[Webkit-unassigned] [Bug 137658] Crash in AccessibilityMenuListOption::elementRect()

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Thu Nov 13 22:06:10 PST 2014


https://bugs.webkit.org/show_bug.cgi?id=137658

--- Comment #4 from Joanmarie Diggs (irc: joanie) <jdiggs at igalia.com> ---
Another of the problems is that you can have the right parent and grandparent, but one of those ancestors gets deliberately removed from the document and then atk_object_ref_state_set() gets called for the selected option. So for that issue, I've just opened bug 138727 and attached a patch for that.

So in summary:
* Bug 137866 fixes the emission of bogus accessible events on non-focused options, even when we have the correct parent and grandparent. That fix is committed and should make the crash reported here extremely unlikely for most users.

* Bug 137867 fixes the role returned for detached accessible objects, so ATs won't innocently poke at moribund accessible objects. That fix is committed and should make the crash reported here extremely unlikely for users of assistive technologies.

* Bug 138727 sanity checks for validly null parent and grandparent objects. It's a tiny patch so hopefully it will be reviewed and committed soon. And that should guarantee that the crash here cannot occur.

What remains is figuring out why we're not getting the right parent in the case described in the opening report. I'll do that next. (Keeping this bug here open as it's become the metabug.)

-- 
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-unassigned/attachments/20141114/a67d9f04/attachment-0002.html>


More information about the webkit-unassigned mailing list