[webkit-dev] Accessibility: Usage of node in TextMarkerData not reference counting... leading to crashes

Chris Fleizach cfleizach at apple.com
Mon Dec 7 12:19:55 PST 2009 

When we create TextMarkerData in AXObjectCache.cpp

We just stick in a Node, like so

    textMarkerData.axID = obj.get()->axObjectID();
    textMarkerData.node = domNode;
    textMarkerData.offset = deepPos.deprecatedEditingOffset();
    textMarkerData.affinity = visiblePos.affinity(); 

It seems that this is the probable cause of a number of low-incidence crashes, because when TextMarkerData is returned by the Assistive technology application, .node has already been released.

For example, this crash

Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_INVALID_ADDRESS at address: 0x00000000bbadbeef
0x00000001026d2f7f in WebCore::TreeShared<WebCore::Node>::ref ()
(gdb) bt
#0  0x00000001026d2f7f in WebCore::TreeShared<WebCore::Node>::ref ()
#1  0x00000001026d3163 in WTF::PassRefPtr<WebCore::Node>::PassRefPtr ()
#2  0x0000000103193dfb in WebCore::VisiblePosition::VisiblePosition ()
#3  0x00000001027517b9 in WebCore::AXObjectCache::visiblePositionForTextMarkerData ()
#4  0x00000001026dbe69 in visiblePositionForTextMarker ()
#5  0x00000001026dbeb8 in visiblePositionForEndOfTextMarkerRange ()
#6  0x00000001026dbf47 in -[AccessibilityObjectWrapper visiblePositionRangeForTextMarkerRange:] ()
#7  0x00000001026e16ff in -[AccessibilityObjectWrapper accessibilityAttributeValue:forParameter:] ()
#8  0x0000000100d9c692 in CopyParameterizedAttributeValue ()
#9  0x00007fff8619a6c2 in _AXXMIGCopyParameterizedAttributeValue ()
#10 0x00007fff861a481f in _XCopyParameterizedAttributeValue ()

It seems like we need a cache for the node's we store in TextMarkerData

----------------

Should I add a HashSet in AXObjectCache that uses RefPtr around the nodes?

Or should I add something in the destructor of Node to inform accessibility to update it's cache? (I think this is what RenderObject does)
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-dev/attachments/20091207/96a6372b/attachment.html>

More information about the webkit-dev mailing list