Bug 143188 - RESOLVED FIXED
AX: WebKitWebProcess crashes in a11y code for some websites
https://bugs.webkit.org/show_bug.cgi?id=143188
Debarshi Ray
Reported 2015-03-28 17:27:49 PDT
I have been seeing this particular crash with some web sites. Here is an example:

1) Go to https://twitter.com/marinaz
2) Find this tweet: "Asked @lwnnet to make its site a safe space for reading news about Linux ..."
3) Ctrl+click the LWN link and you will see the WebKitWebProcess for the new tab crash

Core was generated by `/usr/libexec/webkit2gtk-4.0/WebKitWebProcess 22'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0  WebCore::AccessibilityMenuList::isCollapsed (this=0x7f712d9c09a0) at /usr/src/debug/webkitgtk-2.6.5/Source/WebCore/accessibility/AccessibilityMenuList.cpp:92
92          return !static_cast<RenderMenuList*>(m_renderer)->popupIsVisible();
(gdb) bt
#0  WebCore::AccessibilityMenuList::isCollapsed (this=0x7f712d9c09a0) at /usr/src/debug/webkitgtk-2.6.5/Source/WebCore/accessibility/AccessibilityMenuList.cpp:92
#1  0x00007f719e3fee4d in notifyChildrenSelectionChange (object=0x7f712d9c09a0) at /usr/src/debug/webkitgtk-2.6.5/Source/WebCore/accessibility/atk/AXObjectCacheAtk.cpp:180
#2  WebCore::AXObjectCache::postPlatformNotification (this=this@entry=0x7f713c116e00, coreObject=coreObject@entry=0x7f712d9c09a0, notification=notification@entry=(anonymous namespace)::AXObjectCache::AXMenuListValueChanged) at /usr/src/debug/webkitgtk-2.6.5/Source/WebCore/accessibility/atk/AXObjectCacheAtk.cpp:211
#3  0x00007f719d854b96 in WebCore::AXObjectCache::postNotification (this=this@entry=0x7f713c116e00, object=object@entry=0x7f712d9c09a0, document=document@entry=0x7f719f4c6700, notification=notification@entry=(anonymous namespace)::AXObjectCache::AXMenuListValueChanged, postTarget=postTarget@entry=(anonymous namespace)::TargetElement, postType=postType@entry=(anonymous namespace)::PostSynchronously) at /usr/src/debug/webkitgtk-2.6.5/Source/WebCore/accessibility/AXObjectCache.cpp:807
#4  0x00007f719d860220 in WebCore::AccessibilityMenuList::didUpdateActiveOption (this=0x7f712d9c09a0, optionIndex=1) at /usr/src/debug/webkitgtk-2.6.5/Source/WebCore/accessibility/AccessibilityMenuList.cpp:130
#5  0x00007f719e11ec5d in WebCore::RenderMenuList::setTextFromOption (this=0x7f71074d55a0, optionIndex=1) at /usr/src/debug/webkitgtk-2.6.5/Source/WebCore/rendering/RenderMenuList.cpp:288
#6  0x00007f719dc2f168 in WebCore::HTMLSelectElement::selectOption (this=0x7f710693a000, optionIndex=<optimized out>, flags=0) at /usr/src/debug/webkitgtk-2.6.5/Source/WebCore/html/HTMLSelectElement.cpp:893
#7  0x00007f719c0e5f9e in JSC::JSObject::put (cell=0x7f7106fa40b0, exec=0x7ffee3cb0130, propertyName=..., value=..., slot=...) at /usr/src/debug/webkitgtk-2.6.5/Source/JavaScriptCore/runtime/JSObject.cpp:383
#8  0x00007f719be506a8 in operationPutByValInternal<false, false> (encodedValue=7, encodedProperty=<optimized out>, encodedBase=140123425095856, exec=0x7ffee3cb0130) at /usr/src/debug/webkitgtk-2.6.5/Source/JavaScriptCore/dfg/DFGOperations.cpp:130
#9  JSC::DFG::operationPutByValNonStrict (exec=0x7ffee3cb0130, encodedBase=140123425095856, encodedProperty=<optimized out>, encodedValue=7) at /usr/src/debug/webkitgtk-2.6.5/Source/JavaScriptCore/dfg/DFGOperations.cpp:383
#10 0x00007f713d5f2938 in ?? ()
#11 0x0000000000000000 in ?? ()
(gdb)

I have:
webkitgtk4-2.6.5-1.fc21.x86_64
epiphany-3.14.2-4.fc21.x86_64
Debarshi Ray
Comment 1 2015-03-28 17:34:58 PDT
I also had gtk+, atk, glib-networking, gvfs and glib built from their respective GNOME 3.16 branches. Reverting those back to their GNOME 3.14 versions seems to have stopped the crashes.
Ahmad Saleem
Comment 2 2022-11-15 14:25:04 PST
Radar WebKit Bug Importer
Comment 3 2022-11-16 07:29:05 PST
Tyler Wilcock
Comment 4 2022-11-16 13:59:28 PST
(In reply to Ahmad Saleem from comment #2)
> It is something which was detected by fuzzer in Chrome / Blink and fixed in
> this commit:
>
> Link - https://src.chromium.org/viewvc/blink?view=revision&revision=194543
>
> https://github.com/WebKit/WebKit/blob/d5220e254917f82a86e5d6235224f82a03d25acb/Source/WebCore/accessibility/AccessibilityMenuList.cpp#L45
>
> Adding
>
> if(!renderer)
>     return false;
>
> https://github.com/WebKit/WebKit/blob/d5220e254917f82a86e5d6235224f82a03d25acb/Source/WebCore/accessibility/AccessibilityMenuList.cpp#L89
>
> Adding
>
> if (!renderer)
>     return true;
>
> It fixed crashes in - AccessibilityMenuList::isCollapsed

Both of your suggested changes sound good to me. Would you be interested in submitting a patch for them?

Also, were you able to reproduce this crash? Your comment implies so, but want to confirm.
Ahmad Saleem
Comment 5 2022-11-16 14:01:21 PST
(In reply to Tyler Wilcock from comment #4)
> (In reply to Ahmad Saleem from comment #2)
> > It is something which was detected by fuzzer in Chrome / Blink and fixed in
> > this commit:
> >
> > Link - https://src.chromium.org/viewvc/blink?view=revision&revision=194543
> >
> > https://github.com/WebKit/WebKit/blob/d5220e254917f82a86e5d6235224f82a03d25acb/Source/WebCore/accessibility/AccessibilityMenuList.cpp#L45
> >
> > Adding
> >
> > if(!renderer)
> >     return false;
> >
> > https://github.com/WebKit/WebKit/blob/d5220e254917f82a86e5d6235224f82a03d25acb/Source/WebCore/accessibility/AccessibilityMenuList.cpp#L89
> >
> > Adding
> >
> > if (!renderer)
> >     return true;
> >
> > It fixed crashes in - AccessibilityMenuList::isCollapsed
> Both of your suggested changes sound good to me. Would you be interested in
> submitting a patch for them?
>
> Also, were you able to reproduce this crash? Your comment implies so, but
> want to confirm.

Nah! I didn't check or try to reproduce, I was just looking through some bugs and came across a fix for it. I just thought to post. I am happy to do a PR.
EWS
Comment 6 2022-11-17 17:35:11 PST
Committed 256814@main (c441a937ca2a): <https://commits.webkit.org/256814@main>

Reviewed commits have been landed. Closing PR #6569 and removing active labels.
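The crash in the backtrace is a stale-renderer dereference: AccessibilityMenuList keeps a raw pointer to its RenderMenuList, and a synchronous AXMenuListValueChanged notification can reach isCollapsed() after the render tree has dropped that renderer. The constructed model below (added here; not WebKit's code or the landed patch) replays that lifecycle and shows the two guards quoted in comments 2 and 4; which function the first guard (the one returning false) lives in is not stated on the page, so it is assumed here to be press().

```cpp
#include <memory>

// Constructed stand-in for WebCore's RenderMenuList, the renderer that owns
// the popup state the accessibility object reads.
struct RenderMenuList {
    bool popupVisible = false;
    bool popupIsVisible() const { return popupVisible; }
};

// Constructed stand-in for AccessibilityMenuList. Like the real class it holds
// a raw, non-owning pointer to its renderer that the render tree can drop while
// this object is still reachable from pending AX notifications.
class AccessibilityMenuList {
public:
    explicit AccessibilityMenuList(RenderMenuList* renderer) : m_renderer(renderer) {}
    void detachFromRenderer() { m_renderer = nullptr; } // render tree dropped it

    // Crashing shape from frame #0 of the report, kept only as a comment:
    //   return !static_cast<RenderMenuList*>(m_renderer)->popupIsVisible();
    // Hardened shape (second guard from comment 2): no renderer, no popup.
    bool isCollapsed() const {
        if (!m_renderer)
            return true;
        return !m_renderer->popupIsVisible();
    }

    // First guard from comment 2, assumed here to sit in press(): a detached
    // menu list cannot be activated, so the press is reported as not handled.
    bool press() {
        if (!m_renderer)
            return false;
        m_renderer->popupVisible = !m_renderer->popupVisible;
        return true;
    }

private:
    RenderMenuList* m_renderer; // non-owning; cleared by detachFromRenderer()
};

// Replays the lifecycle behind the backtrace: a selection-change notification
// queries the AX object after its renderer has been destroyed.
bool collapsedAfterRendererGone() {
    auto renderer = std::make_unique<RenderMenuList>();
    AccessibilityMenuList axList(renderer.get());
    axList.press();                          // popup opens: not collapsed
    bool openBefore = !axList.isCollapsed();
    axList.detachFromRenderer();
    renderer.reset();                        // renderer destroyed
    return openBefore && axList.isCollapsed() && !axList.press();
}
```

The same pattern applies to any AX accessor that reaches through m_renderer without a guard: the object outliving its renderer is the condition to check for, not just the one method that happened to crash here.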