Bug 158098 - AX: crash at AccessibilityRenderObject::remoteSVGRootElement const
Summary: AX: crash at AccessibilityRenderObject::remoteSVGRootElement const
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: Accessibility
Version: Other
Hardware: All
OS: All
Importance: P2 Normal
Assignee: chris fleizach
Keywords: InRadar
Reported: 2016-05-25 15:48 PDT by chris fleizach
Modified: 2016-05-27 16:18 PDT
CC List: 9 users
Attachments
Patch (4.40 KB, patch), 2016-05-25 15:51 PDT, chris fleizach, no flags
Patch (1.39 KB, patch), 2016-05-27 09:22 PDT, chris fleizach, darin: review+, cfleizach: commit-queue+

Description chris fleizach 2016-05-25 15:48:10 PDT
1 ???                            0000000000 0 + 0
>  2 com.apple.WebCore              0x002c7ca0 WebCore::AccessibilityRenderObject::remoteSVGRootElement() const + 32 (/Library/Caches/com.apple.xbs/Sources/WebCore/WebCore-7602.1.31/rendering/RenderImage.h:138)
   3 com.apple.WebCore              0x002c0936 WebCore::AccessibilityRenderObject::detach(WebCore::AccessibilityDetachmentType, WebCore::AXObjectCache*) + 22 (/Library/Caches/com.apple.xbs/Sources/WebCore/WebCore-7602.1.31/accessibility/AccessibilityRenderObject.cpp:3000)
   4 com.apple.WebCore              0x00337c30 WebCore::AXObjectCache::~AXObjectCache() + 160 (/Library/Caches/com.apple.xbs/Sources/WebCore/WebCore-7602.1.31/accessibility/AXObjectCache.cpp:188)
   5 com.apple.WebCore              0x004bd0e4 WebCore::Document::destroyRenderTree() + 116 (/Applications/Xcode.app/Contents/Developer/Toolchains/OSX10.12.xctoolchain/usr/bin/../include/c++/v1/memory:2525)
   6 com.apple.WebCore              0x00084436 WebCore::Document::prepareForDestruction() + 358 (/Library/Caches/com.apple.xbs/Sources/WebCore/WebCore-7602.1.31/dom/Document.cpp:2353)
   7 com.apple.WebCore              0x0063872e WebCore::Frame::setView(WTF::RefPtr<WebCore::FrameView>&&) + 62 (/Library/Caches/com.apple.xbs/Sources/WebCore/WebCore-7602.1.31/page/Frame.cpp:249)
   8 com.apple.WebCore              0x001094c0 WebCore::FrameLoader::detachFromParent() + 480 (/Library/Caches/com.apple.xbs/Sources/WebCore/WebCore-7602.1.31/loader/FrameLoader.cpp:2521)
   9 com.apple.WebKit               0x00036de8 WebKit::WebPage::close() + 992 (/Library/Caches/com.apple.xbs/Sources/WebKit2/WebKit2-7602.1.31/WebProcess/WebPage/WebPage.cpp:1084)
  10 com.apple.WebKit               0x000d5607 IPC::MessageReceiverMap::dispatchMessage(IPC::Connection&, IPC::MessageDecoder&) + 129 (/Library/Caches/com.apple.xbs/Sources/WebKit2/WebKit2-7602.1.31/Platform/IPC/MessageReceiverMap.cpp:102)
  11 com.apple.WebKit               0x0023e510 WebKit::WebProcess::didReceiveMessage(IPC::Connection&, IPC::MessageDecoder&) + 28 (/Library/Caches/com.apple.xbs/Sources/WebKit2/WebKit2-7602.1.31/WebProcess/WebProcess.cpp:634)
  12 com.apple.WebKit               0x0009e243 IPC::Connection::dispatchMessage(std::__1::unique_ptr<IPC::MessageDecoder, std::__1::default_delete<IPC::MessageDecoder> >) + 127 (/Library/Caches/com.apple.xbs/Sources/WebKit2/WebKit2-7602.1.31/Platform/IPC/Connection.cpp:895)
  13 com.apple.WebKit               0x000a0ff8 IPC::Connection::dispatchOneMessage() + 126 (/Library/Caches/com.apple.xbs/Sources/WebKit2/WebKit2-7602.1.31/Platform/IPC/Connection.cpp:957)
  14 com.apple.JavaScriptCore       0x009ee505 WTF::RunLoop::performWork() + 437 (/BuildRoot/Applications/Xcode.app/Contents/Developer/Toolchains/OSX10.12.xctoolchain/usr/bin/../include/c++/v1/functional:1817)
  15 com.apple.JavaScriptCore       0x009ee8b2 WTF::RunLoop::performWork(void*) + 34 (/BuildRoot/Library/Caches/com.apple.xbs/Sources/WTF/WTF-7602.1.31/wtf/cf/RunLoopCF.cpp:38)
  16 com.apple.CoreFoundation       0x000a7fc1 __CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__ + 17 (/Library/Caches/com.apple.xbs/Sources/CF/CF-1333.16/RunLoop.subproj/CFRunLoop.c:1943)
  17 com.apple.CoreFoundation       0x0008833d __CFRunLoopDoSources0 + 557 (/Library/Caches/com.apple.xbs/Sources/CF/CF-1333.16/RunLoop.subproj/CFRunLoop.c:1989)
  18 com.apple.CoreFoundation       0x00087836 __CFRunLoopRun + 934 (/Library/Caches/com.apple.xbs/Sources/CF/CF-1333.16/RunLoop.subproj/CFRunLoop.c:2821)
  19 com.apple.CoreFoundation       0x0008722d CFRunLoopRunSpecific + 285 (/Library/Caches/com.apple.xbs/Sources/CF/CF-1333.16/RunLoop.subproj/CFRunLoop.c:3103)


<rdar://problem/26324151>
Comment 1 chris fleizach 2016-05-25 15:51:09 PDT
Created attachment 279831 [details]
Patch
Comment 2 Joanmarie Diggs 2016-05-25 20:35:32 PDT
Chris, I'm about to call it a night, so I don't have time to try this myself, but could you trigger it by putting it in a child iframe and then changing that iframe's content or removing the iframe entirely?
Comment 3 chris fleizach 2016-05-25 21:00:02 PDT
(In reply to comment #2)
> Chris, I'm about to call it a night, so I don't have time to try this
> myself, but could you trigger it by putting it a child iframe and then
> changing that iframe's content or removing the iframe entirely?

Exactly what I thought, and I have a test that does that, but I can't make it trigger the document destruction since only the top-level doc maintains the object cache.

So then I put in a WKTR-only method to clear the cache on demand, but then I couldn't trigger what I wanted, which is NOT to ever create this AX object, only to retrieve it right at document destruction, which presumably would cause us to access the bad object. That's when I realized I needed the cache clearing to happen at the same time the render tree was going down, and I couldn't do that in a frame (discovered that after two days of working on this test).
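The hazard described in this thread, as an added toy model that is not WebKit code: an accessibility cache keyed by renderer, torn down after the render tree is gone, whose detach path looks up the remote SVG root. A cache miss under the creating choice has to read the (already destroyed) renderer; the retrieving choice only compares pointers. `Renderer`, `AXObject`, `Cache` and the enum values `Create`/`Retrieve` are hypothetical stand-ins; only the `CreationChoice` parameter name comes from the patch.

```cpp
#include <map>
#include <memory>
enum class CreationChoice { Create, Retrieve };
// Stand-in for a render-tree node; 'alive' models whether destroyRenderTree() ran.
struct Renderer { bool alive = true; };
struct AXObject {
    const Renderer* renderer;       // node this object wraps
    const Renderer* remoteSvgRoot;  // renderer of the embedded SVG root, or nullptr
    bool detached = false;
};
struct Cache {
    std::map<const Renderer*, std::unique_ptr<AXObject>> objects;  // keyed by renderer
    int deadRendererReads = 0;      // counts what would have been the crash
    AXObject* add(const Renderer* r, const Renderer* svgRoot) {
        return (objects[r] = std::make_unique<AXObject>(AXObject{r, svgRoot})).get();
    }
    // Model of remoteSVGRootElement(): the lookup compares pointers only, but a
    // cache miss under Create has to read the renderer to build the new object.
    AXObject* remoteSVGRoot(const AXObject& image, CreationChoice choice) {
        if (!image.remoteSvgRoot) return nullptr;
        auto it = objects.find(image.remoteSvgRoot);
        if (it != objects.end()) return it->second.get();
        if (choice == CreationChoice::Retrieve) return nullptr;
        if (!image.remoteSvgRoot->alive) { ++deadRendererReads; return nullptr; }
        return add(image.remoteSvgRoot, nullptr);
    }
    void detach(AXObject& obj, CreationChoice choice) {
        if (AXObject* root = remoteSVGRoot(obj, choice)) root->detached = true;
        obj.detached = true;
    }
    // Mirrors ~AXObjectCache(), which runs after the render tree is gone.
    void shutdown(CreationChoice choiceUsedByDetach) {
        for (auto& entry : objects) detach(*entry.second, choiceUsedByDetach);
    }
};
// Teardown with an image whose SVG root AX object was never created.
int teardownDeadReads(CreationChoice choice) {
    Renderer image, svgRoot; Cache cache;
    cache.add(&image, &svgRoot);
    image.alive = svgRoot.alive = false;   // Document::destroyRenderTree()
    cache.shutdown(choice);                // ~AXObjectCache() -> detach()
    return cache.deadRendererReads;
}
// While the render tree is alive, Create still builds the SVG root on demand.
bool createWhileAlive() {
    Renderer image, svgRoot; Cache cache;
    AXObject* ax = cache.add(&image, &svgRoot);
    return cache.remoteSVGRoot(*ax, CreationChoice::Create) && cache.objects.size() == 2;
}
```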
Comment 4 chris fleizach 2016-05-26 00:32:32 PDT
Comment on attachment 279831 [details]
Patch

Thanks!
Comment 5 WebKit Commit Bot 2016-05-26 00:53:32 PDT
Comment on attachment 279831 [details]
Patch

Clearing flags on attachment: 279831

Committed r201417: <http://trac.webkit.org/changeset/201417>
Comment 6 WebKit Commit Bot 2016-05-26 00:53:36 PDT
All reviewed patches have been landed.  Closing bug.
Comment 7 Darin Adler 2016-05-27 09:05:45 PDT
Comment on attachment 279831 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=279831&action=review

> Source/WebCore/accessibility/AccessibilityRenderObject.h:249
> +    AccessibilitySVGRoot* remoteSVGRootElement(CreationChoice createIfNecessary) const;
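Review bot: The declaration introduces the CreationChoice parameter but gives no hint which value AccessibilityRenderObject::detach() must pass; the crash trace (frames 2 and 3) shows detach() reaching RenderImage.h from inside ~AXObjectCache(), so that caller is the one that must use the non-creating choice. A one-line comment on this declaration stating that the creating path consults the render tree would make the contract clear to future callers.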

Argument name should be omitted here. The type makes its purpose clear without an argument name.
Comment 8 chris fleizach 2016-05-27 09:22:20 PDT
Created attachment 279965 [details]
Patch
Comment 9 chris fleizach 2016-05-27 09:22:40 PDT
(In reply to comment #7)
> Comment on attachment 279831 [details]
> Patch
> 
> View in context:
> https://bugs.webkit.org/attachment.cgi?id=279831&action=review
> 
> > Source/WebCore/accessibility/AccessibilityRenderObject.h:249
> > +    AccessibilitySVGRoot* remoteSVGRootElement(CreationChoice createIfNecessary) const;
> 
> Argument name should be omitted here. The type makes its purpose clear
> without an argument name.

Thanks. Updated patch:

https://bugs.webkit.org/attachment.cgi?id=279965&action=review