138905 2014-11-19 18:13:53 -0800 AX: com.apple.WebKit.WebContent crashed at WebCore: WebCore::AccessibilityRenderObject::computeAccessibilityIsIgnored const 2014-11-21 16:11:46 -0800 1 1 1 Unclassified WebKit Accessibility 528+ (Nightly build) All All RESOLVED FIXED InRadar P2 Normal --- 1 cfleizach cfleizach aboxhall apinheiro commit-queue dmazzoni jcraig jdiggs mario samuel_white webkit-bug-importer oldest_to_newest 1050028 0 cfleizach 2014-11-19 18:13:53 -0800 Exception Type: EXC_BAD_ACCESS (SIGSEGV) Exception Subtype: KERN_INVALID_ADDRESS at 0x00000008 Triggered by Thread: 0 Filtered syslog: None found Thread 0 name: Dispatch queue: com.apple.main-thread Thread 0 Crashed: 0 WebCore 0x33714618 WebCore::AccessibilityRenderObject::computeAccessibilityIsIgnored() const + 180 (RenderObject.h:160) 1 WebCore 0x337061e8 WebCore::AccessibilityObject::accessibilityIsIgnored() const + 212 (AccessibilityObject.cpp:2517) 2 WebCore 0x33703c40 WebCore::AXObjectCache::getOrCreate(WebCore::RenderObject*) + 1364 (AXObjectCache.cpp:435) 3 WebCore 0x33711f70 WebCore::AccessibilityObject::isARIAHidden() const + 188 (AccessibilityObject.cpp:2468) 4 WebCore 0x337144da WebCore::AccessibilityRenderObject::defaultObjectInclusion() const + 94 (AccessibilityObject.cpp:2489) 5 WebCore 0x33714578 WebCore::AccessibilityRenderObject::computeAccessibilityIsIgnored() const + 20 (AccessibilityRenderObject.cpp:1169) 6 WebCore 0x337061e8 WebCore::AccessibilityObject::accessibilityIsIgnored() const + 212 (AccessibilityObject.cpp:2517) 7 WebCore 0x33703c40 WebCore::AXObjectCache::getOrCreate(WebCore::RenderObject*) + 1364 (AXObjectCache.cpp:435) 8 WebCore 0x33711f70 WebCore::AccessibilityObject::isARIAHidden() const + 188 (AccessibilityObject.cpp:2468) 9 WebCore 0x337144da WebCore::AccessibilityRenderObject::defaultObjectInclusion() const + 94 (AccessibilityObject.cpp:2489) 10 WebCore 0x33714578 WebCore::AccessibilityRenderObject::computeAccessibilityIsIgnored() const + 20 (AccessibilityRenderObject.cpp:1169) 11 WebCore 0x337061e8 WebCore::AccessibilityObject::accessibilityIsIgnored() const + 212 (AccessibilityObject.cpp:2517) 12 WebCore 0x33703c40 WebCore::AXObjectCache::getOrCreate(WebCore::RenderObject*) + 1364 (AXObjectCache.cpp:435) 13 WebCore 0x33711f70 WebCore::AccessibilityObject::isARIAHidden() const + 188 (AccessibilityObject.cpp:2468) 14 WebCore 0x337144da WebCore::AccessibilityRenderObject::defaultObjectInclusion() const + 94 (AccessibilityObject.cpp:2489) 15 WebCore 0x33714578 WebCore::AccessibilityRenderObject::computeAccessibilityIsIgnored() const + 20 (AccessibilityRenderObject.cpp:1169) 16 WebCore 0x337061e8 WebCore::AccessibilityObject::accessibilityIsIgnored() const + 212 (AccessibilityObject.cpp:2517) 17 WebCore 0x33703c40 WebCore::AXObjectCache::getOrCreate(WebCore::RenderObject*) + 1364 (AXObjectCache.cpp:435) 18 WebCore 0x33704432 WebCore::AXObjectCache::textChanged(WebCore::RenderObject*) + 6 (AXObjectCache.cpp:625) 19 WebCore 0x33e1f1ea WebCore::RenderText::setText(WTF::String const&, bool) + 274 (RenderText.cpp:1109) 20 WebCore 0x3360bc50 WebCore::RenderMenuList::setText(WTF::String const&) + 76 (RenderMenuList.cpp:296) 21 WebCore 0x3360bae0 WebCore::RenderMenuList::setTextFromOption(int) + 376 (RenderMenuList.cpp:287) 22 WebCore 0x3360ca88 WebCore::HTMLSelectElement::selectOption(int, unsigned int) + 360 (HTMLSelectElement.cpp:894) 23 WebCore 0x33b55618 WebCore::setJSHTMLSelectElementSelectedIndex(JSC::ExecState*, JSC::JSObject*, long long, long long) + 260 (JSHTMLSelectElement.cpp:723) 24 JavaScriptCore 0x28170b3a JSC::callCustomSetter(JSC::ExecState*, JSC::JSValue, JSC::JSObject*, JSC::JSValue, JSC::JSValue) + 34 (CustomGetterSetter.cpp:44) 25 JavaScriptCore 0x28009622 JSC::JSObject::put(JSC::JSCell*, JSC::ExecState*, JSC::PropertyName, JSC::JSValue, JSC::PutPropertySlot&) + 682 (JSObject.cpp:383) 26 WebCore 0x336af89c WebCore::JSHTMLSelectElement::put(JSC::JSCell*, JSC::ExecState*, JSC::PropertyName, JSC::JSValue, JSC::PutPropertySlot&) + 64 <rdar://problem/19036181> 1050064 1 241928 cfleizach 2014-11-20 00:15:11 -0800 Created attachment 241928 patch 1050105 2 241928 mario 2014-11-20 03:01:42 -0800 Comment on attachment 241928 patch View in context: https://bugs.webkit.org/attachment.cgi?id=241928&action=review > Source/WebCore/accessibility/AccessibilityRenderObject.cpp:1197 > + if (m_renderer && ancestorsOfType<RenderMenuList>(*m_renderer).first()) You early returned on !m_renderer, so I don't think you need this extra check, unless any of the previous calls cause any side effect on the renderer (which should not be the case) 1050480 3 cfleizach 2014-11-21 09:29:07 -0800 (In reply to comment #2) > Comment on attachment 241928 [details] > patch > > View in context: > https://bugs.webkit.org/attachment.cgi?id=241928&action=review > > > Source/WebCore/accessibility/AccessibilityRenderObject.cpp:1197 > > + if (m_renderer && ancestorsOfType<RenderMenuList>(*m_renderer).first()) > > You early returned on !m_renderer, so I don't think you need this extra > check, unless any of the previous calls cause any side effect on the > renderer (which should not be the case) I think there is a chance that m_renderer may be set to nil by something else in the method (descendantOfBarrenChildren())? It's possible that going up the render tree is causing that. I don't have any evidence of that and I've never seen it happen, but the crash report leaves open that interpretation. do you think we should keep both checks just in case? 1050490 4 241928 mario 2014-11-21 10:39:18 -0800 Comment on attachment 241928 patch View in context: https://bugs.webkit.org/attachment.cgi?id=241928&action=review >>> Source/WebCore/accessibility/AccessibilityRenderObject.cpp:1197 >>> + if (m_renderer && ancestorsOfType<RenderMenuList>(*m_renderer).first()) >> >> You early returned on !m_renderer, so I don't think you need this extra check, unless any of the previous calls cause any side effect on the renderer (which should not be the case) > > I think there is a chance that m_renderer may be set to nil by something else in the method (descendantOfBarrenChildren())? It's possible that going up the render tree is causing that. I don't have any evidence of that and I've never seen it happen, but the crash report leaves open that interpretation. > > do you think we should keep both checks just in case? I guess that the "fearful me" agree on that it would perhaps be worth leaving the two checks, just in case. Anyway, as this is an speculative fix, either option (to leave both checks or only one) will be a gamble, so I think I lean more towards the safest one. 1050630 5 241928 commit-queue 2014-11-21 16:11:39 -0800 Comment on attachment 241928 patch Clearing flags on attachment: 241928 Committed r176484: <http://trac.webkit.org/changeset/176484> 1050631 6 commit-queue 2014-11-21 16:11:46 -0800 All reviewed patches have been landed. Closing bug. 241928 2014-11-20 00:15:11 -0800 2014-11-21 16:11:39 -0800 patch patch text/plain 2002 cfleizach SW5kZXg6IFNvdXJjZS9XZWJDb3JlL0NoYW5nZUxvZwo9PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09Ci0tLSBTb3VyY2UvV2Vi Q29yZS9DaGFuZ2VMb2cJKHJldmlzaW9uIDE3NjM4MykKKysrIFNvdXJjZS9XZWJDb3JlL0NoYW5n ZUxvZwkod29ya2luZyBjb3B5KQpAQCAtMSwzICsxLDE4IEBACisyMDE0LTExLTIwICBDaHJpcyBG bGVpemFjaCAgPGNmbGVpemFjaEBhcHBsZS5jb20+CisKKyAgICAgICAgQVg6IGNvbS5hcHBsZS5X ZWJLaXQuV2ViQ29udGVudCBjcmFzaGVkIGF0IFdlYkNvcmU6IFdlYkNvcmU6OkFjY2Vzc2liaWxp dHlSZW5kZXJPYmplY3Q6OmNvbXB1dGVBY2Nlc3NpYmlsaXR5SXNJZ25vcmVkIGNvbnN0CisgICAg ICAgIGh0dHBzOi8vYnVncy53ZWJraXQub3JnL3Nob3dfYnVnLmNnaT9pZD0xMzg5MDUKKworICAg ICAgICBSZXZpZXdlZCBieSBOT0JPRFkgKE9PUFMhKS4KKworICAgICAgICBUaGUgY3Jhc2ggbG9n IGluZGljYXRlcyB0aGF0IG1fcmVuZGVyZXIgaXMgbnVsbCBhdCB0aGUgdGltZSB3ZSBhc2sgYW5j ZXN0b3JzT2ZUeXBlKCkuIAorICAgICAgICBUaGlzIGlzIG1vcmUgb2YgYSBzcGVjdWxhdGl2ZSBm aXgsIHNpbmNlIEkgYW0gbm90IGVudGlyZWx5IHN1cmUgbV9yZW5kZXJlciBpcyBudWxsIHdoZW4g d2UgZW50ZXIgdGhlIG1ldGhvZC4KKworICAgICAgICBVbmFibGUgdG8gZGV0ZXJtaW5lIGNhdXNl IG9mIGNyYXNoIG9yIGhvdyB0byByZXByb2R1Y2Ugb24gZGVtYW5kLgorCisgICAgICAgICogYWNj ZXNzaWJpbGl0eS9BY2Nlc3NpYmlsaXR5UmVuZGVyT2JqZWN0LmNwcDoKKyAgICAgICAgKFdlYkNv cmU6OkFjY2Vzc2liaWxpdHlSZW5kZXJPYmplY3Q6OmNvbXB1dGVBY2Nlc3NpYmlsaXR5SXNJZ25v cmVkKToKKwogMjAxNC0xMS0xOSAgQ2hyaXMgRHVtZXogIDxjZHVtZXpAYXBwbGUuY29tPgogCiAg ICAgICAgIE1vdmUgJ2NsaXAnIENTUyBwcm9wZXJ0eSB0byB0aGUgbmV3IFN0eWxlQnVpbGRlcgpJ bmRleDogU291cmNlL1dlYkNvcmUvYWNjZXNzaWJpbGl0eS9BY2Nlc3NpYmlsaXR5UmVuZGVyT2Jq ZWN0LmNwcAo9PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09Ci0tLSBTb3VyY2UvV2ViQ29yZS9hY2Nlc3NpYmlsaXR5L0FjY2Vz c2liaWxpdHlSZW5kZXJPYmplY3QuY3BwCShyZXZpc2lvbiAxNzYwNTMpCisrKyBTb3VyY2UvV2Vi Q29yZS9hY2Nlc3NpYmlsaXR5L0FjY2Vzc2liaWxpdHlSZW5kZXJPYmplY3QuY3BwCSh3b3JraW5n IGNvcHkpCkBAIC0xMTYzLDYgKzExNjMsOSBAQAogICAgIEFTU0VSVChtX2luaXRpYWxpemVkKTsK ICNlbmRpZgogCisgICAgaWYgKCFtX3JlbmRlcmVyKQorICAgICAgICByZXR1cm4gdHJ1ZTsKKyAg ICAKICAgICAvLyBDaGVjayBmaXJzdCBpZiBhbnkgb2YgdGhlIGNvbW1vbiByZWFzb25zIGNhdXNl IHRoaXMgZWxlbWVudCB0byBiZSBpZ25vcmVkLgogICAgIC8vIFRoZW4gcHJvY2VzcyBvdGhlciB1 c2UgY2FzZXMgdGhhdCBuZWVkIHRvIGJlIGFwcGxpZWQgdG8gYWxsIHRoZSB2YXJpb3VzIHJvbGVz CiAgICAgLy8gdGhhdCBBY2Nlc3NpYmlsaXR5UmVuZGVyT2JqZWN0cyB0YWtlIG9uLgpAQCAtMTE5 MSw3ICsxMTk0LDcgQEAKICAgICAgICAgcmV0dXJuIGFjY2Vzc2liaWxpdHlJZ25vcmVBdHRhY2ht ZW50KCk7CiAgICAgCiAgICAgLy8gaWdub3JlIHBvcHVwIG1lbnUgaXRlbXMgYmVjYXVzZSBBcHBL aXQgZG9lcwotICAgIGlmIChhbmNlc3RvcnNPZlR5cGU8UmVuZGVyTWVudUxpc3Q+KCptX3JlbmRl cmVyKS5maXJzdCgpKQorICAgIGlmIChtX3JlbmRlcmVyICYmIGFuY2VzdG9yc09mVHlwZTxSZW5k ZXJNZW51TGlzdD4oKm1fcmVuZGVyZXIpLmZpcnN0KCkpCiAgICAgICAgIHJldHVybiB0cnVlOwog CiAgICAgLy8gZmluZCBvdXQgaWYgdGhpcyBlbGVtZW50IGlzIGluc2lkZSBvZiBhIGxhYmVsIGVs ZW1lbnQuCg==