42652 – CrashTracer: [USER] 300 crashes in Safari at com.apple.WebCore: WebCore::AccessibilityTable::isTableExposableThroughAccessibility + 573

RESOLVED FIXED42652

CrashTracer: [USER] 300 crashes in Safari at com.apple.WebCore: WebCore::AccessibilityTable::isTableExposableThroughAccessibility + 573

https://bugs.webkit.org/show_bug.cgi?id=42652

Summary CrashTracer: [USER] 300 crashes in Safari at com.apple.WebCore: WebCore::Acce...

chris fleizach

Reported 2010-07-20 10:45:17 PDT

55 com.apple.WebCore: WebCore::AccessibilityTable::AccessibilityTable + 94 <== 55 com.apple.WebCore: WebCore::AccessibilityTable::create + 50 55 com.apple.WebCore: WebCore::AXObjectCache::getOrCreate + 1066 28 com.apple.WebCore: WebCore::AccessibilityTableCell::isTableCell const + 13 | 28 com.apple.WebCore: WebCore::AccessibilityTableCell::roleValue const + 21 | 28 com.apple.WebCore: WebCore::AccessibilityRenderObject::ariaLiveRegionStatus const + 96 | 28 com.apple.WebCore: WebCore::AccessibilityObject::supportsARIALiveRegion const + 18 | 28 com.apple.WebCore: WebCore::AccessibilityRenderObject::contentChanged + 72 | 28 com.apple.WebCore: WebCore::StyledElement::attributeChanged + 331 | 28 com.apple.WebCore: WebCore::NamedNodeMap::addAttribute + 119 | 26 com.apple.WebCore: WebCore::Element::setAttribute + 594 | | 26 com.apple.WebCore: WebCore::Element::setAttribute + 17 | | 26 com.apple.WebCore: WebCore::setJSHTMLElementTitle + 102 | | 26 com.apple.WebCore: WebCore::JSHTMLElement::put + 186 | | 26 com.apple.WebCore: WebCore::JSHTMLTableCellElement::put + 133

Attachments
Patch (5.35 KB, patch) 2010-07-20 12:24 PDT, chris fleizach	bdakin: review+	Details Formatted Diff Diff
View All Add attachment proposed patch, testcase, etc.

chris fleizach

Comment 1 2010-07-20 10:46:49 PDT

this can happen when you remove a row from a table, then add a row, then modify an attribute on the new row. That will cause the AccessibilityTable to see if it should be exposed as a table. That in turn will look at its grid of cells, accessing the row that was removed. the solution is that we cannot use getOrCreate in contentChanged(). we can only access AX elements already created.

chris fleizach

Comment 2 2010-07-20 12:19:57 PDT

Actually a better solution is that the table cell should not getOrCreate its parent. it should only get it's parent. There's no real user cases where a table cell will be created in AX, before its AXTable is created

chris fleizach

Comment 3 2010-07-20 12:24:05 PDT

Created attachment 62099 [details] Patch

Beth Dakin

Comment 4 2010-07-20 14:09:07 PDT

Comment on attachment 62099 [details] Patch r=me!

chris fleizach

Comment 5 2010-07-20 14:35:40 PDT

http://trac.webkit.org/changeset/63774

Note You need to log in before you can comment on or make changes to this bug.

Status RESOLVED

Resolution FIXED

Priority P2

Severity Normal

Classification Unclassified

Version 528+ (Nightly build)

Hardware PC

OS OS X 10.5

Product WebKit

Component Accessibility

Assignee

chris fleizach

Reported

2010-07-20 10:45 PDT

Modified

2010-07-20 14:35 PDT History

CC List

1 user Show

URL

Keywords InRadar

Depends on

Blocks