133825 2014-06-12 14:51:22 -0700 AX: Safari crashed once in WebCore::AccessibilityObject::ariaIsHidden 2014-06-16 14:44:51 -0700 1 1 1 Unclassified WebKit Accessibility 528+ (Nightly build) All All RESOLVED FIXED InRadar P2 Normal --- 1 cfleizach cfleizach aboxhall apinheiro commit-queue ddkilzer dmazzoni jcraig jdiggs koivisto mario samuel_white simon.fraser webkit-bug-importer oldest_to_newest 1015241 0 cfleizach 2014-06-12 14:51:22 -0700 Crash log here #0 0x00000001005deee0 in WebCore::AccessibilityObject::element() const at /Code/Web/OpenSource/Source/WebCore/accessibility/AccessibilityObject.cpp:1874 #1 0x00000001005d9710 in WebCore::AccessibilityObject::getAttribute(WebCore::QualifiedName const&) const at /Code/Web/OpenSource/Source/WebCore/accessibility/AccessibilityObject.cpp:1686 #2 0x00000001005edd54 in WebCore::AccessibilityObject::isARIAHidden() const at /Code/Web/OpenSource/Source/WebCore/accessibility/AccessibilityObject.cpp:2373 #3 0x00000001005ede80 in WebCore::AccessibilityObject::defaultObjectInclusion() const at /Code/Web/OpenSource/Source/WebCore/accessibility/AccessibilityObject.cpp:2393 #4 0x00000001005f22f8 in WebCore::AccessibilityRenderObject::defaultObjectInclusion() const at /Code/Web/OpenSource/Source/WebCore/accessibility/AccessibilityRenderObject.cpp:1166 #5 0x00000001005f2370 in WebCore::AccessibilityRenderObject::computeAccessibilityIsIgnored() const at /Code/Web/OpenSource/Source/WebCore/accessibility/AccessibilityRenderObject.cpp:1178 #6 0x00000001005edfe8 in WebCore::AccessibilityObject::accessibilityIsIgnored() const at /Code/Web/OpenSource/Source/WebCore/accessibility/AccessibilityObject.cpp:2420 #7 0x00000001005d2bf0 in WebCore::AXObjectCache::notificationPostTimerFired(WebCore::Timer<WebCore::AXObjectCache>&) at /Code/Web/OpenSource/Source/WebCore/accessibility/AXObjectCache.cpp:738 #8 0x0000000100633030 in decltype(*(std::__1::forward<WebCore::AXObjectCache*&>(fp0)).*fp(std::__1::forward<WebCore::Timer<WebCore::AXObjectCache>&>(fp1))) std::__1::__invoke<void (WebCore::AXObjectCache::*&)(WebCore::Timer<WebCore::AXObjectCache>&), WebCore::AXObjectCache*&, WebCore::Timer<WebCore::AXObjectCache>&, void>(void (WebCore::AXObjectCache::*&&&)(WebCore::Timer<WebCore::AXObjectCache>&), WebCore::AXObjectCache*&&&, WebCore::Timer<WebCore::AXObjectCache>&&&) [inlined] at /Applications/Xcode.app/Contents/Developer/Toolchains/iOS8.0.xctoolchain/usr/bin/../include/c++/v1/__functional_base:380 #9 0x0000000100632fc0 in std::__1::__bind_return<void (WebCore::AXObjectCache::*)(WebCore::Timer<WebCore::AXObjectCache>&), std::__1::tuple<WebCore::AXObjectCache*, std::__1::reference_wrapper<WebCore::Timer<WebCore::AXObjectCache> > >, std::__1::tuple<>, _is_valid_bind_return<void (WebCore::AXObjectCache::*)(WebCore::Timer<WebCore::AXObjectCache>&), std::__1::tuple<WebCore::AXObjectCache*, std::__1::reference_wrapper<WebCore::Timer<WebCore::AXObjectCache> > >, std::__1::tuple<> >::value>::type std::__1::__apply_functor<void (WebCore::AXObjectCache::*)(WebCore::Timer<WebCore::AXObjectCache>&), std::__1::tuple<WebCore::AXObjectCache*, std::__1::reference_wrapper<WebCore::Timer<WebCore::AXObjectCache> > >, 0ul, 1ul, std::__1::tuple<> >(void (WebCore::AXObjectCache::*&)(WebCore::Timer<WebCore::AXObjectCache>&), std::__1::tuple<WebCore::AXObjectCache*, std::__1::reference_wrapper<WebCore::Timer<WebCore::AXObjectCache> > >&, std::__1::__tuple_indices<0ul, 1ul>, std::__1::tuple<>&&) [inlined] at /Applications/Xcode.app/Contents/Developer/Toolchains/iOS8.0.xctoolchain/usr/bin/../include/c++/v1/functional:2022 #10 0x0000000100632f78 in std::__1::__bind_return<void (WebCore::AXObjectCache::*)(WebCore::Timer<WebCore::AXObjectCache>&), std::__1::tuple<WebCore::AXObjectCache*, std::__1::reference_wrapper<WebCore::Timer<WebCore::AXObjectCache> > >, std::__1::tuple<>, _is_valid_bind_return<void (WebCore::AXObjectCache::*)(WebCore::Timer<WebCore::AXObjectCache>&), std::__1::tuple<WebCore::AXObjectCache*, std::__1::reference_wrapper<WebCore::Timer<WebCore::AXObjectCache> > >, std::__1::tuple<> >::value>::type std::__1::__bind<void (WebCore::AXObjectCache::*&)(WebCore::Timer<WebCore::AXObjectCache>&), WebCore::AXObjectCache*&, std::__1::reference_wrapper<WebCore::Timer<WebCore::AXObjectCache> > >::operator()<>() [inlined] at /Applications/Xcode.app/Contents/Developer/Toolchains/iOS8.0.xctoolchain/usr/bin/../include/c++/v1/functional:2085 #11 0x0000000100632f60 in decltype(std::__1::forward<std::__1::__bind<void (WebCore::AXObjectCache::*&)(WebCore::Timer<WebCore::AXObjectCache>&), WebCore::AXObjectCache*&, std::__1::reference_wrapper<WebCore::Timer<WebCore::AXObjectCache> > >&>(fp)(std::__1::forward<>(fp0))) std::__1::__invoke<std::__1::__bind<void (WebCore::AXObjectCache::*&)(WebCore::Timer<WebCore::AXObjectCache>&), WebCore::AXObjectCache*&, std::__1::reference_wrapper<WebCore::Timer<WebCore::AXObjectCache> > >&>(std::__1::__bind<void (WebCore::AXObjectCache::*&)(WebCore::Timer<WebCore::AXObjectCache>&), WebCore::AXObjectCache*&, std::__1::reference_wrapper<WebCore::Timer<WebCore::AXObjectCache> > >&&&) [inlined] at /Applications/Xcode.app/Contents/Developer/Toolchains/iOS8.0.xctoolchain/usr/bin/../include/c++/v1/__functional_base:413 #12 0x0000000100632f60 in std::__1::__function::__func<std::__1::__bind<void (WebCore::AXObjectCache::*&)(WebCore::Timer<WebCore::AXObjectCache>&), WebCore::AXObjectCache*&, std::__1::reference_wrapper<WebCore::Timer<WebCore::AXObjectCache> > >, std::__1::allocator<std::__1::__bind<void (WebCore::AXObjectCache::*&)(WebCore::Timer<WebCore::AXObjectCache>&), WebCore::AXObjectCache*&, std::__1::reference_wrapper<WebCore::Timer<WebCore::AXObjectCache> > > >, void ()>::operator()() at /Applications/Xcode.app/Contents/Developer/Toolchains/iOS8.0.xctoolchain/usr/bin/../include/c++/v1/functional:1370 #13 0x0000000100632230 in std::__1::function<void ()>::operator()() const at /Applications/Xcode.app/Contents/Developer/Toolchains/iOS8.0.xctoolchain/usr/bin/../include/c++/v1/functional:1755 #14 0x00000001006321ec in WebCore::Timer<WebCore::AXObjectCache>::fired() at /Code/Web/OpenSource/Source/WebCore/platform/Timer.h:133 #15 0x00000001022a1a38 in WebCore::ThreadTimers::sharedTimerFiredInternal() at /Code/Web/OpenSource/Source/WebCore/platform/ThreadTimers.cpp:132 #16 0x00000001022a1730 in WebCore::ThreadTimers::sharedTimerFired() at /Code/Web/OpenSource/Source/WebCore/platform/ThreadTimers.cpp:107 #17 0x0000000101fe8004 in WebCore::timerFired(__CFRunLoopTimer*, void*) at /Code/Web/OpenSource/Source/WebCore/platform/ios/SharedTimerIOS.mm:62 1015242 1 cfleizach 2014-06-12 14:51:42 -0700 The problem looks like if you ask axIsIgnored() on a newly created object, it can actually deallocate itself 1015244 2 webkit-bug-importer 2014-06-12 14:52:05 -0700 <rdar://problem/17292966> 1015245 3 232992 cfleizach 2014-06-12 14:54:38 -0700 Created attachment 232992 patch 1015939 4 232992 ggaren 2014-06-16 13:15:20 -0700 Comment on attachment 232992 patch View in context: https://bugs.webkit.org/attachment.cgi?id=232992&action=review > Source/WebCore/accessibility/AXObjectCache.cpp:433 > + // Sometimes asking accessibilityIsIgnored() will cause the newObject to be deallocated, and then > + // it will disappear when this function is finished, leading to a use-after-free. > + if (newObj->isDetached()) > + return nullptr; Do you really mean deallocated, or just detached? If newObj is truly deallocated, we need to understand why our RefPtr didn't prevent that. Accessing newObj after it has been deallocated is not sound, and isDetached() might return anything if it's called on a deallocated object. 1015940 5 cfleizach 2014-06-16 13:22:29 -0700 (In reply to comment #4) > (From update of attachment 232992 [details]) > View in context: https://bugs.webkit.org/attachment.cgi?id=232992&action=review > > > Source/WebCore/accessibility/AXObjectCache.cpp:433 > > + // Sometimes asking accessibilityIsIgnored() will cause the newObject to be deallocated, and then > > + // it will disappear when this function is finished, leading to a use-after-free. > > + if (newObj->isDetached()) > > + return nullptr; > > Do you really mean deallocated, or just detached? If newObj is truly deallocated, we need to understand why our RefPtr didn't prevent that. Accessing newObj after it has been deallocated is not sound, and isDetached() might return anything if it's called on a deallocated object. I mean detached. The RefPtr<> in this method is still holding onto the object while we're in the context of the methods stack. as soon as we leave that stack and the RefPtr goes away, the object then becomes deallocated 1015944 6 232992 enrica 2014-06-16 13:32:24 -0700 Comment on attachment 232992 patch View in context: https://bugs.webkit.org/attachment.cgi?id=232992&action=review > Source/WebCore/ChangeLog:8 > + Sometimes asking accessibilityIsIgnored() will cause a newObject to be deallocated. It will Please fix the ChangeLog to use detached. 1015968 7 cfleizach 2014-06-16 14:44:51 -0700 http://trac.webkit.org/changeset/170028 232992 2014-06-12 14:54:38 -0700 2014-06-16 13:32:24 -0700 patch patch text/plain 2534 cfleizach SW5kZXg6IFNvdXJjZS9XZWJDb3JlL0NoYW5nZUxvZwo9PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09Ci0tLSBTb3VyY2UvV2Vi Q29yZS9DaGFuZ2VMb2cJKHJldmlzaW9uIDE2OTkxMikKKysrIFNvdXJjZS9XZWJDb3JlL0NoYW5n ZUxvZwkod29ya2luZyBjb3B5KQpAQCAtMSwzICsxLDIyIEBACisyMDE0LTA2LTEyICBDaHJpcyBG bGVpemFjaCAgPGNmbGVpemFjaEBhcHBsZS5jb20+CisKKyAgICAgICAgQVg6IFNhZmFyaSBjcmFz aGVkIG9uY2UgaW4gV2ViQ29yZTo6QWNjZXNzaWJpbGl0eU9iamVjdDo6YXJpYUlzSGlkZGVuCisg ICAgICAgIGh0dHBzOi8vYnVncy53ZWJraXQub3JnL3Nob3dfYnVnLmNnaT9pZD0xMzM4MjUKKwor ICAgICAgICBSZXZpZXdlZCBieSBOT0JPRFkgKE9PUFMhKS4KKworICAgICAgICBTb21ldGltZXMg YXNraW5nIGFjY2Vzc2liaWxpdHlJc0lnbm9yZWQoKSB3aWxsIGNhdXNlIGEgbmV3T2JqZWN0IHRv IGJlIGRlYWxsb2NhdGVkLiBJdCB3aWxsCisgICAgICAgIHRoZW4gYmUgZGVhZCBiZWZvcmUgaXQn cyBldmVuIHJldHVybmVkIGZyb20gZ2V0T3JDcmVhdGUuCisKKyAgICAgICAgV2l0aCB0aGF0IG91 dCBvZiB0aGUgd2F5LCBJIHNhdyB0aGUgc2FtZSBiYWNrdHJhY2UgbGVhZCB0byB1cGRhdGVMYXlv dXRJZ25vcmVQZW5kaW5nU3R5bGVzaGVldHMgYmVpbmcgY2FsbGVkIHdoaWxlIHN0aWxsIGluTGF5 b3V0LgorCisgICAgICAgIEkgdHJpZWQgbXkgYmVzdCBidXQgY291bGQgbm90IGNyZWF0ZSBhIHJl cHJvZHVjaWJsZSBsYXlvdXQgdGVzdC4KKworICAgICAgICAqIGFjY2Vzc2liaWxpdHkvQVhPYmpl Y3RDYWNoZS5jcHA6CisgICAgICAgIChXZWJDb3JlOjpBWE9iamVjdENhY2hlOjpnZXRPckNyZWF0 ZSk6CisgICAgICAgICogYWNjZXNzaWJpbGl0eS9BY2Nlc3NpYmlsaXR5T2JqZWN0LmNwcDoKKyAg ICAgICAgKFdlYkNvcmU6OkFjY2Vzc2liaWxpdHlPYmplY3Q6OnVwZGF0ZUJhY2tpbmdTdG9yZSk6 CisKIDIwMTQtMDYtMTIgIEFuZGVycyBDYXJsc3NvbiAgPGFuZGVyc2NhQGFwcGxlLmNvbT4KIAog ICAgICAgICBBZGQgYSBzcGFjZSBhZnRlciB0aGUgY29tbWEuCkluZGV4OiBTb3VyY2UvV2ViQ29y ZS9hY2Nlc3NpYmlsaXR5L0FYT2JqZWN0Q2FjaGUuY3BwCj09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT0KLS0tIFNvdXJjZS9X ZWJDb3JlL2FjY2Vzc2liaWxpdHkvQVhPYmplY3RDYWNoZS5jcHAJKHJldmlzaW9uIDE2OTc0NykK KysrIFNvdXJjZS9XZWJDb3JlL2FjY2Vzc2liaWxpdHkvQVhPYmplY3RDYWNoZS5jcHAJKHdvcmtp bmcgY29weSkKQEAgLTQyNyw3ICs0MjcsMTEgQEAKICAgICBuZXdPYmotPmluaXQoKTsKICAgICBh dHRhY2hXcmFwcGVyKG5ld09iai5nZXQoKSk7CiAgICAgbmV3T2JqLT5zZXRMYXN0S25vd25Jc0ln bm9yZWRWYWx1ZShuZXdPYmotPmFjY2Vzc2liaWxpdHlJc0lnbm9yZWQoKSk7Ci0KKyAgICAvLyBT b21ldGltZXMgYXNraW5nIGFjY2Vzc2liaWxpdHlJc0lnbm9yZWQoKSB3aWxsIGNhdXNlIHRoZSBu ZXdPYmplY3QgdG8gYmUgZGVhbGxvY2F0ZWQsIGFuZCB0aGVuCisgICAgLy8gaXQgd2lsbCBkaXNh cHBlYXIgd2hlbiB0aGlzIGZ1bmN0aW9uIGlzIGZpbmlzaGVkLCBsZWFkaW5nIHRvIGEgdXNlLWFm dGVyLWZyZWUuCisgICAgaWYgKG5ld09iai0+aXNEZXRhY2hlZCgpKQorICAgICAgICByZXR1cm4g bnVsbHB0cjsKKyAgICAKICAgICByZXR1cm4gbmV3T2JqLmdldCgpOwogfQogICAgIApJbmRleDog U291cmNlL1dlYkNvcmUvYWNjZXNzaWJpbGl0eS9BY2Nlc3NpYmlsaXR5T2JqZWN0LmNwcAo9PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09Ci0tLSBTb3VyY2UvV2ViQ29yZS9hY2Nlc3NpYmlsaXR5L0FjY2Vzc2liaWxpdHlPYmpl Y3QuY3BwCShyZXZpc2lvbiAxNjk3NDcpCisrKyBTb3VyY2UvV2ViQ29yZS9hY2Nlc3NpYmlsaXR5 L0FjY2Vzc2liaWxpdHlPYmplY3QuY3BwCSh3b3JraW5nIGNvcHkpCkBAIC0xNDI5LDggKzE0Mjks MTAgQEAKIHZvaWQgQWNjZXNzaWJpbGl0eU9iamVjdDo6dXBkYXRlQmFja2luZ1N0b3JlKCkKIHsK ICAgICAvLyBVcGRhdGluZyB0aGUgbGF5b3V0IG1heSBkZWxldGUgdGhpcyBvYmplY3QuCi0gICAg aWYgKERvY3VtZW50KiBkb2N1bWVudCA9IHRoaXMtPmRvY3VtZW50KCkpCi0gICAgICAgIGRvY3Vt ZW50LT51cGRhdGVMYXlvdXRJZ25vcmVQZW5kaW5nU3R5bGVzaGVldHMoKTsKKyAgICBpZiAoRG9j dW1lbnQqIGRvY3VtZW50ID0gdGhpcy0+ZG9jdW1lbnQoKSkgeworICAgICAgICBpZiAoIWRvY3Vt ZW50LT52aWV3KCktPmlzSW5MYXlvdXQoKSkKKyAgICAgICAgICAgIGRvY3VtZW50LT51cGRhdGVM YXlvdXRJZ25vcmVQZW5kaW5nU3R5bGVzaGVldHMoKTsKKyAgICB9CiAgICAgCiAgICAgdXBkYXRl Q2hpbGRyZW5JZk5lY2Vzc2FyeSgpOwogfQo=