Bug 284246
| Summary: | AX: Crash in AtspiObject->textAttributesWithUTF8Offset | | |
|---|---|---|---|
| Product: | WebKit | Reporter: | Mike Gorse <mgorse> |
| Component: | Accessibility | Assignee: | Nobody <webkit-unassigned> |
| Status: | RESOLVED DUPLICATE | | |
| Severity: | Normal | CC: | andresg_22, feaneron, webkit-bug-importer |
| Priority: | P2 | Keywords: | InRadar |
| Version: | WebKit Nightly Build | | |
| Hardware: | All | | |
| OS: | Linux | | |
Mike Gorse
Steps to reproduce:
1. Enable screen reader. I'm using Orca 47.2; I'm guessing that anything >= 47 will work.
2. Start Evolution.
3. Set up a Gmail/Google account. Start the OAuth flow.
4. Press tab a few times to focus the next button.
```
#3 0x00007f48f662891a in __GI_abort () at abort.c:79
79 raise (SIGABRT);
#4 0x00007f48fdf77454 in WTF::CrashOnOverflow::crash () at /home/mgorse/src/WebKit/t/WTF/Headers/wtf/CheckedArithmetic.h:109
109 CRASH();
#5 0x00007f48fdf7744b in WTF::CrashOnOverflow::overflowed () at /home/mgorse/src/WebKit/t/WTF/Headers/wtf/CheckedArithmetic.h:102
102 crash();
#6 0x00007f490244f82d in WTF::Vector<unsigned int, 128ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>::at (this=0x7ffd82b2a0d0, i=4) at /home/mgorse/src/WebKit/t/WTF/Headers/wtf/Vector.h:847
847 OverflowHandler::overflowed();
#7 0x00007f490244ed23 in WTF::Vector<unsigned int, 128ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>::operator[] (this=0x7ffd82b2a0d0, i=4) at /home/mgorse/src/WebKit/t/WTF/Headers/wtf/Vector.h:852
852 const T& operator[](size_t i) const { return at(i); }
#8 0x00007f4902449323 in WebCore::UTF16OffsetToUTF8 (mapping=WTF::Vector of length 2, capacity 128 = {...}, offset=4) at /home/mgorse/src/WebKit/Source/WebCore/accessibility/atspi/AccessibilityObjectTextAtspi.cpp:256
256 return mapping.isEmpty() ? offset : mapping[offset];
#9 0x00007f490244e0e6 in WebCore::AccessibilityObjectAtspi::textAttributesWithUTF8Offset (this=0x7f48e9d35080, offset=std::optional = {...}, includeDefault=true)
    at /home/mgorse/src/WebKit/Source/WebCore/accessibility/atspi/AccessibilityObjectTextAtspi.cpp:935
935 attributes.startOffset = UTF16OffsetToUTF8(mapping, attributes.startOffset);
#10 0x00007f490244820a in operator() (__closure=0x0, methodName=0x7f48d4007470 "GetAttributeRun", parameters=0x7f48d4008310, invocation=0x7f48d40050c0, userData=0x7f48e9d35080)
    at /home/mgorse/src/WebKit/Source/WebCore/accessibility/atspi/AccessibilityObjectTextAtspi.cpp:139
139 auto attributes = atspiObject->textAttributesWithUTF8Offset(offset, includeDefaults);
```
Radar WebKit Bug Importer
<rdar://problem/141119347>
Mike Gorse
The object triggering this contains one U+fffc character. The code in AccessibilityObjectAtspi::TextAttributes looks like it can recurse into an object's children, while the caller has a UTF16 -> UTF8 mapping for the text in the object itself, so just the U+fffc character.
Mike Gorse
AccessibilityObjectAtspi::TextAttributes() has this:
```cpp
auto firstValidPosition = firstPositionInOrBeforeNode(m_coreObject->node()->firstDescendant());
...
auto startPosition = firstPositionInOrBeforeNode(startRenderer->node());
for (RenderObject* r = childRenderer->previousInPreOrder(); r && startPosition > firstValidPosition; r = r->previousInPreOrder()) {
...
auto startOffset = adjustOutputOffset(m_coreObject->indexForVisiblePosition(startPosition), m_hasListMarkerAtStart);
```
startOffset is set to 4, and the code in the loop never executes because startPosition == firstValidPosition. I think that the accessible is encapsulating a button labeled "next", which might be where the 4 is coming from, but the accessible's text contains the object replacement character, rather than "next".
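As an added illustration (not WebKit's code), here is a small C++ model of the UTF-16 to UTF-8 offset mapping that the trace's UTF16OffsetToUTF8 consults, with the lookup made to reject an offset the mapping does not cover instead of hitting the vector's bounds check; the function names, the surrogate handling and the empty-mapping shortcut for pure ASCII are my assumptions about the shape of that mapping. It reproduces the situation in the comments above: text holding one U+FFFC gives a two-entry mapping, so an offset of 4 computed for some other text is out of range.

```cpp
#include <optional>
#include <string>
#include <vector>

// UTF-8 byte length contributed by one UTF-16 code unit. A high surrogate is
// charged for the whole 4-byte sequence and its low half adds nothing.
// Assumes well-formed UTF-16 (unpaired surrogates are not special-cased).
static unsigned utf8BytesForUnit(char16_t unit, bool previousWasHighSurrogate)
{
    if (previousWasHighSurrogate && unit >= 0xDC00 && unit <= 0xDFFF) return 0;
    if (unit < 0x80) return 1;
    if (unit < 0x800) return 2;
    if (unit >= 0xD800 && unit <= 0xDBFF) return 4;
    return 3; // remaining BMP code points, including U+FFFC
}

// mapping[i] is the UTF-8 byte offset of UTF-16 code unit i and the last entry
// is the total UTF-8 length, so N code units give N + 1 entries. Pure ASCII
// text yields an empty mapping because both offset spaces coincide there
// (my assumption, modelled on the isEmpty() shortcut visible in the trace).
std::vector<unsigned> buildUtf16ToUtf8Mapping(const std::u16string& text)
{
    bool ascii = true;
    for (char16_t unit : text)
        ascii = ascii && unit < 0x80;
    if (ascii)
        return {};
    std::vector<unsigned> mapping;
    unsigned byteOffset = 0;
    bool previousWasHigh = false;
    for (char16_t unit : text) {
        mapping.push_back(byteOffset);
        byteOffset += utf8BytesForUnit(unit, previousWasHigh);
        previousWasHigh = unit >= 0xD800 && unit <= 0xDBFF;
    }
    mapping.push_back(byteOffset);
    return mapping;
}

// Bounds-checked lookup: an offset the mapping does not cover (for example one
// computed for a different text) yields nullopt instead of an out-of-range read.
std::optional<unsigned> utf16OffsetToUtf8(const std::vector<unsigned>& mapping, unsigned offset)
{
    if (mapping.empty()) return offset;
    if (offset >= mapping.size()) return std::nullopt;
    return mapping[offset];
}
```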
Mike Gorse
Okay, my guess in my last comment was wrong. I tried changing the language on the page to Spanish, which changed the label on the button to "Siguiente," and the returned attribute offset is still 4. The "create account" button on the same page also triggers the crash for me, and 2 is returned there for the start offset.
Mike Gorse
Marking this as a dup; making the change described in bug 270354 would likely fix this.
*** This bug has been marked as a duplicate of bug 270354 ***