106073 2013-01-03 18:38:30 -0800 REGRESSION: [Mac] Intermittent crash in WTR::AccessibilityUIElement::isEqual 2013-01-04 00:39:06 -0800 1 1 1 Unclassified WebKit Accessibility 528+ (Nightly build) Unspecified Unspecified RESOLVED FIXED InRadar, LayoutTestFailure, Regression P1 Normal --- 1 rniwa cfleizach aboxhall ap cfleizach dmazzoni enrica eric.carlson ggaren webkit-bug-importer oldest_to_newest 799890 0 rniwa 2013-01-03 18:38:30 -0800 Some tests in sputnik/Conformance are intermittently crashing in AccessibilityUIElement::isEqual. Here’s one example: http://build.webkit.org/results/Apple%20MountainLion%20Release%20WK2%20(Tests)/r138770%20(4442)/results.html There are several tests that crash with a similar stack trace: 0 WebKitTestRunnerInjectedBundle 0x00000001064415ba WTR::AccessibilityUIElement::isEqual(WTR::AccessibilityUIElement*) + 8 (AccessibilityUIElement.h:76) 1 WebKitTestRunnerInjectedBundle 0x0000000106447b45 WTR::JSAccessibilityUIElement::isEqual(OpaqueJSContext const*, OpaqueJSValue*, OpaqueJSValue*, unsigned long, OpaqueJSValue const* const*, OpaqueJSValue const**) + 65 (JSAccessibilityUIElement.cpp:203) 2 com.apple.JavaScriptCore 0x00000001022b9b4f JSC::JSCallbackFunction::call(JSC::ExecState*) + 431 (JSCallbackFunction.cpp:72) 3 com.apple.JavaScriptCore 0x00000001023d330e JSC::LLInt::setUpCall(JSC::ExecState*, JSC::Instruction*, JSC::CodeSpecializationKind, JSC::JSValue, JSC::LLIntCallLinkInfo*) + 206 (LLIntSlowPaths.cpp:1362) 4 com.apple.JavaScriptCore 0x00000001023d76db llint_op_call + 169 5 com.apple.JavaScriptCore 0x0000000102266304 JSC::Interpreter::executeCall(JSC::ExecState*, JSC::JSObject*, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) + 548 (JSValueInlines.h:360) 6 com.apple.JavaScriptCore 0x000000010219e345 JSC::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) + 69 (CallData.cpp:39) 7 com.apple.JavaScriptCore 0x00000001022e1961 JSObjectCallAsFunction + 545 (JSObjectRef.cpp:444) 8 WebKitTestRunnerInjectedBundle 0x000000010644b140 -[AccessibilityNotificationHandler _notificationReceived:] + 385 (AccessibilityNotificationHandler.mm:136) 9 com.apple.CoreFoundation 0x00007fff8d48247a _CFXNotificationPost + 2554 10 com.apple.Foundation 0x00007fff8846c846 -[NSNotificationCenter postNotificationName:object:userInfo:] + 64 11 com.apple.WebCore 0x00000001026a8837 WebCore::AXObjectCache::notificationPostTimerFired(WebCore::Timer<WebCore::AXObjectCache>*) + 71 (AXObjectCache.cpp:598) 12 com.apple.WebCore 0x000000010336836f WebCore::ThreadTimers::sharedTimerFiredInternal() + 159 (ThreadTimers.cpp:119) 13 com.apple.WebCore 0x00000001031f30a3 WebCore::timerFired(__CFRunLoopTimer*, void*) + 51 (SharedTimerMac.mm:167) 14 com.apple.CoreFoundation 0x00007fff8d48cda4 __CFRUNLOOP_IS_CALLING_OUT_TO_A_TIMER_CALLBACK_FUNCTION__ + 20 15 com.apple.CoreFoundation 0x00007fff8d48c8bd __CFRunLoopDoTimer + 557 16 com.apple.CoreFoundation 0x00007fff8d472099 __CFRunLoopRun + 1513 17 com.apple.CoreFoundation 0x00007fff8d4716b2 CFRunLoopRunSpecific + 290 18 com.apple.HIToolbox 0x00007fff8c56e0a4 RunCurrentEventLoopInMode + 209 19 com.apple.HIToolbox 0x00007fff8c56de42 ReceiveNextEventCommon + 356 20 com.apple.HIToolbox 0x00007fff8c56dcd3 BlockUntilNextEventMatchingListInMode + 62 21 com.apple.AppKit 0x00007fff85d25613 _DPSNextEvent + 685 22 com.apple.AppKit 0x00007fff85d24ed2 -[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] + 128 23 com.apple.AppKit 0x00007fff85d1c283 -[NSApplication run] + 517 24 com.apple.WebCore 0x00000001031a1543 WebCore::RunLoop::run() + 67 (RunLoopMac.mm:36) 25 com.apple.WebKit2 0x0000000101c9fe8c WebKit::WebProcessMain(WebKit::CommandLine const&) + 3485 (RefPtr.h:56) 26 com.apple.WebKit2 0x0000000101c4317c WebKitMain + 324 (WebKitMain.cpp:58) 27 com.apple.WebProcess 0x0000000101b5fe7b main + 214 28 libdyld.dylib 0x00007fff843aa7e1 start + 1 799891 1 webkit-bug-importer 2013-01-03 18:38:51 -0800 <rdar://problem/12955023> 799892 2 rniwa 2013-01-03 18:42:39 -0800 I can’t really suppress it with test expectations here because it appears to occur on a random test in sputnik/Conformance :( 799949 3 rniwa 2013-01-03 21:47:12 -0800 Here's another example: http://build.webkit.org/results/Apple%20MountainLion%20Release%20WK2%20(Tests)/r138776%20(4447)/results.html 799950 4 rniwa 2013-01-03 21:47:43 -0800 Application Specific Information: CRASHING TEST: sputnik/Conformance/09_Type_Conversion/9.5_ToInt32/S9.5_A2.2_T2.html Thread 0 Crashed:: Dispatch queue: com.apple.main-thread 0 WebKitTestRunnerInjectedBundle 0x000000010c9815ba WTR::AccessibilityUIElement::isEqual(WTR::AccessibilityUIElement*) + 8 (AccessibilityUIElement.h:76) 1 WebKitTestRunnerInjectedBundle 0x000000010c987b45 WTR::JSAccessibilityUIElement::isEqual(OpaqueJSContext const*, OpaqueJSValue*, OpaqueJSValue*, unsigned long, OpaqueJSValue const* const*, OpaqueJSValue const**) + 65 (JSAccessibilityUIElement.cpp:203) 2 com.apple.JavaScriptCore 0x00000001087f7b4f JSC::JSCallbackFunction::call(JSC::ExecState*) + 431 (JSCallbackFunction.cpp:72) 3 com.apple.JavaScriptCore 0x000000010891130e JSC::LLInt::setUpCall(JSC::ExecState*, JSC::Instruction*, JSC::CodeSpecializationKind, JSC::JSValue, JSC::LLIntCallLinkInfo*) + 206 (LLIntSlowPaths.cpp:1362) 4 com.apple.JavaScriptCore 0x00000001089156db llint_op_call + 169 5 com.apple.JavaScriptCore 0x00000001087a4304 JSC::Interpreter::executeCall(JSC::ExecState*, JSC::JSObject*, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) + 548 (JSValueInlines.h:360) 6 com.apple.JavaScriptCore 0x00000001086dc345 JSC::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) + 69 (CallData.cpp:39) 7 com.apple.JavaScriptCore 0x000000010881f961 JSObjectCallAsFunction + 545 (JSObjectRef.cpp:444) 8 WebKitTestRunnerInjectedBundle 0x000000010c98b140 -[AccessibilityNotificationHandler _notificationReceived:] + 385 (AccessibilityNotificationHandler.mm:136) 9 com.apple.CoreFoundation 0x00007fff8d48247a _CFXNotificationPost + 2554 10 com.apple.Foundation 0x00007fff8846c846 -[NSNotificationCenter postNotificationName:object:userInfo:] + 64 11 com.apple.WebCore 0x0000000108be6837 WebCore::AXObjectCache::notificationPostTimerFired(WebCore::Timer<WebCore::AXObjectCache>*) + 71 (AXObjectCache.cpp:598) 12 com.apple.WebCore 0x00000001098a636f WebCore::ThreadTimers::sharedTimerFiredInternal() + 159 (ThreadTimers.cpp:119) 13 com.apple.WebCore 0x00000001097310a3 WebCore::timerFired(__CFRunLoopTimer*, void*) + 51 (SharedTimerMac.mm:167) 14 com.apple.CoreFoundation 0x00007fff8d48cda4 __CFRUNLOOP_IS_CALLING_OUT_TO_A_TIMER_CALLBACK_FUNCTION__ + 20 15 com.apple.CoreFoundation 0x00007fff8d48c8bd __CFRunLoopDoTimer + 557 16 com.apple.CoreFoundation 0x00007fff8d472099 __CFRunLoopRun + 1513 17 com.apple.CoreFoundation 0x00007fff8d4716b2 CFRunLoopRunSpecific + 290 18 com.apple.HIToolbox 0x00007fff8c56e0a4 RunCurrentEventLoopInMode + 209 19 com.apple.HIToolbox 0x00007fff8c56de42 ReceiveNextEventCommon + 356 20 com.apple.HIToolbox 0x00007fff8c56dcd3 BlockUntilNextEventMatchingListInMode + 62 21 com.apple.AppKit 0x00007fff85d25613 _DPSNextEvent + 685 22 com.apple.AppKit 0x00007fff85d24ed2 -[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] + 128 23 com.apple.AppKit 0x00007fff85d1c283 -[NSApplication run] + 517 24 com.apple.WebCore 0x00000001096df543 WebCore::RunLoop::run() + 67 (RunLoopMac.mm:36) 799962 5 181275 cfleizach 2013-01-04 00:01:09 -0800 Created attachment 181275 patch 799967 6 181275 rniwa 2013-01-04 00:08:38 -0800 Comment on attachment 181275 patch View in context: https://bugs.webkit.org/attachment.cgi?id=181275&action=review Do you know why this happens? It seems worth explaining why we need a null check in the change log. > Tools/ChangeLog:6 > + Check that the element being compared to is not nil. Nit: Please move this below "Reviewed by" line. 799976 7 cfleizach 2013-01-04 00:39:06 -0800 http://trac.webkit.org/changeset/138781 181275 2013-01-04 00:01:09 -0800 2013-01-04 00:09:04 -0800 patch patch text/plain 1892 cfleizach SW5kZXg6IFRvb2xzL1dlYktpdFRlc3RSdW5uZXIvSW5qZWN0ZWRCdW5kbGUvbWFjL0FjY2Vzc2li aWxpdHlVSUVsZW1lbnRNYWMubW0KPT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PQotLS0gVG9vbHMvV2ViS2l0VGVzdFJ1bm5l ci9JbmplY3RlZEJ1bmRsZS9tYWMvQWNjZXNzaWJpbGl0eVVJRWxlbWVudE1hYy5tbQkocmV2aXNp b24gMTM4Nzc5KQorKysgVG9vbHMvV2ViS2l0VGVzdFJ1bm5lci9JbmplY3RlZEJ1bmRsZS9tYWMv QWNjZXNzaWJpbGl0eVVJRWxlbWVudE1hYy5tbQkod29ya2luZyBjb3B5KQpAQCAtODcsNiArODcs OCBAQAogCiBib29sIEFjY2Vzc2liaWxpdHlVSUVsZW1lbnQ6OmlzRXF1YWwoQWNjZXNzaWJpbGl0 eVVJRWxlbWVudCogb3RoZXJFbGVtZW50KQogeworICAgIGlmICghb3RoZXJFbGVtZW50KQorICAg ICAgICByZXR1cm4gZmFsc2U7CiAgICAgcmV0dXJuIHBsYXRmb3JtVUlFbGVtZW50KCkgPT0gb3Ro ZXJFbGVtZW50LT5wbGF0Zm9ybVVJRWxlbWVudCgpOwogfQogICAgIApJbmRleDogVG9vbHMvRHVt cFJlbmRlclRyZWUvQWNjZXNzaWJpbGl0eVVJRWxlbWVudC5jcHAKPT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PQotLS0gVG9v bHMvRHVtcFJlbmRlclRyZWUvQWNjZXNzaWJpbGl0eVVJRWxlbWVudC5jcHAJKHJldmlzaW9uIDEz ODc3OSkKKysrIFRvb2xzL0R1bXBSZW5kZXJUcmVlL0FjY2Vzc2liaWxpdHlVSUVsZW1lbnQuY3Bw CSh3b3JraW5nIGNvcHkpCkBAIC05NjEsNiArOTYxLDggQEAKICNpZiAhUExBVEZPUk0oV0lOKQog Ym9vbCBBY2Nlc3NpYmlsaXR5VUlFbGVtZW50Ojppc0VxdWFsKEFjY2Vzc2liaWxpdHlVSUVsZW1l bnQqIG90aGVyRWxlbWVudCkKIHsKKyAgICBpZiAoIW90aGVyRWxlbWVudCkKKyAgICAgICAgcmV0 dXJuIGZhbHNlOwogICAgIHJldHVybiBwbGF0Zm9ybVVJRWxlbWVudCgpID09IG90aGVyRWxlbWVu dC0+cGxhdGZvcm1VSUVsZW1lbnQoKTsKIH0KICNlbmRpZgpJbmRleDogVG9vbHMvQ2hhbmdlTG9n Cj09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT0KLS0tIFRvb2xzL0NoYW5nZUxvZwkocmV2aXNpb24gMTM4Nzc5KQorKysgVG9v bHMvQ2hhbmdlTG9nCSh3b3JraW5nIGNvcHkpCkBAIC0xLDMgKzEsMTcgQEAKKzIwMTMtMDEtMDMg IENocmlzIEZsZWl6YWNoICA8Y2ZsZWl6YWNoQGFwcGxlLmNvbT4KKworICAgICAgICBSRUdSRVNT SU9OOiBbTWFjXSBJbnRlcm1pdHRlbnQgY3Jhc2ggaW4gV1RSOjpBY2Nlc3NpYmlsaXR5VUlFbGVt ZW50Ojppc0VxdWFsCisgICAgICAgIGh0dHBzOi8vYnVncy53ZWJraXQub3JnL3Nob3dfYnVnLmNn aT9pZD0xMDYwNzMKKworICAgICAgICBDaGVjayB0aGF0IHRoZSBlbGVtZW50IGJlaW5nIGNvbXBh cmVkIHRvIGlzIG5vdCBuaWwuCisKKyAgICAgICAgUmV2aWV3ZWQgYnkgTk9CT0RZIChPT1BTISku CisKKyAgICAgICAgKiBEdW1wUmVuZGVyVHJlZS9BY2Nlc3NpYmlsaXR5VUlFbGVtZW50LmNwcDoK KyAgICAgICAgKEFjY2Vzc2liaWxpdHlVSUVsZW1lbnQ6OmlzRXF1YWwpOgorICAgICAgICAqIFdl YktpdFRlc3RSdW5uZXIvSW5qZWN0ZWRCdW5kbGUvbWFjL0FjY2Vzc2liaWxpdHlVSUVsZW1lbnRN YWMubW06CisgICAgICAgIChXVFI6OkFjY2Vzc2liaWxpdHlVSUVsZW1lbnQ6OmlzRXF1YWwpOgor CiAyMDEzLTAxLTAzICBUaW0gJ21pdGhybycgQW5zZWxsICA8bWl0aHJvQG1pdGhpcy5jb20+CiAK ICAgICAgICAgRG93bmxvYWRzIGNhbiBiZSBmbGFreSwgc28gdHJ5IGRvd25sb2FkaW5nIG11bHRp cGxlIHRpbWVzLgo=