RESOLVED FIXED
154018
AX: crash at WebCore::Range::selectNodeContents(WebCore::Node*, int&)
https://bugs.webkit.org/show_bug.cgi?id=154018
Nan Wang
Reported 2016-02-08 16:30:15 PST
5 com.apple.WebCore 0x7fff9eb912f4 WebCore::Range::selectNodeContents(WebCore::Node*, int&) + 36 (/BuildRoot/Library/Caches/com.apple.xbs/Sources/WebCore/WebCore-7602.1.17/dom/Node.h:412)
6 com.apple.WebCore 0x7fff9ecf58eb WebCore::AXObjectCache::rangeForNodeContents(WebCore::Node*) + 75 (/BuildRoot/Library/Caches/com.apple.xbs/Sources/WebCore/WebCore-7602.1.17/accessibility/AXObjectCache.cpp:1531)
7 com.apple.WebCore 0x7fff9ecf5be8 WebCore::AXObjectCache::rangeForUnorderedCharacterOffsets(WebCore::CharacterOffset const&, WebCore::CharacterOffset const&) + 312 (/BuildRoot/Library/Caches/com.apple.xbs/Sources/WebCore/WebCore-7602.1.17/accessibility/AXObjectCache.cpp:1561)
8 com.apple.WebCore 0x7fff9fa449b1 -[WebAccessibilityObjectWrapper accessibilityAttributeValue:forParameter:] + 9249 (/BuildRoot/Library/Caches/com.apple.xbs/Sources/WebCore/WebCore-7602.1.17/accessibility/mac/WebAccessibilityObjectWrapperMac.mm:4032)
Seems selectNodeContents is accessing some garbage data.
Attachments
patch (5.45 KB, patch), 2016-02-08 16:52 PST, Nan Wang, no flags
patch (7.54 KB, patch), 2016-02-08 17:38 PST, Nan Wang, cfleizach: review+
patch (7.47 KB, patch), 2016-02-08 17:45 PST, Nan Wang, commit-queue: commit-queue-
patch (7.47 KB, patch), 2016-02-08 17:58 PST, Nan Wang, no flags
Radar WebKit Bug Importer
Comment 1
2016-02-08 16:32:43 PST
<rdar://problem/24559206>
Nan Wang
Comment 2
2016-02-08 16:52:43 PST
Created attachment 270894 (patch)
chris fleizach
Comment 3
2016-02-08 16:55:59 PST
Comment on attachment 270894 (patch)
View in context: https://bugs.webkit.org/attachment.cgi?id=270894&action=review
> Source/WebCore/accessibility/AXObjectCache.cpp:1586
> + if (nodeIsDerefed(characterOffset1.node) || nodeIsDerefed(characterOffset2.node))
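Review bot: at AXObjectCache.cpp:1586, nodeIsDerefed() is called with characterOffset1.node and characterOffset2.node, which are the very pointers suspected of being stale, so the helper has to reach its answer from the pointer value alone (for example a lookup in a set of tracked nodes) and must not read through it. Its body is not visible in this excerpt; a one-line comment at the definition stating that it never dereferences its argument would make the guard easier to audit.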
can we use our nodeInUse cache to handle this case? seems like we should be doing that when creating the CharacterOffsets too
Nan Wang
Comment 4
2016-02-08 17:37:54 PST
Comment on attachment 270894 (patch)
View in context: https://bugs.webkit.org/attachment.cgi?id=270894&action=review
>> Source/WebCore/accessibility/AXObjectCache.cpp:1586
>> + if (nodeIsDerefed(characterOffset1.node) || nodeIsDerefed(characterOffset2.node))
>
> can we use our nodeInUse cache to handle this case? seems like we should be doing that when creating the CharacterOffsets too
Good point, will do.
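The check discussed in comments 3 and 4, validating a marker's node against a set of nodes known to be in use before building a range from it, as an added C++ example that is not part of the bug thread or of WebKit's code. `LiveNodeSet`, `Node`, `CharacterOffset`, `Range` and both functions are hypothetical stand-ins, and the scenario is constructed.

```cpp
// Added illustration: LiveNodeSet, Node, CharacterOffset and Range are hypothetical, not WebKit's classes.
#include <memory>
#include <string>
#include <unordered_set>

struct Node;

// Registry of nodes that are currently alive, keyed by address only.
struct LiveNodeSet {
    std::unordered_set<const Node*> live;
    bool contains(const Node* n) const { return n && live.count(n) != 0; }
};

struct Node {
    LiveNodeSet& registry;
    std::string text;
    Node(LiveNodeSet& r, const std::string& t) : registry(r), text(t) { registry.live.insert(this); }
    ~Node() { registry.live.erase(this); } // unregister before the memory goes away
};

// A marker handed to a client: a raw pointer that can outlive its node.
struct CharacterOffset { const Node* node; int offset; };
struct Range { bool valid; int start; int end; };

// Accepts the two offsets in either order. The liveness test compares
// addresses and never dereferences a pointer that might be dangling.
Range rangeForUnorderedOffsets(const LiveNodeSet& registry, CharacterOffset a, CharacterOffset b) {
    const Range invalid = { false, 0, 0 };
    if (!registry.contains(a.node) || !registry.contains(b.node))
        return invalid; // stale marker: refuse instead of reading freed memory
    if (a.node != b.node)
        return invalid; // this sketch only covers markers within one node
    int lo = a.offset < b.offset ? a.offset : b.offset;
    int hi = a.offset < b.offset ? b.offset : a.offset;
    if (lo < 0 || hi > static_cast<int>(a.node->text.size()))
        return invalid;
    return Range{ true, lo, hi };
}

// Constructed scenario: take markers, destroy the node, then reuse the markers.
bool staleMarkerIsRejected() {
    LiveNodeSet registry;
    std::unique_ptr<Node> text(new Node(registry, "hello world"));
    CharacterOffset start = { text.get(), 0 }, end = { text.get(), 5 };
    Range live = rangeForUnorderedOffsets(registry, end, start); // reversed on purpose
    text.reset(); // the node is destroyed while the markers still point at it
    Range stale = rangeForUnorderedOffsets(registry, start, end);
    return live.valid && live.start == 0 && live.end == 5 && !stale.valid;
}
```

A check keyed on addresses can be fooled when a new node is later allocated at the same address as a destroyed one; markers that hold a reference-counted or weak pointer avoid that case.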
Nan Wang
Comment 5
2016-02-08 17:38:58 PST
Created attachment 270899 (patch)
review comments.
chris fleizach
Comment 6
2016-02-08 17:40:50 PST
Comment on attachment 270899 (patch)
View in context: https://bugs.webkit.org/attachment.cgi?id=270899&action=review
> Source/WebCore/ChangeLog:5
> + <rdar://problem/24559206>
don't include rdar numbers (unless there is some new dictate to include them)
> LayoutTests/ChangeLog:5
> + <rdar://problem/24559206>
don't include rdar numbers
> LayoutTests/accessibility/text-marker/text-marker-range-stale-node-crash.html:29
> + textElement.innerHTML="";
textElement.innerHTML = "";
Nan Wang
Comment 7
2016-02-08 17:45:53 PST
Created attachment 270901 (patch)
Addressed minor issues.
chris fleizach
Comment 8
2016-02-08 17:49:22 PST
Comment on attachment 270901 (patch)
View in context: https://bugs.webkit.org/attachment.cgi?id=270901&action=review
> LayoutTests/accessibility/text-marker/text-marker-range-stale-node-crash.html:29
> + textElement.innerHTML= "";
still need another space before HTML=
WebKit Commit Bot
Comment 9
2016-02-08 17:56:25 PST
Comment on attachment 270901 (patch)
Rejecting attachment 270901 from commit-queue.
Failed to run "['/Volumes/Data/EWS/WebKit/Tools/Scripts/webkit-patch', '--status-host=webkit-queues.webkit.org', '--bot-id=webkit-cq-02', 'validate-changelog', '--check-oops', '--non-interactive', 270901, '--port=mac']" exit_code: 1 cwd: /Volumes/Data/EWS/WebKit
ChangeLog entry in LayoutTests/ChangeLog contains OOPS!.
Full output: http://webkit-queues.webkit.org/results/802367
Nan Wang
Comment 10
2016-02-08 17:58:28 PST
Created attachment 270902 (patch)
This one should be good.
WebKit Commit Bot
Comment 11
2016-02-08 19:04:22 PST
Comment on attachment 270902 (patch)
Clearing flags on attachment: 270902
Committed r196287: <http://trac.webkit.org/changeset/196287>
WebKit Commit Bot
Comment 12
2016-02-08 19:04:27 PST
All reviewed patches have been landed. Closing bug.
Ryan Haddad
Comment 13
2016-02-09 10:28:07 PST
The test added with this change seems to be crashing on ios-simulator:
<https://build.webkit.org/results/Apple%20iOS%209%20Simulator%20Release%20WK2%20(Tests)/r196313%20(2965)/results.html>
<http://webkit-test-results.webkit.org/dashboards/flakiness_dashboard.html#showAllRuns=true&tests=accessibility%2Ftext-marker%2Ftext-marker-range-stale-node-crash.html>
Filed: <https://bugs.webkit.org/show_bug.cgi?id=154039>