154018 – AX: crash at WebCore::Range::selectNodeContents(WebCore::Node*, int&)

RESOLVED FIXED 154018

AX: crash at WebCore::Range::selectNodeContents(WebCore::Node*, int&)

https://bugs.webkit.org/show_bug.cgi?id=154018

Summary AX: crash at WebCore::Range::selectNodeContents(WebCore::Node*, int&)

Nan Wang

Reported 2016-02-08 16:30:15 PST

5 com.apple.WebCore 0x7fff9eb912f4 WebCore::Range::selectNodeContents(WebCore::Node*, int&) + 36 (/BuildRoot/Library/Caches/com.apple.xbs/Sources/WebCore/WebCore-7602.1.17/dom/Node.h:412) 6 com.apple.WebCore 0x7fff9ecf58eb WebCore::AXObjectCache::rangeForNodeContents(WebCore::Node*) + 75 (/BuildRoot/Library/Caches/com.apple.xbs/Sources/WebCore/WebCore-7602.1.17/accessibility/AXObjectCache.cpp:1531) 7 com.apple.WebCore 0x7fff9ecf5be8 WebCore::AXObjectCache::rangeForUnorderedCharacterOffsets(WebCore::CharacterOffset const&, WebCore::CharacterOffset const&) + 312 (/BuildRoot/Library/Caches/com.apple.xbs/Sources/WebCore/WebCore-7602.1.17/accessibility/AXObjectCache.cpp:1561) 8 com.apple.WebCore 0x7fff9fa449b1 -[WebAccessibilityObjectWrapper accessibilityAttributeValue:forParameter:] + 9249 (/BuildRoot/Library/Caches/com.apple.xbs/Sources/WebCore/WebCore-7602.1.17/accessibility/mac/WebAccessibilityObjectWrapperMac.mm:4032) Seems selectNodeContents is accessing some garbage data.

Attachments
patch (5.45 KB, patch) 2016-02-08 16:52 PST, Nan Wang	no flags	Details Formatted Diff Diff
patch (7.54 KB, patch) 2016-02-08 17:38 PST, Nan Wang	cfleizach: review+	Details Formatted Diff Diff
patch (7.47 KB, patch) 2016-02-08 17:45 PST, Nan Wang	commit-queue: commit-queue-	Details Formatted Diff Diff
patch (7.47 KB, patch) 2016-02-08 17:58 PST, Nan Wang	no flags	Details Formatted Diff Diff
Show Obsolete (3) View All Add attachment proposed patch, testcase, etc.

Radar WebKit Bug Importer

Comment 1 2016-02-08 16:32:43 PST

<rdar://problem/24559206>

Nan Wang

Comment 2 2016-02-08 16:52:43 PST

Created attachment 270894 [details] patch

chris fleizach

Comment 3 2016-02-08 16:55:59 PST

Comment on attachment 270894 [details] patch View in context: https://bugs.webkit.org/attachment.cgi?id=270894&action=review > Source/WebCore/accessibility/AXObjectCache.cpp:1586 > + if (nodeIsDerefed(characterOffset1.node) || nodeIsDerefed(characterOffset2.node)) can we use our nodeInUse cache to handle this case? seems like we should be doing that when creating the CharacterOffsets too

Nan Wang

Comment 4 2016-02-08 17:37:54 PST

Comment on attachment 270894 [details] patch View in context: https://bugs.webkit.org/attachment.cgi?id=270894&action=review >> Source/WebCore/accessibility/AXObjectCache.cpp:1586 >> + if (nodeIsDerefed(characterOffset1.node) || nodeIsDerefed(characterOffset2.node)) > > can we use our nodeInUse cache to handle this case? seems like we should be doing that when creating the CharacterOffsets too Good point, will do.

Nan Wang

Comment 5 2016-02-08 17:38:58 PST

Created attachment 270899 [details] patch review comments.

chris fleizach

Comment 6 2016-02-08 17:40:50 PST

Comment on attachment 270899 [details] patch View in context: https://bugs.webkit.org/attachment.cgi?id=270899&action=review > Source/WebCore/ChangeLog:5 > + <rdar://problem/24559206> don't include rdar numbers (unless there is some new dictate to include them) > LayoutTests/ChangeLog:5 > + <rdar://problem/24559206> don't include rdar numbers > LayoutTests/accessibility/text-marker/text-marker-range-stale-node-crash.html:29 > + textElement.innerHTML=""; textElement.innerHTML = "";

Nan Wang

Comment 7 2016-02-08 17:45:53 PST

Created attachment 270901 [details] patch Addressed minor issues.

chris fleizach

Comment 8 2016-02-08 17:49:22 PST

Comment on attachment 270901 [details] patch View in context: https://bugs.webkit.org/attachment.cgi?id=270901&action=review > LayoutTests/accessibility/text-marker/text-marker-range-stale-node-crash.html:29 > + textElement.innerHTML= ""; still need another space before HTML=

WebKit Commit Bot

Comment 9 2016-02-08 17:56:25 PST

Comment on attachment 270901 [details] patch Rejecting attachment 270901 [details] from commit-queue. Failed to run "['/Volumes/Data/EWS/WebKit/Tools/Scripts/webkit-patch', '--status-host=webkit-queues.webkit.org', '--bot-id=webkit-cq-02', 'validate-changelog', '--check-oops', '--non-interactive', 270901, '--port=mac']" exit_code: 1 cwd: /Volumes/Data/EWS/WebKit ChangeLog entry in LayoutTests/ChangeLog contains OOPS!. Full output: http://webkit-queues.webkit.org/results/802367

Nan Wang

Comment 10 2016-02-08 17:58:28 PST

Created attachment 270902 [details] patch This one should be good.

WebKit Commit Bot

Comment 11 2016-02-08 19:04:22 PST

Comment on attachment 270902 [details] patch Clearing flags on attachment: 270902 Committed r196287: <http://trac.webkit.org/changeset/196287>

WebKit Commit Bot

Comment 12 2016-02-08 19:04:27 PST

All reviewed patches have been landed. Closing bug.

Ryan Haddad

Comment 13 2016-02-09 10:28:07 PST

The test added with this change seems to be crashing on ios-simulator: <https://build.webkit.org/results/Apple%20iOS%209%20Simulator%20Release%20WK2%20(Tests)/r196313%20(2965)/results.html> <http://webkit-test-results.webkit.org/dashboards/flakiness_dashboard.html#showAllRuns=true&tests=accessibility%2Ftext-marker%2Ftext-marker-range-stale-node-crash.html> Filed: <https://bugs.webkit.org/show_bug.cgi?id=154039>

Note You need to log in before you can comment on or make changes to this bug.

Status RESOLVED

Resolution FIXED

Priority P2

Severity Normal

Classification Unclassified

Version WebKit Nightly Build

Hardware All

OS All

Product WebKit

Component Accessibility

Assignee

Nobody

Reported

2016-02-08 16:30 PST

Modified

2016-02-09 10:28 PST History

CC List

12 users Show

URL

Keywords InRadar

Depends on

Blocks