h', u'Source/WebCore/rendering/RenderBlock.cpp', u'Source/WebCore/rendering/RenderListBox.cpp', u'Source/WebCore/rendering/RenderMenuList.cpp', u'Source/WebCore/rendering/RenderObject.cpp', u'Source/WebCore/rendering/RenderObjectChildList.cpp', u'Source/WebCore/rendering/RenderText.cpp', u'Source/WebCore/rendering/RenderWidget.cpp']" exit_code: 1 Source/WebCore/page/FrameView.cpp:2508: Weird number of spaces at line-start. Are you using a 4-space indent? [whitespace/indent] [3] Source/WebCore/html/InputType.cpp:1017: Weird number of spaces at line-start. Are you using a 4-space indent? [whitespace/indent] [3] Total errors found: 2 in 31 files If any of these errors are false positives, please file a bug against check-webkit-style.

chris fleizach

Comment 12 2013-03-18 15:30:00 PDT

Created attachment 193672 [details] patch

Simon Fraser (smfr)

Comment 13 2013-03-18 15:54:23 PDT

Comment on attachment 193672 [details] patch View in context: https://bugs.webkit.org/attachment.cgi?id=193672&action=review > Source/WebCore/dom/ContainerNode.cpp:144 > + if (documentInternal()) { > + if (AXObjectCache* cache = documentInternal()->existingAXObjectCache()) > + cache->remove(this); > + } The destructor seems very late to do this. Why not ContainerNode::detach()? I assume that AXObjectCache doesn't hold refs to Node, otherwise there would be a ref cycle. > Source/WebCore/dom/Document.cpp:3488 > #if PLATFORM(MAC) || PLATFORM(WIN) || PLATFORM(GTK) || PLATFORM(CHROMIUM) Why just these?

WebKit Review Bot

Comment 14 2013-03-18 16:20:45 PDT

Comment on attachment 193672 [details] patch Attachment 193672 [details] did not pass chromium-ews (chromium-xvfb): Output: http://webkit-commit-queue.appspot.com/results/17136532 New failing tests: accessibility/disabled-controls-not-focusable.html accessibility/aria-hidden-update.html accessibility/canvas-fallback-content-2.html accessibility/canvas-accessibilitynodeobject.html accessibility/aria-readonly.html accessibility/canvas-description-and-role.html accessibility/canvas-fallback-content.html accessibility/aria-labelledby-on-input.html accessibility/color-well.html accessibility/crash-determining-aria-role-when-label-present.html accessibility/accessibility-node-reparent.html accessibility/button-title-uses-inner-img-alt.html accessibility/contenteditable-hidden-div.html accessibility/accessibility-object-detached.html accessibility/aria-labelledby-overrides-label.html accessibility/aria-link-supports-press.html accessibility/aria-labelledby-stay-within.html accessibility/aria-toggle-button-with-title.html accessibility/aria-slider-value.html accessibility/aria-hidden-updates-alldescendants.html accessibility/aria-scrollbar-role.html accessibility/aria-labelledby-overrides-aria-label.html accessibility/aria-describedby-on-input.html accessibility/aria-roles.html accessibility/accessibility-node-memory-management.html accessibility/aria-fallback-roles.html accessibility/dimensions-include-descendants.html accessibility/button-press-action.html accessibility/aria-help.html accessibility/aria-text-role.html

Adam Barth

Comment 15 2013-03-18 17:29:45 PDT

Comment on attachment 193672 [details] patch View in context: https://bugs.webkit.org/attachment.cgi?id=193672&action=review > Source/WebCore/dom/Document.cpp:2215 > + if (!UNLIKELY(AXObjectCache::accessibilityEnabled())) Does this UNLIKELY affect any performance measurements? If not, we should remove it. > Source/WebCore/dom/Document.cpp:2226 > + if (!UNLIKELY(AXObjectCache::accessibilityEnabled())) ditto > Source/WebCore/dom/Document.cpp:2237 > + ASSERT(topDocument->frame()); > + if (!topDocument->frame()) There's no reason to both ASSERT a condition and then handle its negation. Either the condition can occur or it can't. If it can, the ASSERT shouldn't be there. If it cannot, then the if-statement shouldn't be there.

chris fleizach

Comment 16 2013-03-18 17:35:03 PDT

(In reply to comment #13) > (From update of attachment 193672 [details]) > View in context: https://bugs.webkit.org/attachment.cgi?id=193672&action=review > > > Source/WebCore/dom/ContainerNode.cpp:144 > > + if (documentInternal()) { > > + if (AXObjectCache* cache = documentInternal()->existingAXObjectCache()) > > + cache->remove(this); > > + } > > The destructor seems very late to do this. Why not ContainerNode::detach()? > From the history I see https://bugs.webkit.org/show_bug.cgi?id=98073 "Calls axObjectCache()->remove(this) in ~ContainerNode so that the AX tree doesn't try to access the container node while walking up the parent chain from one of the container node's children." > I assume that AXObjectCache doesn't hold refs to Node, otherwise there would be a ref cycle. > > > Source/WebCore/dom/Document.cpp:3488 > > #if PLATFORM(MAC) || PLATFORM(WIN) || PLATFORM(GTK) || PLATFORM(CHROMIUM) > I don't know. I'm inclined to remove it. These are all the platforms that support accessibility, but it's not different than any other ax object cache call. > Why just these?

chris fleizach

Comment 17 2013-03-18 17:46:25 PDT

Created attachment 193705 [details] patch patch addresses Simon and Adam's latest comments Speculative fix for chromium

WebKit Review Bot

Comment 18 2013-03-18 18:36:25 PDT

Comment on attachment 193705 [details] patch Attachment 193705 [details] did not pass chromium-ews (chromium-xvfb): Output: http://webkit-commit-queue.appspot.com/results/17235094

WebKit Review Bot

Comment 19 2013-03-18 18:43:11 PDT

Comment on attachment 193705 [details] patch Attachment 193705 [details] did not pass cr-linux-debug-ews (chromium-xvfb): Output: http://webkit-commit-queue.appspot.com/results/17201751

Peter Beverloo (cr-android ews)

Comment 20 2013-03-18 19:00:21 PDT

Comment on attachment 193705 [details] patch Attachment 193705 [details] did not pass cr-android-ews (chromium-android): Output: http://webkit-commit-queue.appspot.com/results/17221365

Peter Beverloo (cr-android ews)

Comment 21 2013-03-18 19:52:25 PDT

Comment on attachment 193705 [details] patch Attachment 193705 [details] did not pass cr-android-ews (chromium-android): Output: http://webkit-commit-queue.appspot.com/results/17185425

chris fleizach

Comment 22 2013-03-18 22:40:02 PDT

Created attachment 193734 [details] patch

WebKit Review Bot

Comment 23 2013-03-18 23:37:16 PDT

Comment on attachment 193734 [details] patch Attachment 193734 [details] did not pass chromium-ews (chromium-xvfb): Output: http://webkit-commit-queue.appspot.com/results/17160623

chris fleizach

Comment 24 2013-03-18 23:40:09 PDT

Created attachment 193744 [details] patch

WebKit Review Bot

Comment 25 2013-03-19 00:27:59 PDT

Comment on attachment 193744 [details] patch Attachment 193744 [details] did not pass chromium-ews (chromium-xvfb): Output: http://webkit-commit-queue.appspot.com/results/17133368 New failing tests: accessibility/disabled-controls-not-focusable.html accessibility/aria-hidden-update.html accessibility/canvas-fallback-content-2.html accessibility/canvas-accessibilitynodeobject.html accessibility/aria-readonly.html accessibility/canvas-description-and-role.html accessibility/canvas-fallback-content.html accessibility/aria-labelledby-on-input.html accessibility/color-well.html accessibility/crash-determining-aria-role-when-label-present.html accessibility/accessibility-node-reparent.html accessibility/button-title-uses-inner-img-alt.html accessibility/contenteditable-hidden-div.html accessibility/accessibility-object-detached.html accessibility/aria-labelledby-overrides-label.html accessibility/aria-link-supports-press.html accessibility/aria-labelledby-stay-within.html accessibility/aria-toggle-button-with-title.html accessibility/aria-slider-value.html accessibility/aria-hidden-updates-alldescendants.html accessibility/aria-scrollbar-role.html accessibility/aria-labelledby-overrides-aria-label.html accessibility/aria-describedby-on-input.html accessibility/aria-roles.html accessibility/accessibility-node-memory-management.html accessibility/aria-fallback-roles.html accessibility/dimensions-include-descendants.html accessibility/button-press-action.html accessibility/aria-help.html accessibility/aria-text-role.html

chris fleizach

Comment 26 2013-03-19 00:35:06 PDT

Dom, can you take a look at this patch? Does anything make it look like it would make chrome fail so badly with this patch?

Build Bot

Comment 27 2013-03-19 03:26:30 PDT

Comment on attachment 193744 [details] patch Attachment 193744 [details] did not pass mac-wk2-ews (mac-wk2): Output: http://webkit-commit-queue.appspot.com/results/17187559 New failing tests: fast/css/sticky/sticky-both-sides.html fast/css/sticky/inline-sticky.html

Dominic Mazzoni

Comment 28 2013-03-19 16:32:33 PDT

I haven't figured out exactly what's going on, but for most tests, the first accessibility object tested fails, and subsequent ones succeed. I think focusedElement returns the accessible web area the first time, then from then on it succeeds. Some sort of initialization problem? aria-readonly.html: FAIL ariaTextBoxIsWritable should be true. Was false. PASS ariaReadOnlyAriaTextBoxIsWritable is false PASS ariaReadOnlyTextFieldIsWritable is false PASS ariaNonReadOnlyTextFieldIsWritable is true PASS htmlReadOnlyTextFieldIsWritable is false PASS textFieldIsWritable is true PASS htmlReadOnlyTextAreaIsWritable is false PASS textAreaIsWritable is true PASS successfullyParsed is true aria-roles.html: This test FAILS in DumpRenderTree. The ARIA role is AXRole: AXWebArea, but the real role is AXRole: AXCheckBox Hello This test PASSES in DumpRenderTree. The role is AXRole: AXButton This test PASSES in DumpRenderTree. The role is AXRole: AXHeading Hello This test PASSES in DumpRenderTree. The role is AXRole: AXLink This test PASSES in DumpRenderTree. The role is AXRole: AXRadioButton This test PASSES in DumpRenderTree. The role is AXRole: AXTextField This test PASSES in DumpRenderTree. The role is AXRole: AXImage This test PASSES in DumpRenderTree. The role is AXRole: AXList

chris fleizach

Comment 29 2013-03-19 16:37:07 PDT

(In reply to comment #28) > I haven't figured out exactly what's going on, but for most tests, the first accessibility object tested fails, and subsequent ones succeed. I think focusedElement returns the accessible web area the first time, then from then on it succeeds. > > Some sort of initialization problem? > > aria-readonly.html: > FAIL ariaTextBoxIsWritable should be true. Was false. > PASS ariaReadOnlyAriaTextBoxIsWritable is false > PASS ariaReadOnlyTextFieldIsWritable is false > PASS ariaNonReadOnlyTextFieldIsWritable is true > PASS htmlReadOnlyTextFieldIsWritable is false > PASS textFieldIsWritable is true > PASS htmlReadOnlyTextAreaIsWritable is false > PASS textAreaIsWritable is true > PASS successfullyParsed is true > > aria-roles.html: > This test FAILS in DumpRenderTree. The ARIA role is AXRole: AXWebArea, but the real role is AXRole: AXCheckBox > Hello This test PASSES in DumpRenderTree. The role is AXRole: AXButton > This test PASSES in DumpRenderTree. The role is AXRole: AXHeading > Hello This test PASSES in DumpRenderTree. The role is AXRole: AXLink > This test PASSES in DumpRenderTree. The role is AXRole: AXRadioButton > This test PASSES in DumpRenderTree. The role is AXRole: AXTextField > This test PASSES in DumpRenderTree. The role is AXRole: AXImage > This test PASSES in DumpRenderTree. The role is AXRole: AXList Thanks. It looks like there must be one case where we are actually relying on axObjectCache() to create the AXObjectCache for us instead of just retrieving the existing one.

chris fleizach

Comment 30 2013-03-21 08:45:34 PDT

Created attachment 194271 [details] patch This patch will create an AXObjectCache on focus change if necessary. Looking at the failing tests in chromium indicates that might be the reason why this is failing

WebKit Review Bot

Comment 31 2013-03-21 08:48:40 PDT

Attachment 194271 [details] did not pass style-queue: Failed to run "['Tools/Scripts/check-webkit-style', '--diff-files', u'Source/WebCore/ChangeLog', u'Source/WebCore/dom/ContainerNode.cpp', u'Source/WebCore/dom/Document.cpp', u'Source/WebCore/dom/Document.h', u'Source/WebCore/dom/Element.cpp', u'Source/WebCore/dom/Node.cpp', u'Source/WebCore/editing/AppendNodeCommand.cpp', u'Source/WebCore/editing/DeleteFromTextNodeCommand.cpp', u'Source/WebCore/editing/Editor.cpp', u'Source/WebCore/editing/InsertIntoTextNodeCommand.cpp', u'Source/WebCore/editing/InsertNodeBeforeCommand.cpp', u'Source/WebCore/editing/mac/FrameSelectionMac.mm', u'Source/WebCore/html/HTMLInputElement.cpp', u'Source/WebCore/html/HTMLSelectElement.cpp', u'Source/WebCore/html/HTMLTextFormControlElement.cpp', u'Source/WebCore/html/InputType.cpp', u'Source/WebCore/html/RangeInputType.cpp', u'Source/WebCore/loader/FrameLoader.cpp', u'Source/WebCore/page/FocusController.cpp', u'Source/WebCore/page/Frame.cpp', u'Source/WebCore/page/FrameView.cpp', u'Source/WebCore/platform/ScrollView.cpp', u'Source/WebCore/platform/Scrollbar.cpp', u'Source/WebCore/platform/Scrollbar.h', u'Source/WebCore/rendering/RenderBlock.cpp', u'Source/WebCore/rendering/RenderListBox.cpp', u'Source/WebCore/rendering/RenderMenuList.cpp', u'Source/WebCore/rendering/RenderObject.cpp', u'Source/WebCore/rendering/RenderObjectChildList.cpp', u'Source/WebCore/rendering/RenderText.cpp', u'Source/WebCore/rendering/RenderWidget.cpp']" exit_code: 1 Source/WebCore/ChangeLog:1: ChangeLog entry has no bug number [changelog/bugnumber] [5] Total errors found: 1 in 31 files If any of these errors are false positives, please file a bug against check-webkit-style.

WebKit Review Bot

Comment 32 2013-03-21 10:18:43 PDT

Comment on attachment 194271 [details] patch Attachment 194271 [details] did not pass chromium-ews (chromium-xvfb): Output: http://webkit-commit-queue.appspot.com/results/17206705 New failing tests: accessibility/disabled-controls-not-focusable.html accessibility/canvas-fallback-content-2.html platform/chromium/accessibility/add-to-menu-list-crashes.html accessibility/canvas-accessibilitynodeobject.html editing/selection/selection-invalid-offset.html accessibility/canvas-fallback-content.html platform/chromium/accessibility/readonly.html accessibility/menu-list-sends-change-notification.html

WebKit Review Bot

Comment 33 2013-03-21 10:18:47 PDT

Created attachment 194287 [details] Archive of layout-test-results from gce-cr-linux-07 The attached test failures were seen while running run-webkit-tests on the chromium-ews. Bot: gce-cr-linux-07 Port: <class 'webkitpy.common.config.ports.ChromiumXVFBPort'> Platform: Linux-3.3.8-gcg-201212281604-x86_64-with-GCEL-10.04-gcel_10.04

chris fleizach

Comment 34 2013-03-21 12:33:21 PDT

Created attachment 194317 [details] patch

WebKit Review Bot

Comment 35 2013-03-21 14:10:19 PDT

Comment on attachment 194317 [details] patch Attachment 194317 [details] did not pass chromium-ews (chromium-xvfb): Output: http://webkit-commit-queue.appspot.com/results/17147640 New failing tests: editing/selection/selection-invalid-offset.html

WebKit Review Bot

Comment 36 2013-03-21 14:10:23 PDT

Created attachment 194335 [details] Archive of layout-test-results from gce-cr-linux-03 The attached test failures were seen while running run-webkit-tests on the chromium-ews. Bot: gce-cr-linux-03 Port: <class 'webkitpy.common.config.ports.ChromiumXVFBPort'> Platform: Linux-3.3.8-gcg-201212281604-x86_64-with-GCEL-10.04-gcel_10.04

chris fleizach

Comment 37 2013-03-21 15:38:01 PDT

Created attachment 194366 [details] patch

WebKit Review Bot

Comment 38 2013-03-21 17:16:49 PDT

Comment on attachment 194366 [details] patch Attachment 194366 [details] did not pass chromium-ews (chromium-xvfb): Output: http://webkit-commit-queue.appspot.com/results/17216561 New failing tests: editing/selection/selection-invalid-offset.html

WebKit Review Bot

Comment 39 2013-03-21 17:16:55 PDT

Created attachment 194392 [details] Archive of layout-test-results from gce-cr-linux-03 The attached test failures were seen while running run-webkit-tests on the chromium-ews. Bot: gce-cr-linux-03 Port: <class 'webkitpy.common.config.ports.ChromiumXVFBPort'> Platform: Linux-3.3.8-gcg-201212281604-x86_64-with-GCEL-10.04-gcel_10.04

chris fleizach

Comment 40 2013-03-21 17:31:29 PDT

Created attachment 194397 [details] patch

WebKit Review Bot

Comment 41 2013-03-21 18:51:51 PDT

Comment on attachment 194397 [details] patch Attachment 194397 [details] did not pass chromium-ews (chromium-xvfb): Output: http://webkit-commit-queue.appspot.com/results/17215997 New failing tests: editing/selection/selection-invalid-offset.html

WebKit Review Bot

Comment 42 2013-03-21 18:51:57 PDT

Created attachment 194416 [details] Archive of layout-test-results from gce-cr-linux-01 The attached test failures were seen while running run-webkit-tests on the chromium-ews. Bot: gce-cr-linux-01 Port: <class 'webkitpy.common.config.ports.ChromiumXVFBPort'> Platform: Linux-3.3.8-gcg-201212281604-x86_64-with-GCEL-10.04-gcel_10.04

WebKit Review Bot

Comment 43 2013-03-21 20:14:37 PDT

Comment on attachment 194397 [details] patch Attachment 194397 [details] did not pass chromium-ews (chromium-xvfb): Output: http://webkit-commit-queue.appspot.com/results/17144564 New failing tests: editing/selection/selection-invalid-offset.html

WebKit Review Bot

Comment 44 2013-03-21 20:14:43 PDT

Created attachment 194428 [details] Archive of layout-test-results from gce-cr-linux-04 The attached test failures were seen while running run-webkit-tests on the chromium-ews. Bot: gce-cr-linux-04 Port: <class 'webkitpy.common.config.ports.ChromiumXVFBPort'> Platform: Linux-3.3.8-gcg-201212281604-x86_64-with-GCEL-10.04-gcel_10.04

chris fleizach

Comment 45 2013-03-22 17:58:52 PDT

Created attachment 194672 [details] patch Thanks Dom for the chromium help!

chris fleizach

Comment 46 2013-03-24 00:40:13 PDT

http://trac.webkit.org/changeset/146726

Note You need to log in before you can comment on or make changes to this bug.

Status RESOLVED

Resolution FIXED

Priority P2

Severity Normal

Classification Unclassified

Version 528+ (Nightly build)

Hardware Unspecified

OS Unspecified

Product WebKit

Component Accessibility

Assignee

chris fleizach

Reported

2013-03-17 16:22 PDT

Modified

2013-03-24 00:40 PDT History

CC List

20 users Show

URL

Keywords

Depends on

Blocks

abarth
aboxhall
apinheiro
bdakin
buildbot
cfleizach
cmarcelo
dglazkov
dmazzoni
eric
esprehn+autocc
japhet
jdiggs
mifenton
ojan.autocc
peter+ews
rniwa
simon.fraser
tkent
webkit.review.bot