Created attachment 25243 [details] patch to stop from crashing I was not able to make a LayoutTest that could trigger this problem. I did however verify that the case mentioned did not crash

1. Launch TOT (r38371, r20843) and go to http://mail.google.com/mail/#inbox 2. Type some text in the message body . Select one of the words and click the link toolbar 3. Type a URL and press return to apply the link dialog 4. After link dialog, a crash occurs.

Comment on attachment 25243 [details] patch to stop from crashing I don't think this is the right fix. It makes no sense for AccessibilityTable to call setNeedsSectionRecalc; any recalculation should be set up by the DOM tree or CSS manipulation that makes the recalculation necessary. Similarly, AccessibilityTable should not be responsible for calling recalcSectionsIfNeeded. Instead the render tree functions used to get at the sections should take care of that. It does make sense to make a call to update layout before trying to work with the render tree, but this is not a table-specific requirement. Layout will call recalcSectionsIfNeeded as appropriate. We need to get to the bottom of what's happening here and not just land this, which is a workaround or band-aid for the real problem.

Thread 0 Crashed: 0 com.apple.WebCore 0x92dbd804 WebCore::AccessibilityTable::isTableExposableThroughAccessibility() + 500 1 com.apple.WebCore 0x92dbdb68 WebCore::AccessibilityTable::AccessibilityTable(WebCore::RenderObject*) + 104 2 com.apple.WebCore 0x92dbdbbc WebCore::AccessibilityTable::create(WebCore::RenderObject*) + 44 3 com.apple.WebCore 0x92869a08 WebCore::AXObjectCache::get(WebCore::RenderObject*) + 312 4 com.apple.WebCore 0x92d9fc9d WebCore::AccessibilityRenderObject::parentObject() const + 125 5 com.apple.WebCore 0x92d9a33b WebCore::AccessibilityRenderObject::isPresentationalChildOfAriaRole() const + 43 6 com.apple.WebCore 0x92d9cdbb WebCore::AccessibilityRenderObject::accessibilityIsIgnored() const + 75 7 com.apple.WebCore 0x92d9a450 WebCore::AccessibilityRenderObject::childrenChanged() + 32 8 com.apple.WebCore 0x9286b5da WebCore::AXObjectCache::childrenChanged(WebCore::RenderObject*) + 106 9 com.apple.WebCore 0x9278f632 WebCore::RenderContainer::removeChildNode(WebCore::RenderObject*, bool) + 226 10 com.apple.WebCore 0x9278f46e WebCore::RenderContainer::removeChild(WebCore::RenderObject*) + 46 11 com.apple.WebCore 0x9278f1ce WebCore::RenderBlock::removeChild(WebCore::RenderObject*) + 78 12 com.apple.WebCore 0x9278f0d2 WebCore::RenderObject::destroy() + 114 13 com.apple.WebCore 0x9278ef6d WebCore::RenderBox::destroy() + 93 14 com.apple.WebCore 0x9278ee67 WebCore::RenderContainer::destroyLeftoverChildren() + 135 15 com.apple.WebCore 0x9278ecec WebCore::RenderFlow::destroy() + 44 16 com.apple.WebCore 0x9278ec6a WebCore::Node::detach() + 42 17 com.apple.WebCore 0x9278eb1d WebCore::Element::detach() + 109 18 com.apple.WebCore 0x9278ea8b WebCore::ContainerNode::detach() + 43 19 com.apple.WebCore 0x9278eb1d WebCore::Element::detach() + 109 20 com.apple.WebCore 0x9278ea8b WebCore::ContainerNode::detach() + 43 21 com.apple.WebCore 0x9278eb1d WebCore::Element::detach() + 109 22 com.apple.WebCore 0x9278ea8b WebCore::ContainerNode::detach() + 43 23 com.apple.WebCore 0x9278eb1d WebCore::Element::detach() + 109 24 com.apple.WebCore 0x9278ea8b WebCore::ContainerNode::detach() + 43 25 com.apple.WebCore 0x9278eb1d WebCore::Element::detach() + 109 26 com.apple.WebCore 0x9278ea8b WebCore::ContainerNode::detach() + 43 27 com.apple.WebCore 0x9278eb1d WebCore::Element::detach() + 109 28 com.apple.WebCore 0x9278ea8b WebCore::ContainerNode::detach() + 43 29 com.apple.WebCore 0x9278eb1d WebCore::Element::detach() + 109 30 com.apple.WebCore 0x9278ea8b WebCore::ContainerNode::detach() + 43 31 com.apple.WebCore 0x9278eb1d WebCore::Element::detach() + 109 32 com.apple.WebCore 0x9278ea8b WebCore::ContainerNode::detach() + 43 33 com.apple.WebCore 0x9278eb1d WebCore::Element::detach() + 109 34 com.apple.WebCore 0x9278ea8b WebCore::ContainerNode::detach() + 43 35 com.apple.WebCore 0x9278eb1d WebCore::Element::detach() + 109 36 com.apple.WebCore 0x9278ea8b WebCore::ContainerNode::detach() + 43 37 com.apple.WebCore 0x9278eb1d WebCore::Element::detach() + 109 38 com.apple.WebCore 0x9278ea8b WebCore::ContainerNode::detach() + 43 39 com.apple.WebCore 0x9278eb1d WebCore::Element::detach() + 109 40 com.apple.WebCore 0x927a21dd WebCore::Element::recalcStyle(WebCore::Node::StyleChange) + 1005 41 com.apple.WebCore 0x927a2082 WebCore::Element::recalcStyle(WebCore::Node::StyleChange) + 658 42 com.apple.WebCore 0x927a2082 WebCore::Element::recalcStyle(WebCore::Node::StyleChange) + 658 43 com.apple.WebCore 0x927a2082 WebCore::Element::recalcStyle(WebCore::Node::StyleChange) + 658 44 com.apple.WebCore 0x927a2082 WebCore::Element::recalcStyle(WebCore::Node::StyleChange) + 658 45 com.apple.WebCore 0x927a2082 WebCore::Element::recalcStyle(WebCore::Node::StyleChange) + 658 46 com.apple.WebCore 0x927a2082 WebCore::Element::recalcStyle(WebCore::Node::StyleChange) + 658 47 com.apple.WebCore 0x927a2082 WebCore::Element::recalcStyle(WebCore::Node::StyleChange) + 658 48 com.apple.WebCore 0x927a2082 WebCore::Element::recalcStyle(WebCore::Node::StyleChange) + 658 49 com.apple.WebCore 0x927a2082 WebCore::Element::recalcStyle(WebCore::Node::StyleChange) + 658 50 com.apple.WebCore 0x927a2082 WebCore::Element::recalcStyle(WebCore::Node::StyleChange) + 658 51 com.apple.WebCore 0x927a2082 WebCore::Element::recalcStyle(WebCore::Node::StyleChange) + 658 52 com.apple.WebCore 0x927a2082 WebCore::Element::recalcStyle(WebCore::Node::StyleChange) + 658 53 com.apple.WebCore 0x927a2082 WebCore::Element::recalcStyle(WebCore::Node::StyleChange) + 658 54 com.apple.WebCore 0x927a2082 WebCore::Element::recalcStyle(WebCore::Node::StyleChange) + 658 55 com.apple.WebCore 0x927a2082 WebCore::Element::recalcStyle(WebCore::Node::StyleChange) + 658 56 com.apple.WebCore 0x927a2082 WebCore::Element::recalcStyle(WebCore::Node::StyleChange) + 658 57 com.apple.WebCore 0x927a2082 WebCore::Element::recalcStyle(WebCore::Node::StyleChange) + 658 58 com.apple.WebCore 0x92753dc2 WebCore::Document::recalcStyle(WebCore::Node::StyleChange) + 162 59 com.apple.WebCore 0x9278c3cf WebCore::Document::updateRendering() + 79 60 com.apple.WebCore 0x928a918d WebCore::Document::updateLayout() + 45 61 com.apple.WebCore 0x928041fe WebCore::Document::updateLayoutIgnorePendingStylesheets() + 46 62 com.apple.WebCore 0x92859db5 WebCore::HTMLBodyElement::scrollLeft() const + 21 63 com.apple.WebCore 0x92b4afeb WebCore::jsHTMLBodyElementScrollLeft(JSC::ExecState*, JSC::Identifier const&, JSC::PropertySlot const&) + 27 64 com.apple.JavaScriptCore 0x90eb4033 JSC::Machine::cti_op_get_by_val(void*, ...) + 1267

the DOM tree does not have a chance to update the sections because as soon as detach is called, that kicks off a chain that goes straight to code that asks for children, which have just been detached. if the accessibility children changed could be fired on the next iteration of the run loop, that would probably also solve the problem

this was fixed... not sure where the duplicate bug is

*** This bug has been marked as a duplicate of 24143 ***