Bug 22340 - Crash at WebCore::AccessibilityTable::isTableExposableThroughAccessibility() when a table changes
Summary: Crash at WebCore::AccessibilityTable::isTableExposableThroughAccessibility()...
Status: RESOLVED DUPLICATE of bug 24143
Alias: None
Product: WebKit
Classification: Unclassified
Component: Accessibility
Version: 528+ (Nightly build)
Hardware: Mac OS X 10.5
Importance: P2 Normal
Assignee: Nobody
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2008-11-18 12:00 PST by chris fleizach
Modified: 2009-05-18 11:32 PDT

See Also:


Attachments
patch to stop from crashing (1.34 KB, patch)
2008-11-18 12:01 PST, chris fleizach
darin: review-

Description chris fleizach 2008-11-18 12:00:28 PST
WebCore can crash when a table is modified through the DOM because of stale information
Comment 1 chris fleizach 2008-11-18 12:01:35 PST
Created attachment 25243 [details]
patch to stop from crashing

I was not able to make a LayoutTest that could trigger this problem. I did, however, verify that the case mentioned did not crash.
Comment 2 chris fleizach 2008-11-18 12:01:50 PST
1. Launch TOT (r38371, r20843) and go to http://mail.google.com/mail/#inbox
2. Type some text in the message body. Select one of the words and click the link toolbar.
3. Type a URL and press return to apply the link dialog
4. After link dialog, a crash occurs.
Comment 3 Darin Adler 2008-11-18 12:29:08 PST
Comment on attachment 25243 [details]
patch to stop from crashing

I don't think this is the right fix.

It makes no sense for AccessibilityTable to call setNeedsSectionRecalc; any recalculation should be set up by the DOM tree or CSS manipulation that makes the recalculation necessary.

Similarly, AccessibilityTable should not be responsible for calling recalcSectionsIfNeeded. Instead the render tree functions used to get at the sections should take care of that. It does make sense to make a call to update layout before trying to work with the render tree, but this is not a table-specific requirement. Layout will call recalcSectionsIfNeeded as appropriate.

We need to get to the bottom of what's happening here and not just land this, which is a workaround or band-aid for the real problem.
Comment 4 chris fleizach 2008-11-18 12:38:05 PST
Thread 0 Crashed:
0   com.apple.WebCore             	0x92dbd804 WebCore::AccessibilityTable::isTableExposableThroughAccessibility() + 500
1   com.apple.WebCore             	0x92dbdb68 WebCore::AccessibilityTable::AccessibilityTable(WebCore::RenderObject*) + 104
2   com.apple.WebCore             	0x92dbdbbc WebCore::AccessibilityTable::create(WebCore::RenderObject*) + 44
3   com.apple.WebCore             	0x92869a08 WebCore::AXObjectCache::get(WebCore::RenderObject*) + 312
4   com.apple.WebCore             	0x92d9fc9d WebCore::AccessibilityRenderObject::parentObject() const + 125
5   com.apple.WebCore             	0x92d9a33b WebCore::AccessibilityRenderObject::isPresentationalChildOfAriaRole() const + 43
6   com.apple.WebCore             	0x92d9cdbb WebCore::AccessibilityRenderObject::accessibilityIsIgnored() const + 75
7   com.apple.WebCore             	0x92d9a450 WebCore::AccessibilityRenderObject::childrenChanged() + 32
8   com.apple.WebCore             	0x9286b5da WebCore::AXObjectCache::childrenChanged(WebCore::RenderObject*) + 106
9   com.apple.WebCore             	0x9278f632 WebCore::RenderContainer::removeChildNode(WebCore::RenderObject*, bool) + 226
10  com.apple.WebCore             	0x9278f46e WebCore::RenderContainer::removeChild(WebCore::RenderObject*) + 46
11  com.apple.WebCore             	0x9278f1ce WebCore::RenderBlock::removeChild(WebCore::RenderObject*) + 78
12  com.apple.WebCore             	0x9278f0d2 WebCore::RenderObject::destroy() + 114
13  com.apple.WebCore             	0x9278ef6d WebCore::RenderBox::destroy() + 93
14  com.apple.WebCore             	0x9278ee67 WebCore::RenderContainer::destroyLeftoverChildren() + 135
15  com.apple.WebCore             	0x9278ecec WebCore::RenderFlow::destroy() + 44
16  com.apple.WebCore             	0x9278ec6a WebCore::Node::detach() + 42
17  com.apple.WebCore             	0x9278eb1d WebCore::Element::detach() + 109
18  com.apple.WebCore             	0x9278ea8b WebCore::ContainerNode::detach() + 43
19  com.apple.WebCore             	0x9278eb1d WebCore::Element::detach() + 109
20  com.apple.WebCore             	0x9278ea8b WebCore::ContainerNode::detach() + 43
21  com.apple.WebCore             	0x9278eb1d WebCore::Element::detach() + 109
22  com.apple.WebCore             	0x9278ea8b WebCore::ContainerNode::detach() + 43
23  com.apple.WebCore             	0x9278eb1d WebCore::Element::detach() + 109
24  com.apple.WebCore             	0x9278ea8b WebCore::ContainerNode::detach() + 43
25  com.apple.WebCore             	0x9278eb1d WebCore::Element::detach() + 109
26  com.apple.WebCore             	0x9278ea8b WebCore::ContainerNode::detach() + 43
27  com.apple.WebCore             	0x9278eb1d WebCore::Element::detach() + 109
28  com.apple.WebCore             	0x9278ea8b WebCore::ContainerNode::detach() + 43
29  com.apple.WebCore             	0x9278eb1d WebCore::Element::detach() + 109
30  com.apple.WebCore             	0x9278ea8b WebCore::ContainerNode::detach() + 43
31  com.apple.WebCore             	0x9278eb1d WebCore::Element::detach() + 109
32  com.apple.WebCore             	0x9278ea8b WebCore::ContainerNode::detach() + 43
33  com.apple.WebCore             	0x9278eb1d WebCore::Element::detach() + 109
34  com.apple.WebCore             	0x9278ea8b WebCore::ContainerNode::detach() + 43
35  com.apple.WebCore             	0x9278eb1d WebCore::Element::detach() + 109
36  com.apple.WebCore             	0x9278ea8b WebCore::ContainerNode::detach() + 43
37  com.apple.WebCore             	0x9278eb1d WebCore::Element::detach() + 109
38  com.apple.WebCore             	0x9278ea8b WebCore::ContainerNode::detach() + 43
39  com.apple.WebCore             	0x9278eb1d WebCore::Element::detach() + 109
40  com.apple.WebCore             	0x927a21dd WebCore::Element::recalcStyle(WebCore::Node::StyleChange) + 1005
41  com.apple.WebCore             	0x927a2082 WebCore::Element::recalcStyle(WebCore::Node::StyleChange) + 658
42  com.apple.WebCore             	0x927a2082 WebCore::Element::recalcStyle(WebCore::Node::StyleChange) + 658
43  com.apple.WebCore             	0x927a2082 WebCore::Element::recalcStyle(WebCore::Node::StyleChange) + 658
44  com.apple.WebCore             	0x927a2082 WebCore::Element::recalcStyle(WebCore::Node::StyleChange) + 658
45  com.apple.WebCore             	0x927a2082 WebCore::Element::recalcStyle(WebCore::Node::StyleChange) + 658
46  com.apple.WebCore             	0x927a2082 WebCore::Element::recalcStyle(WebCore::Node::StyleChange) + 658
47  com.apple.WebCore             	0x927a2082 WebCore::Element::recalcStyle(WebCore::Node::StyleChange) + 658
48  com.apple.WebCore             	0x927a2082 WebCore::Element::recalcStyle(WebCore::Node::StyleChange) + 658
49  com.apple.WebCore             	0x927a2082 WebCore::Element::recalcStyle(WebCore::Node::StyleChange) + 658
50  com.apple.WebCore             	0x927a2082 WebCore::Element::recalcStyle(WebCore::Node::StyleChange) + 658
51  com.apple.WebCore             	0x927a2082 WebCore::Element::recalcStyle(WebCore::Node::StyleChange) + 658
52  com.apple.WebCore             	0x927a2082 WebCore::Element::recalcStyle(WebCore::Node::StyleChange) + 658
53  com.apple.WebCore             	0x927a2082 WebCore::Element::recalcStyle(WebCore::Node::StyleChange) + 658
54  com.apple.WebCore             	0x927a2082 WebCore::Element::recalcStyle(WebCore::Node::StyleChange) + 658
55  com.apple.WebCore             	0x927a2082 WebCore::Element::recalcStyle(WebCore::Node::StyleChange) + 658
56  com.apple.WebCore             	0x927a2082 WebCore::Element::recalcStyle(WebCore::Node::StyleChange) + 658
57  com.apple.WebCore             	0x927a2082 WebCore::Element::recalcStyle(WebCore::Node::StyleChange) + 658
58  com.apple.WebCore             	0x92753dc2 WebCore::Document::recalcStyle(WebCore::Node::StyleChange) + 162
59  com.apple.WebCore             	0x9278c3cf WebCore::Document::updateRendering() + 79
60  com.apple.WebCore             	0x928a918d WebCore::Document::updateLayout() + 45
61  com.apple.WebCore             	0x928041fe WebCore::Document::updateLayoutIgnorePendingStylesheets() + 46
62  com.apple.WebCore             	0x92859db5 WebCore::HTMLBodyElement::scrollLeft() const + 21
63  com.apple.WebCore             	0x92b4afeb WebCore::jsHTMLBodyElementScrollLeft(JSC::ExecState*, JSC::Identifier const&, JSC::PropertySlot const&) + 27
64  com.apple.JavaScriptCore      	0x90eb4033 JSC::Machine::cti_op_get_by_val(void*, ...) + 1267
Comment 5 chris fleizach 2008-11-18 12:39:52 PST
The DOM tree does not have a chance to update the sections because as soon as detach is called, that kicks off a chain that goes straight to code that asks for children, which have just been detached.

If the accessibility children changed could be fired on the next iteration of the run loop, that would probably also solve the problem.
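The sequencing problem described in comment 5, as an added, constructed C++ model (not WebKit code): a table keeps a cache of section pointers, removeChild fires the accessibility childrenChanged hook before any layout pass has recalculated that cache, and deferring the notification to the next run loop iteration, as suggested above, lets the recalc run first. The Table, Section, runLoopIteration and staleSeen names, and the assumption that layout's recalc precedes queued run loop tasks, are this model's own.

```cpp
#include <algorithm>
#include <functional>
#include <memory>
#include <vector>
// Constructed model (not WebKit code) of the ordering problem in comment 5: the
// table caches raw pointers to its sections, and the accessibility childrenChanged
// hook fires synchronously inside removeChild, before layout has refreshed the cache.
struct Section {};
struct Table {
    std::vector<std::unique_ptr<Section>> children;   // owning render tree
    std::vector<Section*> cachedSections;             // stale-prone cache
    bool needsSectionRecalc = false;
    std::function<void(Table&)> childrenChanged;      // AX cache hook
    std::vector<std::function<void()>> runLoopQueue;  // deferred tasks
    void recalcSectionsIfNeeded() {  // normally run by layout; the patch called it directly
        if (!needsSectionRecalc) return;
        cachedSections.clear();
        for (auto& c : children) cachedSections.push_back(c.get());
        needsSectionRecalc = false;
    }
    int staleEntries() const {  // compares addresses only: a stale child is already freed
        int stale = 0;
        for (Section* s : cachedSections)
            stale += std::none_of(children.begin(), children.end(),
                [s](const std::unique_ptr<Section>& c) { return c.get() == s; });
        return stale;
    }
    void removeChild(int i, bool deferNotification) {
        children.erase(children.begin() + i);  // section destroyed here
        needsSectionRecalc = true;
        auto notify = [this] { childrenChanged(*this); };
        if (deferNotification) runLoopQueue.push_back(notify);
        else notify();  // synchronous: the crashing path in the trace above
    }
    void runLoopIteration() {  // assumed: layout's recalc precedes queued tasks
        recalcSectionsIfNeeded();
        for (auto& task : runLoopQueue) task();
        runLoopQueue.clear();
    }
};
int staleSeen(bool deferNotification) {  // 1 when synchronous, 0 when deferred
    Table t;
    for (int k = 0; k < 2; ++k) t.children.push_back(std::make_unique<Section>());
    t.needsSectionRecalc = true; t.recalcSectionsIfNeeded();
    int seen = -1;
    t.childrenChanged = [&seen](Table& tbl) { seen = tbl.staleEntries(); };
    t.removeChild(0, deferNotification);
    t.runLoopIteration();
    return seen;
}
```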
Comment 6 chris fleizach 2009-05-18 11:26:37 PDT
This was fixed... not sure where the duplicate bug is.
Comment 7 chris fleizach 2009-05-18 11:32:33 PDT

*** This bug has been marked as a duplicate of 24143 ***