Bug 133825

Summary:

AX: Safari crashed once in WebCore::AccessibilityObject::ariaIsHidden

Product:

WebKit

Reporter:

chris fleizach <cfleizach>

Component:

Accessibility

Assignee:

chris fleizach <cfleizach>

Status:

RESOLVED FIXED

Severity:

Normal

CC:

aboxhall, apinheiro, commit-queue, ddkilzer, dmazzoni, jcraig, jdiggs, koivisto, mario, samuel_white, simon.fraser, webkit-bug-importer

Priority:

Keywords:

InRadar

Version:

528+ (Nightly build)

Hardware:

All

OS:

All

Attachments:

Description	Flags
patch	enrica: review+

chris fleizach

Reported 2014-06-12 14:51:22 PDT

Crash log here #0 0x00000001005deee0 in WebCore::AccessibilityObject::element() const at /Code/Web/OpenSource/Source/WebCore/accessibility/AccessibilityObject.cpp:1874 #1 0x00000001005d9710 in WebCore::AccessibilityObject::getAttribute(WebCore::QualifiedName const&) const at /Code/Web/OpenSource/Source/WebCore/accessibility/AccessibilityObject.cpp:1686 #2 0x00000001005edd54 in WebCore::AccessibilityObject::isARIAHidden() const at /Code/Web/OpenSource/Source/WebCore/accessibility/AccessibilityObject.cpp:2373 #3 0x00000001005ede80 in WebCore::AccessibilityObject::defaultObjectInclusion() const at /Code/Web/OpenSource/Source/WebCore/accessibility/AccessibilityObject.cpp:2393 #4 0x00000001005f22f8 in WebCore::AccessibilityRenderObject::defaultObjectInclusion() const at /Code/Web/OpenSource/Source/WebCore/accessibility/AccessibilityRenderObject.cpp:1166 #5 0x00000001005f2370 in WebCore::AccessibilityRenderObject::computeAccessibilityIsIgnored() const at /Code/Web/OpenSource/Source/WebCore/accessibility/AccessibilityRenderObject.cpp:1178 #6 0x00000001005edfe8 in WebCore::AccessibilityObject::accessibilityIsIgnored() const at /Code/Web/OpenSource/Source/WebCore/accessibility/AccessibilityObject.cpp:2420 #7 0x00000001005d2bf0 in WebCore::AXObjectCache::notificationPostTimerFired(WebCore::Timer<WebCore::AXObjectCache>&) at /Code/Web/OpenSource/Source/WebCore/accessibility/AXObjectCache.cpp:738 #8 0x0000000100633030 in decltype(*(std::__1::forward<WebCore::AXObjectCache*&>(fp0)).*fp(std::__1::forward<WebCore::Timer<WebCore::AXObjectCache>&>(fp1))) std::__1::__invoke<void (WebCore::AXObjectCache::*&)(WebCore::Timer<WebCore::AXObjectCache>&), WebCore::AXObjectCache*&, WebCore::Timer<WebCore::AXObjectCache>&, void>(void (WebCore::AXObjectCache::*&&&)(WebCore::Timer<WebCore::AXObjectCache>&), WebCore::AXObjectCache*&&&, WebCore::Timer<WebCore::AXObjectCache>&&&) [inlined] at /Applications/Xcode.app/Contents/Developer/Toolchains/iOS8.0.xctoolchain/usr/bin/../include/c++/v1/__functional_base:380 #9 0x0000000100632fc0 in std::__1::__bind_return<void (WebCore::AXObjectCache::*)(WebCore::Timer<WebCore::AXObjectCache>&), std::__1::tuple<WebCore::AXObjectCache*, std::__1::reference_wrapper<WebCore::Timer<WebCore::AXObjectCache> > >, std::__1::tuple<>, _is_valid_bind_return<void (WebCore::AXObjectCache::*)(WebCore::Timer<WebCore::AXObjectCache>&), std::__1::tuple<WebCore::AXObjectCache*, std::__1::reference_wrapper<WebCore::Timer<WebCore::AXObjectCache> > >, std::__1::tuple<> >::value>::type std::__1::__apply_functor<void (WebCore::AXObjectCache::*)(WebCore::Timer<WebCore::AXObjectCache>&), std::__1::tuple<WebCore::AXObjectCache*, std::__1::reference_wrapper<WebCore::Timer<WebCore::AXObjectCache> > >, 0ul, 1ul, std::__1::tuple<> >(void (WebCore::AXObjectCache::*&)(WebCore::Timer<WebCore::AXObjectCache>&), std::__1::tuple<WebCore::AXObjectCache*, std::__1::reference_wrapper<WebCore::Timer<WebCore::AXObjectCache> > >&, std::__1::__tuple_indices<0ul, 1ul>, std::__1::tuple<>&&) [inlined] at /Applications/Xcode.app/Contents/Developer/Toolchains/iOS8.0.xctoolchain/usr/bin/../include/c++/v1/functional:2022 #10 0x0000000100632f78 in std::__1::__bind_return<void (WebCore::AXObjectCache::*)(WebCore::Timer<WebCore::AXObjectCache>&), std::__1::tuple<WebCore::AXObjectCache*, std::__1::reference_wrapper<WebCore::Timer<WebCore::AXObjectCache> > >, std::__1::tuple<>, _is_valid_bind_return<void (WebCore::AXObjectCache::*)(WebCore::Timer<WebCore::AXObjectCache>&), std::__1::tuple<WebCore::AXObjectCache*, std::__1::reference_wrapper<WebCore::Timer<WebCore::AXObjectCache> > >, std::__1::tuple<> >::value>::type std::__1::__bind<void (WebCore::AXObjectCache::*&)(WebCore::Timer<WebCore::AXObjectCache>&), WebCore::AXObjectCache*&, std::__1::reference_wrapper<WebCore::Timer<WebCore::AXObjectCache> > >::operator()<>() [inlined] at /Applications/Xcode.app/Contents/Developer/Toolchains/iOS8.0.xctoolchain/usr/bin/../include/c++/v1/functional:2085 #11 0x0000000100632f60 in decltype(std::__1::forward<std::__1::__bind<void (WebCore::AXObjectCache::*&)(WebCore::Timer<WebCore::AXObjectCache>&), WebCore::AXObjectCache*&, std::__1::reference_wrapper<WebCore::Timer<WebCore::AXObjectCache> > >&>(fp)(std::__1::forward<>(fp0))) std::__1::__invoke<std::__1::__bind<void (WebCore::AXObjectCache::*&)(WebCore::Timer<WebCore::AXObjectCache>&), WebCore::AXObjectCache*&, std::__1::reference_wrapper<WebCore::Timer<WebCore::AXObjectCache> > >&>(std::__1::__bind<void (WebCore::AXObjectCache::*&)(WebCore::Timer<WebCore::AXObjectCache>&), WebCore::AXObjectCache*&, std::__1::reference_wrapper<WebCore::Timer<WebCore::AXObjectCache> > >&&&) [inlined] at /Applications/Xcode.app/Contents/Developer/Toolchains/iOS8.0.xctoolchain/usr/bin/../include/c++/v1/__functional_base:413 #12 0x0000000100632f60 in std::__1::__function::__func<std::__1::__bind<void (WebCore::AXObjectCache::*&)(WebCore::Timer<WebCore::AXObjectCache>&), WebCore::AXObjectCache*&, std::__1::reference_wrapper<WebCore::Timer<WebCore::AXObjectCache> > >, std::__1::allocator<std::__1::__bind<void (WebCore::AXObjectCache::*&)(WebCore::Timer<WebCore::AXObjectCache>&), WebCore::AXObjectCache*&, std::__1::reference_wrapper<WebCore::Timer<WebCore::AXObjectCache> > > >, void ()>::operator()() at /Applications/Xcode.app/Contents/Developer/Toolchains/iOS8.0.xctoolchain/usr/bin/../include/c++/v1/functional:1370 #13 0x0000000100632230 in std::__1::function<void ()>::operator()() const at /Applications/Xcode.app/Contents/Developer/Toolchains/iOS8.0.xctoolchain/usr/bin/../include/c++/v1/functional:1755 #14 0x00000001006321ec in WebCore::Timer<WebCore::AXObjectCache>::fired() at /Code/Web/OpenSource/Source/WebCore/platform/Timer.h:133 #15 0x00000001022a1a38 in WebCore::ThreadTimers::sharedTimerFiredInternal() at /Code/Web/OpenSource/Source/WebCore/platform/ThreadTimers.cpp:132 #16 0x00000001022a1730 in WebCore::ThreadTimers::sharedTimerFired() at /Code/Web/OpenSource/Source/WebCore/platform/ThreadTimers.cpp:107 #17 0x0000000101fe8004 in WebCore::timerFired(__CFRunLoopTimer*, void*) at /Code/Web/OpenSource/Source/WebCore/platform/ios/SharedTimerIOS.mm:62

Attachments
patch (2.47 KB, patch) 2014-06-12 14:54 PDT, chris fleizach	enrica: review+	Details Formatted Diff Diff
View All Add attachment proposed patch, testcase, etc.

chris fleizach

Comment 1 2014-06-12 14:51:42 PDT

The problem looks like if you ask axIsIgnored() on a newly created object, it can actually deallocate itself

Radar WebKit Bug Importer

Comment 2 2014-06-12 14:52:05 PDT

<rdar://problem/17292966>

chris fleizach

Comment 3 2014-06-12 14:54:38 PDT

Created attachment 232992 [details] patch

Geoffrey Garen

Comment 4 2014-06-16 13:15:20 PDT

Comment on attachment 232992 [details] patch View in context: https://bugs.webkit.org/attachment.cgi?id=232992&action=review > Source/WebCore/accessibility/AXObjectCache.cpp:433 > + // Sometimes asking accessibilityIsIgnored() will cause the newObject to be deallocated, and then > + // it will disappear when this function is finished, leading to a use-after-free. > + if (newObj->isDetached()) > + return nullptr; Do you really mean deallocated, or just detached? If newObj is truly deallocated, we need to understand why our RefPtr didn't prevent that. Accessing newObj after it has been deallocated is not sound, and isDetached() might return anything if it's called on a deallocated object.

chris fleizach

Comment 5 2014-06-16 13:22:29 PDT

(In reply to comment #4) > (From update of attachment 232992 [details]) > View in context: https://bugs.webkit.org/attachment.cgi?id=232992&action=review > > > Source/WebCore/accessibility/AXObjectCache.cpp:433 > > + // Sometimes asking accessibilityIsIgnored() will cause the newObject to be deallocated, and then > > + // it will disappear when this function is finished, leading to a use-after-free. > > + if (newObj->isDetached()) > > + return nullptr; > > Do you really mean deallocated, or just detached? If newObj is truly deallocated, we need to understand why our RefPtr didn't prevent that. Accessing newObj after it has been deallocated is not sound, and isDetached() might return anything if it's called on a deallocated object. I mean detached. The RefPtr<> in this method is still holding onto the object while we're in the context of the methods stack. as soon as we leave that stack and the RefPtr goes away, the object then becomes deallocated

Enrica Casucci

Comment 6 2014-06-16 13:32:24 PDT

Comment on attachment 232992 [details] patch View in context: https://bugs.webkit.org/attachment.cgi?id=232992&action=review > Source/WebCore/ChangeLog:8 > + Sometimes asking accessibilityIsIgnored() will cause a newObject to be deallocated. It will Please fix the ChangeLog to use detached.

chris fleizach

Comment 7 2014-06-16 14:44:51 PDT

http://trac.webkit.org/changeset/170028

Note You need to log in before you can comment on or make changes to this bug.