Bug 164331 - AX: [ATK] Attempting to clear selection on ARIA listboxes results in crash
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: Accessibility
Version: WebKit Nightly Build
Hardware: All Linux
Importance: P2 Normal
Assignee: Joanmarie Diggs
Keywords: InRadar
Reported: 2016-11-02 12:22 PDT by Joanmarie Diggs
Modified: 2016-11-04 09:51 PDT
Attachments
Patch (19.94 KB, patch)
2016-11-02 12:50 PDT, Joanmarie Diggs
Patch (18.79 KB, patch)
2016-11-03 02:06 PDT, Joanmarie Diggs
Patch (17.64 KB, patch)
2016-11-04 05:56 PDT, Joanmarie Diggs

Description Joanmarie Diggs 2016-11-02 12:22:19 PDT
The ATK code is using is<AccessibilityListBox>() to identify native listboxes. But is<AccessibilityListBox>() returns the value of isListBox() which returns true both for AccessibilityListBox instances as well as for AccessibilityObject instances which have an AccessibilityRole value of ListBoxRole.

#0  0x00007f3617f3aab1 in WTFCrash () at ../../Source/WTF/wtf/Assertions.cpp:323
#1  0x00007f3617f3aac2 in WTFCrashWithSecurityImplication () at ../../Source/WTF/wtf/Assertions.cpp:343
#2  0x00007f361ec388a0 in WTF::downcast<WebCore::HTMLSelectElement, WebCore::Node> (source=...)
    at ../../Source/WTF/wtf/TypeCasts.h:81
#3  0x00007f361ec37ef4 in (anonymous namespace)::AccessibilityListBox::canSetSelectedChildrenAttribute (this=0x7f3591df00c0)
    at ../../Source/WebCore/accessibility/AccessibilityListBox.cpp:64
#4  0x00007f361ec3801c in (anonymous namespace)::AccessibilityListBox::setSelectedChildren (this=0x7f3591df00c0, children=...)
    at ../../Source/WebCore/accessibility/AccessibilityListBox.cpp:86
#5  0x00007f36200fea9f in webkitAccessibleSelectionClearSelection (selection=0xfdb340)
    at ../../Source/WebCore/accessibility/atk/WebKitAccessibleInterfaceSelection.cpp:156
#6  0x00007f3603e5c908 in impl_ClearSelection ()
    at /home/jd/checkout/WebKitGtk/WebKitBuild/DependenciesGTK/Source/at-spi2-atk-2.15.4/atk-adaptor/adaptors/selection-adaptor.c:185
#7  0x00007f3603e558c8 in handle_other ()
    at /home/jd/checkout/WebKitGtk/WebKitBuild/DependenciesGTK/Source/at-spi2-atk-2.15.4/droute/droute.c:553
#8  handle_message () at /home/jd/checkout/WebKitGtk/WebKitBuild/DependenciesGTK/Source/at-spi2-atk-2.15.4/droute/droute.c:600
#9  0x00007f3602355a33 in _dbus_object_tree_dispatch_and_unlock () from /lib64/libdbus-1.so.3
#10 0x00007f36023470a4 in dbus_connection_dispatch () from /lib64/libdbus-1.so.3
#11 0x00007f3600f8bef5 in message_queue_dispatch ()
    at /home/jd/checkout/WebKitGtk/WebKitBuild/DependenciesGTK/Source/at-spi2-core-2.15.4/atspi/atspi-gmain.c:89
#12 0x00007f360f7ea777 in g_main_dispatch ()
    at /home/jd/checkout/WebKitGtk/WebKitBuild/DependenciesGTK/Source/glib-2.44.1/glib/gmain.c:3122
#13 g_main_context_dispatch () at /home/jd/checkout/WebKitGtk/WebKitBuild/DependenciesGTK/Source/glib-2.44.1/glib/gmain.c:3737
#14 0x00007f360f7ea9a8 in g_main_context_iterate ()
    at /home/jd/checkout/WebKitGtk/WebKitBuild/DependenciesGTK/Source/glib-2.44.1/glib/gmain.c:3808
#15 0x00007f360f7eacc2 in g_main_loop_run ()
    at /home/jd/checkout/WebKitGtk/WebKitBuild/DependenciesGTK/Source/glib-2.44.1/glib/gmain.c:4002
#16 0x00007f3617fa01ea in WTF::RunLoop::run () at ../../Source/WTF/wtf/glib/RunLoopGLib.cpp:94
#17 0x00007f361e844680 in (anonymous namespace)::ChildProcessMain<WebKit::WebProcess, WebKit::WebProcessMain> (argc=2, 
    argv=0x7ffcc03eebe8) at ../../Source/WebKit2/Shared/unix/ChildProcessMain.h:61
#18 0x00007f361e84452e in (anonymous namespace)::WebProcessMainUnix (argc=2, argv=0x7ffcc03eebe8)
    at ../../Source/WebKit2/WebProcess/gtk/WebProcessMainGtk.cpp:69
#19 0x0000000000400c3a in main (argc=2, argv=0x7ffcc03eebe8)
    at ../../Source/WebKit2/WebProcess/EntryPoint/unix/WebProcessMain.cpp:44
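The predicate mismatch described above, as an added example that is not WebKit's code and not the attached patch. All class and function names are hypothetical stand-ins, and the checked downcast throws where the backtrace shows an asserting downcast crashing; dispatching on the class-based predicate is shown as one illustrative way to keep ARIA listboxes off the native path.

```cpp
#include <iostream>
#include <stdexcept>
#include <string>
// Simplified stand-ins for illustration; these are not WebKit's classes.
enum class Role { ListBox, Other };
struct Node {
    virtual ~Node() = default;
    virtual bool isSelectElement() const { return false; }
};
struct SelectElement : Node {
    bool isSelectElement() const override { return true; }
};
struct AXObject {
    Node& node;
    Role role;
    AXObject(Node& n, Role r) : node(n), role(r) {}
    virtual ~AXObject() = default;
    // Role-based predicate: also true for a generic object with the listbox role.
    bool isListBox() const { return role == Role::ListBox; }
    // Class-based predicate: true only for the native listbox subclass.
    virtual bool isNativeListBox() const { return false; }
};
struct AXNativeListBox : AXObject {
    explicit AXNativeListBox(SelectElement& s) : AXObject(s, Role::ListBox) {}
    bool isNativeListBox() const override { return true; }
};
// Checked downcast: throws where an asserting downcast would abort the process.
SelectElement& downcastToSelect(Node& n) {
    if (!n.isSelectElement()) throw std::logic_error("bad downcast");
    return static_cast<SelectElement&>(n);
}
// Dispatch on the role-based predicate, the pattern the report describes.
std::string clearSelectionByRole(AXObject& o) {
    if (!o.isListBox()) return "generic";
    try { downcastToSelect(o.node); return "native"; }
    catch (const std::logic_error&) { return "bad-downcast"; }
}
// Dispatch on the class-based predicate: ARIA listboxes take the generic path.
std::string clearSelectionByClass(AXObject& o) {
    if (!o.isNativeListBox()) return "generic";
    downcastToSelect(o.node);
    return "native";
}
int main() {
    SelectElement sel; Node div;            // constructed sample nodes
    AXNativeListBox native(sel);
    AXObject aria(div, Role::ListBox);      // ARIA listbox on a non-select node
    std::cout << clearSelectionByRole(native) << ' ' << clearSelectionByRole(aria) << ' ' << clearSelectionByClass(aria) << '\n';
}
```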
Comment 1 Radar WebKit Bug Importer 2016-11-02 12:22:44 PDT
<rdar://problem/29072422>
Comment 2 Joanmarie Diggs 2016-11-02 12:50:12 PDT
Created attachment 293687 [details]
Patch
Comment 3 Joanmarie Diggs 2016-11-03 02:06:46 PDT
Created attachment 293756 [details]
Patch
Comment 4 chris fleizach 2016-11-03 11:09:26 PDT
(In reply to comment #3)
> Created attachment 293756 [details]
> Patch

did this land already? do you need another review
Comment 5 Joanmarie Diggs 2016-11-03 11:45:44 PDT
(In reply to comment #4)
> (In reply to comment #3)
> > Created attachment 293756 [details]
> > Patch
> 
> did this land already? do you need another review

It hasn't landed already. My first patch broke the build for both ios-simulator and win. I believe this one is good, and I confirmed the ios-simulator failure and fix locally. But I was hoping EWS would confirm I'm not about to break anyone's port before landing it. :)
Comment 6 Joanmarie Diggs 2016-11-04 05:56:00 PDT
Created attachment 293880 [details]
Patch
Comment 7 Joanmarie Diggs 2016-11-04 06:55:30 PDT
Comment on attachment 293880 [details]
Patch

Bots are all green. Third time is charm. (2nd time failed due to conflicts after r208338.)
Comment 8 WebKit Commit Bot 2016-11-04 09:51:12 PDT
Comment on attachment 293880 [details]
Patch

Clearing flags on attachment: 293880

Committed r208384: <http://trac.webkit.org/changeset/208384>
Comment 9 WebKit Commit Bot 2016-11-04 09:51:16 PDT
All reviewed patches have been landed.  Closing bug.