Bug 143188

Summary: AX: WebKitWebProcess crashes in a11y code for some websites
Product: WebKit Reporter: Debarshi Ray <rishi.is>
Component: AccessibilityAssignee: Nobody <webkit-unassigned>
Status: RESOLVED FIXED    
Severity: Normal CC: ahmad.saleem792, andresg_22, bugs-noreply, cfleizach, mcatanzaro, tyler_w, webkit-bug-importer
Priority: P2 Keywords: InRadar
Version: 528+ (Nightly build)   
Hardware: All   
OS: All   

Description Debarshi Ray 2015-03-28 17:27:49 PDT 
I have been seeing this particular crash with some web sites. Here is an example:
1) Go to https://twitter.com/marinaz
2) Find this tweet: "Asked @lwnnet to make its site a safe space for reading news about Linux ..."
3) Ctrl+click the LWN link and you will see the WebKitWebProcess for the new tab crash

Core was generated by `/usr/libexec/webkit2gtk-4.0/WebKitWebProcess 22'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0  WebCore::AccessibilityMenuList::isCollapsed (this=0x7f712d9c09a0)
    at /usr/src/debug/webkitgtk-2.6.5/Source/WebCore/accessibility/AccessibilityMenuList.cpp:92
92	    return !static_cast<RenderMenuList*>(m_renderer)->popupIsVisible();
(gdb) bt
#0  WebCore::AccessibilityMenuList::isCollapsed (this=0x7f712d9c09a0)
    at /usr/src/debug/webkitgtk-2.6.5/Source/WebCore/accessibility/AccessibilityMenuList.cpp:92
#1  0x00007f719e3fee4d in notifyChildrenSelectionChange (object=0x7f712d9c09a0)
    at /usr/src/debug/webkitgtk-2.6.5/Source/WebCore/accessibility/atk/AXObjectCacheAtk.cpp:180
#2  WebCore::AXObjectCache::postPlatformNotification (
    this=this@entry=0x7f713c116e00, 
    coreObject=coreObject@entry=0x7f712d9c09a0, 
    notification=notification@entry=(anonymous namespace)::AXObjectCache::AXMenuListValueChanged)
    at /usr/src/debug/webkitgtk-2.6.5/Source/WebCore/accessibility/atk/AXObjectCacheAtk.cpp:211
#3  0x00007f719d854b96 in WebCore::AXObjectCache::postNotification (
    this=this@entry=0x7f713c116e00, object=object@entry=0x7f712d9c09a0, 
    document=document@entry=0x7f719f4c6700, 
    notification=notification@entry=(anonymous namespace)::AXObjectCache::AXMenuListValueChanged, 
    postTarget=postTarget@entry=(anonymous namespace)::TargetElement, 
    postType=postType@entry=(anonymous namespace)::PostSynchronously)
    at /usr/src/debug/webkitgtk-2.6.5/Source/WebCore/accessibility/AXObjectCache.cpp:807
#4  0x00007f719d860220 in WebCore::AccessibilityMenuList::didUpdateActiveOption
    (this=0x7f712d9c09a0, optionIndex=1)
    at /usr/src/debug/webkitgtk-2.6.5/Source/WebCore/accessibility/AccessibilityMenuList.cpp:130
#5  0x00007f719e11ec5d in WebCore::RenderMenuList::setTextFromOption (
    this=0x7f71074d55a0, optionIndex=1)
    at /usr/src/debug/webkitgtk-2.6.5/Source/WebCore/rendering/RenderMenuList.cpp:288
#6  0x00007f719dc2f168 in WebCore::HTMLSelectElement::selectOption (
    this=0x7f710693a000, optionIndex=<optimized out>, flags=0)
    at /usr/src/debug/webkitgtk-2.6.5/Source/WebCore/html/HTMLSelectElement.cpp:893

#7  0x00007f719c0e5f9e in JSC::JSObject::put (cell=0x7f7106fa40b0, 
    exec=0x7ffee3cb0130, propertyName=..., value=..., slot=...)
    at /usr/src/debug/webkitgtk-2.6.5/Source/JavaScriptCore/runtime/JSObject.cpp:383
#8  0x00007f719be506a8 in operationPutByValInternal<false, false> (
    encodedValue=7, encodedProperty=<optimized out>, 
    encodedBase=140123425095856, exec=0x7ffee3cb0130)
    at /usr/src/debug/webkitgtk-2.6.5/Source/JavaScriptCore/dfg/DFGOperations.cpp:130
#9  JSC::DFG::operationPutByValNonStrict (exec=0x7ffee3cb0130, 
    encodedBase=140123425095856, encodedProperty=<optimized out>, 
    encodedValue=7)
    at /usr/src/debug/webkitgtk-2.6.5/Source/JavaScriptCore/dfg/DFGOperations.cpp:383
#10 0x00007f713d5f2938 in ?? ()
#11 0x0000000000000000 in ?? ()
(gdb)

I have:
webkitgtk4-2.6.5-1.fc21.x86_64
epiphany-3.14.2-4.fc21.x86_64
Comment 1 Debarshi Ray 2015-03-28 17:34:58 PDT 
I also had gtk+, atk, glib-networking, gvfs and glib built from their respection GNOME 3.16 branches. Reverting those back to their GNOME 3.14 versions seem to have stopped the crashes.
Comment 2 Ahmad Saleem 2022-11-15 14:25:04 PST 
It is something which was detected by fuzzer in Chrome / Blink and fixed in this commit:

Link - https://src.chromium.org/viewvc/blink?view=revision&revision=194543

https://github.com/WebKit/WebKit/blob/d5220e254917f82a86e5d6235224f82a03d25acb/Source/WebCore/accessibility/AccessibilityMenuList.cpp#L45

Adding

if(!renderer)
return false;

https://github.com/WebKit/WebKit/blob/d5220e254917f82a86e5d6235224f82a03d25acb/Source/WebCore/accessibility/AccessibilityMenuList.cpp#L89

Adding

if (!renderer)
return true;

It fixed crashes in - AccessibilityMenuList::isCollapsed
Comment 3 Radar WebKit Bug Importer 2022-11-16 07:29:05 PST 
<rdar://problem/102419394>
Comment 4 Tyler Wilcock 2022-11-16 13:59:28 PST 
(In reply to Ahmad Saleem from comment #2)
> It is something which was detected by fuzzer in Chrome / Blink and fixed in
> this commit:
> 
> Link - https://src.chromium.org/viewvc/blink?view=revision&revision=194543
> 
> https://github.com/WebKit/WebKit/blob/
> d5220e254917f82a86e5d6235224f82a03d25acb/Source/WebCore/accessibility/
> AccessibilityMenuList.cpp#L45
> 
> Adding
> 
> if(!renderer)
> return false;
> 
> https://github.com/WebKit/WebKit/blob/
> d5220e254917f82a86e5d6235224f82a03d25acb/Source/WebCore/accessibility/
> AccessibilityMenuList.cpp#L89
> 
> Adding
> 
> if (!renderer)
> return true;
> 
> It fixed crashes in - AccessibilityMenuList::isCollapsed
Both of your suggested changes sound good to me. Would you be interested in submitting a patch for them?

Also, were you able to reproduce this crash? Your comment implies so, but want to confirm.
Comment 5 Ahmad Saleem 2022-11-16 14:01:21 PST 
(In reply to Tyler Wilcock from comment #4)
> (In reply to Ahmad Saleem from comment #2)
> > It is something which was detected by fuzzer in Chrome / Blink and fixed in
> > this commit:
> > 
> > Link - https://src.chromium.org/viewvc/blink?view=revision&revision=194543
> > 
> > https://github.com/WebKit/WebKit/blob/
> > d5220e254917f82a86e5d6235224f82a03d25acb/Source/WebCore/accessibility/
> > AccessibilityMenuList.cpp#L45
> > 
> > Adding
> > 
> > if(!renderer)
> > return false;
> > 
> > https://github.com/WebKit/WebKit/blob/
> > d5220e254917f82a86e5d6235224f82a03d25acb/Source/WebCore/accessibility/
> > AccessibilityMenuList.cpp#L89
> > 
> > Adding
> > 
> > if (!renderer)
> > return true;
> > 
> > It fixed crashes in - AccessibilityMenuList::isCollapsed
> Both of your suggested changes sound good to me. Would you be interested in
> submitting a patch for them?
> 
> Also, were you able to reproduce this crash? Your comment implies so, but
> want to confirm.

Nah! I didn't checked or tried to reproduce, I was just looking through some bugs and came across fix for it. I just thought to post, I am happy to do PR.
Comment 6 EWS 2022-11-17 17:35:11 PST 
Committed 256814@main (c441a937ca2a): <https://commits.webkit.org/256814@main>

Reviewed commits have been landed. Closing PR #6569 and removing active labels.