Bug 127439 - AX: Disable accessibility after every test run
Summary: AX: Disable accessibility after every test run
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: Accessibility (show other bugs)
Version: 528+ (Nightly build)
Hardware: All All
: P2 Normal
Assignee: chris fleizach
URL:
Keywords: InRadar
: 127411 127429 (view as bug list)
Depends on:
Blocks:
 
Reported: 2014-01-22 11:52 PST by chris fleizach
Modified: 2014-02-06 09:29 PST (History)
17 users (show)

See Also:


Attachments
patch (14.76 KB, patch)
2014-01-22 15:33 PST, chris fleizach
ap: review+
Details | Formatted Diff | Diff
patch that uses WebCoreTestSupport (6.91 KB, patch)
2014-01-25 23:06 PST, chris fleizach
no flags Details | Formatted Diff | Diff
patch that uses WebCoreTestSupport (6.91 KB, patch)
2014-01-25 23:12 PST, chris fleizach
no flags Details | Formatted Diff | Diff
patch that uses WebCoreTestSupport (6.90 KB, patch)
2014-01-25 23:17 PST, chris fleizach
no flags Details | Formatted Diff | Diff
patch (7.83 KB, patch)
2014-01-26 14:51 PST, chris fleizach
no flags Details | Formatted Diff | Diff
patch (1.79 KB, patch)
2014-01-26 23:08 PST, chris fleizach
no flags Details | Formatted Diff | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description chris fleizach 2014-01-22 11:52:06 PST
We shouldn't have the accessibility infrastructure running during every test because there are some subtle differences that are exposing problems that don't affect customers.

While we resolve those subtle differences, we should reset accessibility for each test
Comment 1 Radar WebKit Bug Importer 2014-01-22 11:52:24 PST
<rdar://problem/15883227>
Comment 2 chris fleizach 2014-01-22 15:33:49 PST
Created attachment 221915 [details]
patch
Comment 3 chris fleizach 2014-01-22 17:25:13 PST
Comment on attachment 221915 [details]
patch

View in context: https://bugs.webkit.org/attachment.cgi?id=221915&action=review

> Source/WebCore/dom/Document.cpp:-2179
> -    if (!AXObjectCache::accessibilityEnabled())

If there was an axObjectCache we may still need to return it after we disabled accessibility in order to finish cleaning up
Comment 4 Alexey Proskuryakov 2014-01-22 22:55:30 PST
Comment on attachment 221915 [details]
patch

View in context: https://bugs.webkit.org/attachment.cgi?id=221915&action=review

r=me as is, however please consider using Internals instead.

> Source/WebKit/mac/WebView/WebFrame.mm:2171
> +- (void)accessibilitySetEnabled:(BOOL)enabled

AXObjectCache is a WebCore class, so it's a better to expose the accessors via Internals, not via private APIs - unless it has uses besides testing.

That way, you only need to do it once, not for each port, and there is no risk of someone starting to use the API and forcing us to support it in the future.
Comment 5 chris fleizach 2014-01-22 23:29:01 PST
(In reply to comment #4)
> (From update of attachment 221915 [details])
> View in context: https://bugs.webkit.org/attachment.cgi?id=221915&action=review
> 
> r=me as is, however please consider using Internals instead.
> 
> > Source/WebKit/mac/WebView/WebFrame.mm:2171
> > +- (void)accessibilitySetEnabled:(BOOL)enabled
> 
> AXObjectCache is a WebCore class, so it's a better to expose the accessors via Internals, not via private APIs - unless it has uses besides testing.
> 
> That way, you only need to do it once, not for each port, and there is no risk of someone starting to use the API and forcing us to support it in the future.

Ok, i'll look into that
Comment 6 chris fleizach 2014-01-24 12:48:57 PST
(In reply to comment #4)
> (From update of attachment 221915 [details])
> View in context: https://bugs.webkit.org/attachment.cgi?id=221915&action=review
> 
> r=me as is, however please consider using Internals instead.
> 
> > Source/WebKit/mac/WebView/WebFrame.mm:2171
> > +- (void)accessibilitySetEnabled:(BOOL)enabled
> 
> AXObjectCache is a WebCore class, so it's a better to expose the accessors via Internals, not via private APIs - unless it has uses besides testing.
> 
> That way, you only need to do it once, not for each port, and there is no risk of someone starting to use the API and forcing us to support it in the future.

Internals looks like it's only available through the layout tests (with JS) and not from the DRT app itself. Is that correct?
Comment 7 Alexey Proskuryakov 2014-01-24 19:18:43 PST
I think that there is some code that's used from C++, please see code that calls WebCoreTestSupport functions, such as WebCoreTestSupport::resetInternalsObject().
Comment 8 chris fleizach 2014-01-25 23:06:29 PST
Created attachment 222259 [details]
patch that uses WebCoreTestSupport
Comment 9 chris fleizach 2014-01-25 23:12:48 PST
Created attachment 222260 [details]
patch that uses WebCoreTestSupport
Comment 10 WebKit Commit Bot 2014-01-25 23:15:43 PST
Attachment 222260 [details] did not pass style-queue:


ERROR: Source/WebCore/testing/Internals.cpp:32:  Alphabetical sorting problem.  [build/include_order] [4]
Total errors found: 1 in 5 files


If any of these errors are false positives, please file a bug against check-webkit-style.
Comment 11 chris fleizach 2014-01-25 23:17:26 PST
Created attachment 222261 [details]
patch that uses WebCoreTestSupport
Comment 12 Alexey Proskuryakov 2014-01-26 00:09:24 PST
Windows build fails:

     1>WebCoreTestSupport.lib(Internals.obj) : error LNK2001: unresolved external symbol "private: static bool WebCore::AXObjectCache::gAccessibilityEnabled" (?gAccessibilityEnabled@AXObjectCache@WebCore@@0_NA)
Comment 13 chris fleizach 2014-01-26 00:13:07 PST
(In reply to comment #12)
> Windows build fails:
> 
>      1>WebCoreTestSupport.lib(Internals.obj) : error LNK2001: unresolved external symbol "private: static bool WebCore::AXObjectCache::gAccessibilityEnabled" (?gAccessibilityEnabled@AXObjectCache@WebCore@@0_NA)

This is already in WebCore.exp.in

__ZN7WebCore13AXObjectCache21gAccessibilityEnabledE


Is there something different that needs to happen for Win?
Comment 14 Alexey Proskuryakov 2014-01-26 10:44:03 PST
I think that it should be added to Source/WebKit/WebKit.vcxproj/WebKitExportGenerator/WebKitExports.def.in for Windows.
Comment 15 chris fleizach 2014-01-26 14:51:28 PST
Created attachment 222286 [details]
patch
Comment 16 chris fleizach 2014-01-26 15:36:22 PST
http://trac.webkit.org/changeset/162816
Comment 17 chris fleizach 2014-01-26 15:38:12 PST
*** Bug 127411 has been marked as a duplicate of this bug. ***
Comment 18 chris fleizach 2014-01-26 15:38:37 PST
*** Bug 127429 has been marked as a duplicate of this bug. ***
Comment 19 Gyuyoung Kim 2014-01-26 19:54:41 PST
EFL layout test has broken since r162816. http://build.webkit.org/builders/EFL%20Linux%2064-bit%20Release%20WK2/builds/12643
Comment 20 chris fleizach 2014-01-26 22:52:42 PST
(In reply to comment #19)
> EFL layout test has broken since r162816. http://build.webkit.org/builders/EFL%20Linux%2064-bit%20Release%20WK2/builds/12643

16:26:47.487 23905 WebProcess crash, pid = None, error_line = #CRASHED - WebProcess
16:26:47.488 23905 killed pid 24304
16:26:47.512 23905 worker/6 compositing/absolute-position-changed-in-composited-layer.html crashed, (stderr lines):
16:26:47.512 23905   1   0x7f31384cdc08
16:26:47.512 23905   2   0x7f313885d0b0
16:26:47.512 23905   3   0x7f3136582dbc WebCore::AXObjectCache::get(WebCore::Widget*)
16:26:47.513 23905   4   0x7f313658629c WebCore::AXObjectCache::getOrCreate(WebCore::Widget*)
16:26:47.513 23905   5   0x7f31365985ba WebCore::AccessibilityObject::parentObjectUnignored() const
16:26:47.513 23905   6   0x7f31375babe7 WebCore::AXObjectCache::attachWrapper(WebCore::AccessibilityObject*)
16:26:47.513 23905   7   0x7f313658757d WebCore::AXObjectCache::getOrCreate(WebCore::RenderObject*)
16:26:47.513 23905   8   0x7f3136587b80 WebCore::AXObjectCache::frameLoadingEventNotification(WebCore::Frame*, WebCore::AXObjectCache::AXLoadingEvent)
16:26:47.513 23905   9   0x7f3136a30260 WebCore::FrameLoader::continueLoadAfterWillSubmitForm()
16:26:47.513 23905   10  0x7f3136a36c40 WebCore::FrameLoader::continueLoadAfterNavigationPolicy(WebCore::ResourceRequest const&, WTF::PassRefPtr<WebCore::FormState>, bool)
16:26:47.513 23905   11  0x7f3136a36c84
16:26:47.513 23905   12  0x7f3136a4cba1 WebCore::PolicyCallback::call(bool)
16:26:47.513 23905   13  0x7f3136a5384f WebCore::PolicyChecker::continueAfterNavigationPolicy(WebCore::PolicyAction)
16:26:47.513 23905   14  0x7f3138f03aba WebKit::WebFrameLoaderClient::dispatchDecidePolicyForNavigationAction(WebCore::NavigationAction const&, WebCore::ResourceRequest const&, WTF::PassRefPtr<WebCore::FormState>, std::function<void (WebCore::PolicyAction)>)
16:26:47.513 23905   15  0x7f3136a50bea WebCore::PolicyChecker::checkNavigationPolicy(WebCore::ResourceRequest const&, WebCore::DocumentLoader*, WTF::PassRefPtr<WebCore::FormState>, std::function<void (WebCore::ResourceRequest const&, WTF::PassRefPtr<WebCore::FormState>, bool)>)
16:26:47.513 23905   16  0x7f3136a37206 WebCore::FrameLoader::loadWithDocumentLoader(WebCore::DocumentLoader*, WebCore::FrameLoadType, WTF::PassRefPtr<WebCore::FormState>)
16:26:47.513 23905   17  0x7f3136a3759a WebCore::FrameLoader::load(WebCore::DocumentLoader*)
16:26:47.513 23905   18  0x7f3136a3c35b WebCore::FrameLoader::load(WebCore::FrameLoadRequest const&)
16:26:47.513 23905   19  0x7f3138f282ac WebKit::WebPage::loadURLRequest(WebCore::ResourceRequest const&, WebKit::SandboxExtension::Handle const&, IPC::MessageDecoder&)
16:26:47.513 23905   20  0x7f3138f28701 WebKit::WebPage::loadURL(WTF::String const&, WebKit::SandboxExtension::Handle const&, IPC::MessageDecoder&)
16:26:47.513 23905   21  0x7f3138f9f811 void IPC::handleMessageVariadic<Messages::WebPage::LoadURL, WebKit::WebPage, void (WebKit::WebPage::*)(WTF::String const&, WebKit::SandboxExtension::Handle const&, IPC::MessageDecoder&)>(IPC::MessageDecoder&, WebKit::WebPage*, void (WebKit::WebPage::*)(WTF::String const&, WebKit::SandboxExtension::Handle const&, IPC::MessageDecoder&))
16:26:47.513 23905   22  0x7f3138fa3d7b WebKit::WebPage::didReceiveWebPageMessage(IPC::Connection*, IPC::MessageDecoder&)
16:26:47.513 23905   23  0x7f3138dabc55 IPC::MessageReceiverMap::dispatchMessage(IPC::Connection*, IPC::MessageDecoder&)
16:26:47.513 23905   24  0x7f3138eaaa15 WebKit::WebProcess::didReceiveMessage(IPC::Connection*, IPC::MessageDecoder&)
16:26:47.513 23905   25  0x7f3138da545e IPC::Connection::dispatchMessage(std::unique_ptr<IPC::MessageDecoder, std::default_delete<IPC::MessageDecoder> >)
16:26:47.514 23905   26  0x7f3138da55bf IPC::Connection::dispatchOneMessage()
16:26:47.514 23905   27  0x7f3138fa702f WTF::RunLoop::performWork()
1
Comment 21 chris fleizach 2014-01-26 23:08:45 PST
Created attachment 222304 [details]
patch 

Speculative fix. 

My guess is that  this assert is being hit

AXID axID = m_widgetObjectMapping.get(widget);
    ASSERT(!HashTraits<AXID>::isDeletedValue(axID));

I'm not sure why however right now.
Comment 22 Csaba Osztrogonác 2014-01-27 04:34:27 PST
Comment on attachment 222304 [details]
patch 

r=me, I can confirm it fixes the EFL crashes.
Comment 23 Csaba Osztrogonác 2014-01-27 04:35:49 PST
Comment on attachment 222304 [details]
patch 

Clearing flags on attachment: 222304

Committed r162834: <http://trac.webkit.org/changeset/162834>
Comment 24 Csaba Osztrogonác 2014-01-27 04:35:59 PST
All reviewed patches have been landed.  Closing bug.
Comment 25 Csaba Osztrogonác 2014-01-27 05:11:14 PST
(In reply to comment #16)
> http://trac.webkit.org/changeset/162816

It broke the Apple Windows bot too: http://build.webkit.org/builders/Apple%20Win%207%20Debug%20%28Tests%29/builds/57518 , but unfortunately
the Windows bots don't provide any useful information about the problem.

( http://trac.webkit.org/changeset/162834 didn't fix the Windows bot,
only the GTK and EFL )
Comment 26 chris fleizach 2014-01-27 09:23:16 PST
(In reply to comment #25)
> (In reply to comment #16)
> > http://trac.webkit.org/changeset/162816
> 
> It broke the Apple Windows bot too: http://build.webkit.org/builders/Apple%20Win%207%20Debug%20%28Tests%29/builds/57518 , but unfortunately
> the Windows bots don't provide any useful information about the problem.
> 
> ( http://trac.webkit.org/changeset/162834 didn't fix the Windows bot,
> only the GTK and EFL )

Hopefully someone will be able to post the crash log!
Comment 27 Michal Pakula vel Rutka 2014-02-06 08:37:31 PST
<http://trac.webkit.org/changeset/162834> did not fixed all tests on EFL WK2, still there are around 15 tests crashing. There are two types of crashes:

#0  0x00007ffff052c95a in std::unique_ptr<WebCore::AXComputedObjectAttributeCache, std::default_delete<WebCore::AXComputedObjectAttributeCache> >::get (this=0xd0) at /usr/include/c++/4.7/bits/unique_ptr.h:223
#1  0x00007ffff055b056 in WebCore::AXObjectCache::computedObjectAttributeCache (this=0x0) at /home/michal/source/WebKit/Source/WebCore/accessibility/AXObjectCache.h:211
#2  0x00007ffff0559b22 in WebCore::AccessibilityObject::accessibilityIsIgnored (this=0x776e80) at /home/michal/source/WebKit/Source/WebCore/accessibility/AccessibilityObject.cpp:2105
#3  0x00007ffff0559820 in WebCore::AccessibilityObject::notifyIfIgnoredValueChanged (this=0x776e80) at /home/michal/source/WebKit/Source/WebCore/accessibility/AccessibilityObject.cpp:2018
#4  0x00007ffff052a3f4 in WebCore::AXObjectCache::recomputeIsIgnored (this=0x813b20, renderer=0x82ebb0) at /home/michal/source/WebKit/Source/WebCore/accessibility/AXObjectCache.cpp:905
#5  0x00007ffff0fab3da in WebCore::RenderBlock::deleteLines (this=0x82ebb0) at /home/michal/source/WebKit/Source/WebCore/rendering/RenderBlock.cpp:920
#6  0x00007ffff0fe2795 in WebCore::RenderBlockFlow::deleteLines (this=0x82ebb0) at /home/michal/source/WebKit/Source/WebCore/rendering/RenderBlockFlow.cpp:1906
#7  0x00007ffff0fabce6 in WebCore::RenderBlock::collapseAnonymousBoxChild (parent=0xa1cba0, child=0x82ebb0) at /home/michal/source/WebKit/Source/WebCore/rendering/RenderBlock.cpp:1084
#8  0x00007ffff0fac171 in WebCore::RenderBlock::removeChild (this=0xa1cba0, oldChild=...) at /home/michal/source/WebKit/Source/WebCore/rendering/RenderBlock.cpp:1160

second:

#0  0x00007ffff0533d4c in WTF::HashTable<WebCore::RenderObject*, WTF::KeyValuePair<WebCore::RenderObject*, unsigned int>, WTF::KeyValuePairKeyExtractor<WTF::KeyValuePair<WebCore::RenderObject*, unsigned int> >, WTF::PtrHash<WebCore::RenderObject*>, WTF::HashMap<WebCore::RenderObject*, unsigned int, WTF::PtrHash<WebCore::RenderObject*>, WTF::HashTraits<WebCore::RenderObject*>, WTF::HashTraits<unsigned int> >::KeyValuePairTraits, WTF::HashTraits<WebCore::RenderObject*> >::lookup<WTF::IdentityHashTranslator<WTF::PtrHash<WebCore::RenderObject*> >, WebCore::RenderObject*> (this=0x30, key=@0x7fffffffb268: 0x8504e0)
    at /home/michal/source/WebKit/Source/WTF/wtf/HashTable.h:588
#1  0x00007ffff0530a95 in WTF::HashTable<WebCore::RenderObject*, WTF::KeyValuePair<WebCore::RenderObject*, unsigned int>, WTF::KeyValuePairKeyExtractor<WTF::KeyValuePair<WebCore::RenderObject*, unsigned int> >, WTF::PtrHash<WebCore::RenderObject*>, WTF::HashMap<WebCore::RenderObject*, unsigned int, WTF::PtrHash<WebCore::RenderObject*>, WTF::HashTraits<WebCore::RenderObject*>, WTF::HashTraits<unsigned int> >::KeyValuePairTraits, WTF::HashTraits<WebCore::RenderObject*> >::lookup (this=0x30, key=@0x7fffffffb268: 0x8504e0) at /home/michal/source/WebKit/Source/WTF/wtf/HashTable.h:402
#2  0x00007ffff052d5eb in WTF::HashMap<WebCore::RenderObject*, unsigned int, WTF::PtrHash<WebCore::RenderObject*>, WTF::HashTraits<WebCore::RenderObject*>, WTF::HashTraits<unsigned int> >::get (this=0x30, 
    key=@0x7fffffffb268: 0x8504e0) at /home/michal/source/WebKit/Source/WTF/wtf/HashMap.h:322
#3  0x00007ffff05277d2 in WebCore::AXObjectCache::get (this=0x0, node=0x852110) at /home/michal/source/WebKit/Source/WebCore/accessibility/AXObjectCache.cpp:222
#4  0x00007ffff0528545 in WebCore::AXObjectCache::getOrCreate (this=0x0, node=0x852110) at /home/michal/source/WebKit/Source/WebCore/accessibility/AXObjectCache.cpp:361
#5  0x00007ffff0573457 in WebCore::AccessibilityScrollView::webAreaObject (this=0x7bc1d0) at /home/michal/source/WebKit/Source/WebCore/accessibility/AccessibilityScrollView.cpp:195
#6  0x00007ffff0573322 in WebCore::AccessibilityScrollView::addChildren (this=0x7bc1d0) at /home/michal/source/WebKit/Source/WebCore/accessibility/AccessibilityScrollView.cpp:179
#7  0x00007ffff0572edb in WebCore::AccessibilityScrollView::updateChildrenIfNecessary (this=0x7bc1d0) at /home/michal/source/WebKit/Source/WebCore/accessibility/AccessibilityScrollView.cpp:113
#8  0x00007ffff0529eaa in WebCore::AXObjectCache::handleScrollbarUpdate (this=0x7b2270, view=0x84bc20) at /home/michal/source/WebKit/Source/WebCore/accessibility/AXObjectCache.cpp:835

Some of those tests fail on EFL only, 10 fails on GTK too i.e.:
http://webkit-test-results.appspot.com/dashboards/flakiness_dashboard.html#tests=scrollbars%2Fscrollbar-drag-thumb-with-large-content.html
Comment 28 chris fleizach 2014-02-06 09:24:50 PST
(In reply to comment #27)
> <http://trac.webkit.org/changeset/162834> did not fixed all tests on EFL WK2, still there are around 15 tests crashing. There are two types of crashes:
> 
> #0  0x00007ffff052c95a in std::unique_ptr<WebCore::AXComputedObjectAttributeCache, std::default_delete<WebCore::AXComputedObjectAttributeCache> >::get (this=0xd0) at /usr/include/c++/4.7/bits/unique_ptr.h:223
> #1  0x00007ffff055b056 in WebCore::AXObjectCache::computedObjectAttributeCache (this=0x0) at /home/michal/source/WebKit/Source/WebCore/accessibility/AXObjectCache.h:211
> #2  0x00007ffff0559b22 in WebCore::AccessibilityObject::accessibilityIsIgnored (this=0x776e80) at /home/michal/source/WebKit/Source/WebCore/accessibility/AccessibilityObject.cpp:2105
> #3  0x00007ffff0559820 in WebCore::AccessibilityObject::notifyIfIgnoredValueChanged (this=0x776e80) at /home/michal/source/WebKit/Source/WebCore/accessibility/AccessibilityObject.cpp:2018
> #4  0x00007ffff052a3f4 in WebCore::AXObjectCache::recomputeIsIgnored (this=0x813b20, renderer=0x82ebb0) at /home/michal/source/WebKit/Source/WebCore/accessibility/AXObjectCache.cpp:905
> #5  0x00007ffff0fab3da in WebCore::RenderBlock::deleteLines (this=0x82ebb0) at /home/michal/source/WebKit/Source/WebCore/rendering/RenderBlock.cpp:920
> #6  0x00007ffff0fe2795 in WebCore::RenderBlockFlow::deleteLines (this=0x82ebb0) at /home/michal/source/WebKit/Source/WebCore/rendering/RenderBlockFlow.cpp:1906
> #7  0x00007ffff0fabce6 in WebCore::RenderBlock::collapseAnonymousBoxChild (parent=0xa1cba0, child=0x82ebb0) at /home/michal/source/WebKit/Source/WebCore/rendering/RenderBlock.cpp:1084
> #8  0x00007ffff0fac171 in WebCore::RenderBlock::removeChild (this=0xa1cba0, oldChild=...) at /home/michal/source/WebKit/Source/WebCore/rendering/RenderBlock.cpp:1160
> 

Filed
https://bugs.webkit.org/show_bug.cgi?id=128310
for this
Comment 29 chris fleizach 2014-02-06 09:29:38 PST
> #0  0x00007ffff0533d4c in WTF::HashTable<WebCore::RenderObject*, WTF::KeyValuePair<WebCore::RenderObject*, unsigned int>, WTF::KeyValuePairKeyExtractor<WTF::KeyValuePair<WebCore::RenderObject*, unsigned int> >, WTF::PtrHash<WebCore::RenderObject*>, WTF::HashMap<WebCore::RenderObject*, unsigned int, WTF::PtrHash<WebCore::RenderObject*>, WTF::HashTraits<WebCore::RenderObject*>, WTF::HashTraits<unsigned int> >::KeyValuePairTraits, WTF::HashTraits<WebCore::RenderObject*> >::lookup<WTF::IdentityHashTranslator<WTF::PtrHash<WebCore::RenderObject*> >, WebCore::RenderObject*> (this=0x30, key=@0x7fffffffb268: 0x8504e0)
>     at /home/michal/source/WebKit/Source/WTF/wtf/HashTable.h:588
> #1  0x00007ffff0530a95 in WTF::HashTable<WebCore::RenderObject*, WTF::KeyValuePair<WebCore::RenderObject*, unsigned int>, WTF::KeyValuePairKeyExtractor<WTF::KeyValuePair<WebCore::RenderObject*, unsigned int> >, WTF::PtrHash<WebCore::RenderObject*>, WTF::HashMap<WebCore::RenderObject*, unsigned int, WTF::PtrHash<WebCore::RenderObject*>, WTF::HashTraits<WebCore::RenderObject*>, WTF::HashTraits<unsigned int> >::KeyValuePairTraits, WTF::HashTraits<WebCore::RenderObject*> >::lookup (this=0x30, key=@0x7fffffffb268: 0x8504e0) at /home/michal/source/WebKit/Source/WTF/wtf/HashTable.h:402
> #2  0x00007ffff052d5eb in WTF::HashMap<WebCore::RenderObject*, unsigned int, WTF::PtrHash<WebCore::RenderObject*>, WTF::HashTraits<WebCore::RenderObject*>, WTF::HashTraits<unsigned int> >::get (this=0x30, 
>     key=@0x7fffffffb268: 0x8504e0) at /home/michal/source/WebKit/Source/WTF/wtf/HashMap.h:322
> #3  0x00007ffff05277d2 in WebCore::AXObjectCache::get (this=0x0, node=0x852110) at /home/michal/source/WebKit/Source/WebCore/accessibility/AXObjectCache.cpp:222
> #4  0x00007ffff0528545 in WebCore::AXObjectCache::getOrCreate (this=0x0, node=0x852110) at /home/michal/source/WebKit/Source/WebCore/accessibility/AXObjectCache.cpp:361
> #5  0x00007ffff0573457 in WebCore::AccessibilityScrollView::webAreaObject (this=0x7bc1d0) at /home/michal/source/WebKit/Source/WebCore/accessibility/AccessibilityScrollView.cpp:195
> #6  0x00007ffff0573322 in WebCore::AccessibilityScrollView::addChildren (this=0x7bc1d0) at /home/michal/source/WebKit/Source/WebCore/accessibility/AccessibilityScrollView.cpp:179
> #7  0x00007ffff0572edb in WebCore::AccessibilityScrollView::updateChildrenIfNecessary (this=0x7bc1d0) at /home/michal/source/WebKit/Source/WebCore/accessibility/AccessibilityScrollView.cpp:113
> #8  0x00007ffff0529eaa in WebCore::AXObjectCache::handleScrollbarUpdate (this=0x7b2270, view=0x84bc20) at /home/michal/source/WebKit/Source/WebCore/accessibility/AXObjectCache.cpp:835
> 

By code inspection I would have to say this 2nd issue most be resolved in ToT.

We see that the call in 
   WebCore::AccessibilityScrollView::webAreaObject (this=0x7bc1d0) at 
results in accessing the null axobject cache

> #4  0x00007ffff0528545 in WebCore::AXObjectCache::getOrCreate (this=0x0, node=0x852110) at /home/michal/source/WebKit/Source/WebCore/accessibility/AXObjectCache.cpp:361


But, that's already protected against
    if (AXObjectCache* cache = axObjectCache())
        return cache->getOrCreate(doc);

the line numbers in the BT are not correct against ToT, so perhaps this was a recent fix