WebKit Bugzilla
RESOLVED FIXED
187528
AX: Crash in accessing AXObjectCache in textMarkerDataForVisiblePosition
https://bugs.webkit.org/show_bug.cgi?id=187528

chris fleizach, Reported 2018-07-10 10:51:26 PDT

<rdar://problem/37231941>

CrashTracer: com.apple.WebKit.WebContent.Development at com.apple.WebCore: WebCore::AXObjectCache::get + 75

Exception Type: EXC_BAD_ACCESS (SIGSEGV)
Exception Codes: KERN_INVALID_ADDRESS at 0x0000000000000020
Exception Note: EXC_CORPSE_NOTIFY

Termination Signal: Segmentation fault: 11
Termination Reason: Namespace SIGNAL, Code 0xb
Terminating Process: exc handler [0]

VM Regions Near 0x20:
--> __TEXT 0000000102505000-0000000102507000 [ 8K] r-x/rwx SM=COW /Volumes/VOLUME/*/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent.Development

Application Specific Information:
CRASHING TEST: accessibility/mac/search-field-cancel-button.html

Thread 0 Crashed:
0 com.apple.WebCore 0x00000007a0aae5db WebCore::AXObjectCache::get(WebCore::Node*) + 75
1 com.apple.WebCore 0x00000007a0aadf4b WebCore::AXObjectCache::getOrCreate(WebCore::Node*) + 43
2 com.apple.WebCore 0x00000007a0ab48e2 WebCore::AXObjectCache::textMarkerDataForVisiblePosition(WebCore::VisiblePosition const&) + 290
3 com.apple.WebCore 0x00000007a15a7dfe -[WebAccessibilityObjectWrapper textMarkerRangeFromVisiblePositions:endPosition:] + 62
4 com.apple.WebCore 0x00000007a03401ce WebCore::AXObjectCache::postTextStateChangePlatformNotification(WebCore::AccessibilityObject*, WebCore::AXTextStateChangeIntent const&, WebCore::VisibleSelection const&) + 494
5 com.apple.WebCore 0x00000007a0ab0c5c WebCore::AXObjectCache::postTextStateChangeNotification(WebCore::AccessibilityObject*, WebCore::AXTextStateChangeIntent const&, WebCore::VisibleSelection const&) + 188
6 com.apple.WebCore 0x00000007a037bfcb WebCore::FrameSelection::notifyAccessibilityForSelectionChange(WebCore::AXTextStateChangeIntent const&) + 203
7 com.apple.WebCore 0x00000007a0e02f87 WebCore::FrameSelection::updateAndRevealSelection(WebCore::AXTextStateChangeIntent const&) + 167
8 com.apple.WebCore 0x00000007a0e087e9 WebCore::FrameSelection::updateAppearanceAfterLayout() + 73
9 com.apple.WebCore 0x00000007a0040c25 WebCore::FrameView::performPostLayoutTasks() + 37
10 com.apple.WebCore 0x00000007a109b3ff WebCore::LayoutContext::runOrScheduleAsynchronousTasks() + 239
11 com.apple.WebCore 0x00000007a10910bc WebCore::LayoutContext::layout() + 1612
12 com.apple.WebCore 0x00000007a0098070 WebCore::Document::updateLayout() + 256
13 com.apple.WebCore 0x00000007a0d29e5c WebCore::Document::updateLayoutIgnorePendingStylesheets(WebCore::Document::RunPostLayoutTasks) + 92
14 com.apple.WebCore 0x00000007a0d55f36 WebCore::Element::boundingClientRect() + 38
1

Attachments
patch (1.48 KB, patch) 2018-07-10 10:59 PDT, chris fleizach, no flags
patch (2.22 KB, patch) 2018-07-10 11:12 PDT, chris fleizach, no flags

Radar WebKit Bug Importer, Comment 1, 2018-07-10 10:52:55 PDT
<rdar://problem/42031055>

chris fleizach, Comment 2, 2018-07-10 10:59:21 PDT
Created attachment 344712 [details]
patch

Nan Wang, Comment 3, 2018-07-10 11:07:12 PDT
Comment on attachment 344712 [details]
patch

r=me
There are other instances of calling someobject->document().axObjectCache(). Do we need to null check those as well? Or is there a better way to know that document is being destructed.

chris fleizach, Comment 4, 2018-07-10 11:10:20 PDT
(In reply to Nan Wang from comment #3)
> Comment on attachment 344712 [details]
> patch
>
> r=me
> There are other instances of calling someobject->document().axObjectCache().
> Do we need to null check those as well? Or is there a better way to know
> that document is being destructed.

I'll check those other instances in this area. We could check if the document is destroyed, but checking the cache seems a bit more straightforward and does the same thing for our purposes.
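
The guard discussed in comments 3 and 4, as an added example that is not the attached patch or WebKit code: the pointer returned by axObjectCache() is tested before any member call, so a missing cache yields "no marker" instead of a fault at a small offset from null like the 0x20 in the report. AXCache, Document, Node, beginTeardown, teardownStarted and the markerID functions are hypothetical stand-ins, and the model in which the cache is absent once the document is being torn down is an assumption taken from the comments.

```cpp
// Added illustration: simplified stand-ins, not WebKit's real classes.
#include <memory>
#include <unordered_map>

struct Node;

// Stand-in for the accessibility cache: hands out one id per node.
class AXCache {
public:
    int getOrCreate(const Node* node)
    {
        auto it = m_ids.find(node); // reads a member, so a null `this` faults here
        if (it == m_ids.end())
            it = m_ids.emplace(node, m_nextID++).first;
        return it->second;
    }
private:
    std::unordered_map<const Node*, int> m_ids;
    int m_nextID { 1 };
};

// Stand-in for Document: once teardown starts the cache is gone (assumed model).
class Document {
public:
    AXCache* axObjectCache() { return m_cache.get(); }
    void beginTeardown() { m_teardownStarted = true; m_cache.reset(); }
    bool teardownStarted() const { return m_teardownStarted; }
private:
    std::unique_ptr<AXCache> m_cache { new AXCache };
    bool m_teardownStarted { false };
};

struct Node { Document& document; };

// Unguarded shape: member call through a pointer that may be null.
int markerIDUnguarded(Node& node)
{
    return node.document.axObjectCache()->getOrCreate(&node);
}

// Guarded shape: test the cache pointer once and report "no marker".
bool markerIDGuarded(Node& node, int& outID)
{
    AXCache* cache = node.document.axObjectCache();
    if (!cache)
        return false; // also covers the teardown case, no separate flag check
    outID = cache->getOrCreate(&node);
    return true;
}
```

In this model the single pointer test covers the torn-down state as well, which is the equivalence comment 4 relies on.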

chris fleizach, Comment 5, 2018-07-10 11:12:48 PDT
Created attachment 344713 [details]
patch

WebKit Commit Bot, Comment 6, 2018-07-10 14:56:09 PDT
Comment on attachment 344713 [details]
patch

Clearing flags on attachment: 344713

Committed r233699: <https://trac.webkit.org/changeset/233699>

WebKit Commit Bot, Comment 7, 2018-07-10 14:56:11 PDT
All reviewed patches have been landed. Closing bug.