157830 – AX: Crash when backspacing in number field with spin button

RESOLVED FIXED 157830

AX: Crash when backspacing in number field with spin button

https://bugs.webkit.org/show_bug.cgi?id=157830

Summary AX: Crash when backspacing in number field with spin button

chris fleizach

Reported 2016-05-18 00:14:22 PDT

Backspacing repeatedly with VoiceOver on in an input type="number" will eventually crash Thread 0 Crashed:: Dispatch queue: com.apple.main-thread 0 com.apple.WebCore 0x00007fff94f6312a WebCore::AXObjectCache::platformGenerateAXID() const + 10 1 com.apple.WebCore 0x00007fff94f62e3b WebCore::AXObjectCache::getOrCreate(WebCore::AccessibilityRole) + 363 2 com.apple.WebCore 0x00007fff94f0a816 WebCore::AccessibilitySpinButton::addChildren() + 38 3 com.apple.WebCore 0x00007fff94ef63c2 WebCore::AccessibilityObject::updateChildrenIfNecessary() + 66 4 com.apple.WebCore 0x00007fff94ef084d WebCore::AccessibilityObject::updateBackingStore() + 77 5 com.apple.WebCore 0x00007fff95ad83ed -[WebAccessibilityObjectWrapperBase updateObjectBackingStore] + 61 6 com.apple.WebCore 0x00007fff95ae1f47 -[WebAccessibilityObjectWrapper accessibilityAttributeValue:] + 39 7 com.apple.AppKit 0x00007fff8b33d164 NSAccessibilityGetObjectForAttributeUsingLegacyAPI + 392 8 com.apple.AppKit 0x00007fff8b33b7d8 _NSAccessibilityEntryPointValueForAttribute + 1879 9 com.apple.AppKit 0x00007fff8bc41ca4 -[NSObject(NSRemoteUIElementAccessibility) accessibilityPresenterProcessIdentifier] + 111 10 com.apple.AppKit 0x00007fff8b468ef0 NSAccessibilityCreateAXUIElementRef + 883 11 com.apple.AppKit 0x00007fff8b6d3659 ConvertOutgoingValue + 1733 12 com.apple.AppKit 0x00007fff8b6d3052 ConvertOutgoingValue + 190 13 com.apple.AppKit 0x00007fff8b6d4c12 CopyAttributeValues + 289 14 com.apple.HIServices 0x00007fff89f86018 _AXXMIGCopyAttributeValues + 308 15 com.apple.HIServices 0x00007fff89f8ee37 _XCopyAttributeValues + 512 16 com.apple.HIServices 0x00007fff89f68dad mshMIGPerform + 199 17 com.apple.CoreFoundation 0x00007fff83324839 __CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE1_PERFORM_FUNCTION__ + 41 18 com.apple.CoreFoundation 0x00007fff833247a9 __CFRunLoopDoSource1 + 473 19 com.apple.CoreFoundation 0x00007fff83315e1b __CFRunLoopRun + 2171 20 com.apple.CoreFoundation 0x00007fff83315338 CFRunLoopRunSpecific + 296 21 com.apple.HIToolbox 0x00007fff829f4935 RunCurrentEventLoopInMode + 235 22 com.apple.HIToolbox 0x00007fff829f476f ReceiveNextEventCommon + 432 23 com.apple.HIToolbox 0x00007fff829f45af _BlockUntilNextEventMatchingListInModeWithFilter + 71 24 com.apple.AppKit 0x00007fff8b31f0ee _DPSNextEvent + 1067 25 com.apple.AppKit 0x00007fff8b6eb943 -[NSApplication _nextEventMatchingEventMask:untilDate:inMode:dequeue:] + 454 26 com.apple.AppKit 0x00007fff8b314fc8 -[NSApplication run] + 682 27 com.apple.AppKit 0x00007fff8b297520 NSApplicationMain + 1176 28 libxpc.dylib 0x00007fff944aff6c _xpc_objc_main + 793 29 libxpc.dylib 0x00007fff944b16bb xpc_main + 494 30 com.apple.WebKit.WebContent 0x0000000101d90b4a 0x101d90000 + 2890 31 libdyld.dylib 0x00007fff86b8c5ad start + 1 <rdar://problem/24458212>

Attachments
Patch (6.87 KB, patch) 2016-05-18 00:22 PDT, chris fleizach	darin: review- buildbot: commit-queue-	Details Formatted Diff Diff
Archive of layout-test-results from ews102 for mac-yosemite (805.39 KB, application/zip) 2016-05-18 01:07 PDT, Build Bot	no flags	Details
Archive of layout-test-results from ews105 for mac-yosemite-wk2 (829.95 KB, application/zip) 2016-05-18 01:09 PDT, Build Bot	no flags	Details
Archive of layout-test-results from ews117 for mac-yosemite (1.42 MB, application/zip) 2016-05-18 01:27 PDT, Build Bot	no flags	Details
patch (5.60 KB, patch) 2016-07-11 12:34 PDT, Nan Wang	no flags	Details Formatted Diff Diff
View All Add attachment proposed patch, testcase, etc.

chris fleizach

Comment 1 2016-05-18 00:22:09 PDT

Created attachment 279225 [details] Patch

Build Bot

Comment 2 2016-05-18 01:07:23 PDT

Comment on attachment 279225 [details] Patch Attachment 279225 [details] did not pass mac-ews (mac): Output: http://webkit-queues.webkit.org/results/1341494 New failing tests: accessibility/mac/html5-input-number.html accessibility/spinbutton-crash.html

Build Bot

Comment 3 2016-05-18 01:07:27 PDT

Created attachment 279226 [details] Archive of layout-test-results from ews102 for mac-yosemite The attached test failures were seen while running run-webkit-tests on the mac-ews. Bot: ews102 Port: mac-yosemite Platform: Mac OS X 10.10.5

Build Bot

Comment 4 2016-05-18 01:09:37 PDT

Comment on attachment 279225 [details] Patch Attachment 279225 [details] did not pass mac-wk2-ews (mac-wk2): Output: http://webkit-queues.webkit.org/results/1341495 New failing tests: accessibility/mac/html5-input-number.html accessibility/spinbutton-crash.html

Build Bot

Comment 5 2016-05-18 01:09:40 PDT

Created attachment 279228 [details] Archive of layout-test-results from ews105 for mac-yosemite-wk2 The attached test failures were seen while running run-webkit-tests on the mac-wk2-ews. Bot: ews105 Port: mac-yosemite-wk2 Platform: Mac OS X 10.10.5

Build Bot

Comment 6 2016-05-18 01:26:56 PDT

Comment on attachment 279225 [details] Patch Attachment 279225 [details] did not pass mac-debug-ews (mac): Output: http://webkit-queues.webkit.org/results/1341532 New failing tests: accessibility/mac/html5-input-number.html accessibility/spinbutton-crash.html

Build Bot

Comment 7 2016-05-18 01:27:03 PDT

Created attachment 279230 [details] Archive of layout-test-results from ews117 for mac-yosemite The attached test failures were seen while running run-webkit-tests on the mac-debug-ews. Bot: ews117 Port: mac-yosemite Platform: Mac OS X 10.10.5

Joanmarie Diggs

Comment 8 2016-05-18 12:45:51 PDT

Looks like your tests need some adjustment. That said.... Sanity checks seem like a good idea, but if you don't mind my asking: Is backspacing over the contents of the input causing spin button parts to become detached? If so, that strikes me as odd and possibly worthy of a sentence in your ChangeLog. Also, "safe guards" in this context is one word.

chris fleizach

Comment 9 2016-05-18 12:47:00 PDT

(In reply to comment #8) > Looks like your tests need some adjustment. > > That said.... Sanity checks seem like a good idea, but if you don't mind my > asking: Is backspacing over the contents of the input causing spin button > parts to become detached? If so, that strikes me as odd and possibly worthy > of a sentence in your ChangeLog. > That is what it seems like. I can't figure out why one of these tests is failing now so this is requiring some more work sadly > Also, "safe guards" in this context is one word. Thanks

Darin Adler

Comment 10 2016-05-25 04:02:44 PDT

Comment on attachment 279225 [details] Patch Setting review- since we don’t want to review this until after we resolve the crashing tests. Code changes look fine to me, by the way.

Nan Wang

Comment 11 2016-07-11 12:34:45 PDT

Created attachment 283332 [details] patch It seems putting isDetachedFromParent() in updateObjectBackingStore will affect lots of stuff.

WebKit Commit Bot

Comment 12 2016-07-11 14:05:12 PDT

Comment on attachment 283332 [details] patch Clearing flags on attachment: 283332 Committed r203083: <http://trac.webkit.org/changeset/203083>

WebKit Commit Bot

Comment 13 2016-07-11 14:05:18 PDT

All reviewed patches have been landed. Closing bug.

Note You need to log in before you can comment on or make changes to this bug.

Status RESOLVED

Resolution FIXED

Priority P2

Severity Normal

Classification Unclassified

Version Safari 9

Hardware All

OS All

Product WebKit

Component Accessibility

Assignee

chris fleizach

Reported

2016-05-18 00:14 PDT

Modified

2016-07-11 14:05 PDT History

CC List

11 users Show

URL

Keywords InRadar

Depends on

Blocks