159330 2016-06-30 21:30:16 -0700 Possible null Range dereference under AXObjectCache::visiblePositionFromCharacterOffset() 2016-07-01 16:25:37 -0700 1 1 1 Unclassified WebKit Accessibility WebKit Nightly Build Unspecified Unspecified RESOLVED FIXED InRadar P2 Normal --- 158138 1 cdumez cdumez aboxhall apinheiro cfleizach commit-queue dmazzoni enrica jcraig jdiggs mario n_wang rniwa samuel_white webkit-bug-importer oldest_to_newest 1206987 0 cdumez 2016-06-30 21:30:16 -0700 Possible null Range dereference under AXObjectCache::visiblePositionFromCharacterOffset(): Exception Type: EXC_BAD_ACCESS (SIGSEGV) Exception Codes: KERN_INVALID_ADDRESS at 0x0000000000000018 Exception Note: EXC_CORPSE_NOTIFY VM Regions Near 0x18: --> __TEXT 0000000107708000-000000010770a000 [ 8K] r-x/rwx SM=COW /System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent Application Specific Information: Bundle controller class: BrowserBundleController Thread 0 Crashed ↩:: Dispatch queue: com.apple.main-thread 0 com.apple.WebCore 0x00007fffa724d981 WebCore::Range::startPosition() const + 17 1 com.apple.WebCore 0x00007fffa7385695 WebCore::AXObjectCache::visiblePositionFromCharacterOffset(WebCore::CharacterOffset const&) + 53 2 com.apple.WebCore 0x00007fffa738553c WebCore::AXObjectCache::setTextMarkerDataWithCharacterOffset(WebCore::TextMarkerData&, WebCore::CharacterOffset const&) + 140 3 com.apple.WebCore 0x00007fffa7385f63 WebCore::AXObjectCache::startOrEndTextMarkerDataForRange(WebCore::TextMarkerData&, WTF::RefPtr<WebCore::Range>, bool) + 147 4 com.apple.WebCore 0x00007fffa810f1e0 startOrEndTextmarkerForRange(WebCore::AXObjectCache*, WTF::RefPtr<WebCore::Range>, bool) + 48 5 com.apple.WebCore 0x00007fffa810efca -[WebAccessibilityObjectWrapper textMarkerRangeFromRange:] + 154 6 com.apple.WebCore 0x00007fffa811f5d2 -[WebAccessibilityObjectWrapper accessibilityAttributeValue:forParameter:] + 5794 7 com.apple.AppKit 0x00007fff9ead94cb ___NSAccessibilityEntryPointValueForAttributeWithParameter_block_invoke.824 + 416 1206988 1 webkit-bug-importer 2016-06-30 21:30:45 -0700 <rdar://problem/27123752> 1206989 2 282511 cdumez 2016-06-30 21:34:14 -0700 Created attachment 282511 Patch 1206998 3 282511 benjamin 2016-06-30 23:21:45 -0700 Comment on attachment 282511 Patch View in context: https://bugs.webkit.org/attachment.cgi?id=282511&action=review Can you please try to write a test before landing? > Source/WebCore/accessibility/AXObjectCache.cpp:1961 > + auto range = rangeForUnorderedCharacterOffsets(characterOffset, characterOffset); Honestly, this auto is making this code worse. I would prefer if you used the type. 1207270 4 cdumez 2016-07-01 14:14:51 -0700 + cfleizach / n_wang in case they know how to write a test for this as I have no idea. 1207292 5 cfleizach 2016-07-01 15:09:27 -0700 (In reply to comment #4) > + cfleizach / n_wang in case they know how to write a test for this as I > have no idea. There are some existing text marker range tests. My guess is you could make some invalid text marker ranges and pass into the api that calls into this method to recreate 1207324 6 cdumez 2016-07-01 16:06:27 -0700 (In reply to comment #5) > (In reply to comment #4) > > + cfleizach / n_wang in case they know how to write a test for this as I > > have no idea. > > There are some existing text marker range tests. My guess is you could make > some invalid text marker ranges and pass into the api that calls into this > method to recreate OK, it looks like I have a test, thanks. 1207325 7 cdumez 2016-07-01 16:11:47 -0700 (In reply to comment #6) > (In reply to comment #5) > > (In reply to comment #4) > > > + cfleizach / n_wang in case they know how to write a test for this as I > > > have no idea. > > > > There are some existing text marker range tests. My guess is you could make > > some invalid text marker ranges and pass into the api that calls into this > > method to recreate > > OK, it looks like I have a test, thanks. Actually no, the crash was in WKTR code. 1207335 8 282511 cdumez 2016-07-01 16:25:31 -0700 Comment on attachment 282511 Patch Clearing flags on attachment: 282511 Committed r202762: <http://trac.webkit.org/changeset/202762> 1207336 9 cdumez 2016-07-01 16:25:37 -0700 All reviewed patches have been landed. Closing bug. 282511 2016-06-30 21:34:14 -0700 2016-07-01 16:25:31 -0700 Patch bug-159330-20160630213352.patch text/plain 1906 cdumez U3VidmVyc2lvbiBSZXZpc2lvbjogMjAyNzIzCmRpZmYgLS1naXQgYS9Tb3VyY2UvV2ViQ29yZS9D aGFuZ2VMb2cgYi9Tb3VyY2UvV2ViQ29yZS9DaGFuZ2VMb2cKaW5kZXggODM3MjJjZjE1ZWRhNjIy MWUwYjBmMmFmNDg1NDc3ZGQyNTM4NzEyOC4uNGYwZGVjOGRhZTZiYWY1NmNjZTA2N2MyOGU5MDFk OGMzY2ZhYzFkZCAxMDA2NDQKLS0tIGEvU291cmNlL1dlYkNvcmUvQ2hhbmdlTG9nCisrKyBiL1Nv dXJjZS9XZWJDb3JlL0NoYW5nZUxvZwpAQCAtMSwzICsxLDE3IEBACisyMDE2LTA2LTMwICBDaHJp cyBEdW1leiAgPGNkdW1lekBhcHBsZS5jb20+CisKKyAgICAgICAgUG9zc2libGUgbnVsbCBSYW5n ZSBkZXJlZmVyZW5jZSB1bmRlciBBWE9iamVjdENhY2hlOjp2aXNpYmxlUG9zaXRpb25Gcm9tQ2hh cmFjdGVyT2Zmc2V0KCkKKyAgICAgICAgaHR0cHM6Ly9idWdzLndlYmtpdC5vcmcvc2hvd19idWcu Y2dpP2lkPTE1OTMzMAorICAgICAgICA8cmRhcjovL3Byb2JsZW0vMjcxMjM3NTI+CisKKyAgICAg ICAgUmV2aWV3ZWQgYnkgTk9CT0RZIChPT1BTISkuCisKKyAgICAgICAgcmFuZ2VGb3JVbm9yZGVy ZWRDaGFyYWN0ZXJPZmZzZXRzKCkgY2FuIHJldHVybiBhIG51bGwgUmFuZ2UgYnV0IHdlIGZhaWxl ZAorICAgICAgICB0byBkbyBhIG51bGwgY2hlY2sgYmVmb3JlIGRlcmVmZXJlbmNpbmcgaXQuCisK KyAgICAgICAgKiBhY2Nlc3NpYmlsaXR5L0FYT2JqZWN0Q2FjaGUuY3BwOgorICAgICAgICAoV2Vi Q29yZTo6QVhPYmplY3RDYWNoZTo6dmlzaWJsZVBvc2l0aW9uRnJvbUNoYXJhY3Rlck9mZnNldCk6 CisKIDIwMTYtMDYtMzAgIEppZXdlbiBUYW4gIDxqaWV3ZW5fdGFuQGFwcGxlLmNvbT4KIAogICAg ICAgICBDcmVhdGUgYSBnZW5lcmljICJsaW5rZWQtb24tb3ItYWZ0ZXIiIGNoZWNrIGZvciBuZXcg Q1NQIFJ1bGVzCmRpZmYgLS1naXQgYS9Tb3VyY2UvV2ViQ29yZS9hY2Nlc3NpYmlsaXR5L0FYT2Jq ZWN0Q2FjaGUuY3BwIGIvU291cmNlL1dlYkNvcmUvYWNjZXNzaWJpbGl0eS9BWE9iamVjdENhY2hl LmNwcAppbmRleCAzYTI1MjhjNTE3NGQ5OGU5MWEwYTRhY2Q5MjMzZDU4Y2M1NmU3MmMwLi5kNzFm ZmQ4Nzc5YzNhZWY3N2M4MzcxMDk3ZTBjNWQ1ODdhYjYxODViIDEwMDY0NAotLS0gYS9Tb3VyY2Uv V2ViQ29yZS9hY2Nlc3NpYmlsaXR5L0FYT2JqZWN0Q2FjaGUuY3BwCisrKyBiL1NvdXJjZS9XZWJD b3JlL2FjY2Vzc2liaWxpdHkvQVhPYmplY3RDYWNoZS5jcHAKQEAgLTE5NTgsOCArMTk1OCw4IEBA IFZpc2libGVQb3NpdGlvbiBBWE9iamVjdENhY2hlOjp2aXNpYmxlUG9zaXRpb25Gcm9tQ2hhcmFj dGVyT2Zmc2V0KGNvbnN0IENoYXJhY3RlCiAgICAgCiAgICAgLy8gQ3JlYXRlIGEgY29sbGFwc2Vk IHJhbmdlIGFuZCB1c2UgdGhhdCB0byBmb3JtIGEgVmlzaWJsZVBvc2l0aW9uLCBzbyB0aGF0IHRo ZSBjYXNlIHdpdGgKICAgICAvLyBjb21wb3NlZCBjaGFyYWN0ZXJzIHdpbGwgYmUgY292ZXJlZC4K LSAgICBSZWZQdHI8UmFuZ2U+IHJhbmdlID0gcmFuZ2VGb3JVbm9yZGVyZWRDaGFyYWN0ZXJPZmZz ZXRzKGNoYXJhY3Rlck9mZnNldCwgY2hhcmFjdGVyT2Zmc2V0KTsKLSAgICByZXR1cm4gVmlzaWJs ZVBvc2l0aW9uKHJhbmdlLT5zdGFydFBvc2l0aW9uKCkpOworICAgIGF1dG8gcmFuZ2UgPSByYW5n ZUZvclVub3JkZXJlZENoYXJhY3Rlck9mZnNldHMoY2hhcmFjdGVyT2Zmc2V0LCBjaGFyYWN0ZXJP ZmZzZXQpOworICAgIHJldHVybiByYW5nZSA/IFZpc2libGVQb3NpdGlvbihyYW5nZS0+c3RhcnRQ b3NpdGlvbigpKSA6IFZpc2libGVQb3NpdGlvbigpOwogfQogCiBDaGFyYWN0ZXJPZmZzZXQgQVhP YmplY3RDYWNoZTo6Y2hhcmFjdGVyT2Zmc2V0RnJvbVZpc2libGVQb3NpdGlvbihjb25zdCBWaXNp YmxlUG9zaXRpb24mIHZpc2libGVQb3MpCg==