Bug 250406

Summary:

AX: crash in AXObjectCache::updateRelationsForTree.

Product:

WebKit

Reporter:

Andres Gonzalez <andresg_22>

Component:

Accessibility

Assignee:

Andres Gonzalez <andresg_22>

Status:

RESOLVED FIXED

Severity:

Normal

CC:

aboxhall, alex, andresg_22, apinheiro, cfleizach, dmazzoni, ews-watchlist, jcraig, jdiggs, samuel_white, webkit-bug-importer

Priority:

Keywords:

InRadar

Version:

WebKit Nightly Build

Hardware:

All

OS:

All

Attachments:

Description	Flags
Patch	none
Patch	none

Description Andres Gonzalez 2023-01-10 12:54:23 PST

(lldb) bt
* thread #1, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x30)
  * frame #0: 0x00000002814efe34 WebCore`WebCore::Node::parentNode(this=0x0000000000000000) const at Node.h:858:12
    frame #1: 0x0000000282d733dc WebCore`WebCore::AXObjectCache::updateRelationsForTree(this=0x0000000107192b10, rootNode=0x0000000000000000) at AXObjectCache.cpp:4080:5
    frame #2: 0x0000000282d735ac WebCore`WebCore::AXObjectCache::updateRelationsForTree(this=0x0000000107192b10, rootNode=0x0000000132120000) at AXObjectCache.cpp:4101:13
    frame #3: 0x0000000282d7334c WebCore`WebCore::AXObjectCache::updateRelationsIfNeeded(this=0x0000000107192b10) at AXObjectCache.cpp:4075:5
    frame #4: 0x0000000282d741ec WebCore`WebCore::AXObjectCache::relatedObjectIDsFor(this=0x0000000107192b10, object=0x00000001070b9000, relationType=FlowsTo) at AXObjectCache.cpp:4178:5
    frame #5: 0x0000000282e04f3c WebCore`WebCore::AccessibilityObject::relatedObjects(this=0x00000001070b9000, relationType=FlowsTo) const at AccessibilityObject.cpp:3877:36
    frame #6: 0x0000000282e0c468 WebCore`WebCore::AXCoreObject::flowToObjects(this=0x00000001070b9000) const at AccessibilityObjectInterface.h:1045:64
    frame #7: 0x0000000282e0c32c WebCore`WebCore::AccessibilityRenderObject::linkedObjects(this=0x00000001070b9000) const at AccessibilityRenderObject.cpp:1079:26
    frame #8: 0x0000000282e55928 WebCore`WebCore::AXIsolatedObject::initializeProperties(this=0x00000001071ffc00, coreObject=0x000000016b8ab130, isRoot=No) at AXIsolatedObject.cpp:290:67
    frame #9: 0x0000000282e50f54 WebCore`WebCore::AXIsolatedObject::AXIsolatedObject(this=0x00000001071ffc00, axObject=0x000000016b8ab130, tree=0x000000010722cbc0) at AXIsolatedObject.cpp:59:5
    frame #10: 0x0000000282e5684c WebCore`WebCore::AXIsolatedObject::AXIsolatedObject(this=0x00000001071ffc00, axObject=0x000000016b8ab130, tree=0x000000010722cbc0) at AXIsolatedObject.cpp:44:1
    frame #11: 0x0000000282e56894 WebCore`WebCore::AXIsolatedObject::create(object=0x000000016b8ab130, tree=0x000000010722cbc0) at AXIsolatedObject.cpp:64:26
    frame #12: 0x0000000282e61f94 WebCore`WebCore::AXIsolatedTree::nodeChangeForObject(this=0x000000010722cbc0, axObject=Ref<WebCore::AXCoreObject, WTF::RawPtrTraits<WebCore::AXCoreObject> > @ 0x000000016b8ab130, attachWrapper=OnMainThread) at AXIsolatedTree.cpp:197:19
    frame #13: 0x0000000282e61d40 WebCore`WebCore::AXIsolatedTree::queueRemovalsAndUnresolvedChanges(this=0x000000010722cbc0, subtreeRemovals=0x000000016b8ab220) at AXIsolatedTree.cpp:291:43
    frame #14: 0x0000000282e60cb8 WebCore`WebCore::AXIsolatedTree::generateSubtree(this=0x000000010722cbc0, axObject=0x000000010722c960) at AXIsolatedTree.cpp:180:5
    frame #15: 0x0000000282e60860 WebCore`WebCore::AXIsolatedTree::create(axObjectCache=0x0000000107192b10) at AXIsolatedTree.cpp:87:15
    frame #16: 0x0000000282daab38 WebCore`WebCore::AXObjectCache::getOrCreateIsolatedTree(this=0x000000016b8ab5c0) const::$_9::operator()() const at AXObjectCache.cpp:851:20
    frame #17: 0x0000000282daaae4 WebCore`WTF::RefPtr<WebCore::AXIsolatedTree, WTF::RawPtrTraits<WebCore::AXIsolatedTree>, WTF::DefaultRefDerefTraits<WebCore::AXIsolatedTree> > WebCore::Accessibility::retrieveValueFromMainThread<WTF::RefPtr<WebCore::AXIsolatedTree, WTF::RawPtrTraits<WebCore::AXIsolatedTree>, WTF::DefaultRefDerefTraits<WebCore::AXIsolatedTree> >, WebCore::AXObjectCache::getOrCreateIsolatedTree(this=0x000000010726aba8) const::$_9>(WebCore::AXObjectCache::getOrCreateIsolatedTree() const::$_9&&)::'lambda'()::operator()() const at AccessibilityObjectInterface.h:1621:17
    frame #18: 0x0000000282daaa54 WebCore`WTF::Detail::CallableWrapper<WTF::RefPtr<WebCore::AXIsolatedTree, WTF::RawPtrTraits<WebCore::AXIsolatedTree>, WTF::DefaultRefDerefTraits<WebCore::AXIsolatedTree> > WebCore::Accessibility::retrieveValueFromMainThread<WTF::RefPtr<WebCore::AXIsolatedTree, WTF::RawPtrTraits<WebCore::AXIsolatedTree>, WTF::DefaultRefDerefTraits<WebCore::AXIsolatedTree> >, WebCore::AXObjectCache::getOrCreateIsolatedTree() const::$_9>(WebCore::AXObjectCache::getOrCreateIsolatedTree() const::$_9&&)::'lambda'(), void>::call(this=0x000000010726aba0) at Function.h:53:39
    frame #19: 0x00000001396a146c JavaScriptCore`WTF::Function<void ()>::operator(this=0x000000016b8ab550)() const at Function.h:82:35
    frame #20: 0x00000001376716f0 JavaScriptCore`void WTF::callOnMainAndWait<(WTF::MainStyle)0>(function=0x000000016b8ab550)>&&) at MainThread.cpp:117:9
    frame #21: 0x00000001376716a4 JavaScriptCore`WTF::callOnMainThreadAndWait(function=0x000000016b8ab550)>&&) at MainThread.cpp:144:5
    frame #22: 0x0000000282d5f438 WebCore`WTF::RefPtr<WebCore::AXIsolatedTree, WTF::RawPtrTraits<WebCore::AXIsolatedTree>, WTF::DefaultRefDerefTraits<WebCore::AXIsolatedTree> > WebCore::Accessibility::retrieveValueFromMainThread<WTF::RefPtr<WebCore::AXIsolatedTree, WTF::RawPtrTraits<WebCore::AXIsolatedTree>, WTF::DefaultRefDerefTraits<WebCore::AXIsolatedTree> >, WebCore::AXObjectCache::getOrCreateIsolatedTree(lambda=0x000000016b8ab5c0) const::$_9>(WebCore::AXObjectCache::getOrCreateIsolatedTree() const::$_9&&) at AccessibilityObjectInterface.h:1620:5
    frame #23: 0x0000000282d5f334 WebCore`WebCore::AXObjectCache::getOrCreateIsolatedTree(this=0x0000000107192b10) const at AXObjectCache.cpp:850:16
    frame #24: 0x0000000282d5f174 WebCore`WebCore::AXObjectCache::isolatedTreeRootObject(this=0x0000000107192b10) at AXObjectCache.cpp:861:21
    frame #25: 0x0000000282d5f118 WebCore`WebCore::AXObjectCache::rootObject(this=0x0000000107192b10) at AXObjectCache.cpp:835:16
...

Comment 1 Radar WebKit Bug Importer 2023-01-10 12:54:38 PST

<rdar://problem/104090244>

Comment 2 Andres Gonzalez 2023-01-10 13:12:33 PST

Created attachment 464445 [details]
Patch

Comment 3 Andres Gonzalez 2023-01-10 16:26:22 PST

Created attachment 464449 [details]
Patch

Comment 4 chris fleizach 2023-01-10 16:38:53 PST

Comment on attachment 464449 [details]
Patch

looks good. thanks

Comment 5 EWS 2023-01-11 05:18:24 PST

Committed 258783@main (4b90132f4d9d): <https://commits.webkit.org/258783@main>

All reviewed patches have been landed. Closing bug and clearing flags on attachment 464449 [details].

Comment 6 Sam Sneddon [:gsnedders] 2023-02-03 07:05:10 PST

*** Bug 251647 has been marked as a duplicate of this bug. ***