Crash in WebCore::AXObjectCache::rangeMatchesTextNearRange.
<rdar://problem/64773177>
49 WebCore: WebCore::AXObjectCache::rangeMatchesTextNearRange(WebCore::SimpleRange const&, WTF::String const&) <==
49 WebCore: WebCore::AXObjectCache::rangeMatchesTextNearRange(WebCore::SimpleRange const&, WTF::String const&)
49 WebCore: -[WebAccessibilityObjectWrapper rangeFromMarkers:withText:]
49 WebCore: -[WebAccessibilityObjectWrapper textRectsFromMarkers:withText:]
49 WebCore: __107-[UIKitWebAccessibilityObjectWrapper _accessibilityTextRectsForSpeakThisStringRange:string:wantsSentences:]_block_invoke
49 AccessibilityUtilities: AXPerformSafeBlock
49 WebCore: -[UIKitWebAccessibilityObjectWrapper _accessibilityTextRectsForSpeakThisStringRange:string:wantsSentences:]
49 UIAccessibility: -[NSObject(AXPrivCategory) _iosAccessibilityAttributeValue:forParameter:]
  27 WebProcess: __40+[AXWebProcessGlue _initializeAXRuntime]_block_invoke.175
  27 AXRuntime: _copyParameterizedAttributeValueCallback
  27 AXRuntime: ___AXXMIGCopyParameterizedAttributeValue_block_invoke
  27 AXRuntime: _handleNonMainThreadCallback
  27 AXRuntime: _AXXMIGCopyParameterizedAttributeValue
  27 AXRuntime: _XCopyParameterizedAttributeValue
  27 AXRuntime: mshMIGPerform
  27 CoreFoundation: __CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE1_PERFORM_FUNCTION__
  27 CoreFoundation: __CFRunLoopDoSource1
  27 CoreFoundation: __CFRunLoopRun
  27 CoreFoundation: CFRunLoopRunSpecific
  27 Foundation: -[NSRunLoop(NSRunLoop) runMode:beforeDate:]
  27 Foundation: -[NSRunLoop(NSRunLoop) run]
  27 libxpc.dylib: _xpc_objc_main
  27 libxpc.dylib: xpc_main
  27 WebKit: WebKit::XPCServiceMain(int, char const**)
  27 libdyld.dylib:
  22 WebProcess: __40+[AXWebProcessGlue _initializeAXRuntime]_block_invoke.128
  22 AXRuntime: _copyParameterizedAttributeValueCallback
  22 AXRuntime: ___AXXMIGCopyParameterizedAttributeValue_block_invoke
  22 AXRuntime: _handleNonMainThreadCallback
  22 AXRuntime: _AXXMIGCopyParameterizedAttributeValue
  22 AXRuntime: _XCopyParameterizedAttributeValue
  22 AXRuntime: mshMIGPerform
  22 CoreFoundation: __CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE1_PERFORM_FUNCTION__
  22 CoreFoundation: __CFRunLoopDoSource1
  22 CoreFoundation: __CFRunLoopRun
  22 CoreFoundation: CFRunLoopRunSpecific
  22 Foundation: -[NSRunLoop(NSRunLoop) runMode:beforeDate:]
  22 Foundation: -[NSRunLoop(NSRunLoop) run]
  22 libxpc.dylib: _xpc_objc_main
  22 libxpc.dylib: xpc_main
  22 WebKit: WebKit::XPCServiceMain(int, char const**)
  22 libdyld.dylib:
Created attachment 406617: Patch
Comment on attachment 406617: Patch
View in context: https://bugs.webkit.org/attachment.cgi?id=406617&action=review

> Source/WebCore/accessibility/AXObjectCache.cpp:2009
> + if (startPosition.isNull() || endPosition.isNull())
> + return WTF::nullopt;
>
> auto searchRange = makeSimpleRange(startPosition, endPosition);
> if (!searchRange || searchRange->collapsed())

This can’t be correct; it has no effect. When we call makeSimpleRange on start and end, if either is null, then the range returned is nullopt. So the check below this takes care of this case. So this change should have no effect, unless there is something further going on.
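Review bot: the two added lines at AXObjectCache.cpp:2009 are redundant with the existing `if (!searchRange || searchRange->collapsed())` check that immediately follows them, because makeSimpleRange(startPosition, endPosition) already yields nullopt when either position is null, so the early `return WTF::nullopt;` never changes the function's result; drop the added check, or, if it is meant to guard a dereference elsewhere, the patch should show that site and explain why the existing check does not cover it.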
I am pretty sure this change won’t fix this bug, or any bug.
Committed r265705: <https://trac.webkit.org/changeset/265705>

All reviewed patches have been landed. Closing bug and clearing flags on attachment 406617.
(In reply to Darin Adler from comment #5)
> I am pretty sure this change won’t fix this bug, or any bug.

Any other ideas based on crash tracer?
Reopening for further investigation based on Darin Adler’s comment.
Based on our Apple internal CrashTracer data it looks like this was indeed a crash on this line of code in this version of the file: https://trac.webkit.org/browser/webkit/tags/Safari-610.1.15.50.3/Source/WebCore/accessibility/AXObjectCache.cpp

    auto searchRange = SimpleRange { *makeBoundaryPoint(startPosition), *makeBoundaryPoint(endPosition) };

That code assumes startPosition and endPosition can't be null. I fixed the crash in <https://trac.webkit.org/changeset/265044>, where I moved to the new null-checking version of makeSimpleRange and added a null check. So this additional change is unnecessary, since the bug was fixed 2 weeks ago. The CrashTracer reports are from before that point.
So that means that this patch was harmless, but unnecessary. And I suggest reverting it. Unless there is some branch that diverged before r260544; that branch might benefit from this fix.
So ... no rush, but please do revert these unnecessary additional checks at some point.
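A minimal C++ model of the null handling discussed above, added here as an illustration rather than code from WebKit: the stand-in Position, BoundaryPoint and SimpleRange types and the helper bodies are assumptions, and only the function names and the two code shapes (the unchecked dereference and the null-checking makeSimpleRange) come from this thread.

```cpp
// Added example, not WebKit's code: a minimal stand-in for WebCore's
// makeBoundaryPoint / makeSimpleRange null handling discussed in this bug.
#include <optional>

struct Position {
    int node;    // 0 models a null node
    int offset;
    bool isNull() const { return node == 0; }
};

struct BoundaryPoint { int node; int offset; };

struct SimpleRange {
    BoundaryPoint start, end;
    bool collapsed() const { return start.node == end.node && start.offset == end.offset; }
};

// A null Position has no boundary point. The older form
//   SimpleRange { *makeBoundaryPoint(start), *makeBoundaryPoint(end) }
// (the Safari-610.1.15.50.3 code quoted above) dereferences an empty optional
// when either position is null, which is the crash this bug reports.
std::optional<BoundaryPoint> makeBoundaryPoint(const Position& p)
{
    if (p.isNull())
        return std::nullopt;
    return BoundaryPoint { p.node, p.offset };
}

// The null-checking makeSimpleRange that r265044 switched to: nullopt if either end is missing.
std::optional<SimpleRange> makeSimpleRange(const Position& start, const Position& end)
{
    auto s = makeBoundaryPoint(start);
    auto e = makeBoundaryPoint(end);
    if (!s || !e)
        return std::nullopt;
    return SimpleRange { *s, *e };
}

// The search-range step from rangeMatchesTextNearRange, with the isNull()
// checks from attachment 406617 made switchable so both forms can be compared.
std::optional<SimpleRange> searchRangeFor(const Position& start, const Position& end, bool extraNullCheck)
{
    if (extraNullCheck && (start.isNull() || end.isNull()))
        return std::nullopt;
    auto searchRange = makeSimpleRange(start, end);
    if (!searchRange || searchRange->collapsed())
        return std::nullopt;
    return searchRange;
}
```

Running searchRangeFor with and without the extra check over null, collapsed and valid inputs gives identical results, which is the point made in the review.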
*** This bug has been marked as a duplicate of bug 214882 ***