Bug 215521 - RESOLVED DUPLICATE of bug 214882
Crash in WebCore::AXObjectCache::rangeMatchesTextNearRange.
https://bugs.webkit.org/show_bug.cgi?id=215521
Andres Gonzalez
Reported 2020-08-14 13:30:38 PDT
Crash in WebCore::AXObjectCache::rangeMatchesTextNearRange.
Attachments
Patch (1.79 KB, patch)
2020-08-14 13:43 PDT, Andres Gonzalez
no flags
Andres Gonzalez
Comment 1 2020-08-14 13:40:06 PDT
Andres Gonzalez
Comment 2 2020-08-14 13:42:49 PDT
49 WebCore: WebCore::AXObjectCache::rangeMatchesTextNearRange(WebCore::SimpleRange const&, WTF::String const&) <==
49 WebCore: WebCore::AXObjectCache::rangeMatchesTextNearRange(WebCore::SimpleRange const&, WTF::String const&)
49 WebCore: -[WebAccessibilityObjectWrapper rangeFromMarkers:withText:]
49 WebCore: -[WebAccessibilityObjectWrapper textRectsFromMarkers:withText:]
49 WebCore: __107-[UIKitWebAccessibilityObjectWrapper _accessibilityTextRectsForSpeakThisStringRange:string:wantsSentences:]_block_invoke
49 AccessibilityUtilities: AXPerformSafeBlock
49 WebCore: -[UIKitWebAccessibilityObjectWrapper _accessibilityTextRectsForSpeakThisStringRange:string:wantsSentences:]
49 UIAccessibility: -[NSObject(AXPrivCategory) _iosAccessibilityAttributeValue:forParameter:]
27 WebProcess: __40+[AXWebProcessGlue _initializeAXRuntime]_block_invoke.175 |
27 AXRuntime: _copyParameterizedAttributeValueCallback |
27 AXRuntime: ___AXXMIGCopyParameterizedAttributeValue_block_invoke |
27 AXRuntime: _handleNonMainThreadCallback |
27 AXRuntime: _AXXMIGCopyParameterizedAttributeValue |
27 AXRuntime: _XCopyParameterizedAttributeValue |
27 AXRuntime: mshMIGPerform |
27 CoreFoundation: __CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE1_PERFORM_FUNCTION__ |
27 CoreFoundation: __CFRunLoopDoSource1 |
27 CoreFoundation: __CFRunLoopRun |
27 CoreFoundation: CFRunLoopRunSpecific |
27 Foundation: -[NSRunLoop(NSRunLoop) runMode:beforeDate:] |
27 Foundation: -[NSRunLoop(NSRunLoop) run] |
27 libxpc.dylib: _xpc_objc_main |
27 libxpc.dylib: xpc_main |
27 WebKit: WebKit::XPCServiceMain(int, char const**) |
27 libdyld.dylib:
22 WebProcess: __40+[AXWebProcessGlue _initializeAXRuntime]_block_invoke.128
22 AXRuntime: _copyParameterizedAttributeValueCallback
22 AXRuntime: ___AXXMIGCopyParameterizedAttributeValue_block_invoke
22 AXRuntime: _handleNonMainThreadCallback
22 AXRuntime: _AXXMIGCopyParameterizedAttributeValue
22 AXRuntime: _XCopyParameterizedAttributeValue
22 AXRuntime: mshMIGPerform
22 CoreFoundation: __CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE1_PERFORM_FUNCTION__
22 CoreFoundation: __CFRunLoopDoSource1
22 CoreFoundation: __CFRunLoopRun
22 CoreFoundation: CFRunLoopRunSpecific
22 Foundation: -[NSRunLoop(NSRunLoop) runMode:beforeDate:]
22 Foundation: -[NSRunLoop(NSRunLoop) run]
22 libxpc.dylib: _xpc_objc_main
22 libxpc.dylib: xpc_main
22 WebKit: WebKit::XPCServiceMain(int, char const**)
22 libdyld.dylib:
Andres Gonzalez
Comment 3 2020-08-14 13:43:59 PDT
Darin Adler
Comment 4 2020-08-14 14:45:26 PDT
Comment on attachment 406617 [details] Patch
View in context: https://bugs.webkit.org/attachment.cgi?id=406617&action=review

> Source/WebCore/accessibility/AXObjectCache.cpp:2009
> + if (startPosition.isNull() || endPosition.isNull())
> + return WTF::nullopt;
>
> auto searchRange = makeSimpleRange(startPosition, endPosition);
> if (!searchRange || searchRange->collapsed())

This can’t be correct; it has no effect. When we call makeSimpleRange on start and end, if either is null, then the range returned is nullopt. So the check below this takes care of this case. So this change should have no effect, unless there is something further going on.
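Review bot: the two added lines at AXObjectCache.cpp:2009 are unreachable as a fix, because the `if (!searchRange || searchRange->collapsed())` test immediately below already returns for the null-position case (makeSimpleRange yields nullopt when either position is null); drop the addition, and if a branch still constructs the range with the older `SimpleRange { *makeBoundaryPoint(startPosition), *makeBoundaryPoint(endPosition) }` form, place the null check on that branch, where the unchecked dereference actually lives.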
Darin Adler
Comment 5 2020-08-14 14:54:02 PDT
I am pretty sure this change won’t fix this bug, or any bug.
EWS
Comment 6 2020-08-14 14:55:35 PDT
Committed r265705: <https://trac.webkit.org/changeset/265705>
All reviewed patches have been landed. Closing bug and clearing flags on attachment 406617 [details].
chris fleizach
Comment 7 2020-08-14 15:04:47 PDT
(In reply to Darin Adler from comment #5)
> I am pretty sure this change won’t fix this bug, or any bug.

Any other ideas based on crash tracer?
Andres Gonzalez
Comment 8 2020-08-14 15:13:14 PDT
Reopening for further investigation based on Darin Adler’s comment.
Darin Adler
Comment 9 2020-08-14 15:15:41 PDT
Based on our Apple internal CrashTracer data it looks like this was indeed a crash on this line of code in this version of the file: https://trac.webkit.org/browser/webkit/tags/Safari-610.1.15.50.3/Source/WebCore/accessibility/AXObjectCache.cpp

auto searchRange = SimpleRange { *makeBoundaryPoint(startPosition), *makeBoundaryPoint(endPosition) };

That code assumes startPosition and endPosition can't be null. I fixed the crash in <https://trac.webkit.org/changeset/265044> where I moved to the new null-checking version of makeSimpleRange and added a null check. So this additional change is unnecessary, since the bug was fixed 2 weeks ago. The CrashTracer reports are from before that point.
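As an added illustration (not WebKit's own code) of the distinction comment 9 draws between the unchecked construction and the null-checking makeSimpleRange, using constructed stand-ins for Position, BoundaryPoint and SimpleRange:

```cpp
#include <cassert>
#include <optional>

// Constructed stand-in for WebCore's Position: a node id plus an offset,
// with a "null" state for positions that could not be resolved.
struct Position {
    int nodeId = -1;
    unsigned offset = 0;
    bool isNull() const { return nodeId < 0; }
};

struct BoundaryPoint { int nodeId; unsigned offset; };
struct SimpleRange {
    BoundaryPoint start, end;
    bool collapsed() const { return start.nodeId == end.nodeId && start.offset == end.offset; }
};

// Resolving a null position yields no boundary point.
std::optional<BoundaryPoint> makeBoundaryPoint(const Position& p) {
    if (p.isNull())
        return std::nullopt;
    return BoundaryPoint { p.nodeId, p.offset };
}

// The pre-r265044 pattern quoted in comment 9 was
//   SimpleRange { *makeBoundaryPoint(start), *makeBoundaryPoint(end) }
// which dereferences an empty optional (undefined behaviour, seen as the
// crash) whenever either position is null. The null-checking form
// propagates the empty optional to the caller instead:
std::optional<SimpleRange> makeSimpleRange(const Position& start, const Position& end) {
    auto s = makeBoundaryPoint(start);
    auto e = makeBoundaryPoint(end);
    if (!s || !e)
        return std::nullopt;
    return SimpleRange { *s, *e };
}

// Caller shaped like the hunk in comment 4: the single test on the returned
// optional already rejects null inputs, so a separate isNull() check on the
// positions ahead of it cannot change the outcome.
bool hasUsableSearchRange(const Position& start, const Position& end) {
    auto searchRange = makeSimpleRange(start, end);
    if (!searchRange || searchRange->collapsed())
        return false;
    return true;
}
```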
Darin Adler
Comment 10 2020-08-14 15:18:27 PDT
So that means that this patch was harmless, but unnecessary. And I suggest reverting it. Unless there is some branch that diverged before r260544; that branch might benefit from this fix.
Darin Adler
Comment 11 2020-08-14 15:35:11 PDT
So ... no rush, but please do revert these unnecessary additional checks at some point.
Andres Gonzalez
Comment 12 2020-08-15 10:16:25 PDT
*** This bug has been marked as a duplicate of bug 214882 ***