[Webkit-unassigned] [Bug 221888] New: AX: Crash when hiding an element whilst using VoiceOver (SIGSEGV) if body has a fixed :before pseudo-element

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Mon Feb 15 01:20:30 PST 2021


https://bugs.webkit.org/show_bug.cgi?id=221888

            Bug ID: 221888
           Summary: AX: Crash when hiding an element whilst using
                    VoiceOver (SIGSEGV) if body has a fixed :before
                    pseudo-element
           Product: WebKit
           Version: Safari 14
          Hardware: All
                OS: All
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: Accessibility
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: oliver.byford at digital.cabinet-office.gov.uk
                CC: webkit-bug-importer at group.apple.com

Created attachment 420279

  --> https://bugs.webkit.org/attachment.cgi?id=420279&action=review

Example (alternative to CodePen)

## Steps to reproduce

1. Open https://codepen.io/36degrees/pen/bGBVZqp or the attached example.html
2. Enable VoiceOver
3. Tab to the button 'Hide this message' and activate it by pressing enter

## Behaviour

The WebKit process crashes after a few moments. In Safari (macOS) a banner appears that says 'This web page was reloaded because a problem occurred'.

```
Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
0   com.apple.WebCore                   0x00000001ac098cac WebCore::makeBoundaryPoint(WebCore::VisiblePosition const&) + 120
1   com.apple.WebCore                   0x00000001abf7e0ac WebCore::Range::contains(WebCore::VisiblePosition const&) const + 40
2   com.apple.WebCore                   0x00000001abf7e0ac WebCore::Range::contains(WebCore::VisiblePosition const&) const + 40
3   com.apple.WebCore                   0x00000001abc2493c WebCore::AccessibilityRenderObject::setSelectedVisiblePositionRange(WebCore::VisiblePositionRange const&) const + 1192
4   com.apple.WebCore                   0x00000001acc91018 -[WebAccessibilityObjectWrapper _accessibilitySetValue:forAttribute:] + 1056
5   com.apple.JavaScriptCore            0x00000001a8b4c308 WTF::RunLoop::performWork() + 484
6   com.apple.JavaScriptCore            0x00000001a8b4cff0 WTF::RunLoop::performWork(void*) + 36
7   com.apple.CoreFoundation            0x0000000192c1fc14 __CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__ + 28
8   com.apple.CoreFoundation            0x0000000192c1fb60 __CFRunLoopDoSource0 + 208
9   com.apple.CoreFoundation            0x0000000192c1f84c __CFRunLoopDoSources0 + 268
10  com.apple.CoreFoundation            0x0000000192c1e1e4 __CFRunLoopRun + 824
11  com.apple.CoreFoundation            0x0000000192c1d740 CFRunLoopRunSpecific + 600
12  com.apple.Foundation                0x00000001939a6a88 -[NSRunLoop(NSRunLoop) runMode:beforeDate:] + 232
13  com.apple.Foundation                0x0000000193a3a644 -[NSRunLoop(NSRunLoop) run] + 92
14  libxpc.dylib                        0x000000019289b9e0 _xpc_objc_main + 900
15  libxpc.dylib                        0x000000019289b3a0 xpc_main + 536
16  com.apple.WebKit                    0x00000001add8b114 WebKit::XPCServiceMain(int, char const**) + 644
17  libdyld.dylib                       0x0000000192b40f34 start + 4
```

This does not happen if the `:before` pseudo-element on the `<body>` is removed or is not `position: fixed`.

I have reproduced this across multiple machines and in Safari running a local build of WebKit.
