Thread 0 Crashed:: Dispatch queue: com.apple.main-thread 0 com.apple.WebCore 0x000000010572d71c WebCore::Node::renderer() const + 12 (Node.h:444) 1 com.apple.WebCore 0x000000010571b3b1 WebCore::AccessibilityRenderObject::renderParentObject() const + 465 (AccessibilityRenderObject.cpp:429) 2 com.apple.WebCore 0x000000010571b5e0 WebCore::AccessibilityRenderObject::parentObject() const + 208 (AccessibilityRenderObject.cpp:456) 3 com.apple.WebCore 0x0000000105720706 WebCore::AccessibilityRenderObject::ariaIsHidden() const + 102 (AccessibilityRenderObject.cpp:1705) 4 com.apple.WebCore 0x0000000105710987 WebCore::AccessibilityRenderObject::accessibilityIsIgnoredBase() const + 87 (AccessibilityRenderObject.cpp:1756) 5 com.apple.WebCore 0x00000001057208ff WebCore::AccessibilityRenderObject::accessibilityIsIgnored() const + 31 (AccessibilityRenderObject.cpp:1778) 6 com.apple.WebCore 0x000000010570ecd6 WebCore::AccessibilityRenderObject::addChildren() + 262 (AccessibilityRenderObject.cpp:3527) 7 com.apple.WebCore 0x0000000105717b65 WebCore::AccessibilityObject::updateChildrenIfNecessary() + 53 (AccessibilityObject.cpp:1050) 8 com.apple.WebCore 0x0000000105727012 WebCore::AccessibilityRenderObject::updateChildrenIfNecessary() + 66 (AccessibilityRenderObject.cpp:3491) 9 com.apple.WebCore 0x000000010570bc5d WebCore::AccessibilityObject::children() + 29 (AccessibilityObject.cpp:1043) 10 com.apple.WebCore 0x00000001057149c8 WebCore::AccessibilityObject::accessibleObjectsWithAccessibilitySearchPredicate(WebCore::AccessibilitySearchPredicate*, 10/26/11 10:20 PM Chris Fleizach: #1 0x00000001077eb3b1 in WebCore::AccessibilityRenderObject::renderParentObject (this=0x7f88270bfc50) at AccessibilityRenderObject.cpp:429 429 nodeRenderFirstChild = firstChild->node()->renderer(); (gdb) p firstChild $4 = ('WebCore::RenderObject' *) 0x7f8827091808 (gdb) p firstChild->node() $5 = ('WebCore::Node' *) 0x0

this snippet reproduces <table width=600> <tr><td> <br><br> <li> <font>test <ul type="circle"> <li>test <li>test </ul> <!-- your content --> </font> </li> </td></tr></table>

Created attachment 114651 [details] Patch

Comment on attachment 114651 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=114651&action=review > Source/WebCore/ChangeLog:3 > + Fix crash when an anonymous render block is in a continuation. Fix a crash > LayoutTests/ChangeLog:10 > + I don't think this test needs to dump the AX tree. it just needs to access it. if we removing the dumping then we our expectation can be the same for all platforms which is preferable for crashers like these

(In reply to comment #4) > (From update of attachment 114651 [details]) > View in context: https://bugs.webkit.org/attachment.cgi?id=114651&action=review > > > Source/WebCore/ChangeLog:3 > > + Fix crash when an anonymous render block is in a continuation. > > Fix a crash Done. > > LayoutTests/ChangeLog:10 > > + > > I don't think this test needs to dump the AX tree. it just needs to access it. if we removing the dumping then we our expectation can be the same for all platforms which is preferable for crashers like these Sure, makes sense.

Created attachment 114744 [details] Patch

Comment on attachment 114744 [details] Patch r=me

Comment on attachment 114744 [details] Patch Clearing flags on attachment: 114744 Committed r100065: <http://trac.webkit.org/changeset/100065>

All reviewed patches have been landed. Closing bug.