Crash ASSERT in AccessibilityRenderObject::textUnderElement during AXIsolatedObject initialization.
(lldb) bt * thread #1, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0xbbadbeef) * frame #0: 0x00000005ff7e01ee JavaScriptCore`::WTFCrash() at Assertions.cpp:295:35 frame #1: 0x00000005ff7e0209 JavaScriptCore`::WTFCrashWithSecurityImplication() at Assertions.cpp:316:5 frame #2: 0x00000005e1f2349d WebCore`WebCore::AccessibilityRenderObject::textUnderElement(this=0x00000006169b6100, mode=AccessibilityTextUnderElementMode @ 0x00007ffee16cc0a8) const at AccessibilityRenderObject.cpp:677:17 frame #3: 0x00000005e1f0d05f WebCore`WebCore::AccessibilityNodeObject::textUnderElement(this=0x0000000613be1580, mode=AccessibilityTextUnderElementMode @ 0x00007ffee16cc1e8) const at AccessibilityNodeObject.cpp:1869:35 frame #4: 0x00000005e1f236c8 WebCore`WebCore::AccessibilityRenderObject::textUnderElement(this=0x0000000613be1580, mode=AccessibilityTextUnderElementMode @ 0x00007ffee16cc368) const at AccessibilityRenderObject.cpp:700:37 frame #5: 0x00000005e1f0bb27 WebCore`WebCore::AccessibilityNodeObject::visibleText(this=0x0000000613be1580, textOrder=0x00007ffee16cc5b0) const at AccessibilityNodeObject.cpp:1495:23 frame #6: 0x00000005e1f0c132 WebCore`WebCore::AccessibilityNodeObject::accessibilityText(this=0x0000000613be1580, textOrder=0x00007ffee16cc5b0) const at AccessibilityNodeObject.cpp:1542:5 frame #7: 0x00000005dff7bb20 WebCore`WebCore::AccessibilityObject::descriptionAttributeValue(this=0x0000000613be1580) const at AccessibilityObjectBase.mm:101:5 frame #8: 0x00000005e1f62740 WebCore`WebCore::AXIsolatedObject::initializeAttributeData(this=0x000000061678dd20, object=0x0000000613be1580, isRoot=false) at AXIsolatedObject.cpp:73:53 frame #9: 0x00000005e1f624d7 WebCore`WebCore::AXIsolatedObject::AXIsolatedObject(this=0x000000061678dd20, object=0x0000000613be1580, tree=0x00000006139967d0, parentID=17) at AXIsolatedObject.cpp:46:9 frame #10: 0x00000005e1f687dd WebCore`WebCore::AXIsolatedObject::AXIsolatedObject(this=0x000000061678dd20, object=0x0000000613be1580, tree=0x00000006139967d0, parentID=17) at AXIsolatedObject.cpp:43:1 frame #11: 0x00000005e1f6883b WebCore`WebCore::AXIsolatedObject::create(object=0x0000000613be1580, tree=0x00000006139967d0, parentID=17) at AXIsolatedObject.cpp:55:26 frame #12: 0x00000005e1f75327 WebCore`WebCore::AXIsolatedTree::createSubtree(this=0x00000006139967d0, axObject=0x0000000613be1580, parentID=17, attachWrapper=true) at AXIsolatedTree.cpp:202:19 frame #13: 0x00000005e1f74441 WebCore`WebCore::AXIsolatedTree::generateSubtree(this=0x00000006139967d0, axObject=0x0000000613be1580, axParent=0x000000060f727900, attachWrapper=true) at AXIsolatedTree.cpp:189:19 frame #14: 0x00000005e1f76aa9 WebCore`WebCore::AXIsolatedTree::updateChildren(this=0x00000006139967d0, axObject=0x000000060f727300) at AXIsolatedTree.cpp:336:13 frame #15: 0x00000005e1ea83c3 WebCore`WebCore::AXObjectCache::updateIsolatedTree(this=0x000000060d45c800, notifications=0x00007ffee16d0558) at AXObjectCache.cpp:3274:23 frame #16: 0x00000005e1ea0c89 WebCore`WebCore::AXObjectCache::notificationPostTimerFired(this=0x000000060d45c800) at AXObjectCache.cpp:1104:5 frame #17: 0x00000005e1ecff47 WebCore`decltype(__f=0x000000060d2e46c8, __a0=0x000000060d2e46d8)).*fp()) std::__1::__invoke<void (WebCore::AXObjectCache::*&)(), WebCore::AXObjectCache*&, void>(void (WebCore::AXObjectCache::*&)(), WebCore::AXObjectCache*&) at type_traits:3688:1 frame #18: 0x00000005e1ecfec0 WebCore`std::__1::__bind_return<void (WebCore::AXObjectCache::*)(), std::__1::tuple<WebCore::AXObjectCache*>, std::__1::tuple<>, __is_valid_bind_return<void (WebCore::AXObjectCache::*)(), std::__1::tuple<WebCore::AXObjectCache*>, std::__1::tuple<> >::value>::type std::__1::__apply_functor<void (__f=0x000000060d2e46c8, __bound_args=size=1, (null)=__tuple_indices<0> @ 0x00007ffee16d0618, __args=size=0)(), std::__1::tuple<WebCore::AXObjectCache*>, 0ul, std::__1::tuple<> >(void (WebCore::AXObjectCache::*&)(), std::__1::tuple<WebCore::AXObjectCache*>&, std::__1::__tuple_indices<0ul>, std::__1::tuple<>&&) at functional:2852:12 frame #19: 0x00000005e1ecfe79 WebCore`std::__1::__bind_return<void (WebCore::AXObjectCache::*)(), std::__1::tuple<WebCore::AXObjectCache*>, std::__1::tuple<>, __is_valid_bind_return<void (WebCore::AXObjectCache::*)(), std::__1::tuple<WebCore::AXObjectCache*>, std::__1::tuple<> >::value>::type std::__1::__bind<void (this=0x000000060d2e46c8)(), WebCore::AXObjectCache*>::operator()<>() at functional:2885:20 frame #20: 0x00000005e1ecfe1e WebCore`WTF::Detail::CallableWrapper<std::__1::__bind<void (WebCore::AXObjectCache::*&)(), WebCore::AXObjectCache*>, void>::call(this=0x000000060d2e46c0) at Function.h:52:39 frame #21: 0x00000005df84b6d2 WebCore`WTF::Function<void ()>::operator(this=0x000000060d45c8f8)() const at Function.h:83:35 frame #22: 0x00000005df8876de WebCore`WebCore::Timer::fired(this=0x000000060d45c8d0) at Timer.h:136:9 frame #23: 0x00000005e36c8b64 WebCore`WebCore::ThreadTimers::sharedTimerFiredInternal(this=0x0000000606e84aa0) at ThreadTimers.cpp:127:23 frame #24: 0x00000005e36d3991 WebCore`WebCore::ThreadTimers::setSharedTimer(this=0x0000000606efaa98)::$_0::operator()() const at ThreadTimers.cpp:67:80 frame #25: 0x00000005e36d393e WebCore`WTF::Detail::CallableWrapper<WebCore::ThreadTimers::setSharedTimer(WebCore::SharedTimer*)::$_0, void>::call(this=0x0000000606efaa90) at Function.h:52:39 frame #26: 0x00000005df84b6d2 WebCore`WTF::Function<void ()>::operator(this=0x00000005e7330468)() const at Function.h:83:35 frame #27: 0x00000005e368f6eb WebCore`WebCore::MainThreadSharedTimer::fired(this=0x00000005e7330460) at MainThreadSharedTimer.cpp:83:5 frame #28: 0x00000005e3738276 WebCore`WebCore::timerFired((null)=0x00007fa3f3408930, (null)=0x0000000000000000) at MainThreadSharedTimerCF.cpp:74:40 frame #29: 0x00007fff204916f9 CoreFoundation`__CFRUNLOOP_IS_CALLING_OUT_TO_A_TIMER_CALLBACK_FUNCTION__ + 20 frame #30: 0x00007fff204911ed CoreFoundation`__CFRunLoopDoTimer + 927 frame #31: 0x00007fff20490d4a CoreFoundation`__CFRunLoopDoTimers + 307 frame #32: 0x00007fff20477383 CoreFoundation`__CFRunLoopRun + 1988 frame #33: 0x00007fff204764ec CoreFoundation`CFRunLoopRunSpecific + 563 frame #34: 0x00007fff211f5047 Foundation`-[NSRunLoop(NSRunLoop) runMode:beforeDate:] + 212 frame #35: 0x00007fff21282f11 Foundation`-[NSRunLoop(NSRunLoop) run] + 76 frame #36: 0x00007fff200cf35d libxpc.dylib`_xpc_objc_main + 825 frame #37: 0x00007fff200ceca3 libxpc.dylib`xpc_main + 116 frame #38: 0x00000005d0cd9a2c WebKit`WebKit::XPCServiceMain(argc=1, argv=0x00007ffee16d2990) at XPCServiceMain.mm:208:5 frame #39: 0x00000005d21ad4cb WebKit`WKXPCServiceMain(argc=1, argv=0x00007ffee16d2990) at WKMain.mm:33:12 frame #40: 0x000000010e530ea2 com.apple.WebKit.WebContent.Development`main(argc=1, argv=0x00007ffee16d2990) at AuxiliaryProcessMain.cpp:30:12 frame #41: 0x00007fff2039af4d libdyld.dylib`start + 1 (lldb)
To reproduce, run VoiceOver and browse to: https://reverb.com/p/phil-jones-bg-400-suitcase-compact-bass-combo-amp?review_page=3#reviews-section.
Created attachment 417228 [details] Patch
Can you report what the perf numbers say before and after this change?
Abandoning this approach because it causes many test failures in isolated tree mode. Upon further investigation and discussion with Chris, it turns out that the actual cause of the issue is that we are not calling updateBackingStore on the associated AXObject when the isolated object forwards a call to it on the main thread.
Created attachment 417580 [details] Patch
Committed r271476: <https://trac.webkit.org/changeset/271476> All reviewed patches have been landed. Closing bug and clearing flags on attachment 417580 [details].
<rdar://problem/73173625>