207093 2020-02-01 09:26:39 -0800 [ATK] Crash in WebKitAccessible 2020-02-03 02:27:33 -0800 1 1 1 Unclassified WebKit Accessibility WebKit Nightly Build Unspecified Unspecified RESOLVED FIXED https://bugs.webkit.org/show_bug.cgi?id=206828 https://bugs.webkit.org/show_bug.cgi?id=207035 InRadar P2 Normal --- 1 jonathan webkit-unassigned aboxhall andresg_22 annulen apinheiro bugs-noreply cfleizach cgarcia commit-queue dmazzoni ews-watchlist jcraig jdiggs mcatanzaro samuel_white sam svillar webkit-bug-importer oldest_to_newest 1613737 0 jonathan 2020-02-01 09:26:39 -0800 This appears to be caused by Bug 206828 which added `webkitAccessibleDetach(WEBKIT_ACCESSIBLE(wrapper))` to an already cleared wrapper. When loading URLs in MiniBrowser in a debug build I get the following stacktrace: #0 WTFCrash () at ../../Source/WTF/wtf/Assertions.cpp:305 #1 0x00007fffed64760b in CRASH_WITH_INFO(...) () at DerivedSources/ForwardingHeaders/wtf/Assertions.h:660 #2 0x00007fffef941d51 in webkitAccessibleDetach (accessible=0x5555556c8870) at ../../Source/WebCore/accessibility/atk/WebKitAccessible.cpp:1308 #3 0x00007fffef93befe in WebCore::AccessibilityObject::detachPlatformWrapper (this=0x7fffd6f90ac8, detachmentType=WebCore::AccessibilityDetachmentType::ElementDestroyed) at ../../Source/WebCore/accessibility/atk/AccessibilityObjectAtk.cpp:47 #4 0x00007fffef8b1607 in WebCore::AXCoreObject::detachWrapper (this=0x7fffd6f90ac8, detachmentType=WebCore::AccessibilityDetachmentType::ElementDestroyed) at ../../Source/WebCore/accessibility/AccessibilityObjectInterface.h:1158 #5 0x00007fffef8b1596 in WebCore::AXCoreObject::detach (this=0x7fffd6f90ac8, detachmentType=WebCore::AccessibilityDetachmentType::ElementDestroyed) at ../../Source/WebCore/accessibility/AccessibilityObjectInterface.h:1150 #6 0x00007fffef8a0326 in WebCore::AXObjectCache::remove (this=0x7fffd6f47000, axID=1) at ../../Source/WebCore/accessibility/AXObjectCache.cpp:853 #7 0x00007fffef8a0662 in WebCore::AXObjectCache::remove (this=0x7fffd6f47000, view=0x7fffd700c010) at ../../Source/WebCore/accessibility/AXObjectCache.cpp:895 #8 0x00007ffff082a02a in WebCore::FrameView::removeFromAXObjectCache (this=0x7fffd700c010) at ../../Source/WebCore/page/FrameView.cpp:280 #9 0x00007ffff082a2d4 in WebCore::FrameView::prepareForDetach (this=0x7fffd700c010) at ../../Source/WebCore/page/FrameView.cpp:329 #10 0x00007ffff0823860 in WebCore::Frame::setView (this=0x7fffd6fca348, view=...) at ../../Source/WebCore/page/Frame.cpp:228 #11 0x00007ffff08261a9 in WebCore::Frame::createView (this=0x7fffd6fca348, viewportSize=..., backgroundColor=..., fixedLayoutSize=..., fixedVisibleContentRect=..., useFixedLayout=false, horizontalScrollbarMode=WebCore::ScrollbarAuto, horizontalLock=false, verticalScrollbarMode=WebCore::ScrollbarAuto, verticalLock=false) at ../../Source/WebCore/page/Frame.cpp:806 #12 0x00007fffee6d08a4 in WebKit::WebFrameLoaderClient::transitionToCommittedForNewPage (this=0x7fffd6ff3340) at ../../Source/WebKit/WebProcess/WebCoreSupport/WebFrameLoaderClient.cpp:1510 #13 0x00007ffff068bda0 in WebCore::FrameLoader::transitionToCommitted (this=0x7fffd6f80000, cachedPage=0x0) at ../../Source/WebCore/loader/FrameLoader.cpp:2222 #14 0x00007ffff068b062 in WebCore::FrameLoader::commitProvisionalLoad (this=0x7fffd6f80000) at ../../Source/WebCore/loader/FrameLoader.cpp:2041 #15 0x00007ffff06432f5 in WebCore::DocumentLoader::commitIfReady (this=0x7fffd6f4f000) at ../../Source/WebCore/loader/DocumentLoader.cpp:367 #16 0x00007ffff0646a31 in WebCore::DocumentLoader::commitLoad (this=0x7fffd6f4f000, `AccessibilityObject::detachPlatformWrapper` gets called after `AXObjectCache::detachWrapper` with the new patch, it looks as if the if statement should return early perhaps. 1613738 1 webkit-bug-importer 2020-02-01 09:26:54 -0800 <rdar://problem/59088456> 1613739 2 389461 jonathan 2020-02-01 09:39:00 -0800 Created attachment 389461 Patch 1613887 3 389461 cgarcia 2020-02-03 01:44:11 -0800 Comment on attachment 389461 Patch Thanks! 1613889 4 cgarcia 2020-02-03 01:44:25 -0800 *** Bug 207035 has been marked as a duplicate of this bug. *** 1613893 5 389461 commit-queue 2020-02-03 02:27:31 -0800 Comment on attachment 389461 Patch Clearing flags on attachment: 389461 Committed r255556: <https://trac.webkit.org/changeset/255556> 1613894 6 commit-queue 2020-02-03 02:27:33 -0800 All reviewed patches have been landed. Closing bug. 389461 2020-02-01 09:39:00 -0800 2020-02-03 02:27:31 -0800 Patch bug-207093-20200201173858.patch text/plain 1660 jonathan U3VidmVyc2lvbiBSZXZpc2lvbjogMjU1NTQyCmRpZmYgLS1naXQgYS9Tb3VyY2UvV2ViQ29yZS9D aGFuZ2VMb2cgYi9Tb3VyY2UvV2ViQ29yZS9DaGFuZ2VMb2cKaW5kZXggODZjMGI4YTA1MjljNTMz NjE5YjkxMWExNjQ1ZTk4ZjhkOGFlZWY2OS4uNTFlNzY0OWY4YjA4YjA4YzZhNjI0ODQxNGFiMGFk MDQ3ODNhYzA3MCAxMDA2NDQKLS0tIGEvU291cmNlL1dlYkNvcmUvQ2hhbmdlTG9nCisrKyBiL1Nv dXJjZS9XZWJDb3JlL0NoYW5nZUxvZwpAQCAtMSwzICsxLDE2IEBACisyMDIwLTAyLTAxICBKb25h dGhhbiBLaW5nc3RvbiAgPGpvbmF0aGFuQGpvb3BlZC5jby51az4KKworICAgICAgICBDcmFzaCBp biBXZWJLaXRBY2Nlc3NpYmxlCisgICAgICAgIGh0dHBzOi8vYnVncy53ZWJraXQub3JnL3Nob3df YnVnLmNnaT9pZD0yMDcwOTMKKyAgICAgICAgPHJkYXI6Ly9wcm9ibGVtLzU5MDg4NDU2PgorCisg ICAgICAgIFJldmlld2VkIGJ5IE5PQk9EWSAoT09QUyEpLgorCisgICAgICAgIEZpeGVkIGEgZGVi dWcgY3Jhc2ggaW4gV2ViS2l0QWNjZXNzaWJsZSBjYXVzZWQgYnkgZGV0YXRjaGluZyBhbiBhY2Nl c3NpYmlsaXR5IHdyYXBwZXIgbXVsdGlwbGUgdGltZXMuCisKKyAgICAgICAgKiBhY2Nlc3NpYmls aXR5L2F0ay9BY2Nlc3NpYmlsaXR5T2JqZWN0QXRrLmNwcDoKKyAgICAgICAgKFdlYkNvcmU6OkFj Y2Vzc2liaWxpdHlPYmplY3Q6OmRldGFjaFBsYXRmb3JtV3JhcHBlcik6CisKIDIwMjAtMDEtMzEg IFdlbnNvbiBIc2llaCAgPHdlbnNvbl9oc2llaEBhcHBsZS5jb20+CiAKICAgICAgICAgQWRkIHN1 cHBvcnQgZm9yIHNwZWNpZnlpbmcgYmFja2dyb3VuZCBjb2xvcnMgd2hlbiBzZXR0aW5nIG1hcmtl ZCB0ZXh0CmRpZmYgLS1naXQgYS9Tb3VyY2UvV2ViQ29yZS9hY2Nlc3NpYmlsaXR5L2F0ay9BY2Nl c3NpYmlsaXR5T2JqZWN0QXRrLmNwcCBiL1NvdXJjZS9XZWJDb3JlL2FjY2Vzc2liaWxpdHkvYXRr L0FjY2Vzc2liaWxpdHlPYmplY3RBdGsuY3BwCmluZGV4IDY3MDQ5Y2I2ZjYzMDc0MGI4ZmVjODdl OGJkYjkxYjQ5MTFmY2ZhZTMuLmExZTZhZmI4Y2YwOWZmNzY0N2U4ZWVkZWE5YmVlNWJiOGVhOGM2 N2MgMTAwNjQ0Ci0tLSBhL1NvdXJjZS9XZWJDb3JlL2FjY2Vzc2liaWxpdHkvYXRrL0FjY2Vzc2li aWxpdHlPYmplY3RBdGsuY3BwCisrKyBiL1NvdXJjZS9XZWJDb3JlL2FjY2Vzc2liaWxpdHkvYXRr L0FjY2Vzc2liaWxpdHlPYmplY3RBdGsuY3BwCkBAIC0zOCw4ICszOCwxMCBAQCBuYW1lc3BhY2Ug V2ViQ29yZSB7CiB2b2lkIEFjY2Vzc2liaWxpdHlPYmplY3Q6OmRldGFjaFBsYXRmb3JtV3JhcHBl cihBY2Nlc3NpYmlsaXR5RGV0YWNobWVudFR5cGUgZGV0YWNobWVudFR5cGUpCiB7CiAgICAgaWYg KGRldGFjaG1lbnRUeXBlICE9IEFjY2Vzc2liaWxpdHlEZXRhY2htZW50VHlwZTo6Q2FjaGVEZXN0 cm95ZWQpIHsKLSAgICAgICAgaWYgKGF1dG8qIGNhY2hlID0gYXhPYmplY3RDYWNoZSgpKQorICAg ICAgICBpZiAoYXV0byogY2FjaGUgPSBheE9iamVjdENhY2hlKCkpIHsKICAgICAgICAgICAgIGNh Y2hlLT5kZXRhY2hXcmFwcGVyKHRoaXMsIGRldGFjaG1lbnRUeXBlKTsKKyAgICAgICAgICAgIHJl dHVybjsKKyAgICAgICAgfQogICAgIH0KIAogICAgIGF1dG8qIHdyYXBwZXIgPSB0aGlzLT53cmFw cGVyKCk7Cg==