Bug 126073

Summary: Crashes in AccessibilityRenderObject::computeAccessibilityIsIgnored()
Product: WebKit Reporter: Antti Koivisto <koivisto>
Component: AccessibilityAssignee: Nobody <webkit-unassigned>
Status: RESOLVED FIXED    
Severity: Normal CC: aboxhall, apinheiro, ap, cfleizach, commit-queue, dmazzoni, eflews.bot, gyuyoung.kim, jcraig, jdiggs, kling, koivisto, mario, rego+ews, samuel_white, webkit-bug-importer, xan.lopez
Priority: P2 Keywords: InRadar
Version: 528+ (Nightly build)   
Hardware: Unspecified   
OS: Unspecified   
Bug Depends on: 126118    
Bug Blocks:    
Attachments:
Description Flags
patch rniwa: review+, eflews.bot: commit-queue-

Comment 1 Radar WebKit Bug Importer 2013-12-20 10:48:09 PST 
<rdar://problem/15709541>
Comment 2 Antti Koivisto 2013-12-20 10:53:49 PST 
Created attachment 219770 [details]
patch
Comment 3 Ryosuke Niwa 2013-12-20 10:56:14 PST 
Comment on attachment 219770 [details]
patch

rs=me
Comment 4 EFL EWS Bot 2013-12-20 10:58:30 PST 
Comment on attachment 219770 [details]
patch

Attachment 219770 [details] did not pass efl-ews (efl):
Output: http://webkit-queues.appspot.com/results/44378325
Comment 5 Alexey Proskuryakov 2013-12-20 10:59:13 PST 
Comment on attachment 219770 [details]
patch

View in context: https://bugs.webkit.org/attachment.cgi?id=219770&action=review

> Source/WebCore/accessibility/AccessibilityRenderObject.cpp:1192
> +    // FIXME: Somehow the renderer is becoming null.

I'd say:

// FIXME (bug number): Some regression tests flakily crash without this check. It is not clear whether the renderer may legitimately be null here.
Comment 6 EFL EWS Bot 2013-12-20 11:02:36 PST 
Comment on attachment 219770 [details]
patch

Attachment 219770 [details] did not pass efl-wk2-ews (efl-wk2):
Output: http://webkit-queues.appspot.com/results/49338291
Comment 7 Antti Koivisto 2013-12-20 11:02:46 PST 
https://trac.webkit.org/r160916
Comment 8 chris fleizach 2013-12-20 11:37:46 PST 
This is a bit risky to put in without having someone familiar with accessibility review it. I'm not sure what kind of negative effects it will have at all.

Was another bug opened to have someone look at this again?

Rather than ramming the other patch down WebKit and putting in temporary hacks, it might be better to work through the problems in tandem before committing
Comment 9 Antti Koivisto 2013-12-20 12:56:58 PST 
(In reply to comment #8)
> This is a bit risky to put in without having someone familiar with accessibility review it. I'm not sure what kind of negative effects it will have at all.
> 
> Was another bug opened to have someone look at this again?
> 
> Rather than ramming the other patch down WebKit and putting in temporary hacks, it might be better to work through the problems in tandem before committing

We are trying to understand the crash. The changes are temporary.
Comment 10 Antti Koivisto 2013-12-20 12:58:47 PST 
This is fallout from http://trac.webkit.org/changeset/160908
Comment 12 Antti Koivisto 2013-12-20 14:12:55 PST 
reopening
Comment 13 Antti Koivisto 2013-12-21 04:50:14 PST 
This looks like the root cause:

http://build.webkit.org/results/Apple%20Mavericks%20Debug%20WK1%20(Tests)/r160955%20(1283)/fast/events/nested-event-remove-node-crash-crash-log.txt

12  com.apple.WebCore             	0x00000001079381c8 WebCore::Style::resolveTree(WebCore::Document&, WebCore::Style::Change) + 520 (StyleResolveTree.cpp:880)
13  com.apple.WebCore             	0x0000000107c4ace6 WebCore::Document::recalcStyle(WebCore::Style::Change) + 438 (Document.cpp:1760)
14  com.apple.WebCore             	0x0000000107c474df WebCore::Document::updateStyleIfNeeded() + 431 (Document.cpp:1809)
15  com.apple.WebCore             	0x00000001080d16df WebCore::HTMLElement::supportsFocus() const + 111 (HTMLElement.cpp:667)
16  com.apple.WebCore             	0x00000001077169c6 WebCore::AccessibilityNodeObject::canSetFocusAttribute() const + 214 (AccessibilityNodeObject.cpp:1985)
17  com.apple.WebCore             	0x0000000107723839 WebCore::AccessibilityRenderObject::inheritsPresentationalRole() const + 41 (AccessibilityRenderObject.cpp:2625)
18  com.apple.WebCore             	0x0000000107722d95 WebCore::AccessibilityRenderObject::computeAccessibilityIsIgnored() const + 325 (AccessibilityRenderObject.cpp:1183)
19  com.apple.WebCore             	0x000000010771e84f WebCore::AccessibilityObject::accessibilityIsIgnored() const + 191 (AccessibilityObject.cpp:2133)
20  com.apple.WebCore             	0x00000001077080cd WebCore::AccessibilityObject::notifyIfIgnoredValueChanged() + 29 (AccessibilityObject.cpp:2033)
21  com.apple.WebCore             	0x0000000107708dc8 WebCore::AXObjectCache::recomputeIsIgnored(WebCore::RenderObject*) + 56 (AXObjectCache.cpp:864)
22  com.apple.WebCore             	0x0000000108be0359 WebCore::RenderBlock::deleteLines() + 73 (RenderBlock.cpp:932)
23  com.apple.WebCore             	0x0000000109462ea2 WebCore::RenderBlockFlow::deleteLines() + 450 (RenderBlockFlow.cpp:1827)
24  com.apple.WebCore             	0x0000000108be10cd WebCore::RenderBlock::removeChild(WebCore::RenderObject&) + 1709 (RenderBlock.cpp:1191)
25  com.apple.WebCore             	0x0000000108d91e06 WebCore::RenderObject::removeFromParent() + 70 (RenderObject.cpp:187)
26  com.apple.WebCore             	0x0000000108d9c2f3 WebCore::RenderObject::willBeDestroyed() + 163 (RenderObject.cpp:1865)
27  com.apple.WebCore             	0x0000000108e77647 WebCore::RenderText::willBeDestroyed() + 167 (RenderText.cpp:284)
28  com.apple.WebCore             	0x0000000108d9c8bd WebCore::RenderObject::destroy() + 29 (RenderObject.cpp:1985)
29  com.apple.WebCore             	0x0000000108d9c892 WebCore::RenderObject::destroyAndCleanupAnonymousWrappers() + 274 (RenderObject.cpp:1975)
30  com.apple.WebCore             	0x0000000107937012 WebCore::Style::detachTextRenderer(WebCore::Text&) + 50 (StyleResolveTree.cpp:414)
31  com.apple.WebCore             	0x0000000107938661 WebCore::Style::detachChildren(WebCore::ContainerNode&, WebCore::Style::DetachType) + 81 

We are entering style resolve from the middle of render tree destruction.
Comment 14 chris fleizach 2013-12-21 07:31:18 PST 
(In reply to comment #13)
> This looks like the root cause:
> 
> http://build.webkit.org/results/Apple%20Mavericks%20Debug%20WK1%20(Tests)/r160955%20(1283)/fast/events/nested-event-remove-node-crash-crash-log.txt
> 
> 12  com.apple.WebCore                 0x00000001079381c8 WebCore::Style::resolveTree(WebCore::Document&, WebCore::Style::Change) + 520 (StyleResolveTree.cpp:880)
> 13  com.apple.WebCore                 0x0000000107c4ace6 WebCore::Document::recalcStyle(WebCore::Style::Change) + 438 (Document.cpp:1760)
> 14  com.apple.WebCore                 0x0000000107c474df WebCore::Document::updateStyleIfNeeded() + 431 (Document.cpp:1809)
> 15  com.apple.WebCore                 0x00000001080d16df WebCore::HTMLElement::supportsFocus() const + 111 (HTMLElement.cpp:667)
> 16  com.apple.WebCore                 0x00000001077169c6 WebCore::AccessibilityNodeObject::canSetFocusAttribute() const + 214 (AccessibilityNodeObject.cpp:1985)
> 17  com.apple.WebCore                 0x0000000107723839 WebCore::AccessibilityRenderObject::inheritsPresentationalRole() const + 41 (AccessibilityRenderObject.cpp:2625)
> 18  com.apple.WebCore                 0x0000000107722d95 WebCore::AccessibilityRenderObject::computeAccessibilityIsIgnored() const + 325 (AccessibilityRenderObject.cpp:1183)
> 19  com.apple.WebCore                 0x000000010771e84f WebCore::AccessibilityObject::accessibilityIsIgnored() const + 191 (AccessibilityObject.cpp:2133)
> 20  com.apple.WebCore                 0x00000001077080cd WebCore::AccessibilityObject::notifyIfIgnoredValueChanged() + 29 (AccessibilityObject.cpp:2033)
> 21  com.apple.WebCore                 0x0000000107708dc8 WebCore::AXObjectCache::recomputeIsIgnored(WebCore::RenderObject*) + 56 (AXObjectCache.cpp:864)
> 22  com.apple.WebCore                 0x0000000108be0359 WebCore::RenderBlock::deleteLines() + 73 (RenderBlock.cpp:932)
> 23  com.apple.WebCore                 0x0000000109462ea2 WebCore::RenderBlockFlow::deleteLines() + 450 (RenderBlockFlow.cpp:1827)
> 24  com.apple.WebCore                 0x0000000108be10cd WebCore::RenderBlock::removeChild(WebCore::RenderObject&) + 1709 (RenderBlock.cpp:1191)
> 25  com.apple.WebCore                 0x0000000108d91e06 WebCore::RenderObject::removeFromParent() + 70 (RenderObject.cpp:187)
> 26  com.apple.WebCore                 0x0000000108d9c2f3 WebCore::RenderObject::willBeDestroyed() + 163 (RenderObject.cpp:1865)
> 27  com.apple.WebCore                 0x0000000108e77647 WebCore::RenderText::willBeDestroyed() + 167 (RenderText.cpp:284)
> 28  com.apple.WebCore                 0x0000000108d9c8bd WebCore::RenderObject::destroy() + 29 (RenderObject.cpp:1985)
> 29  com.apple.WebCore                 0x0000000108d9c892 WebCore::RenderObject::destroyAndCleanupAnonymousWrappers() + 274 (RenderObject.cpp:1975)
> 30  com.apple.WebCore                 0x0000000107937012 WebCore::Style::detachTextRenderer(WebCore::Text&) + 50 (StyleResolveTree.cpp:414)
> 31  com.apple.WebCore                 0x0000000107938661 WebCore::Style::detachChildren(WebCore::ContainerNode&, WebCore::Style::DetachType) + 81 
> 
> We are entering style resolve from the middle of render tree destruction.

Two thoughts:
   Does  WebCore::HTMLElement::supportsFocus()   really need to update the style calculations?
   
   It's possible this work
      WebCore::AXObjectCache::recomputeIsIgnored
   can be pended on a timer to run during the next runloop iteration
Comment 15 Antti Koivisto 2013-12-21 11:58:42 PST 
Looks like https://trac.webkit.org/r160966 fixed this.
Comment 16 Antti Koivisto 2013-12-21 12:24:40 PST 
Rolled out the hack fix in https://trac.webkit.org/r160968