RESOLVED FIXED 154018
AX: crash at WebCore::Range::selectNodeContents(WebCore::Node*, int&)
https://bugs.webkit.org/show_bug.cgi?id=154018
Summary AX: crash at WebCore::Range::selectNodeContents(WebCore::Node*, int&)
Nan Wang
Reported 2016-02-08 16:30:15 PST
5 com.apple.WebCore 0x7fff9eb912f4 WebCore::Range::selectNodeContents(WebCore::Node*, int&) + 36 (/BuildRoot/Library/Caches/com.apple.xbs/Sources/WebCore/WebCore-7602.1.17/dom/Node.h:412)
6 com.apple.WebCore 0x7fff9ecf58eb WebCore::AXObjectCache::rangeForNodeContents(WebCore::Node*) + 75 (/BuildRoot/Library/Caches/com.apple.xbs/Sources/WebCore/WebCore-7602.1.17/accessibility/AXObjectCache.cpp:1531)
7 com.apple.WebCore 0x7fff9ecf5be8 WebCore::AXObjectCache::rangeForUnorderedCharacterOffsets(WebCore::CharacterOffset const&, WebCore::CharacterOffset const&) + 312 (/BuildRoot/Library/Caches/com.apple.xbs/Sources/WebCore/WebCore-7602.1.17/accessibility/AXObjectCache.cpp:1561)
8 com.apple.WebCore 0x7fff9fa449b1 -[WebAccessibilityObjectWrapper accessibilityAttributeValue:forParameter:] + 9249 (/BuildRoot/Library/Caches/com.apple.xbs/Sources/WebCore/WebCore-7602.1.17/accessibility/mac/WebAccessibilityObjectWrapperMac.mm:4032)

Seems selectNodeContents is accessing some garbage data.
Attachments
patch (5.45 KB, patch)
2016-02-08 16:52 PST, Nan Wang
no flags
patch (7.54 KB, patch)
2016-02-08 17:38 PST, Nan Wang
cfleizach: review+
patch (7.47 KB, patch)
2016-02-08 17:45 PST, Nan Wang
commit-queue: commit-queue-
patch (7.47 KB, patch)
2016-02-08 17:58 PST, Nan Wang
no flags
Radar WebKit Bug Importer
Comment 1 2016-02-08 16:32:43 PST
Nan Wang
Comment 2 2016-02-08 16:52:43 PST
chris fleizach
Comment 3 2016-02-08 16:55:59 PST
Comment on attachment 270894 [details]
patch

View in context: https://bugs.webkit.org/attachment.cgi?id=270894&action=review

> Source/WebCore/accessibility/AXObjectCache.cpp:1586
> +        if (nodeIsDerefed(characterOffset1.node) || nodeIsDerefed(characterOffset2.node))

can we use our nodeInUse cache to handle this case? seems like we should be doing that when creating the CharacterOffsets too
Nan Wang
Comment 4 2016-02-08 17:37:54 PST
Comment on attachment 270894 [details]
patch

View in context: https://bugs.webkit.org/attachment.cgi?id=270894&action=review

>> Source/WebCore/accessibility/AXObjectCache.cpp:1586
>> +        if (nodeIsDerefed(characterOffset1.node) || nodeIsDerefed(characterOffset2.node))
>
> can we use our nodeInUse cache to handle this case? seems like we should be doing that when creating the CharacterOffsets too

Good point, will do.
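As an added illustration of the nodeInUse-cache approach suggested in Comment 3 (example code written for this page, not WebKit's AXObjectCache; Node, NodeCache and the other names are simplified stand-ins), the guard refuses to build a range when either CharacterOffset endpoint's node is no longer registered:

```cpp
#include <optional>
#include <unordered_set>
#include <utility>

// Minimal stand-in for a DOM node (hypothetical; not WebCore::Node).
struct Node {
    int id;
};

// Like the bug's CharacterOffset: a raw Node* plus offset, nothing keeps it alive.
struct CharacterOffset {
    Node* node = nullptr;
    int offset = 0;
};

// Hypothetical cache modelling the "nodeInUse" idea: register on insert, drop on remove.
class NodeCache {
public:
    void nodeInserted(Node* n) { m_inUse.insert(n); }
    void nodeRemoved(Node* n) { m_inUse.erase(n); }
    // Pointer-value lookup only; never dereferences n, so a dangling value is safe to pass.
    bool isNodeInUse(Node* n) const { return n && m_inUse.count(n); }

    // Endpoint node ids of the range, or nullopt when either endpoint is stale.
    std::optional<std::pair<int, int>> rangeForUnorderedCharacterOffsets(
        const CharacterOffset& a, const CharacterOffset& b) const
    {
        if (!isNodeInUse(a.node) || !isNodeInUse(b.node))
            return std::nullopt;  // refuse rather than dereference a dead node
        return std::make_pair(a.node->id, b.node->id);  // the dereference the guard protects
    }
private:
    std::unordered_set<Node*> m_inUse;
};

// Mirrors the layout test: take offsets into a text node, drop the node
// (innerHTML = "" in the test), then ask for a range from the old offsets.
bool staleRangeIsRejected()
{
    NodeCache cache;
    Node* text = new Node{1};
    cache.nodeInserted(text);
    CharacterOffset start{text, 0}, end{text, 5};
    bool liveOk = cache.rangeForUnorderedCharacterOffsets(start, end).has_value();
    cache.nodeRemoved(text);
    delete text;  // node destroyed; start and end now dangle
    bool staleRejected = !cache.rangeForUnorderedCharacterOffsets(start, end).has_value();
    return liveOk && staleRejected;
}
```

The cache keys on pointer value, so removal must be recorded before the node is freed; otherwise a later allocation at the same address would look live.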
Nan Wang
Comment 5 2016-02-08 17:38:58 PST
Created attachment 270899 [details]
patch

review comments.
chris fleizach
Comment 6 2016-02-08 17:40:50 PST
Comment on attachment 270899 [details]
patch

View in context: https://bugs.webkit.org/attachment.cgi?id=270899&action=review

> Source/WebCore/ChangeLog:5
> +        <rdar://problem/24559206>

don't include rdar numbers (unless there is some new dictate to include them)

> LayoutTests/ChangeLog:5
> +        <rdar://problem/24559206>

don't include rdar numbers

> LayoutTests/accessibility/text-marker/text-marker-range-stale-node-crash.html:29
> +    textElement.innerHTML="";

textElement.innerHTML = "";
Nan Wang
Comment 7 2016-02-08 17:45:53 PST
Created attachment 270901 [details]
patch

Addressed minor issues.
chris fleizach
Comment 8 2016-02-08 17:49:22 PST
Comment on attachment 270901 [details]
patch

View in context: https://bugs.webkit.org/attachment.cgi?id=270901&action=review

> LayoutTests/accessibility/text-marker/text-marker-range-stale-node-crash.html:29
> +    textElement.innerHTML= "";

still need another space before HTML=
WebKit Commit Bot
Comment 9 2016-02-08 17:56:25 PST
Comment on attachment 270901 [details]
patch

Rejecting attachment 270901 [details] from commit-queue.

Failed to run "['/Volumes/Data/EWS/WebKit/Tools/Scripts/webkit-patch', '--status-host=webkit-queues.webkit.org', '--bot-id=webkit-cq-02', 'validate-changelog', '--check-oops', '--non-interactive', 270901, '--port=mac']" exit_code: 1 cwd: /Volumes/Data/EWS/WebKit

ChangeLog entry in LayoutTests/ChangeLog contains OOPS!.

Full output: http://webkit-queues.webkit.org/results/802367
Nan Wang
Comment 10 2016-02-08 17:58:28 PST
Created attachment 270902 [details]
patch

This one should be good.
WebKit Commit Bot
Comment 11 2016-02-08 19:04:22 PST
Comment on attachment 270902 [details]
patch

Clearing flags on attachment: 270902

Committed r196287: <http://trac.webkit.org/changeset/196287>
WebKit Commit Bot
Comment 12 2016-02-08 19:04:27 PST
All reviewed patches have been landed. Closing bug.