Bug 187528 - AX: Crash in accessing AXObjectCache in textMarkerDataForVisiblePosition
Summary: AX: Crash in accessing AXObjectCache in textMarkerDataForVisiblePosition
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: Accessibility
Version: WebKit Nightly Build
Hardware: All
OS: All
Importance: P2 Normal
Assignee: chris fleizach
URL:
Keywords: InRadar
Depends on:
Blocks:
 
Reported: 2018-07-10 10:51 PDT by chris fleizach
Modified: 2018-07-10 14:56 PDT (History)

See Also:


Attachments
patch (1.48 KB, patch)
2018-07-10 10:59 PDT, chris fleizach
patch (2.22 KB, patch)
2018-07-10 11:12 PDT, chris fleizach

Description chris fleizach 2018-07-10 10:51:26 PDT
<rdar://problem/37231941> CrashTracer: com.apple.WebKit.WebContent.Development at com.apple.WebCore: WebCore::AXObjectCache::get + 75

Exception Type:        EXC_BAD_ACCESS (SIGSEGV)
Exception Codes:       KERN_INVALID_ADDRESS at 0x0000000000000020
Exception Note:        EXC_CORPSE_NOTIFY

Termination Signal:    Segmentation fault: 11
Termination Reason:    Namespace SIGNAL, Code 0xb
Terminating Process:   exc handler [0]

VM Regions Near 0x20:
--> 
    __TEXT                 0000000102505000-0000000102507000 [    8K] r-x/rwx SM=COW  /Volumes/VOLUME/*/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent.Development

Application Specific Information:
CRASHING TEST: accessibility/mac/search-field-cancel-button.html

Thread 0 Crashed:
0   com.apple.WebCore             	0x00000007a0aae5db WebCore::AXObjectCache::get(WebCore::Node*) + 75
1   com.apple.WebCore             	0x00000007a0aadf4b WebCore::AXObjectCache::getOrCreate(WebCore::Node*) + 43
2   com.apple.WebCore             	0x00000007a0ab48e2 WebCore::AXObjectCache::textMarkerDataForVisiblePosition(WebCore::VisiblePosition const&) + 290
3   com.apple.WebCore             	0x00000007a15a7dfe -[WebAccessibilityObjectWrapper textMarkerRangeFromVisiblePositions:endPosition:] + 62
4   com.apple.WebCore             	0x00000007a03401ce WebCore::AXObjectCache::postTextStateChangePlatformNotification(WebCore::AccessibilityObject*, WebCore::AXTextStateChangeIntent const&, WebCore::VisibleSelection const&) + 494
5   com.apple.WebCore             	0x00000007a0ab0c5c WebCore::AXObjectCache::postTextStateChangeNotification(WebCore::AccessibilityObject*, WebCore::AXTextStateChangeIntent const&, WebCore::VisibleSelection const&) + 188
6   com.apple.WebCore             	0x00000007a037bfcb WebCore::FrameSelection::notifyAccessibilityForSelectionChange(WebCore::AXTextStateChangeIntent const&) + 203
7   com.apple.WebCore             	0x00000007a0e02f87 WebCore::FrameSelection::updateAndRevealSelection(WebCore::AXTextStateChangeIntent const&) + 167
8   com.apple.WebCore             	0x00000007a0e087e9 WebCore::FrameSelection::updateAppearanceAfterLayout() + 73
9   com.apple.WebCore             	0x00000007a0040c25 WebCore::FrameView::performPostLayoutTasks() + 37
10  com.apple.WebCore             	0x00000007a109b3ff WebCore::LayoutContext::runOrScheduleAsynchronousTasks() + 239
11  com.apple.WebCore             	0x00000007a10910bc WebCore::LayoutContext::layout() + 1612
12  com.apple.WebCore             	0x00000007a0098070 WebCore::Document::updateLayout() + 256
13  com.apple.WebCore             	0x00000007a0d29e5c WebCore::Document::updateLayoutIgnorePendingStylesheets(WebCore::Document::RunPostLayoutTasks) + 92
14  com.apple.WebCore             	0x00000007a0d55f36 WebCore::Element::boundingClientRect() + 38
Comment 1 Radar WebKit Bug Importer 2018-07-10 10:52:55 PDT
<rdar://problem/42031055>
Comment 2 chris fleizach 2018-07-10 10:59:21 PDT
Created attachment 344712 [details]
patch
Comment 3 Nan Wang 2018-07-10 11:07:12 PDT
Comment on attachment 344712 [details]
patch

r=me
There are other instances of calling someobject->document().axObjectCache(). Do we need to null-check those as well? Or is there a better way to know that the document is being destructed?
Comment 4 chris fleizach 2018-07-10 11:10:20 PDT
(In reply to Nan Wang from comment #3)
> Comment on attachment 344712 [details]
> patch
> 
> r=me
> There are other instances of calling someobject->document().axObjectCache().
> Do we need to null check those as well? Or is there a better way to know
> that document is being destructed.

I'll check those other instances in this area. We could check if the document is destroyed, but checking the cache seems a bit more straightforward and does the same thing for our purposes.
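The crash above (a read near address 0x20, i.e. a small offset from a null pointer) comes from using the pointer returned by document().axObjectCache() without checking it, and the fix discussed in this thread is to null-check that pointer. The following is an added illustration of that pattern and is not the attached patch or WebKit code: the Document, AXObjectCache, TextMarkerData and the two textMarkerData* functions are simplified stand-ins constructed for this example, and beginTeardown() models the moment the real document releases its cache.

```cpp
#include <cassert>
#include <cstdio>
#include <map>
#include <memory>

// Simplified stand-ins for WebCore's Document and AXObjectCache. These are
// constructed for this example and are not WebKit's classes.
struct AXObject {
    int nodeId;
};

class AXObjectCache {
public:
    // Hands back the accessibility wrapper for a node, creating one on first use.
    AXObject* getOrCreate(int nodeId) {
        auto it = m_objects.find(nodeId);
        if (it == m_objects.end())
            it = m_objects.emplace(nodeId, std::make_unique<AXObject>(AXObject{nodeId})).first;
        return it->second.get();
    }
private:
    std::map<int, std::unique_ptr<AXObject>> m_objects;
};

class Document {
public:
    // Nullable by contract: once teardown starts the cache is released and this returns nullptr.
    AXObjectCache* axObjectCache() { return m_cache.get(); }
    // Hypothetical hook standing in for the point where the real document drops its cache.
    void beginTeardown() { m_cache.reset(); }
private:
    std::unique_ptr<AXObjectCache> m_cache = std::make_unique<AXObjectCache>();
};

struct TextMarkerData {
    int nodeId = 0;
    int offset = 0;
    bool valid = false;
};

// "Before": uses the accessor result without a check. For a document in teardown,
// `cache` is nullptr and `cache->getOrCreate` reads through a null pointer, which is
// the shape of the crash in the report. Kept here for contrast; never called below.
TextMarkerData textMarkerDataUnchecked(Document& document, int nodeId, int offset) {
    AXObjectCache* cache = document.axObjectCache();
    AXObject* object = cache->getOrCreate(nodeId);   // null dereference when cache is gone
    return { object->nodeId, offset, true };
}

// "After": treat a missing cache as "no marker available" and return an invalid marker
// instead of touching the cache.
TextMarkerData textMarkerDataChecked(Document& document, int nodeId, int offset) {
    AXObjectCache* cache = document.axObjectCache();
    if (!cache)
        return {};                                    // valid == false
    AXObject* object = cache->getOrCreate(nodeId);
    return { object->nodeId, offset, true };
}

// Scenario: a layout-triggered selection notification arrives while the document is alive,
// then again after teardown has begun. Returns true only if both calls behave as intended:
// a valid marker first, an invalid (but safe) marker second.
bool checkedPathSurvivesTeardown() {
    Document document;
    TextMarkerData live = textMarkerDataChecked(document, 7, 3);
    if (!live.valid || live.nodeId != 7 || live.offset != 3)
        return false;
    document.beginTeardown();
    TextMarkerData gone = textMarkerDataChecked(document, 7, 3);
    return !gone.valid && document.axObjectCache() == nullptr;
}

int main() {
    std::printf("checked path ok: %s\n", checkedPathSurvivesTeardown() ? "yes" : "no");
    return 0;
}
```

The point of the checked version is that callers reached from post-layout tasks (as in the stack trace) cannot assume the document still owns a cache, so the accessor's result has to be treated as nullable at every call site; returning an empty marker is the cheap, local way to do that, which is the trade-off the comments above weigh against tracking document destruction explicitly.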
Comment 5 chris fleizach 2018-07-10 11:12:48 PDT
Created attachment 344713 [details]
patch
Comment 6 WebKit Commit Bot 2018-07-10 14:56:09 PDT
Comment on attachment 344713 [details]
patch

Clearing flags on attachment: 344713

Committed r233699: <https://trac.webkit.org/changeset/233699>
Comment 7 WebKit Commit Bot 2018-07-10 14:56:11 PDT
All reviewed patches have been landed.  Closing bug.