Bug 154018

Summary:

AX: crash at WebCore::Range::selectNodeContents(WebCore::Node*, int&)

Product:

WebKit

Reporter:

Nan Wang <n_wang>

Component:

Accessibility

Assignee:

Nobody <webkit-unassigned>

Status:

RESOLVED FIXED

Severity:

Normal

CC:

aboxhall, apinheiro, cfleizach, commit-queue, dmazzoni, jcraig, jdiggs, mario, n_wang, ryanhaddad, samuel_white, webkit-bug-importer

Priority:

Keywords:

InRadar

Version:

WebKit Nightly Build

Hardware:

All

OS:

All

Attachments:

Description	Flags
patch	none
patch	cfleizach: review+
patch	commit-queue: commit-queue-
patch	none

Nan Wang

Reported 2016-02-08 16:30:15 PST

5 com.apple.WebCore 0x7fff9eb912f4 WebCore::Range::selectNodeContents(WebCore::Node*, int&) + 36 (/BuildRoot/Library/Caches/com.apple.xbs/Sources/WebCore/WebCore-7602.1.17/dom/Node.h:412) 6 com.apple.WebCore 0x7fff9ecf58eb WebCore::AXObjectCache::rangeForNodeContents(WebCore::Node*) + 75 (/BuildRoot/Library/Caches/com.apple.xbs/Sources/WebCore/WebCore-7602.1.17/accessibility/AXObjectCache.cpp:1531) 7 com.apple.WebCore 0x7fff9ecf5be8 WebCore::AXObjectCache::rangeForUnorderedCharacterOffsets(WebCore::CharacterOffset const&, WebCore::CharacterOffset const&) + 312 (/BuildRoot/Library/Caches/com.apple.xbs/Sources/WebCore/WebCore-7602.1.17/accessibility/AXObjectCache.cpp:1561) 8 com.apple.WebCore 0x7fff9fa449b1 -[WebAccessibilityObjectWrapper accessibilityAttributeValue:forParameter:] + 9249 (/BuildRoot/Library/Caches/com.apple.xbs/Sources/WebCore/WebCore-7602.1.17/accessibility/mac/WebAccessibilityObjectWrapperMac.mm:4032) Seems selectNodeContents is accessing some garbage data.

Attachments
patch (5.45 KB, patch) 2016-02-08 16:52 PST, Nan Wang	no flags	Details Formatted Diff Diff
patch (7.54 KB, patch) 2016-02-08 17:38 PST, Nan Wang	cfleizach: review+	Details Formatted Diff Diff
patch (7.47 KB, patch) 2016-02-08 17:45 PST, Nan Wang	commit-queue: commit-queue-	Details Formatted Diff Diff
patch (7.47 KB, patch) 2016-02-08 17:58 PST, Nan Wang	no flags	Details Formatted Diff Diff
Show Obsolete (3) View All Add attachment proposed patch, testcase, etc.

Radar WebKit Bug Importer

Comment 1 2016-02-08 16:32:43 PST

<rdar://problem/24559206>

Nan Wang

Comment 2 2016-02-08 16:52:43 PST

Created attachment 270894 [details] patch

chris fleizach

Comment 3 2016-02-08 16:55:59 PST

Comment on attachment 270894 [details] patch View in context: https://bugs.webkit.org/attachment.cgi?id=270894&action=review > Source/WebCore/accessibility/AXObjectCache.cpp:1586 > + if (nodeIsDerefed(characterOffset1.node) || nodeIsDerefed(characterOffset2.node)) can we use our nodeInUse cache to handle this case? seems like we should be doing that when creating the CharacterOffsets too

Nan Wang

Comment 4 2016-02-08 17:37:54 PST

Comment on attachment 270894 [details] patch View in context: https://bugs.webkit.org/attachment.cgi?id=270894&action=review >> Source/WebCore/accessibility/AXObjectCache.cpp:1586 >> + if (nodeIsDerefed(characterOffset1.node) || nodeIsDerefed(characterOffset2.node)) > > can we use our nodeInUse cache to handle this case? seems like we should be doing that when creating the CharacterOffsets too Good point, will do.

Nan Wang

Comment 5 2016-02-08 17:38:58 PST

Created attachment 270899 [details] patch review comments.

chris fleizach

Comment 6 2016-02-08 17:40:50 PST

Comment on attachment 270899 [details] patch View in context: https://bugs.webkit.org/attachment.cgi?id=270899&action=review > Source/WebCore/ChangeLog:5 > + <rdar://problem/24559206> don't include rdar numbers (unless there is some new dictate to include them) > LayoutTests/ChangeLog:5 > + <rdar://problem/24559206> don't include rdar numbers > LayoutTests/accessibility/text-marker/text-marker-range-stale-node-crash.html:29 > + textElement.innerHTML=""; textElement.innerHTML = "";

Nan Wang

Comment 7 2016-02-08 17:45:53 PST

Created attachment 270901 [details] patch Addressed minor issues.

chris fleizach

Comment 8 2016-02-08 17:49:22 PST

Comment on attachment 270901 [details] patch View in context: https://bugs.webkit.org/attachment.cgi?id=270901&action=review > LayoutTests/accessibility/text-marker/text-marker-range-stale-node-crash.html:29 > + textElement.innerHTML= ""; still need another space before HTML=

WebKit Commit Bot

Comment 9 2016-02-08 17:56:25 PST

Comment on attachment 270901 [details] patch Rejecting attachment 270901 [details] from commit-queue. Failed to run "['/Volumes/Data/EWS/WebKit/Tools/Scripts/webkit-patch', '--status-host=webkit-queues.webkit.org', '--bot-id=webkit-cq-02', 'validate-changelog', '--check-oops', '--non-interactive', 270901, '--port=mac']" exit_code: 1 cwd: /Volumes/Data/EWS/WebKit ChangeLog entry in LayoutTests/ChangeLog contains OOPS!. Full output: http://webkit-queues.webkit.org/results/802367

Nan Wang

Comment 10 2016-02-08 17:58:28 PST

Created attachment 270902 [details] patch This one should be good.

WebKit Commit Bot

Comment 11 2016-02-08 19:04:22 PST

Comment on attachment 270902 [details] patch Clearing flags on attachment: 270902 Committed r196287: <http://trac.webkit.org/changeset/196287>

WebKit Commit Bot

Comment 12 2016-02-08 19:04:27 PST

All reviewed patches have been landed. Closing bug.

Ryan Haddad

Comment 13 2016-02-09 10:28:07 PST

The test added with this change seems to be crashing on ios-simulator: <https://build.webkit.org/results/Apple%20iOS%209%20Simulator%20Release%20WK2%20(Tests)/r196313%20(2965)/results.html> <http://webkit-test-results.webkit.org/dashboards/flakiness_dashboard.html#showAllRuns=true&tests=accessibility%2Ftext-marker%2Ftext-marker-range-stale-node-crash.html> Filed: <https://bugs.webkit.org/show_bug.cgi?id=154039>

Note You need to log in before you can comment on or make changes to this bug.