Bug 96443 - AX: Crashes in WebProcess at com.apple.WebCore: -[AccessibilityObjectWrapper remoteAccessibilityParentObject] + 78
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: Accessibility
Version: 528+ (Nightly build)
Hardware: Unspecified Unspecified
Importance: P2 Normal
Assignee: chris fleizach
Keywords: InRadar
Reported: 2012-09-11 16:04 PDT by chris fleizach
Modified: 2012-10-18 18:06 PDT

Attachments
patch for landing (3.28 KB, patch)
2012-09-11 16:10 PDT, chris fleizach

Description chris fleizach 2012-09-11 16:04:16 PDT
>  1 com.apple.WebCore              0x7fff900a5e6e -[AccessibilityObjectWrapper remoteAccessibilityParentObject] + 0x4e
   2 com.apple.WebCore              0x7fff9005f9af -[AccessibilityObjectWrapper scrollViewParent] + 0x7f
   3 com.apple.WebCore              0x7fff9003023d -[AccessibilityObjectWrapper accessibilityAttributeValue:] + 0xcd
   4 com.apple.AppKit               0x7fff8ec7b26d -[NSObject(NSRemoteUIElementAccessibility) accessibilityPresenterProcessIdentifier] + 0x7a
   5 com.apple.AppKit               0x7fff8e6b5bb9 NSAccessibilityCreateAXUIElementRef + 0x36a
   6 com.apple.AppKit               0x7fff8e6b611b ConvertOutgoingValue + 0x50e
   7 com.apple.AppKit               0x7fff8e6b5caf ConvertOutgoingValue + 0xa2
   8 com.apple.AppKit               0x7fff8e6b630d ConvertOutgoingValueForAttribute + 0x1bd
   9 com.apple.AppKit               0x7fff8e6b6360 CopyAppKitUIElementAttributeValueNoCatch + 0x48
  10 com.apple.AppKit               0x7fff8e6b3d51 CopyAttributeValue + 0x13c
  11 com.apple.HIServices           0x7fff8b0c956f _AXXMIGCopyAttributeValue + 0xe1
  12 com.apple.HIServices           0x7fff8b0d2876 _XCopyAttributeValue + 0x26b
  13 com.apple.HIServices           0x7fff8b0ae182 mshMIGPerform + 0x234
  14 com.apple.CoreFoundation       0x7fff887e3abc __CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE1_PERFORM_FUNCTION__ + 0x2c
  15 com.apple.CoreFoundation       0x7fff887e37eb __CFRunLoopDoSource1 + 0x9b
  16 com.apple.CoreFoundation       0x7fff88819f27 __CFRunLoopRun + 0x767
  17 com.apple.CoreFoundation       0x7fff88819486 CFRunLoopRunSpecific + 0xe6
  18 com.apple.HIToolbox            0x7fff876c44d3 RunCurrentEventLoopInMode + 0x115
  19 com.apple.HIToolbox            0x7fff876cb781 ReceiveNextEventCommon + 0x163
  20 com.apple.HIToolbox            0x7fff876cb60e BlockUntilNextEventMatchingListInMode + 0x3e
  21 com.apple.AppKit               0x7fff8e41be31 _DPSNextEvent + 0x293
  22 com.apple.AppKit               0x7fff8e41b735 -[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] + 0x87
  23 com.apple.AppKit               0x7fff8e418071 -[NSApplication run] + 0x1d6
  24 com.apple.WebKit2              0x7fff84b5963b WebKit::WebProcessMain(WebKit::CommandLine const&) + 0x229
  25 com.apple.WebKit2              0x7fff84b3fc30 WebKitMain + 0x110
  26 com.apple.WebProcess           0x109d9ce56 main + 0x0 (/SourceCache/WebKit2/WebKit2-7534.53.1/mac/MainMac.cpp:68)
  27 com.apple.WebProcess           0x109d9cd64 start + 0x0
Comment 1 chris fleizach 2012-09-11 16:05:08 PDT
It appears that in
RemoteAXObjectRef WebFrameLoaderClient::accessibilityRemoteObject()

we are not checking whether the page is nil
Comment 2 chris fleizach 2012-09-11 16:10:11 PDT
Created attachment 163471
patch for landing
Comment 3 chris fleizach 2012-09-11 16:11:02 PDT
Comment on attachment 163471
patch for landing

View in context: https://bugs.webkit.org/attachment.cgi?id=163471&action=review

> Source/WebCore/accessibility/mac/WebAccessibilityObjectWrapper.mm:1393
> +    Document* document = m_object->document();
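
Review bot: the raw `Document*` stored at :1393 should be null-checked before its first dereference, and the quoted line does not show that check. Comment 1 attributes the crash to a missing nil check on the page in `WebFrameLoaderClient::accessibilityRemoteObject()`, so each pointer obtained along this path (the document here, the page there) should be tested and the method should return early when one is missing. Holding the result in a local, as this line does, also keeps the value that was checked and the value that is used the same.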

I wanted to separate these calls out so 
1) we don't end up calling document() three times.
2) If the crash is actually in this method (which I don't think is the case), it will be easier to determine which line
Comment 4 chris fleizach 2012-09-11 16:13:25 PDT
rdar://11638298
Comment 5 chris fleizach 2012-10-18 17:55:33 PDT
Comment on attachment 163471
patch for landing

thanks!
Comment 6 WebKit Review Bot 2012-10-18 18:06:15 PDT
Comment on attachment 163471
patch for landing

Clearing flags on attachment: 163471

Committed r131834: <http://trac.webkit.org/changeset/131834>
Comment 7 WebKit Review Bot 2012-10-18 18:06:18 PDT
All reviewed patches have been landed.  Closing bug.