187528 2018-07-10 10:51:26 -0700 AX: Crash in accessing AXObjectCache in textMarkerDataForVisiblePosition 2018-07-10 14:56:11 -0700 1 1 1 Unclassified WebKit Accessibility WebKit Nightly Build All All RESOLVED FIXED InRadar P2 Normal --- 1 cfleizach cfleizach aboxhall apinheiro commit-queue dmazzoni ews-watchlist jcraig jdiggs n_wang samuel_white webkit-bug-importer oldest_to_newest 1440905 0 cfleizach 2018-07-10 10:51:26 -0700 <rdar://problem/37231941> CrashTracer: com.apple.WebKit.WebContent.Development at com.apple.WebCore: WebCore::AXObjectCache::get + 75 Exception Type: EXC_BAD_ACCESS (SIGSEGV) Exception Codes: KERN_INVALID_ADDRESS at 0x0000000000000020 Exception Note: EXC_CORPSE_NOTIFY Termination Signal: Segmentation fault: 11 Termination Reason: Namespace SIGNAL, Code 0xb Terminating Process: exc handler [0] VM Regions Near 0x20: --> __TEXT 0000000102505000-0000000102507000 [ 8K] r-x/rwx SM=COW /Volumes/VOLUME/*/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent.Development Application Specific Information: CRASHING TEST: accessibility/mac/search-field-cancel-button.html Thread 0 Crashed: 0 com.apple.WebCore 0x00000007a0aae5db WebCore::AXObjectCache::get(WebCore::Node*) + 75 1 com.apple.WebCore 0x00000007a0aadf4b WebCore::AXObjectCache::getOrCreate(WebCore::Node*) + 43 2 com.apple.WebCore 0x00000007a0ab48e2 WebCore::AXObjectCache::textMarkerDataForVisiblePosition(WebCore::VisiblePosition const&) + 290 3 com.apple.WebCore 0x00000007a15a7dfe -[WebAccessibilityObjectWrapper textMarkerRangeFromVisiblePositions:endPosition:] + 62 4 com.apple.WebCore 0x00000007a03401ce WebCore::AXObjectCache::postTextStateChangePlatformNotification(WebCore::AccessibilityObject*, WebCore::AXTextStateChangeIntent const&, WebCore::VisibleSelection const&) + 494 5 com.apple.WebCore 0x00000007a0ab0c5c WebCore::AXObjectCache::postTextStateChangeNotification(WebCore::AccessibilityObject*, WebCore::AXTextStateChangeIntent const&, WebCore::VisibleSelection const&) + 188 6 com.apple.WebCore 0x00000007a037bfcb WebCore::FrameSelection::notifyAccessibilityForSelectionChange(WebCore::AXTextStateChangeIntent const&) + 203 7 com.apple.WebCore 0x00000007a0e02f87 WebCore::FrameSelection::updateAndRevealSelection(WebCore::AXTextStateChangeIntent const&) + 167 8 com.apple.WebCore 0x00000007a0e087e9 WebCore::FrameSelection::updateAppearanceAfterLayout() + 73 9 com.apple.WebCore 0x00000007a0040c25 WebCore::FrameView::performPostLayoutTasks() + 37 10 com.apple.WebCore 0x00000007a109b3ff WebCore::LayoutContext::runOrScheduleAsynchronousTasks() + 239 11 com.apple.WebCore 0x00000007a10910bc WebCore::LayoutContext::layout() + 1612 12 com.apple.WebCore 0x00000007a0098070 WebCore::Document::updateLayout() + 256 13 com.apple.WebCore 0x00000007a0d29e5c WebCore::Document::updateLayoutIgnorePendingStylesheets(WebCore::Document::RunPostLayoutTasks) + 92 14 com.apple.WebCore 0x00000007a0d55f36 WebCore::Element::boundingClientRect() + 38 1 1440906 1 webkit-bug-importer 2018-07-10 10:52:55 -0700 <rdar://problem/42031055> 1440909 2 344712 cfleizach 2018-07-10 10:59:21 -0700 Created attachment 344712 patch 1440913 3 344712 n_wang 2018-07-10 11:07:12 -0700 Comment on attachment 344712 patch r=me There are other instances of calling someobject->document().axObjectCache(). Do we need to null check those as well? Or is there a better way to know that document is being destructed. 1440914 4 cfleizach 2018-07-10 11:10:20 -0700 (In reply to Nan Wang from comment #3) > Comment on attachment 344712 [details] > patch > > r=me > There are other instances of calling someobject->document().axObjectCache(). > Do we need to null check those as well? Or is there a better way to know > that document is being destructed. I'll check those other instances in this area. we could check if the document is destroyed, but checking the cache seems a bit more straight-forward and does the same thing for our purposes. 1440916 5 344713 cfleizach 2018-07-10 11:12:48 -0700 Created attachment 344713 patch 1440977 6 344713 commit-queue 2018-07-10 14:56:09 -0700 Comment on attachment 344713 patch Clearing flags on attachment: 344713 Committed r233699: <https://trac.webkit.org/changeset/233699> 1440978 7 commit-queue 2018-07-10 14:56:11 -0700 All reviewed patches have been landed. Closing bug. 344712 2018-07-10 10:59:21 -0700 2018-07-10 11:12:48 -0700 patch patch text/plain 1515 cfleizach SW5kZXg6IFNvdXJjZS9XZWJDb3JlL0NoYW5nZUxvZwo9PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09Ci0tLSBTb3VyY2UvV2Vi Q29yZS9DaGFuZ2VMb2cJKHJldmlzaW9uIDIzMzY5MCkKKysrIFNvdXJjZS9XZWJDb3JlL0NoYW5n ZUxvZwkod29ya2luZyBjb3B5KQpAQCAtMSwzICsxLDE3IEBACisyMDE4LTA3LTEwICBDaHJpcyBG bGVpemFjaCAgPGNmbGVpemFjaEBhcHBsZS5jb20+CisKKyAgICAgICAgQVg6IENyYXNoIGluIGFj Y2Vzc2luZyBBWE9iamVjdENhY2hlIGluIHRleHRNYXJrZXJEYXRhRm9yVmlzaWJsZVBvc2l0aW9u CisgICAgICAgIGh0dHBzOi8vYnVncy53ZWJraXQub3JnL3Nob3dfYnVnLmNnaT9pZD0xODc1MjgK KyAgICAgICAgPHJkYXI6Ly9wcm9ibGVtLzM3MjMxOTQxPgorCisgICAgICAgIFJldmlld2VkIGJ5 IE5PQk9EWSAoT09QUyEpLgorCisgICAgICAgIE9jY2FzaW9uYWwgY3Jhc2hlcyByZXBvcnRlZCB3 aGVuIHJ1bm5pbmcgYWNjZXNzaWJpbGl0eS9tYWMvc2VhcmNoLWZpZWxkLWNhbmNlbC1idXR0b24u aHRtbC4KKyAgICAgICAgTG9va3MgbGlrZSB0aGUgY2FjaGUgb2JqZWN0IHJldHJpZXZlZCB3YXMg bm90IHZhbGlkIGFuZCB3ZSB3ZXJlbid0IGNoZWNraW5nIGZvciBpdC4KKworICAgICAgICAqIGFj Y2Vzc2liaWxpdHkvQVhPYmplY3RDYWNoZS5jcHA6CisgICAgICAgIChXZWJDb3JlOjpBWE9iamVj dENhY2hlOjp0ZXh0TWFya2VyRGF0YUZvclZpc2libGVQb3NpdGlvbik6CisKIDIwMTgtMDctMTAg IFJ5b3N1a2UgTml3YSAgPHJuaXdhQHdlYmtpdC5vcmc+CiAKICAgICAgICAgRGlzYWJsZSBjcm9z cy1vcmlnaW4td2luZG93LXBvbGljeSBieSBkZWZhdWx0CkluZGV4OiBTb3VyY2UvV2ViQ29yZS9h Y2Nlc3NpYmlsaXR5L0FYT2JqZWN0Q2FjaGUuY3BwCj09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT0KLS0tIFNvdXJjZS9XZWJD b3JlL2FjY2Vzc2liaWxpdHkvQVhPYmplY3RDYWNoZS5jcHAJKHJldmlzaW9uIDIzMzY3MikKKysr IFNvdXJjZS9XZWJDb3JlL2FjY2Vzc2liaWxpdHkvQVhPYmplY3RDYWNoZS5jcHAJKHdvcmtpbmcg Y29weSkKQEAgLTIyMDQsNiArMjIwNCw4IEBACiAKICAgICAvLyBmaW5kIG9yIGNyZWF0ZSBhbiBh Y2Nlc3NpYmlsaXR5IG9iamVjdCBmb3IgdGhpcyBub2RlCiAgICAgQVhPYmplY3RDYWNoZSogY2Fj aGUgPSBkb21Ob2RlLT5kb2N1bWVudCgpLmF4T2JqZWN0Q2FjaGUoKTsKKyAgICBpZiAoIWNhY2hl KQorICAgICAgICByZXR1cm4gc3RkOjpudWxsb3B0OwogICAgIFJlZlB0cjxBY2Nlc3NpYmlsaXR5 T2JqZWN0PiBvYmogPSBjYWNoZS0+Z2V0T3JDcmVhdGUoZG9tTm9kZSk7CiAKICAgICAvLyBUaGlz IG1lbW9yeSBtdXN0IGJlIHplcm8nZCBzbyBpbnN0YW5jZXMgb2YgVGV4dE1hcmtlckRhdGEgY2Fu IGJlIHRlc3RlZCBmb3IgYnl0ZS1lcXVpdmFsZW5jZS4K 344713 2018-07-10 11:12:48 -0700 2018-07-10 14:56:09 -0700 patch patch text/plain 2270 cfleizach SW5kZXg6IFNvdXJjZS9XZWJDb3JlL0NoYW5nZUxvZwo9PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09Ci0tLSBTb3VyY2UvV2Vi Q29yZS9DaGFuZ2VMb2cJKHJldmlzaW9uIDIzMzY5MCkKKysrIFNvdXJjZS9XZWJDb3JlL0NoYW5n ZUxvZwkod29ya2luZyBjb3B5KQpAQCAtMSwzICsxLDE5IEBACisyMDE4LTA3LTEwICBDaHJpcyBG bGVpemFjaCAgPGNmbGVpemFjaEBhcHBsZS5jb20+CisKKyAgICAgICAgQVg6IENyYXNoIGluIGFj Y2Vzc2luZyBBWE9iamVjdENhY2hlIGluIHRleHRNYXJrZXJEYXRhRm9yVmlzaWJsZVBvc2l0aW9u CisgICAgICAgIGh0dHBzOi8vYnVncy53ZWJraXQub3JnL3Nob3dfYnVnLmNnaT9pZD0xODc1MjgK KyAgICAgICAgPHJkYXI6Ly9wcm9ibGVtLzM3MjMxOTQxPgorCisgICAgICAgIFJldmlld2VkIGJ5 IE5PQk9EWSAoT09QUyEpLgorCisgICAgICAgIE9jY2FzaW9uYWwgY3Jhc2hlcyByZXBvcnRlZCB3 aGVuIHJ1bm5pbmcgYWNjZXNzaWJpbGl0eS9tYWMvc2VhcmNoLWZpZWxkLWNhbmNlbC1idXR0b24u aHRtbC4KKyAgICAgICAgTG9va3MgbGlrZSB0aGUgY2FjaGUgb2JqZWN0IHJldHJpZXZlZCB3YXMg bm90IHZhbGlkIGFuZCB3ZSB3ZXJlbid0IGNoZWNraW5nIGZvciBpdC4KKworICAgICAgICAqIGFj Y2Vzc2liaWxpdHkvQVhPYmplY3RDYWNoZS5jcHA6CisgICAgICAgIChXZWJDb3JlOjpBWE9iamVj dENhY2hlOjp2aXNpYmxlUG9zaXRpb25Gb3JUZXh0TWFya2VyRGF0YSk6CisgICAgICAgIChXZWJD b3JlOjpBWE9iamVjdENhY2hlOjp0ZXh0TWFya2VyRGF0YUZvclZpc2libGVQb3NpdGlvbik6Cisg ICAgICAgIChXZWJDb3JlOjpBWE9iamVjdENhY2hlOjp0ZXh0TWFya2VyRGF0YUZvckZpcnN0UG9z aXRpb25JblRleHRDb250cm9sKToKKwogMjAxOC0wNy0xMCAgUnlvc3VrZSBOaXdhICA8cm5pd2FA d2Via2l0Lm9yZz4KIAogICAgICAgICBEaXNhYmxlIGNyb3NzLW9yaWdpbi13aW5kb3ctcG9saWN5 IGJ5IGRlZmF1bHQKSW5kZXg6IFNvdXJjZS9XZWJDb3JlL2FjY2Vzc2liaWxpdHkvQVhPYmplY3RD YWNoZS5jcHAKPT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PQotLS0gU291cmNlL1dlYkNvcmUvYWNjZXNzaWJpbGl0eS9BWE9i amVjdENhY2hlLmNwcAkocmV2aXNpb24gMjMzNjcyKQorKysgU291cmNlL1dlYkNvcmUvYWNjZXNz aWJpbGl0eS9BWE9iamVjdENhY2hlLmNwcAkod29ya2luZyBjb3B5KQpAQCAtMTU5MSw3ICsxNTkx LDcgQEAKICAgICAgICAgcmV0dXJuIFZpc2libGVQb3NpdGlvbigpOwogICAgIAogICAgIEFYT2Jq ZWN0Q2FjaGUqIGNhY2hlID0gcmVuZGVyZXItPmRvY3VtZW50KCkuYXhPYmplY3RDYWNoZSgpOwot ICAgIGlmICghY2FjaGUtPm1faWRzSW5Vc2UuY29udGFpbnModGV4dE1hcmtlckRhdGEuYXhJRCkp CisgICAgaWYgKGNhY2hlICYmICFjYWNoZS0+bV9pZHNJblVzZS5jb250YWlucyh0ZXh0TWFya2Vy RGF0YS5heElEKSkKICAgICAgICAgcmV0dXJuIFZpc2libGVQb3NpdGlvbigpOwogCiAgICAgcmV0 dXJuIHZpc2libGVQb3M7CkBAIC0yMjA0LDYgKzIyMDQsOCBAQAogCiAgICAgLy8gZmluZCBvciBj cmVhdGUgYW4gYWNjZXNzaWJpbGl0eSBvYmplY3QgZm9yIHRoaXMgbm9kZQogICAgIEFYT2JqZWN0 Q2FjaGUqIGNhY2hlID0gZG9tTm9kZS0+ZG9jdW1lbnQoKS5heE9iamVjdENhY2hlKCk7CisgICAg aWYgKCFjYWNoZSkKKyAgICAgICAgcmV0dXJuIHN0ZDo6bnVsbG9wdDsKICAgICBSZWZQdHI8QWNj ZXNzaWJpbGl0eU9iamVjdD4gb2JqID0gY2FjaGUtPmdldE9yQ3JlYXRlKGRvbU5vZGUpOwogCiAg ICAgLy8gVGhpcyBtZW1vcnkgbXVzdCBiZSB6ZXJvJ2Qgc28gaW5zdGFuY2VzIG9mIFRleHRNYXJr ZXJEYXRhIGNhbiBiZSB0ZXN0ZWQgZm9yIGJ5dGUtZXF1aXZhbGVuY2UuCkBAIC0yMjMxLDYgKzIy MzMsOSBAQAogICAgICAgICByZXR1cm4gc3RkOjpudWxsb3B0OwogCiAgICAgQVhPYmplY3RDYWNo ZSogY2FjaGUgPSB0ZXh0Q29udHJvbC5kb2N1bWVudCgpLmF4T2JqZWN0Q2FjaGUoKTsKKyAgICBp ZiAoIWNhY2hlKQorICAgICAgICByZXR1cm4gc3RkOjpudWxsb3B0OworCiAgICAgUmVmUHRyPEFj Y2Vzc2liaWxpdHlPYmplY3Q+IG9iaiA9IGNhY2hlLT5nZXRPckNyZWF0ZSgmdGV4dENvbnRyb2wp OwogICAgIGlmICghb2JqKQogICAgICAgICByZXR1cm4gc3RkOjpudWxsb3B0Owo=