Bug 206828

Summary: Crash in AXIsolatedObject destruction.
Product: WebKit    Reporter: Andres Gonzalez <andresg_22>
Component: New Bugs    Assignee: Andres Gonzalez <andresg_22>
Status: RESOLVED FIXED
Severity: Normal    CC: aakash_jain, aboxhall, annulen, apinheiro, cfleizach, clopez, commit-queue, dmazzoni, ews-watchlist, gyuyoung.kim, jcraig, jdiggs, lmoura, pnormand, ryuan.choi, samuel_white, sergio, tsavell, webkit-bug-importer
Priority: P2    Keywords: InRadar
Version: WebKit Nightly Build
Hardware: Unspecified
OS: Unspecified
See Also: https://bugs.webkit.org/show_bug.cgi?id=206868
Attachments:
Description    Flags
Patch          none
Patch          none

Description Andres Gonzalez 2020-01-27 08:57:31 PST
Crash in AXIsolatedObject destruction.
Comment 1 Andres Gonzalez 2020-01-27 09:17:06 PST
Created attachment 388866 [details]
Patch
Comment 2 WebKit Commit Bot 2020-01-27 13:30:26 PST
The commit-queue encountered the following flaky tests while processing attachment 388866 [details]:

editing/spelling/spellcheck-attribute.html bug 206178 (authors: g.czajkowski@samsung.com, mark.lam@apple.com, and rniwa@webkit.org)
The commit-queue is continuing to process your patch.
Comment 3 WebKit Commit Bot 2020-01-27 13:31:06 PST
Comment on attachment 388866 [details]
Patch

Clearing flags on attachment: 388866

Committed r255167: <https://trac.webkit.org/changeset/255167>
Comment 4 WebKit Commit Bot 2020-01-27 13:31:08 PST
All reviewed patches have been landed.  Closing bug.
Comment 5 Radar WebKit Bug Importer 2020-01-27 13:32:19 PST
<rdar://problem/58931972>
Comment 6 Truitt Savell 2020-01-28 10:17:51 PST
The changes in https://trac.webkit.org/changeset/255167/webkit

appear to have broken testing for Windows: https://build.webkit.org/builders/Apple%20Win%2010%20Release%20%28Tests%29/builds/4754

There are 48+ crashing accessibility/ tests:
https://build.webkit.org/builders/Apple%20Win%2010%20Release%20%28Tests%29/builds/4754/steps/layout-test/logs/stdio

It looks like EWS caught this.
Comment 7 Philippe Normand 2020-01-29 05:47:55 PST
WPE and GTK bots are also now crashing in accessibility tests since this landed.
Comment 8 Lauro Moura 2020-01-29 08:07:07 PST
Looks like the AXObjectCache destructor ends up triggering some code that makes the objects being detached try to access the cache again.

Top of the backtrace of the GTK crash from the debug bot:

https://build.webkit.org/results/GTK%20Linux%2064-bit%20Debug%20(Tests)/r255337%20(5852)/accessibility/aria-hidden-negates-no-visibility-crash-log.txt

Thread 1 (Thread 0x7f60ee9899c0 (LWP 42862)):
#0  0x00007f610730f8fc in _ZN3WTF9HashTableIPN7WebCore4NodeENS_12KeyValuePairIS3_jEENS_24KeyValuePairKeyExtractorIS5_EENS_7PtrHashIS3_EENS_7HashMapIS3_jS9_NS_10HashTraitsIS3_EENSB_IjEEE18KeyValuePairTraitsESC_E12inlineLookupINS_24HashMapTranslatorAdapterISF_NS_22IdentityHashTranslatorISF_S9_EEEES3_EEPS5_RKT0_ (this=0x90, key=@0x7ffd201b8500: 0x7f60995fb950) at DerivedSources/ForwardingHeaders/wtf/HashTable.h:652
#1  0x00007f6107308e77 in _ZN3WTF9HashTableIPN7WebCore4NodeENS_12KeyValuePairIS3_jEENS_24KeyValuePairKeyExtractorIS5_EENS_7PtrHashIS3_EENS_7HashMapIS3_jS9_NS_10HashTraitsIS3_EENSB_IjEEE18KeyValuePairTraitsESC_E6lookupINS_24HashMapTranslatorAdapterISF_NS_22IdentityHashTranslatorISF_S9_EEEES3_EEPS5_RKT0_ (this=0x90, key=@0x7ffd201b8500: 0x7f60995fb950) at DerivedSources/ForwardingHeaders/wtf/HashTable.h:642
#2  0x00007f6107301087 in _ZNK3WTF7HashMapIPN7WebCore4NodeEjNS_7PtrHashIS3_EENS_10HashTraitsIS3_EENS6_IjEEE3getINS_22IdentityHashTranslatorINS9_18KeyValuePairTraitsES5_EES3_EEjRKT0_ (this=0x90, value=@0x7ffd201b8500: 0x7f60995fb950) at DerivedSources/ForwardingHeaders/wtf/HashMap.h:321
#3  0x00007f61072f9145 in _ZNK3WTF7HashMapIPN7WebCore4NodeEjNS_7PtrHashIS3_EENS_10HashTraitsIS3_EENS6_IjEEE3getERKS3_ (this=0x90, key=@0x7ffd201b8500: 0x7f60995fb950) at DerivedSources/ForwardingHeaders/wtf/HashMap.h:436
#4  0x00007f61072e3479 in _ZN7WebCore13AXObjectCache3getEPNS_4NodeE (this=0x0, node=0x7f60995fb950) at ../../Source/WebCore/accessibility/AXObjectCache.cpp:472
#5  0x00007f61072e4671 in _ZN7WebCore13AXObjectCache11getOrCreateEPNS_4NodeE (this=0x0, node=0x7f60995fb950) at ../../Source/WebCore/accessibility/AXObjectCache.cpp:649
#6  0x00007f610731feaa in _ZNK7WebCore26AccessibilityListBoxOption12parentObjectEv (this=0x7f607b463600) at ../../Source/WebCore/accessibility/AccessibilityListBoxOption.cpp:168
#7  0x00007f6107336d8a in _ZNK7WebCore19AccessibilityObject17documentFrameViewEv (this=0x7f607b463600) at ../../Source/WebCore/accessibility/AccessibilityObject.cpp:1732
#8  0x00007f6107336cb9 in _ZNK7WebCore19AccessibilityObject8documentEv (this=0x7f607b463600) at ../../Source/WebCore/accessibility/AccessibilityObject.cpp:1713
#9  0x00007f610733b27d in _ZNK7WebCore19AccessibilityObject13axObjectCacheEv (this=0x7f607b463600) at ../../Source/WebCore/accessibility/AccessibilityObject.cpp:2625
#10 0x00007f61073731c4 in _ZN7WebCore19AccessibilityObject21detachPlatformWrapperENS_27AccessibilityDetachmentTypeE (this=0x7f607b463600, detachmentType=WebCore::AccessibilityDetachmentType::CacheDestroyed) at ../../Source/WebCore/accessibility/atk/AccessibilityObjectAtk.cpp:40
#11 0x00007f61072f479f in _ZN7WebCore12AXCoreObject13detachWrapperENS_27AccessibilityDetachmentTypeE (this=0x7f607b463600, detachmentType=WebCore::AccessibilityDetachmentType::CacheDestroyed) at ../../Source/WebCore/accessibility/AccessibilityObjectInterface.h:1157
#12 0x00007f61072f4732 in _ZN7WebCore12AXCoreObject6detachENS_27AccessibilityDetachmentTypeE (this=0x7f607b463600, detachmentType=WebCore::AccessibilityDetachmentType::CacheDestroyed) at ../../Source/WebCore/accessibility/AccessibilityObjectInterface.h:1150
#13 0x00007f61072e27df in _ZN7WebCore13AXObjectCacheD2Ev (this=0x7f607ae4e000, __in_chrg=<optimized out>) at ../../Source/WebCore/accessibility/AXObjectCache.cpp:243
#14 0x00007f610784a6f4 in _ZNKSt14default_deleteIN7WebCore13AXObjectCacheEEclEPS1_ (this=0x7f60a0da62d8, __ptr=0x7f607ae4e000) at /usr/include/c++/8/bits/unique_ptr.h:81
#15 0x00007f610784f3f1 in _ZNSt10unique_ptrIN7WebCore13AXObjectCacheESt14default_deleteIS1_EE5resetEPS1_ (this=0x7f60a0da62d8, __p=0x7f607ae4e000) at /usr/include/c++/8/bits/unique_ptr.h:382
#16 0x00007f610783fa4d in _ZNSt10unique_ptrIN7WebCore13AXObjectCacheESt14default_deleteIS1_EEaSEDn (this=0x7f60a0da62d8) at /usr/include/c++/8/bits/unique_ptr.h:318
#17 0x00007f6107813af9 in _ZN7WebCore8Document18clearAXObjectCacheEv (this=0x7f60a0da5df0) at ../../Source/WebCore/dom/Document.cpp:2691
#18 0x00007f6107812f06 in _ZN7WebCore8Document17destroyRenderTreeEv (this=0x7f60a0da5df0) at ../../Source/WebCore/dom/Document.cpp:2452
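As an added illustration of the re-entrancy Lauro describes (a constructed model, not WebKit's code; the type and function names are hypothetical and only echo the frames in the backtrace), the cache destructor below detaches its objects, the unsafe detach path looks the cache up through the document again while the document's pointer is already null, and the hardened variant skips that lookup when the detachment reason is CacheDestroyed:

```cpp
#include <memory>
#include <vector>
// Constructed model of the re-entrancy described in comment 8; not WebKit code.
enum class DetachmentType { ElementDestroyed, CacheDestroyed };
enum class DetachOutcome { Detached, NullCacheAccess };
struct AXCache;
struct Document {
    std::unique_ptr<AXCache> axCache;
    std::vector<DetachOutcome> outcomes;  // filled in by the dying cache
    void clearAXObjectCache();
};
struct AXObject {
    Document* doc = nullptr;
    DetachOutcome detachUnsafe(DetachmentType);  // re-enters the cache
    DetachOutcome detachSafe(DetachmentType);    // skips it on CacheDestroyed
};
struct AXCache {
    Document* doc = nullptr;
    std::vector<AXObject*> objects;
    bool useSafeDetach = false;
    ~AXCache() {  // detaches every owned object, as AXObjectCache's destructor does
        for (AXObject* o : objects)
            doc->outcomes.push_back(useSafeDetach ? o->detachSafe(DetachmentType::CacheDestroyed)
                                                  : o->detachUnsafe(DetachmentType::CacheDestroyed));
    }
};
// unique_ptr::reset() stores nullptr before deleting, so while ~AXCache runs the
// document already reports no cache: the this=0x0 in frames #4 and #5 of the backtrace.
void Document::clearAXObjectCache() { axCache.reset(); }
// Same chain as the backtrace (object -> document -> cache -> getOrCreate()), taken
// regardless of why the object is being detached.
DetachOutcome AXObject::detachUnsafe(DetachmentType) {
    return doc->axCache ? DetachOutcome::Detached : DetachOutcome::NullCacheAccess;
}
// The owner is going away, so CacheDestroyed must not look the cache up again.
DetachOutcome AXObject::detachSafe(DetachmentType type) {
    if (type == DetachmentType::CacheDestroyed) return DetachOutcome::Detached;
    return doc->axCache ? DetachOutcome::Detached : DetachOutcome::NullCacheAccess;
}
// Tears down a one-object cache and reports whether any detach hit a null cache.
bool teardownHitsNullCache(bool useSafeDetach) {
    Document doc;
    doc.axCache = std::make_unique<AXCache>();
    doc.axCache->doc = &doc; doc.axCache->useSafeDetach = useSafeDetach;
    AXObject obj; obj.doc = &doc;
    doc.axCache->objects.push_back(&obj);
    doc.clearAXObjectCache();  // ~AXCache runs while doc.axCache is already null
    for (DetachOutcome o : doc.outcomes)
        if (o == DetachOutcome::NullCacheAccess) return true;
    return false;
}
```

The unsafe variant reports the null-cache access that the real code dereferences; the safe variant never touches the cache on the CacheDestroyed path.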
Comment 9 Andres Gonzalez 2020-01-29 08:27:59 PST
Reopening to attach new patch.
Comment 10 Andres Gonzalez 2020-01-29 08:28:01 PST
Created attachment 389141 [details]
Patch
Comment 11 Lauro Moura 2020-01-29 08:42:41 PST
(In reply to Andres Gonzalez from comment #10)
> Created attachment 389141 [details]
> Patch

With this patch I could not reproduce the error locally. Thanks!
Comment 12 WebKit Commit Bot 2020-01-29 10:01:19 PST
Comment on attachment 389141 [details]
Patch

Clearing flags on attachment: 389141

Committed r255364: <https://trac.webkit.org/changeset/255364>
Comment 13 WebKit Commit Bot 2020-01-29 10:01:22 PST
All reviewed patches have been landed.  Closing bug.