Bug 250406 - AX: crash in AXObjectCache::updateRelationsForTree.
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: Accessibility
Version: WebKit Nightly Build
Hardware: All All
Importance: P2 Normal
Assignee: Andres Gonzalez
URL:
Keywords: InRadar
Duplicates: 251647
Depends on:
Blocks:
 
Reported: 2023-01-10 12:54 PST by Andres Gonzalez
Modified: 2023-02-03 07:05 PST

See Also:


Attachments
Patch (4.57 KB, patch), 2023-01-10 13:12 PST, Andres Gonzalez, no flags
Patch (4.45 KB, patch), 2023-01-10 16:26 PST, Andres Gonzalez, no flags

Description Andres Gonzalez 2023-01-10 12:54:23 PST
(lldb) bt
* thread #1, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x30)
  * frame #0: 0x00000002814efe34 WebCore`WebCore::Node::parentNode(this=0x0000000000000000) const at Node.h:858:12
    frame #1: 0x0000000282d733dc WebCore`WebCore::AXObjectCache::updateRelationsForTree(this=0x0000000107192b10, rootNode=0x0000000000000000) at AXObjectCache.cpp:4080:5
    frame #2: 0x0000000282d735ac WebCore`WebCore::AXObjectCache::updateRelationsForTree(this=0x0000000107192b10, rootNode=0x0000000132120000) at AXObjectCache.cpp:4101:13
    frame #3: 0x0000000282d7334c WebCore`WebCore::AXObjectCache::updateRelationsIfNeeded(this=0x0000000107192b10) at AXObjectCache.cpp:4075:5
    frame #4: 0x0000000282d741ec WebCore`WebCore::AXObjectCache::relatedObjectIDsFor(this=0x0000000107192b10, object=0x00000001070b9000, relationType=FlowsTo) at AXObjectCache.cpp:4178:5
    frame #5: 0x0000000282e04f3c WebCore`WebCore::AccessibilityObject::relatedObjects(this=0x00000001070b9000, relationType=FlowsTo) const at AccessibilityObject.cpp:3877:36
    frame #6: 0x0000000282e0c468 WebCore`WebCore::AXCoreObject::flowToObjects(this=0x00000001070b9000) const at AccessibilityObjectInterface.h:1045:64
    frame #7: 0x0000000282e0c32c WebCore`WebCore::AccessibilityRenderObject::linkedObjects(this=0x00000001070b9000) const at AccessibilityRenderObject.cpp:1079:26
    frame #8: 0x0000000282e55928 WebCore`WebCore::AXIsolatedObject::initializeProperties(this=0x00000001071ffc00, coreObject=0x000000016b8ab130, isRoot=No) at AXIsolatedObject.cpp:290:67
    frame #9: 0x0000000282e50f54 WebCore`WebCore::AXIsolatedObject::AXIsolatedObject(this=0x00000001071ffc00, axObject=0x000000016b8ab130, tree=0x000000010722cbc0) at AXIsolatedObject.cpp:59:5
    frame #10: 0x0000000282e5684c WebCore`WebCore::AXIsolatedObject::AXIsolatedObject(this=0x00000001071ffc00, axObject=0x000000016b8ab130, tree=0x000000010722cbc0) at AXIsolatedObject.cpp:44:1
    frame #11: 0x0000000282e56894 WebCore`WebCore::AXIsolatedObject::create(object=0x000000016b8ab130, tree=0x000000010722cbc0) at AXIsolatedObject.cpp:64:26
    frame #12: 0x0000000282e61f94 WebCore`WebCore::AXIsolatedTree::nodeChangeForObject(this=0x000000010722cbc0, axObject=Ref<WebCore::AXCoreObject, WTF::RawPtrTraits<WebCore::AXCoreObject> > @ 0x000000016b8ab130, attachWrapper=OnMainThread) at AXIsolatedTree.cpp:197:19
    frame #13: 0x0000000282e61d40 WebCore`WebCore::AXIsolatedTree::queueRemovalsAndUnresolvedChanges(this=0x000000010722cbc0, subtreeRemovals=0x000000016b8ab220) at AXIsolatedTree.cpp:291:43
    frame #14: 0x0000000282e60cb8 WebCore`WebCore::AXIsolatedTree::generateSubtree(this=0x000000010722cbc0, axObject=0x000000010722c960) at AXIsolatedTree.cpp:180:5
    frame #15: 0x0000000282e60860 WebCore`WebCore::AXIsolatedTree::create(axObjectCache=0x0000000107192b10) at AXIsolatedTree.cpp:87:15
    frame #16: 0x0000000282daab38 WebCore`WebCore::AXObjectCache::getOrCreateIsolatedTree(this=0x000000016b8ab5c0) const::$_9::operator()() const at AXObjectCache.cpp:851:20
    frame #17: 0x0000000282daaae4 WebCore`WTF::RefPtr<WebCore::AXIsolatedTree, WTF::RawPtrTraits<WebCore::AXIsolatedTree>, WTF::DefaultRefDerefTraits<WebCore::AXIsolatedTree> > WebCore::Accessibility::retrieveValueFromMainThread<WTF::RefPtr<WebCore::AXIsolatedTree, WTF::RawPtrTraits<WebCore::AXIsolatedTree>, WTF::DefaultRefDerefTraits<WebCore::AXIsolatedTree> >, WebCore::AXObjectCache::getOrCreateIsolatedTree(this=0x000000010726aba8) const::$_9>(WebCore::AXObjectCache::getOrCreateIsolatedTree() const::$_9&&)::'lambda'()::operator()() const at AccessibilityObjectInterface.h:1621:17
    frame #18: 0x0000000282daaa54 WebCore`WTF::Detail::CallableWrapper<WTF::RefPtr<WebCore::AXIsolatedTree, WTF::RawPtrTraits<WebCore::AXIsolatedTree>, WTF::DefaultRefDerefTraits<WebCore::AXIsolatedTree> > WebCore::Accessibility::retrieveValueFromMainThread<WTF::RefPtr<WebCore::AXIsolatedTree, WTF::RawPtrTraits<WebCore::AXIsolatedTree>, WTF::DefaultRefDerefTraits<WebCore::AXIsolatedTree> >, WebCore::AXObjectCache::getOrCreateIsolatedTree() const::$_9>(WebCore::AXObjectCache::getOrCreateIsolatedTree() const::$_9&&)::'lambda'(), void>::call(this=0x000000010726aba0) at Function.h:53:39
    frame #19: 0x00000001396a146c JavaScriptCore`WTF::Function<void ()>::operator(this=0x000000016b8ab550)() const at Function.h:82:35
    frame #20: 0x00000001376716f0 JavaScriptCore`void WTF::callOnMainAndWait<(WTF::MainStyle)0>(function=0x000000016b8ab550)>&&) at MainThread.cpp:117:9
    frame #21: 0x00000001376716a4 JavaScriptCore`WTF::callOnMainThreadAndWait(function=0x000000016b8ab550)>&&) at MainThread.cpp:144:5
    frame #22: 0x0000000282d5f438 WebCore`WTF::RefPtr<WebCore::AXIsolatedTree, WTF::RawPtrTraits<WebCore::AXIsolatedTree>, WTF::DefaultRefDerefTraits<WebCore::AXIsolatedTree> > WebCore::Accessibility::retrieveValueFromMainThread<WTF::RefPtr<WebCore::AXIsolatedTree, WTF::RawPtrTraits<WebCore::AXIsolatedTree>, WTF::DefaultRefDerefTraits<WebCore::AXIsolatedTree> >, WebCore::AXObjectCache::getOrCreateIsolatedTree(lambda=0x000000016b8ab5c0) const::$_9>(WebCore::AXObjectCache::getOrCreateIsolatedTree() const::$_9&&) at AccessibilityObjectInterface.h:1620:5
    frame #23: 0x0000000282d5f334 WebCore`WebCore::AXObjectCache::getOrCreateIsolatedTree(this=0x0000000107192b10) const at AXObjectCache.cpp:850:16
    frame #24: 0x0000000282d5f174 WebCore`WebCore::AXObjectCache::isolatedTreeRootObject(this=0x0000000107192b10) at AXObjectCache.cpp:861:21
    frame #25: 0x0000000282d5f118 WebCore`WebCore::AXObjectCache::rootObject(this=0x0000000107192b10) at AXObjectCache.cpp:835:16
...
Comment 1 Radar WebKit Bug Importer 2023-01-10 12:54:38 PST
<rdar://problem/104090244>
Comment 2 Andres Gonzalez 2023-01-10 13:12:33 PST
Created attachment 464445
Patch
Comment 3 Andres Gonzalez 2023-01-10 16:26:22 PST
Created attachment 464449
Patch
Comment 4 chris fleizach 2023-01-10 16:38:53 PST
Comment on attachment 464449
Patch

looks good. thanks
Comment 5 EWS 2023-01-11 05:18:24 PST
Committed 258783@main (4b90132f4d9d): <https://commits.webkit.org/258783@main>

All reviewed patches have been landed. Closing bug and clearing flags on attachment 464449.
Comment 6 Sam Sneddon [:gsnedders] 2023-02-03 07:05:10 PST
*** Bug 251647 has been marked as a duplicate of this bug. ***