RESOLVED FIXED 87028
Chromium AX: Crash when menulist adds selected option via document.write
https://bugs.webkit.org/show_bug.cgi?id=87028
Dominic Mazzoni
Reported 2012-05-21 10:16:40 PDT
Somewhat obscure, but this happened "in the wild" - if you add a selected option inside of a <select> element using document.write, AccessibilityMenuListPopup::didUpdateActiveOption gets called with the new index before the children of the AccessibilityMenuListPopup get updated, leading to a crash. I can only reproduce on Chromium because on Mac, the AccessibilityMenuListPopup is ignored if the pop-up is closed. Should repro on Windows in theory, maybe GTK.

Here's the repro - the crash only happens if the AccessibilityMenuListPopup is actually created before the script runs; I can trigger this on Chromium by adding a delay to the JavaScript and tabbing to the control (while accessibility is on) before the script runs. When the script does run it triggers the crash.

    <select id="menulist">
      <option>1</option>
      <script src="data:text/javascript,document.write('<option selected>2');"></script>
    </select>
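The pattern behind this report, as an added illustration that is not WebKit's code: a popup mirrors the option list of a select into its own cached children, and an active-option index that arrives before the mirror is refreshed points past the end of the stale list. The names SelectElement, MenuListPopup and replayScenario are hypothetical; the fix modelled is the patch's idea that the renderer notifies the accessibility cache (childrenChanged) when options are added or removed.

```cpp
#include <optional>
#include <string>
#include <vector>

// Hypothetical stand-in for the <select> element's option list.
struct SelectElement {
    std::vector<std::string> options;
};

// Hypothetical stand-in for the accessibility popup that mirrors the options.
class MenuListPopup {
public:
    explicit MenuListPopup(const SelectElement& select) : select_(select) { rebuild(); }

    // Called by the renderer when an <option> is added or removed.
    void childrenChanged() { stale_ = true; }

    // Resolves the newly active option; returns nullopt instead of reading
    // out of bounds when the cached mirror cannot satisfy the index.
    std::optional<std::string> didUpdateActiveOption(int optionIndex) {
        if (stale_)
            rebuild();  // refresh the mirror before indexing into it
        if (optionIndex < 0 || static_cast<size_t>(optionIndex) >= children_.size())
            return std::nullopt;  // stale or invalid index: fail closed, do not dereference
        return children_[optionIndex];
    }

private:
    void rebuild() { children_ = select_.options; stale_ = false; }
    const SelectElement& select_;
    std::vector<std::string> children_;
    bool stale_ = true;
};

// Replays the report: the popup exists before the script runs, then
// document.write adds "<option selected>2" and the active index becomes 1.
// With notifyCache the renderer informs the popup, as the patch does;
// without it the mirror is stale and the lookup is rejected rather than
// reading past the end of the cached children.
std::optional<std::string> replayScenario(bool notifyCache) {
    SelectElement select{{"1"}};
    MenuListPopup popup(select);     // created before the script runs
    select.options.push_back("2");   // document.write('<option selected>2')
    if (notifyCache)
        popup.childrenChanged();
    return popup.didUpdateActiveOption(1);
}
```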
Attachments
Patch (4.16 KB, patch)
2012-05-21 11:07 PDT, Dominic Mazzoni
no flags
Patch (4.83 KB, patch)
2012-05-21 12:13 PDT, Dominic Mazzoni
no flags
Dominic Mazzoni
Comment 1 2012-05-21 11:07:28 PDT
chris fleizach
Comment 2 2012-05-21 11:19:28 PDT
Comment on attachment 143063 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=143063&action=review

> Source/WebCore/rendering/RenderMenuList.cpp:124
> +    document()->axObjectCache()->childrenChanged(this);

what about removeChild?
Dominic Mazzoni
Comment 3 2012-05-21 12:13:58 PDT
Dominic Mazzoni
Comment 4 2012-05-21 12:17:44 PDT
(In reply to comment #2)
> what about removeChild?

Good thought, but I couldn't come up with a case where removeChild didn't work. I updated the test to cover removeChild, but it already worked correctly so no more code changes were needed.
chris fleizach
Comment 5 2012-05-21 23:39:51 PDT
Comment on attachment 143074 [details]
Patch

looks good
WebKit Review Bot
Comment 6 2012-05-22 08:23:51 PDT
Comment on attachment 143074 [details]
Patch

Clearing flags on attachment: 143074

Committed r117976: <http://trac.webkit.org/changeset/117976>
WebKit Review Bot
Comment 7 2012-05-22 08:23:55 PDT
All reviewed patches have been landed. Closing bug.