[Webkit-unassigned] [Bug 175340] AX: crash at WebCore::AccessibilityObject::supportsARIALiveRegion() const + 24

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Thu Aug 10 07:09:45 PDT 2017 

https://bugs.webkit.org/show_bug.cgi?id=175340

zalan <zalan at apple.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
 Attachment #317793|review?                     |review-
              Flags|                            |

--- Comment #20 from zalan <zalan at apple.com> ---
Comment on attachment 317793
  --> https://bugs.webkit.org/attachment.cgi?id=317793
patch

View in context: https://bugs.webkit.org/attachment.cgi?id=317793&action=review

> Source/WebCore/rendering/RenderImage.cpp:156
> +    // Remove this from accessibility first, since the below shutdown() function
> +    // will clear m_cachedImage and lead to a stale ax render object.
> +    if (UNLIKELY(AXObjectCache::accessibilityEnabled())) {
> +        if (AXObjectCache* cache = document().existingAXObjectCache())
> +            cache->remove(this);
> +    }

Do you mind explaining what you mean by "clear m_cachedImage and lead to a stale ax render object". What's the connection between the m_cachedImage and the AX render object? What exactly prevents us from going through the normal RenderObject::willBeDestroyed path? Also, though Chris might know more about this, but this changeset makes a call to AXObjectCache::remove() before notifying the parent (please see the related comments in RenderObject::willBeDestoryed()).
If the problem here is that the AccessibilitySVGRoot outlives the AX RenderImage (which is correct, since svg root is a resource, while the RenderImage is a renderer), then it needs to be addressed in another way.

I tried to debug this myself but the attached test case (in second patch) passes fine even with guard malloc. -is it ASan only?

-- 
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-unassigned/attachments/20170810/5213bf40/attachment.html>

More information about the webkit-unassigned mailing list