Bug 139856 - AX: Hidden aria table crash
Summary: AX: Hidden aria table crash
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: Accessibility
Version: 528+ (Nightly build)
Hardware: All All
: P2 Normal
Assignee: Geoffrey Garen
URL:
Keywords: InRadar
Depends on:
Blocks:
 
Reported: 2014-12-21 10:47 PST by Gabor Rapcsanyi
Modified: 2015-03-10 11:17 PDT
Attachments
proposed fix (3.73 KB, patch)
2014-12-21 13:30 PST, Gabor Rapcsanyi
Patch (1.74 KB, patch)
2015-03-09 21:19 PDT, Geoffrey Garen

Description Gabor Rapcsanyi 2014-12-21 10:47:53 PST
Hidden aria table crashing.

Crashing test:
<html>
    <body>
        <ul aria-hidden="true">
            <table>
                <theader>
                    <td>
                        <span aria-live="assertive"></span>
                    </td>
                </theader>
                <caption></caption>
            </table>
        </ul>
        <svg onerror="logPass()"></svg>
    </body>
</html>
Comment 1 Radar WebKit Bug Importer 2014-12-21 10:48:07 PST
<rdar://problem/19320881>
Comment 2 Gabor Rapcsanyi 2014-12-21 13:30:10 PST
Created attachment 243614 [details]
proposed fix
Comment 3 WebKit Commit Bot 2014-12-21 15:57:04 PST
Comment on attachment 243614 [details]
proposed fix

Clearing flags on attachment: 243614

Committed r177627: <http://trac.webkit.org/changeset/177627>
Comment 4 WebKit Commit Bot 2014-12-21 15:57:08 PST
All reviewed patches have been landed.  Closing bug.
Comment 5 Alexey Proskuryakov 2014-12-30 13:23:58 PST
A test added in r177824 crashes on Mac with a RELEASE_ASSERT: https://build.webkit.org/results/Apple%20Yosemite%20Release%20WK2%20(Tests)/r177825%20(1624)/plugins/large-plugin-crash-crash-log.txt

Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
0   com.apple.JavaScriptCore      	0x000000010867bc32 bmalloc::Heap::allocateXLarge(std::__1::lock_guard<bmalloc::StaticMutex>&, unsigned long) + 98
1   com.apple.JavaScriptCore      	0x000000010867a7e7 bmalloc::Allocator::allocateXLarge(unsigned long) + 71
2   com.apple.JavaScriptCore      	0x000000010865a537 WTF::fastMalloc(unsigned long) + 151
3   com.apple.JavaScriptCore      	0x000000010865a5b1 WTF::tryFastMalloc(unsigned long) + 17
Comment 6 Alexey Proskuryakov 2014-12-30 13:27:28 PST
Is this the wrong bug though? This is the one referenced in ChangeLog.
Comment 7 Gabor Rapcsanyi 2014-12-30 13:44:26 PST
(In reply to comment #6)
> Is this the wrong bug though? This is the one referenced in ChangeLog.

Nope, sorry, I mixed up the bug number.
The right one is https://bugs.webkit.org/show_bug.cgi?id=139868
Comment 8 WebKit Commit Bot 2014-12-31 00:38:26 PST
Re-opened since this is blocked by bug 140011
Comment 9 David Kilzer (:ddkilzer) 2015-01-05 11:54:23 PST
Looks like a regression from r176706.
<http://trac.webkit.org/changeset/176706>
Comment 10 Geoffrey Garen 2015-03-09 21:19:13 PDT
Reopening to attach new patch.
Comment 11 Geoffrey Garen 2015-03-09 21:19:16 PDT
Created attachment 248315 [details]
Patch
Comment 12 Geoffrey Garen 2015-03-09 21:20:09 PDT
We should be able to re-land this test now.
Comment 13 Alexey Proskuryakov 2015-03-09 23:57:59 PDT
I just rolled out the bmalloc patch, so we can't land this yet.
Comment 14 Gabor Rapcsanyi 2015-03-10 02:17:37 PDT
I think there is a misunderstanding here. These are two different bugs:

AX: Hidden aria table crash:
https://bugs.webkit.org/show_bug.cgi?id=139856

Too large plugins are crashing (tryFastMalloc is broken with bmalloc):
https://bugs.webkit.org/show_bug.cgi?id=139868

Unfortunately, when I created the fix for the second one I copy/pasted the first one's bug number, as I wrote above. Sorry for that. To make the situation more complicated, the second one failed on Mac because of bmalloc and the commit bot complained on this bug, not the other one.
Comment 15 WebKit Commit Bot 2015-03-10 11:17:48 PDT
Comment on attachment 248315 [details]
Patch

Clearing flags on attachment: 248315

Committed r181330: <http://trac.webkit.org/changeset/181330>
Comment 16 WebKit Commit Bot 2015-03-10 11:17:54 PDT
All reviewed patches have been landed.  Closing bug.