Bug 158685 - AX: CrashTracer: com.apple.WebKit.WebContent at WebCore::AccessibilityRenderObject::remoteSVGRootElement const + 227
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: Accessibility
Version: Safari 9
Hardware: All All
Importance: P2 Normal
Assignee: chris fleizach
Keywords: InRadar
Reported: 2016-06-12 23:10 PDT by chris fleizach
Modified: 2016-06-13 16:03 PDT

Attachments
Patch (1.62 KB, patch)
2016-06-12 23:12 PDT, chris fleizach

Description chris fleizach 2016-06-12 23:10:33 PDT
Exception Codes:       KERN_INVALID_ADDRESS at 0x0000000000000000

Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
0   com.apple.WebCore             	0x1102ec6d3 WebCore::AccessibilityRenderObject::remoteSVGRootElement(WebCore::AccessibilityRenderObject::CreationChoice) const + 227 (/Library/Caches/com.apple.xbs/Sources/WebCore/WebCore-7602.1.35/accessibility/AccessibilitySVGRoot.h:55)
1   com.apple.WebCore             	0x1102e427b WebCore::AccessibilityRenderObject::detach(WebCore::AccessibilityDetachmentType, WebCore::AXObjectCache*) + 27 (/Library/Caches/com.apple.xbs/Sources/WebCore/WebCore-7602.1.35/accessibility/AccessibilityRenderObject.cpp:2976)
2   com.apple.WebCore             	0x11035bfb9 WebCore::AXObjectCache::~AXObjectCache() + 153 (/Library/Caches/com.apple.xbs/Sources/WebCore/WebCore-7602.1.35/accessibility/AXObjectCache.cpp:193)
3   com.apple.WebCore             	0x1104dc4d4 WebCore::Document::destroyRenderTree() + 116 (/Applications/Xcode.app/Contents/Developer/Toolchains/OSX10.11.xctoolchain/usr/bin/../include/c++/v1/memory:2459)
4   com.apple.WebCore             	0x1100a4a06 WebCore::Document::prepareForDestruction() + 358 (/Library/Caches/com.apple.xbs/Sources/WebCore/WebCore-7602.1.35/dom/Document.cpp:2325)

---

Smoking gun

    if (!is<AccessibilitySVGRoot>(*rootSVGObject))

Trying to take nil ptr rootSVGObject and dereference it


<rdar://problem/26755269>
Comment 1 chris fleizach 2016-06-12 23:12:55 PDT
Created attachment 281159
Patch
Comment 2 David Kilzer (:ddkilzer) 2016-06-13 14:00:30 PDT
Comment on attachment 281159
Patch

r=me
Comment 3 WebKit Commit Bot 2016-06-13 16:03:44 PDT
Comment on attachment 281159
Patch

Clearing flags on attachment: 281159

Committed r202014: <http://trac.webkit.org/changeset/202014>
Comment 4 WebKit Commit Bot 2016-06-13 16:03:49 PDT
All reviewed patches have been landed.  Closing bug.