RESOLVED FIXED 122572
AX: Crash at WebCore::accessibleNameForNode when visiting Facebook 
https://bugs.webkit.org/show_bug.cgi?id=122572
Summary AX: Crash at WebCore::accessibleNameForNode when visiting Facebook
chris fleizach
Reported 2013-10-09 13:46:57 PDT
> 1 com.apple.WebCore 0x10bdb025f WebCore::accessibleNameForNode(WebCore::Node*) + 0x12f (AccessibilityNodeObject.cpp:1806) 2 com.apple.WebCore 0x10bdb00e0 WebCore::AccessibilityNodeObject::accessibilityDescriptionForElements(WTF::Vector<WebCore::Element*, 0ul, WTF::CrashOnOverflow>&) const + 0x80 (AccessibilityNodeObject.cpp:1825) 3 com.apple.WebCore 0x10bdb0579 WebCore::AccessibilityNodeObject::ariaLabeledByAttribute() const + 0x49 (AccessibilityNodeObject.cpp:1877) 4 com.apple.WebCore 0x10bdae4f3 WebCore::AccessibilityNodeObject::ariaLabeledByText(WTF::Vector<WebCore::AccessibilityText, 0ul, WTF::CrashOnOverflow>&) const + 0x43 (AccessibilityNodeObject.cpp:1379) 5 com.apple.WebCore 0x10bdadf25 WebCore::AccessibilityNodeObject::alternativeText(WTF::Vector<WebCore::AccessibilityText, 0ul, WTF::CrashOnOverflow>&) const + 0xb5 (AccessibilityNodeObject.cpp:1236) 6 com.apple.WebCore 0x10bdaed03 WebCore::AccessibilityNodeObject::accessibilityText(WTF::Vector<WebCore::AccessibilityText, 0ul, WTF::CrashOnOverflow>&) + 0x43 (AccessibilityNodeObject.cpp:1368) 7 com.apple.WebCore 0x10d7725fd -[WebAccessibilityObjectWrapperBase accessibilityDescription] + 0xbd (WebAccessibilityObjectWrapperBase.mm:198) 8 com.apple.WebCore 0x10d77d195 -[WebAccessibilityObjectWrapper accessibilityAttributeValue:] + 0x1625 (WebAccessibilityObjectWrapperMac.mm:2177) 9 com.apple.AppKit 0x7fff8884feb1 -[NSObject(NSAccessibilityInternal) _accessibilityValueForAttribute:clientError:] + 0xf2 10 com.apple.AppKit 0x7fff88853f7d <rdar://problem/15189506>
Attachments
patch (4.13 KB, patch)
2013-10-09 14:42 PDT, chris fleizach 		no flags
DetailsFormatted DiffDiff
View All Add attachment proposed patch, testcase, etc.
chris fleizach
Comment 1 2013-10-09 13:47:32 PDT
Looks like they're probably doing something like <button aria-labeledby="item"> <div id="item" style="display:none">data</div>
chris fleizach
Comment 2 2013-10-09 14:42:37 PDT
Created attachment 213818 [details] patch
Mario Sanchez Prada
Comment 3 2013-10-10 03:29:29 PDT
Comment on attachment 213818 [details] patch View in context: https://bugs.webkit.org/attachment.cgi?id=213818&action=review > Source/WebCore/accessibility/AccessibilityNodeObject.cpp:1814 > - String text = node->document().axObjectCache()->getOrCreate(node)->textUnderElement(); > + // If the node can be turned into an AX object, we can use standard name computation rules. > + // If however, the node cannot (because there's no renderer e.g.) fallback to using the basic text underneath. > + AccessibilityObject* axObject = node->document().axObjectCache()->getOrCreate(node); > + String text; > + if (axObject) > + text = axObject->textUnderElement(); > + else if (node->isElementNode()) > + text = toElement(node)->innerText(); > + I wonder if we could fix this issue in a different way, by making AXObjectCache::getOrCreate(Node* node) able to handle this kind of situation, creating a AccessibilityNodeObject that wraps that not rendered node inside. What do you think?
chris fleizach
Comment 4 2013-10-10 05:56:54 PDT
(In reply to comment #3) > (From update of attachment 213818 [details]) > View in context: https://bugs.webkit.org/attachment.cgi?id=213818&action=review > > > Source/WebCore/accessibility/AccessibilityNodeObject.cpp:1814 > > - String text = node->document().axObjectCache()->getOrCreate(node)->textUnderElement(); > > + // If the node can be turned into an AX object, we can use standard name computation rules. > > + // If however, the node cannot (because there's no renderer e.g.) fallback to using the basic text underneath. > > + AccessibilityObject* axObject = node->document().axObjectCache()->getOrCreate(node); > > + String text; > > + if (axObject) > > + text = axObject->textUnderElement(); > > + else if (node->isElementNode()) > > + text = toElement(node)->innerText(); > > + > > I wonder if we could fix this issue in a different way, by making AXObjectCache::getOrCreate(Node* node) able to handle this kind of situation, creating a AccessibilityNodeObject that wraps that not rendered node inside. > > What do you think? Certainly getOrCreate could return an object, but there's a bit of code to ensure we only return a AXNode based object under certain conditions (either in a canvas or aria-hidden=false). Hard for me to say if there's any negative consequence of doing that. It might allow more elements into the tree than we would like... For example, we definitely don't want to add objects that are just hidden to the tree, as in <div style="display:none;"> sub tree here </div> So it could be done, but I am less sure of the consequences of doing that right now. Thoughts
Mario Sanchez Prada
Comment 5 2013-10-10 06:04:39 PDT
Comment on attachment 213818 [details] patch (In reply to comment #4) > > I wonder if we could fix this issue in a different way, by making > > AXObjectCache::getOrCreate(Node* node) able to handle this kind of situation, > > creating a AccessibilityNodeObject that wraps that not rendered node inside. > > > > What do you think? > > Certainly getOrCreate could return an object, but there's a bit of code > to ensure we only return a AXNode based object under certain conditions > (either in a canvas or aria-hidden=false). Hard for me to say if there's > any negative consequence of doing that. It might allow more elements > into the tree than we would like... > Yes, I've seen that code and it's not clear to me either. That's why I ask. > For example, we definitely don't want to add objects that are just hidden > to the tree, as in <div style="display:none;"> sub tree here </div> > Agreed. > So it could be done, but I am less sure of the consequences of doing that > right now. > Fair enough. Let's give this a try then :)
WebKit Commit Bot
Comment 6 2013-10-10 06:41:19 PDT
Comment on attachment 213818 [details] patch Clearing flags on attachment: 213818 Committed r157221: <http://trac.webkit.org/changeset/157221>
WebKit Commit Bot
Comment 7 2013-10-10 06:41:21 PDT
All reviewed patches have been landed. Closing bug.
Note You need to log in before you can comment on or make changes to this bug.