Bug 126073

Summary:

Crashes in AccessibilityRenderObject::computeAccessibilityIsIgnored()

Product:

WebKit

Reporter:

Antti Koivisto <koivisto>

Component:

Accessibility

Assignee:

Nobody <webkit-unassigned>

Status:

RESOLVED FIXED

Severity:

Normal

CC:

aboxhall, apinheiro, ap, cfleizach, commit-queue, dmazzoni, eflews.bot, gyuyoung.kim, jcraig, jdiggs, kling, koivisto, mario, rego+ews, samuel_white, webkit-bug-importer, xan.lopez

Priority:

Keywords:

InRadar

Version:

528+ (Nightly build)

Hardware:

Unspecified

OS:

Unspecified

Bug Depends on:

126118

Bug Blocks:

Attachments:

Description	Flags
patch	rniwa: review+, eflews.bot: commit-queue-

Antti Koivisto

Reported 2013-12-20 10:47:58 PST

http://build.webkit.org/results/Apple%20Mavericks%20Debug%20WK1%20(Tests)/r160914%20(1262)/editing/spelling/spellcheck-async-mutation-crash-log.txt http://build.webkit.org/results/Apple%20MountainLion%20Release%20WK1%20(Tests)/r160914%20(15848)/dom/xhtml/level2/html/HTMLInputElement01-crash-log.txt

Attachments
patch (3.50 KB, patch) 2013-12-20 10:53 PST, Antti Koivisto	rniwa: review+ eflews.bot: commit-queue-	Details Formatted Diff Diff
View All Add attachment proposed patch, testcase, etc.

Radar WebKit Bug Importer

Comment 1 2013-12-20 10:48:09 PST

<rdar://problem/15709541>

Antti Koivisto

Comment 2 2013-12-20 10:53:49 PST

Created attachment 219770 [details] patch

Ryosuke Niwa

Comment 3 2013-12-20 10:56:14 PST

Comment on attachment 219770 [details] patch rs=me

EFL EWS Bot

Comment 4 2013-12-20 10:58:30 PST

Comment on attachment 219770 [details] patch Attachment 219770 [details] did not pass efl-ews (efl): Output: http://webkit-queues.appspot.com/results/44378325

Alexey Proskuryakov

Comment 5 2013-12-20 10:59:13 PST

Comment on attachment 219770 [details] patch View in context: https://bugs.webkit.org/attachment.cgi?id=219770&action=review > Source/WebCore/accessibility/AccessibilityRenderObject.cpp:1192 > + // FIXME: Somehow the renderer is becoming null. I'd say: // FIXME (bug number): Some regression tests flakily crash without this check. It is not clear whether the renderer may legitimately be null here.

EFL EWS Bot

Comment 6 2013-12-20 11:02:36 PST

Comment on attachment 219770 [details] patch Attachment 219770 [details] did not pass efl-wk2-ews (efl-wk2): Output: http://webkit-queues.appspot.com/results/49338291

Antti Koivisto

Comment 7 2013-12-20 11:02:46 PST

https://trac.webkit.org/r160916

chris fleizach

Comment 8 2013-12-20 11:37:46 PST

This is a bit risky to put in without having someone familiar with accessibility review it. I'm not sure what kind of negative effects it will have at all. Was another bug opened to have someone look at this again? Rather than ramming the other patch down WebKit and putting in temporary hacks, it might be better to work through the problems in tandem before committing

Antti Koivisto

Comment 9 2013-12-20 12:56:58 PST

(In reply to comment #8) > This is a bit risky to put in without having someone familiar with accessibility review it. I'm not sure what kind of negative effects it will have at all. > > Was another bug opened to have someone look at this again? > > Rather than ramming the other patch down WebKit and putting in temporary hacks, it might be better to work through the problems in tandem before committing We are trying to understand the crash. The changes are temporary.

Antti Koivisto

Comment 10 2013-12-20 12:58:47 PST

This is fallout from http://trac.webkit.org/changeset/160908

Antti Koivisto

Comment 11 2013-12-20 14:11:34 PST

Looks like there are some dead objects here http://build.webkit.org/results/Apple%20Mavericks%20Debug%20WK1%20(Tests)/r160922%20(1266)/fast/body-propagation/background-image/003-xhtml-crash-log.txt

Antti Koivisto

Comment 12 2013-12-20 14:12:55 PST

reopening

Antti Koivisto

Comment 13 2013-12-21 04:50:14 PST

This looks like the root cause: http://build.webkit.org/results/Apple%20Mavericks%20Debug%20WK1%20(Tests)/r160955%20(1283)/fast/events/nested-event-remove-node-crash-crash-log.txt 12 com.apple.WebCore 0x00000001079381c8 WebCore::Style::resolveTree(WebCore::Document&, WebCore::Style::Change) + 520 (StyleResolveTree.cpp:880) 13 com.apple.WebCore 0x0000000107c4ace6 WebCore::Document::recalcStyle(WebCore::Style::Change) + 438 (Document.cpp:1760) 14 com.apple.WebCore 0x0000000107c474df WebCore::Document::updateStyleIfNeeded() + 431 (Document.cpp:1809) 15 com.apple.WebCore 0x00000001080d16df WebCore::HTMLElement::supportsFocus() const + 111 (HTMLElement.cpp:667) 16 com.apple.WebCore 0x00000001077169c6 WebCore::AccessibilityNodeObject::canSetFocusAttribute() const + 214 (AccessibilityNodeObject.cpp:1985) 17 com.apple.WebCore 0x0000000107723839 WebCore::AccessibilityRenderObject::inheritsPresentationalRole() const + 41 (AccessibilityRenderObject.cpp:2625) 18 com.apple.WebCore 0x0000000107722d95 WebCore::AccessibilityRenderObject::computeAccessibilityIsIgnored() const + 325 (AccessibilityRenderObject.cpp:1183) 19 com.apple.WebCore 0x000000010771e84f WebCore::AccessibilityObject::accessibilityIsIgnored() const + 191 (AccessibilityObject.cpp:2133) 20 com.apple.WebCore 0x00000001077080cd WebCore::AccessibilityObject::notifyIfIgnoredValueChanged() + 29 (AccessibilityObject.cpp:2033) 21 com.apple.WebCore 0x0000000107708dc8 WebCore::AXObjectCache::recomputeIsIgnored(WebCore::RenderObject*) + 56 (AXObjectCache.cpp:864) 22 com.apple.WebCore 0x0000000108be0359 WebCore::RenderBlock::deleteLines() + 73 (RenderBlock.cpp:932) 23 com.apple.WebCore 0x0000000109462ea2 WebCore::RenderBlockFlow::deleteLines() + 450 (RenderBlockFlow.cpp:1827) 24 com.apple.WebCore 0x0000000108be10cd WebCore::RenderBlock::removeChild(WebCore::RenderObject&) + 1709 (RenderBlock.cpp:1191) 25 com.apple.WebCore 0x0000000108d91e06 WebCore::RenderObject::removeFromParent() + 70 (RenderObject.cpp:187) 26 com.apple.WebCore 0x0000000108d9c2f3 WebCore::RenderObject::willBeDestroyed() + 163 (RenderObject.cpp:1865) 27 com.apple.WebCore 0x0000000108e77647 WebCore::RenderText::willBeDestroyed() + 167 (RenderText.cpp:284) 28 com.apple.WebCore 0x0000000108d9c8bd WebCore::RenderObject::destroy() + 29 (RenderObject.cpp:1985) 29 com.apple.WebCore 0x0000000108d9c892 WebCore::RenderObject::destroyAndCleanupAnonymousWrappers() + 274 (RenderObject.cpp:1975) 30 com.apple.WebCore 0x0000000107937012 WebCore::Style::detachTextRenderer(WebCore::Text&) + 50 (StyleResolveTree.cpp:414) 31 com.apple.WebCore 0x0000000107938661 WebCore::Style::detachChildren(WebCore::ContainerNode&, WebCore::Style::DetachType) + 81 We are entering style resolve from the middle of render tree destruction.

chris fleizach

Comment 14 2013-12-21 07:31:18 PST

(In reply to comment #13) > This looks like the root cause: > > http://build.webkit.org/results/Apple%20Mavericks%20Debug%20WK1%20(Tests)/r160955%20(1283)/fast/events/nested-event-remove-node-crash-crash-log.txt > > 12 com.apple.WebCore 0x00000001079381c8 WebCore::Style::resolveTree(WebCore::Document&, WebCore::Style::Change) + 520 (StyleResolveTree.cpp:880) > 13 com.apple.WebCore 0x0000000107c4ace6 WebCore::Document::recalcStyle(WebCore::Style::Change) + 438 (Document.cpp:1760) > 14 com.apple.WebCore 0x0000000107c474df WebCore::Document::updateStyleIfNeeded() + 431 (Document.cpp:1809) > 15 com.apple.WebCore 0x00000001080d16df WebCore::HTMLElement::supportsFocus() const + 111 (HTMLElement.cpp:667) > 16 com.apple.WebCore 0x00000001077169c6 WebCore::AccessibilityNodeObject::canSetFocusAttribute() const + 214 (AccessibilityNodeObject.cpp:1985) > 17 com.apple.WebCore 0x0000000107723839 WebCore::AccessibilityRenderObject::inheritsPresentationalRole() const + 41 (AccessibilityRenderObject.cpp:2625) > 18 com.apple.WebCore 0x0000000107722d95 WebCore::AccessibilityRenderObject::computeAccessibilityIsIgnored() const + 325 (AccessibilityRenderObject.cpp:1183) > 19 com.apple.WebCore 0x000000010771e84f WebCore::AccessibilityObject::accessibilityIsIgnored() const + 191 (AccessibilityObject.cpp:2133) > 20 com.apple.WebCore 0x00000001077080cd WebCore::AccessibilityObject::notifyIfIgnoredValueChanged() + 29 (AccessibilityObject.cpp:2033) > 21 com.apple.WebCore 0x0000000107708dc8 WebCore::AXObjectCache::recomputeIsIgnored(WebCore::RenderObject*) + 56 (AXObjectCache.cpp:864) > 22 com.apple.WebCore 0x0000000108be0359 WebCore::RenderBlock::deleteLines() + 73 (RenderBlock.cpp:932) > 23 com.apple.WebCore 0x0000000109462ea2 WebCore::RenderBlockFlow::deleteLines() + 450 (RenderBlockFlow.cpp:1827) > 24 com.apple.WebCore 0x0000000108be10cd WebCore::RenderBlock::removeChild(WebCore::RenderObject&) + 1709 (RenderBlock.cpp:1191) > 25 com.apple.WebCore 0x0000000108d91e06 WebCore::RenderObject::removeFromParent() + 70 (RenderObject.cpp:187) > 26 com.apple.WebCore 0x0000000108d9c2f3 WebCore::RenderObject::willBeDestroyed() + 163 (RenderObject.cpp:1865) > 27 com.apple.WebCore 0x0000000108e77647 WebCore::RenderText::willBeDestroyed() + 167 (RenderText.cpp:284) > 28 com.apple.WebCore 0x0000000108d9c8bd WebCore::RenderObject::destroy() + 29 (RenderObject.cpp:1985) > 29 com.apple.WebCore 0x0000000108d9c892 WebCore::RenderObject::destroyAndCleanupAnonymousWrappers() + 274 (RenderObject.cpp:1975) > 30 com.apple.WebCore 0x0000000107937012 WebCore::Style::detachTextRenderer(WebCore::Text&) + 50 (StyleResolveTree.cpp:414) > 31 com.apple.WebCore 0x0000000107938661 WebCore::Style::detachChildren(WebCore::ContainerNode&, WebCore::Style::DetachType) + 81 > > We are entering style resolve from the middle of render tree destruction. Two thoughts: Does WebCore::HTMLElement::supportsFocus() really need to update the style calculations? It's possible this work WebCore::AXObjectCache::recomputeIsIgnored can be pended on a timer to run during the next runloop iteration

Antti Koivisto

Comment 15 2013-12-21 11:58:42 PST

Looks like https://trac.webkit.org/r160966 fixed this.

Antti Koivisto

Comment 16 2013-12-21 12:24:40 PST

Rolled out the hack fix in https://trac.webkit.org/r160968

Note You need to log in before you can comment on or make changes to this bug.