221888 – AX: Crash when hiding focused element whilst using VoiceOver (SIGSEGV) if body has a fixed :before pseudo-element

NEW 221888

AX: Crash when hiding focused element whilst using VoiceOver (SIGSEGV) if body has a fixed :before pseudo-element

https://bugs.webkit.org/show_bug.cgi?id=221888

Summary AX: Crash when hiding focused element whilst using VoiceOver (SIGSEGV) if bod...

Oliver Byford

Reported 2021-02-15 01:20:30 PST

Created attachment 420279 [details] Example (alternative to CodePen) ## Steps to reproduce 1. Open https://codepen.io/36degrees/pen/bGBVZqp or the attached example.html 2. Enable VoiceOver 3. Tab to the button 'Hide this message' and activate it by pressing enter ## Behaviour The WebKit process crashes after a few moments. In Safari (macOS) a banner appears that says 'This web page was reloaded because a problem occurred'. ``` Thread 0 Crashed:: Dispatch queue: com.apple.main-thread 0 com.apple.WebCore 0x00000001ac098cac WebCore::makeBoundaryPoint(WebCore::VisiblePosition const&) + 120 1 com.apple.WebCore 0x00000001abf7e0ac WebCore::Range::contains(WebCore::VisiblePosition const&) const + 40 2 com.apple.WebCore 0x00000001abf7e0ac WebCore::Range::contains(WebCore::VisiblePosition const&) const + 40 3 com.apple.WebCore 0x00000001abc2493c WebCore::AccessibilityRenderObject::setSelectedVisiblePositionRange(WebCore::VisiblePositionRange const&) const + 1192 4 com.apple.WebCore 0x00000001acc91018 -[WebAccessibilityObjectWrapper _accessibilitySetValue:forAttribute:] + 1056 5 com.apple.JavaScriptCore 0x00000001a8b4c308 WTF::RunLoop::performWork() + 484 6 com.apple.JavaScriptCore 0x00000001a8b4cff0 WTF::RunLoop::performWork(void*) + 36 7 com.apple.CoreFoundation 0x0000000192c1fc14 __CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__ + 28 8 com.apple.CoreFoundation 0x0000000192c1fb60 __CFRunLoopDoSource0 + 208 9 com.apple.CoreFoundation 0x0000000192c1f84c __CFRunLoopDoSources0 + 268 10 com.apple.CoreFoundation 0x0000000192c1e1e4 __CFRunLoopRun + 824 11 com.apple.CoreFoundation 0x0000000192c1d740 CFRunLoopRunSpecific + 600 12 com.apple.Foundation 0x00000001939a6a88 -[NSRunLoop(NSRunLoop) runMode:beforeDate:] + 232 13 com.apple.Foundation 0x0000000193a3a644 -[NSRunLoop(NSRunLoop) run] + 92 14 libxpc.dylib 0x000000019289b9e0 _xpc_objc_main + 900 15 libxpc.dylib 0x000000019289b3a0 xpc_main + 536 16 com.apple.WebKit 0x00000001add8b114 WebKit::XPCServiceMain(int, char const**) + 644 17 libdyld.dylib 0x0000000192b40f34 start + 4 ``` This does not happen if the :before pseudo-element on the <body> is removed or is not `position: fixed`. Have reproduced across multiple machines and Safari running a local build of WebKit.

Attachments
Example (alternative to CodePen) (1.03 KB, text/html) 2021-02-15 01:20 PST, Oliver Byford	no flags	Details
Crash Report (124.77 KB, text/plain) 2021-02-15 01:21 PST, Oliver Byford	no flags	Details
View All Add attachment proposed patch, testcase, etc.

Radar WebKit Bug Importer

Comment 1 2021-02-15 01:20:55 PST

<rdar://problem/74341878>

Oliver Byford

Comment 2 2021-02-15 01:21:20 PST

Created attachment 420280 [details] Crash Report

Note You need to log in before you can comment on or make changes to this bug.

Status NEW

Resolution

Priority P2

Severity Normal

Classification Unclassified

Version Safari 14

Hardware All

OS All

Product WebKit

Component Accessibility

Assignee

Nobody

Reported

2021-02-15 01:20 PST

Modified

2021-02-22 11:11 PST History

CC List

3 users Show

URL

Keywords InRadar

Depends on

Blocks