[Webkit-unassigned] [Bug 158685] New: AX: CrashTracer: com.apple.WebKit.WebContent at WebCore::AccessibilityRenderObject::remoteSVGRootElement const + 227

bugzilla-daemon at webkit.org
Sun Jun 12 23:10:33 PDT 2016


https://bugs.webkit.org/show_bug.cgi?id=158685

            Bug ID: 158685
           Summary: AX: CrashTracer: com.apple.WebKit.WebContent at
                    WebCore::AccessibilityRenderObject::remoteSVGRootElement
                    const + 227
    Classification: Unclassified
           Product: WebKit
           Version: Safari 9
          Hardware: All
                OS: All
            Status: NEW
          Keywords: InRadar
          Severity: Normal
          Priority: P2
         Component: Accessibility
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: cfleizach at apple.com
                CC: webkit-bug-importer at group.apple.com

Exception Codes:       KERN_INVALID_ADDRESS at 0x0000000000000000

Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
0   com.apple.WebCore                 0x1102ec6d3 WebCore::AccessibilityRenderObject::remoteSVGRootElement(WebCore::AccessibilityRenderObject::CreationChoice) const + 227 (/Library/Caches/com.apple.xbs/Sources/WebCore/WebCore-7602.1.35/accessibility/AccessibilitySVGRoot.h:55)
1   com.apple.WebCore                 0x1102e427b WebCore::AccessibilityRenderObject::detach(WebCore::AccessibilityDetachmentType, WebCore::AXObjectCache*) + 27 (/Library/Caches/com.apple.xbs/Sources/WebCore/WebCore-7602.1.35/accessibility/AccessibilityRenderObject.cpp:2976)
2   com.apple.WebCore                 0x11035bfb9 WebCore::AXObjectCache::~AXObjectCache() + 153 (/Library/Caches/com.apple.xbs/Sources/WebCore/WebCore-7602.1.35/accessibility/AXObjectCache.cpp:193)
3   com.apple.WebCore                 0x1104dc4d4 WebCore::Document::destroyRenderTree() + 116 (/Applications/Xcode.app/Contents/Developer/Toolchains/OSX10.11.xctoolchain/usr/bin/../include/c++/v1/memory:2459)
4   com.apple.WebCore                 0x1100a4a06 WebCore::Document::prepareForDestruction() + 358 (/Library/Caches/com.apple.xbs/Sources/WebCore/WebCore-7602.1.35/dom/Document.cpp:2325)

---

Smoking gun

    if (!is<AccessibilitySVGRoot>(*rootSVGObject))

Trying to take nil ptr rootSVGObject and dereference it


<rdar://problem/26755269>

-- 
You are receiving this mail because:
You are the assignee for the bug.
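
Added example, not part of the original message and not WebKit source: a minimal C++ model of the pattern the report points at, where a cache lookup that can return null during teardown is dereferenced to feed a reference-taking type check, shown beside a guarded form. The types `AXObject`, `AXSVGRoot`, `Cache` and the two `remoteRoot*` functions are hypothetical stand-ins.

```cpp
// Added example: a minimal model of the pattern in the report, not WebKit source.
#include <cstdio>

struct AXObject { virtual ~AXObject() = default; };  // hypothetical stand-in types
struct AXSVGRoot : AXObject {};

// Reference form: the caller must already hold a valid object.
template<typename T> bool is(const AXObject& o) {
    return dynamic_cast<const T*>(&o) != nullptr;
}
// Pointer form: tests for null first, then the type.
template<typename T> bool is(const AXObject* o) {
    return o && is<T>(*o);
}

struct Cache {
    AXObject* root = nullptr;  // constructed model: null once teardown has begun
    AXObject* lookup() const { return root; }
};

// Shape reported in the crash: the lookup result is dereferenced for the check.
AXSVGRoot* remoteRootUnchecked(const Cache& c) {
    AXObject* obj = c.lookup();
    if (!is<AXSVGRoot>(*obj))  // undefined behaviour when obj is null
        return nullptr;
    return static_cast<AXSVGRoot*>(obj);
}

// Guarded shape: a null lookup is treated as "no SVG root".
AXSVGRoot* remoteRootChecked(const Cache& c) {
    AXObject* obj = c.lookup();
    if (!is<AXSVGRoot>(obj))
        return nullptr;
    return static_cast<AXSVGRoot*>(obj);
}

int main() {
    AXSVGRoot svg; AXObject plain; Cache c;
    c.root = &svg;    std::printf("svg root:   %d\n", remoteRootChecked(c) == &svg);
    c.root = &plain;  std::printf("other type: %d\n", remoteRootChecked(c) == nullptr);
    c.root = nullptr; std::printf("torn down:  %d\n", remoteRootChecked(c) == nullptr);
    return 0;
}
```

The unchecked function is only safe to call while the lookup is known to succeed; the destructor-driven `detach` path in the backtrace is the case where that assumption does not hold.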