Bug 221888 - AX: Crash when hiding focused element whilst using VoiceOver (SIGSEGV) if body has a fixed :before pseudo-element
Status: NEW
Alias: None
Product: WebKit
Classification: Unclassified
Component: Accessibility
Version: Safari 14
Hardware: All All
Importance: P2 Normal
Assignee: Nobody
URL:
Keywords: InRadar
Depends on:
Blocks:
 
Reported: 2021-02-15 01:20 PST by Oliver Byford
Modified: 2021-02-22 11:11 PST

See Also:


Attachments
Example (alternative to CodePen) (1.03 KB, text/html), 2021-02-15 01:20 PST, Oliver Byford
Crash Report (124.77 KB, text/plain), 2021-02-15 01:21 PST, Oliver Byford

Description Oliver Byford 2021-02-15 01:20:30 PST
Created attachment 420279 [details]
Example (alternative to CodePen)

## Steps to reproduce

1. Open https://codepen.io/36degrees/pen/bGBVZqp or the attached example.html
2. Enable VoiceOver
3. Tab to the button 'Hide this message' and activate it by pressing enter

## Behaviour

The WebKit process crashes after a few moments. In Safari (macOS) a banner appears that says 'This web page was reloaded because a problem occurred'.

```
Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
0   com.apple.WebCore             	0x00000001ac098cac WebCore::makeBoundaryPoint(WebCore::VisiblePosition const&) + 120
1   com.apple.WebCore             	0x00000001abf7e0ac WebCore::Range::contains(WebCore::VisiblePosition const&) const + 40
2   com.apple.WebCore             	0x00000001abf7e0ac WebCore::Range::contains(WebCore::VisiblePosition const&) const + 40
3   com.apple.WebCore             	0x00000001abc2493c WebCore::AccessibilityRenderObject::setSelectedVisiblePositionRange(WebCore::VisiblePositionRange const&) const + 1192
4   com.apple.WebCore             	0x00000001acc91018 -[WebAccessibilityObjectWrapper _accessibilitySetValue:forAttribute:] + 1056
5   com.apple.JavaScriptCore      	0x00000001a8b4c308 WTF::RunLoop::performWork() + 484
6   com.apple.JavaScriptCore      	0x00000001a8b4cff0 WTF::RunLoop::performWork(void*) + 36
7   com.apple.CoreFoundation      	0x0000000192c1fc14 __CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__ + 28
8   com.apple.CoreFoundation      	0x0000000192c1fb60 __CFRunLoopDoSource0 + 208
9   com.apple.CoreFoundation      	0x0000000192c1f84c __CFRunLoopDoSources0 + 268
10  com.apple.CoreFoundation      	0x0000000192c1e1e4 __CFRunLoopRun + 824
11  com.apple.CoreFoundation      	0x0000000192c1d740 CFRunLoopRunSpecific + 600
12  com.apple.Foundation          	0x00000001939a6a88 -[NSRunLoop(NSRunLoop) runMode:beforeDate:] + 232
13  com.apple.Foundation          	0x0000000193a3a644 -[NSRunLoop(NSRunLoop) run] + 92
14  libxpc.dylib                  	0x000000019289b9e0 _xpc_objc_main + 900
15  libxpc.dylib                  	0x000000019289b3a0 xpc_main + 536
16  com.apple.WebKit              	0x00000001add8b114 WebKit::XPCServiceMain(int, char const**) + 644
17  libdyld.dylib                 	0x0000000192b40f34 start + 4
```

This does not happen if the `:before` pseudo-element on the `<body>` is removed or is not `position: fixed`.

I have reproduced this across multiple machines and in Safari running a local build of WebKit.
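A minimal test page reconstructed from the steps and conditions described above, added here as an example: it is not the attached example.html or the CodePen, and the page structure, message text and hide logic are assumptions rather than the reporter's markup.

```html
<!DOCTYPE html>
<html lang="en">
<head>
  <meta charset="utf-8">
  <title>body:before fixed + hide focused element (reconstructed test case)</title>
  <style>
    /* The condition the report singles out: a position: fixed pseudo-element on <body>.
       Per the report, the crash does not occur if this rule is removed or is not fixed,
       so this is the line to change for the negative control. */
    body:before {
      content: "";
      position: fixed;
      top: 0;
      left: 0;
      width: 100%;
      height: 4px;
      background: #005ea5;
    }
  </style>
</head>
<body>
  <!-- Assumed message container; the reporter's markup is not on this page. -->
  <div id="message">
    <p>This is a message.</p>
    <!-- Step 3: with VoiceOver running, Tab to this button and press Enter. -->
    <button id="hide" type="button">Hide this message</button>
  </div>
  <script>
    // Hiding the container that holds the currently focused button is the action
    // the report describes; the crash follows a few moments later under VoiceOver.
    document.getElementById('hide').addEventListener('click', function () {
      document.getElementById('message').hidden = true;
    });
  </script>
</body>
</html>
```

Deleting `position: fixed;` from the `body:before` rule reproduces the negative control the report describes, which helps confirm that a given build is seeing this bug and not another focus-related crash.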
Comment 1 Radar WebKit Bug Importer 2021-02-15 01:20:55 PST
<rdar://problem/74341878>
Comment 2 Oliver Byford 2021-02-15 01:21:20 PST
Created attachment 420280 [details]
Crash Report