5 com.apple.WebCore 0x7fff9eb912f4 WebCore::Range::selectNodeContents(WebCore::Node*, int&) + 36 (/BuildRoot/Library/Caches/com.apple.xbs/Sources/WebCore/WebCore-7602.1.17/dom/Node.h:412)
6 com.apple.WebCore 0x7fff9ecf58eb WebCore::AXObjectCache::rangeForNodeContents(WebCore::Node*) + 75 (/BuildRoot/Library/Caches/com.apple.xbs/Sources/WebCore/WebCore-7602.1.17/accessibility/AXObjectCache.cpp:1531)
7 com.apple.WebCore 0x7fff9ecf5be8 WebCore::AXObjectCache::rangeForUnorderedCharacterOffsets(WebCore::CharacterOffset const&, WebCore::CharacterOffset const&) + 312 (/BuildRoot/Library/Caches/com.apple.xbs/Sources/WebCore/WebCore-7602.1.17/accessibility/AXObjectCache.cpp:1561)
8 com.apple.WebCore 0x7fff9fa449b1 -[WebAccessibilityObjectWrapper accessibilityAttributeValue:forParameter:] + 9249 (/BuildRoot/Library/Caches/com.apple.xbs/Sources/WebCore/WebCore-7602.1.17/accessibility/mac/WebAccessibilityObjectWrapperMac.mm:4032)

Seems selectNodeContents is accessing some garbage data.
<rdar://problem/24559206>
Created attachment 270894: patch
Comment on attachment 270894: patch
View in context: https://bugs.webkit.org/attachment.cgi?id=270894&action=review

> Source/WebCore/accessibility/AXObjectCache.cpp:1586
> +    if (nodeIsDerefed(characterOffset1.node) || nodeIsDerefed(characterOffset2.node))

Can we use our nodeInUse cache to handle this case? Seems like we should be doing that when creating the CharacterOffsets too.
Comment on attachment 270894: patch
View in context: https://bugs.webkit.org/attachment.cgi?id=270894&action=review

>> Source/WebCore/accessibility/AXObjectCache.cpp:1586
>> +    if (nodeIsDerefed(characterOffset1.node) || nodeIsDerefed(characterOffset2.node))
>
> Can we use our nodeInUse cache to handle this case? Seems like we should be doing that when creating the CharacterOffsets too.

Good point, will do.
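A C++ sketch of the check discussed in this review, added here as an illustration and not code from the WebKit patch: a registry standing in for the nodeInUse cache, CharacterOffsets that register their node when they are created, and a range builder that refuses any offset whose node has since been torn down rather than handing a dangling pointer to selectNodeContents(). Node, LiveNodeRegistry, makeCharacterOffset and nodeDestroyed are assumed names for this model.

```cpp
#include <unordered_set>

// Hypothetical stand-in for a DOM node; only its identity (address) matters here.
struct Node { int id; explicit Node(int i) : id(i) {} };

// Model of the "nodeInUse" bookkeeping suggested in the review: the cache
// records every node it has handed out inside a CharacterOffset, and the DOM
// side tells it when one of those nodes is destroyed.
class LiveNodeRegistry {
public:
    void setNodeInUse(Node* n) { m_inUse.insert(n); }
    void nodeDestroyed(Node* n) { m_inUse.erase(n); }   // called on teardown
    bool isNodeInUse(Node* n) const { return m_inUse.count(n) != 0; }
private:
    std::unordered_set<Node*> m_inUse;
};

struct CharacterOffset {
    Node* node = nullptr;
    int offset = 0;
    bool isNull() const { return node == nullptr; }
};

struct Range { Node* start; int startOffset; Node* end; int endOffset; };

// Offsets are only created through the registry, so every node they
// reference is tracked from the moment it is handed out.
CharacterOffset makeCharacterOffset(LiveNodeRegistry& reg, Node* node, int offset) {
    if (node)
        reg.setNodeInUse(node);
    return { node, offset };
}

// Hardened form of the range builder in the stack trace above: returns false
// instead of building a Range over a node the registry no longer considers live.
bool rangeForUnorderedCharacterOffsets(const LiveNodeRegistry& reg,
                                       const CharacterOffset& a,
                                       const CharacterOffset& b,
                                       Range& out) {
    if (a.isNull() || b.isNull())
        return false;
    if (!reg.isNodeInUse(a.node) || !reg.isNodeInUse(b.node))
        return false;   // stale node: bail out before touching it
    // "Unordered": within one node the caller may pass the ends either way.
    bool swap = (a.node == b.node && a.offset > b.offset);
    const CharacterOffset& first = swap ? b : a;
    const CharacterOffset& second = swap ? a : b;
    out = Range{ first.node, first.offset, second.node, second.offset };
    return true;
}
```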
Created attachment 270899: patch
Addressed review comments.
Comment on attachment 270899: patch
View in context: https://bugs.webkit.org/attachment.cgi?id=270899&action=review

> Source/WebCore/ChangeLog:5
> +        <rdar://problem/24559206>

Don't include rdar numbers (unless there is some new dictate to include them).

> LayoutTests/ChangeLog:5
> +        <rdar://problem/24559206>

Don't include rdar numbers.

> LayoutTests/accessibility/text-marker/text-marker-range-stale-node-crash.html:29
> +    textElement.innerHTML="";

textElement.innerHTML = "";
Created attachment 270901: patch
Addressed minor issues.
Comment on attachment 270901: patch
View in context: https://bugs.webkit.org/attachment.cgi?id=270901&action=review

> LayoutTests/accessibility/text-marker/text-marker-range-stale-node-crash.html:29
> +    textElement.innerHTML= "";

Still need another space before HTML=.
Comment on attachment 270901: patch
Rejecting attachment 270901 from commit-queue.

Failed to run "['/Volumes/Data/EWS/WebKit/Tools/Scripts/webkit-patch', '--status-host=webkit-queues.webkit.org', '--bot-id=webkit-cq-02', 'validate-changelog', '--check-oops', '--non-interactive', 270901, '--port=mac']" exit_code: 1 cwd: /Volumes/Data/EWS/WebKit

ChangeLog entry in LayoutTests/ChangeLog contains OOPS!.

Full output: http://webkit-queues.webkit.org/results/802367
Created attachment 270902: patch
This one should be good.
Comment on attachment 270902: patch
Clearing flags on attachment: 270902
Committed r196287: <http://trac.webkit.org/changeset/196287>
All reviewed patches have been landed. Closing bug.
The test added with this change seems to be crashing on ios-simulator:
<https://build.webkit.org/results/Apple%20iOS%209%20Simulator%20Release%20WK2%20(Tests)/r196313%20(2965)/results.html>
<http://webkit-test-results.webkit.org/dashboards/flakiness_dashboard.html#showAllRuns=true&tests=accessibility%2Ftext-marker%2Ftext-marker-range-stale-node-crash.html>

Filed: <https://bugs.webkit.org/show_bug.cgi?id=154039>