WebKit Bugzilla
Bug 158098 - AX: crash at AccessibilityRenderObject::remoteSVGRootElement const
Status: RESOLVED FIXED
https://bugs.webkit.org/show_bug.cgi?id=158098
Reported by chris fleizach, 2016-05-25 15:48:10 PDT
1 ??? 0000000000 0 + 0
2 com.apple.WebCore 0x002c7ca0 WebCore::AccessibilityRenderObject::remoteSVGRootElement() const + 32 (/Library/Caches/com.apple.xbs/Sources/WebCore/WebCore-7602.1.31/rendering/RenderImage.h:138)
3 com.apple.WebCore 0x002c0936 WebCore::AccessibilityRenderObject::detach(WebCore::AccessibilityDetachmentType, WebCore::AXObjectCache*) + 22 (/Library/Caches/com.apple.xbs/Sources/WebCore/WebCore-7602.1.31/accessibility/AccessibilityRenderObject.cpp:3000)
4 com.apple.WebCore 0x00337c30 WebCore::AXObjectCache::~AXObjectCache() + 160 (/Library/Caches/com.apple.xbs/Sources/WebCore/WebCore-7602.1.31/accessibility/AXObjectCache.cpp:188)
5 com.apple.WebCore 0x004bd0e4 WebCore::Document::destroyRenderTree() + 116 (/Applications/Xcode.app/Contents/Developer/Toolchains/OSX10.12.xctoolchain/usr/bin/../include/c++/v1/memory:2525)
6 com.apple.WebCore 0x00084436 WebCore::Document::prepareForDestruction() + 358 (/Library/Caches/com.apple.xbs/Sources/WebCore/WebCore-7602.1.31/dom/Document.cpp:2353)
7 com.apple.WebCore 0x0063872e WebCore::Frame::setView(WTF::RefPtr<WebCore::FrameView>&&) + 62 (/Library/Caches/com.apple.xbs/Sources/WebCore/WebCore-7602.1.31/page/Frame.cpp:249)
8 com.apple.WebCore 0x001094c0 WebCore::FrameLoader::detachFromParent() + 480 (/Library/Caches/com.apple.xbs/Sources/WebCore/WebCore-7602.1.31/loader/FrameLoader.cpp:2521)
9 com.apple.WebKit 0x00036de8 WebKit::WebPage::close() + 992 (/Library/Caches/com.apple.xbs/Sources/WebKit2/WebKit2-7602.1.31/WebProcess/WebPage/WebPage.cpp:1084)
10 com.apple.WebKit 0x000d5607 IPC::MessageReceiverMap::dispatchMessage(IPC::Connection&, IPC::MessageDecoder&) + 129 (/Library/Caches/com.apple.xbs/Sources/WebKit2/WebKit2-7602.1.31/Platform/IPC/MessageReceiverMap.cpp:102)
11 com.apple.WebKit 0x0023e510 WebKit::WebProcess::didReceiveMessage(IPC::Connection&, IPC::MessageDecoder&) + 28 (/Library/Caches/com.apple.xbs/Sources/WebKit2/WebKit2-7602.1.31/WebProcess/WebProcess.cpp:634)
12 com.apple.WebKit 0x0009e243 IPC::Connection::dispatchMessage(std::__1::unique_ptr<IPC::MessageDecoder, std::__1::default_delete<IPC::MessageDecoder> >) + 127 (/Library/Caches/com.apple.xbs/Sources/WebKit2/WebKit2-7602.1.31/Platform/IPC/Connection.cpp:895)
13 com.apple.WebKit 0x000a0ff8 IPC::Connection::dispatchOneMessage() + 126 (/Library/Caches/com.apple.xbs/Sources/WebKit2/WebKit2-7602.1.31/Platform/IPC/Connection.cpp:957)
14 com.apple.JavaScriptCore 0x009ee505 WTF::RunLoop::performWork() + 437 (/BuildRoot/Applications/Xcode.app/Contents/Developer/Toolchains/OSX10.12.xctoolchain/usr/bin/../include/c++/v1/functional:1817)
15 com.apple.JavaScriptCore 0x009ee8b2 WTF::RunLoop::performWork(void*) + 34 (/BuildRoot/Library/Caches/com.apple.xbs/Sources/WTF/WTF-7602.1.31/wtf/cf/RunLoopCF.cpp:38)
16 com.apple.CoreFoundation 0x000a7fc1 __CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__ + 17 (/Library/Caches/com.apple.xbs/Sources/CF/CF-1333.16/RunLoop.subproj/CFRunLoop.c:1943)
17 com.apple.CoreFoundation 0x0008833d __CFRunLoopDoSources0 + 557 (/Library/Caches/com.apple.xbs/Sources/CF/CF-1333.16/RunLoop.subproj/CFRunLoop.c:1989)
18 com.apple.CoreFoundation 0x00087836 __CFRunLoopRun + 934 (/Library/Caches/com.apple.xbs/Sources/CF/CF-1333.16/RunLoop.subproj/CFRunLoop.c:2821)
19 com.apple.CoreFoundation 0x0008722d CFRunLoopRunSpecific + 285 (/Library/Caches/com.apple.xbs/Sources/CF/CF-1333.16/RunLoop.subproj/CFRunLoop.c:3103)
<rdar://problem/26324151>
Attachments
Patch (4.40 KB, patch), 2016-05-25 15:51 PDT, chris fleizach, no flags
Patch (1.39 KB, patch), 2016-05-27 09:22 PDT, chris fleizach, darin: review+, cfleizach: commit-queue+
Comment 1, chris fleizach, 2016-05-25 15:51:09 PDT
Created attachment 279831 [details]: Patch
Comment 2, Joanmarie Diggs, 2016-05-25 20:35:32 PDT
Chris, I'm about to call it a night, so I don't have time to try this myself, but could you trigger it by putting it in a child iframe and then changing that iframe's content or removing the iframe entirely?
Comment 3, chris fleizach, 2016-05-25 21:00:02 PDT
(In reply to comment #2)
> Chris, I'm about to call it a night, so I don't have time to try this
> myself, but could you trigger it by putting it in a child iframe and then
> changing that iframe's content or removing the iframe entirely?
Exactly what I thought, and I have a test that does that, but I can't make it trigger the document destruction, since only the top-level doc maintains the object cache. So then I put in a WKTR-only method to clear the cache on demand, but then I couldn't trigger what I wanted, which is NOT to ever create this ax object, only to retrieve it right at document destruction, which presumably would cause us to access the bad object. That's when I realized I needed the cache clearing to happen at the same time the render tree was going down, and I couldn't do that in a frame (discovered that after two days of working on this test).
Comment 4, chris fleizach, 2016-05-26 00:32:32 PDT
Comment on attachment 279831 [details]: Patch
Thanks!
Comment 5, WebKit Commit Bot, 2016-05-26 00:53:32 PDT
Comment on attachment 279831 [details]: Patch
Clearing flags on attachment: 279831
Committed r201417: <http://trac.webkit.org/changeset/201417>
Comment 6, WebKit Commit Bot, 2016-05-26 00:53:36 PDT
All reviewed patches have been landed. Closing bug.
Comment 7, Darin Adler, 2016-05-27 09:05:45 PDT
Comment on attachment 279831 [details]: Patch
View in context: https://bugs.webkit.org/attachment.cgi?id=279831&action=review

> Source/WebCore/accessibility/AccessibilityRenderObject.h:249
> + AccessibilitySVGRoot* remoteSVGRootElement(CreationChoice createIfNecessary) const;

Argument name should be omitted here. The type makes its purpose clear without an argument name.
Comment 8, chris fleizach, 2016-05-27 09:22:20 PDT
Created attachment 279965 [details]: Patch
Comment 9, chris fleizach, 2016-05-27 09:22:40 PDT
(In reply to comment #7)
> Comment on attachment 279831 [details]: Patch
>
> View in context: https://bugs.webkit.org/attachment.cgi?id=279831&action=review
>
> > Source/WebCore/accessibility/AccessibilityRenderObject.h:249
> > + AccessibilitySVGRoot* remoteSVGRootElement(CreationChoice createIfNecessary) const;
>
> Argument name should be omitted here. The type makes its purpose clear
> without an argument name.
Thanks. Updated patch:
https://bugs.webkit.org/attachment.cgi?id=279965&action=review
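The pattern behind the fix discussed in comments 3 and 7 is a lookup that must not create anything while the render tree is being torn down: the accessibility cache is destroyed from Document::destroyRenderTree(), so a detach path that creates a wrapper for the remote SVG root can wrap a renderer that is already gone. The following is an added illustration of that pattern in a tiny model, not WebKit code; RenderObject, AXObject, AXObjectCache, CreationChoice and every function below are stand-ins chosen for this example, and the "alive" flag replaces real memory freeing so the dangling wrapper can be counted instead of dereferenced.

```cpp
#include <cstddef>
#include <map>
#include <memory>
#include <utility>
#include <vector>

// Hypothetical lookup policy, modelled on the CreationChoice parameter
// discussed in the review above; not WebKit's enum.
enum class CreationChoice { CreateIfNecessary, DoNotCreate };

// Stand-in for a renderer. A real renderer is freed outright; the flag lets
// this example count wrappers of destroyed renderers safely.
struct RenderObject {
    int id;
    bool alive;
};

// Stand-in for an accessibility wrapper around a renderer.
struct AXObject {
    const RenderObject* renderer;
    const RenderObject* remoteSVGRoot; // set for an image that embeds an SVG document
};

class AXObjectCache {
public:
    // Return the wrapper for a renderer, creating it only when the caller's
    // policy allows. A query from assistive technology passes
    // CreateIfNecessary; a teardown path passes DoNotCreate so nothing new
    // can wrap a renderer that is already being destroyed.
    AXObject* get(const RenderObject* renderer, CreationChoice choice,
                  const RenderObject* remoteSVGRoot = nullptr) {
        auto it = m_objects.find(renderer);
        if (it != m_objects.end())
            return it->second.get();
        if (choice == CreationChoice::DoNotCreate)
            return nullptr;
        std::unique_ptr<AXObject> object(new AXObject{renderer, remoteSVGRoot});
        AXObject* raw = object.get();
        m_objects[renderer] = std::move(object);
        return raw;
    }

    // Models the cache destructor: every wrapper is detached, and detaching
    // an image wrapper looks up its remote SVG root with the given policy.
    void detachAll(CreationChoice choice) {
        std::vector<const RenderObject*> keys;
        for (const auto& entry : m_objects)
            keys.push_back(entry.first);
        for (const RenderObject* key : keys) {
            const AXObject* object = m_objects.at(key).get();
            if (object->remoteSVGRoot)
                get(object->remoteSVGRoot, choice); // the remoteSVGRootElement(choice) call
        }
    }

    // Wrappers whose renderer has already been destroyed.
    std::size_t danglingWrappers() const {
        std::size_t count = 0;
        for (const auto& entry : m_objects)
            if (!entry.second->renderer->alive)
                ++count;
        return count;
    }

    std::size_t size() const { return m_objects.size(); }

private:
    std::map<const RenderObject*, std::unique_ptr<AXObject>> m_objects;
};

// Replays the order of events in the crash trace: an image wrapper exists,
// its remote SVG root was never wrapped, the render tree starts going away,
// then the cache is destroyed. Returns how many wrappers end up pointing at
// a destroyed renderer under the given detach-time lookup policy.
std::size_t danglingWrappersAfterTeardown(CreationChoice detachPolicy) {
    RenderObject image{1, true};
    RenderObject remoteSVGRoot{2, true};
    AXObjectCache cache;

    // Earlier, assistive technology asked about the image, so it was wrapped.
    cache.get(&image, CreationChoice::CreateIfNecessary, &remoteSVGRoot);

    // Render tree teardown: the embedded SVG document's renderers go first.
    remoteSVGRoot.alive = false;

    // ~AXObjectCache(): detach everything with the chosen lookup policy.
    cache.detachAll(detachPolicy);
    return cache.danglingWrappers();
}
```

With CreateIfNecessary the detach path manufactures a wrapper for the already-destroyed SVG root (one dangling wrapper, which in the real code is the read at RenderImage.h:138); with DoNotCreate the lookup returns null and nothing dangles. The general rule it illustrates is that any cache consulted during destruction needs a retrieve-only entry point, and the destructor must use it.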