Bug 299092

Summary: [GLIB] [Debug] ASSERT error in accessibility/aria-flowto.html
Product: WebKit
Reporter: Diego Pino <dpino>
Component: New Bugs
Assignee: Nobody <webkit-unassigned>
Status: NEW
Severity: Normal
CC: bugs-noreply, lmoura, zimmermann
Priority: P2
Version: WebKit Nightly Build
Hardware: Unspecified
OS: Unspecified
See Also: https://bugs.webkit.org/show_bug.cgi?id=304211

Diego Pino
Reported 2025-09-18 07:42:54 PDT
The following A11y tests are crashing in GLIB ports due to a failing ASSERT:

- accessibility/aria-flowto.html
- accessibility/aria-selected.html
- accessibility/display-contents/element-roles.html
- accessibility/display-contents/list.html
- accessibility/display-contents/table-dynamic.html
- accessibility/display-contents/tree-and-treeitems.html
- accessibility/node-only-object-aria-owns-hang.html
- accessibility/node-only-object-element-rect.html
- accessibility/url-test.html

Crash log: https://build.webkit.org/results/GTK-Linux-64-bit-Debug-Tests/299805@main%20(17114)/accessibility/aria-flowto-crash-log.txt

```
Thread 1 (Thread 0x7f0b7d503c80 (LWP 973275)):
#0 WTFCrash () at /home/buildbot-worker/GTK-Linux-64-bit-Debug-Build/build/Source/WTF/wtf/Assertions.cpp:382
#1 0x00007f0ba3178b62 in WTFCrashWithInfo () at /home/buildbot-worker/GTK-Linux-64-bit-Debug-Build/build/WebKitBuild/GTK/Debug/WTF/Headers/wtf/Assertions.h:980
#2 0x00007f0ba8fe7899 in WebCore::AXCoreObject::verifyChildrenIndexInParent (this=0x7f0b7329d080, children=...) at /home/buildbot-worker/GTK-Linux-64-bit-Debug-Build/build/Source/WebCore/accessibility/AXCoreObject.cpp:369
#3 0x00007f0ba900b103 in WebCore::AccessibilityObject::verifyChildrenIndexInParent (this=0x7f0b7329d080) at /home/buildbot-worker/GTK-Linux-64-bit-Debug-Build/build/WebKitBuild/GTK/Debug/WebCore/PrivateHeaders/WebCore/AccessibilityObject.h:945
#4 0x00007f0ba90d9890 in operator() (__closure=0x7ffddfc07cf0) at /home/buildbot-worker/GTK-Linux-64-bit-Debug-Build/build/Source/WebCore/accessibility/AccessibilityRenderObject.cpp:2862
#5 0x00007f0ba90ed720 in WTF::ScopeExit<WebCore::AccessibilityRenderObject::addChildren()::<lambda()> >::~ScopeExit(void) (this=0x7ffddfc07cf0, __in_chrg=<optimized out>) at /home/buildbot-worker/GTK-Linux-64-bit-Debug-Build/build/WebKitBuild/GTK/Debug/WTF/Headers/wtf/Scope.h:53
#6 0x00007f0ba90da052 in WebCore::AccessibilityRenderObject::addChildren (this=0x7f0b7329d080) at /home/buildbot-worker/GTK-Linux-64-bit-Debug-Build/build/Source/WebCore/accessibility/AccessibilityRenderObject.cpp:2990
#7 0x00007f0ba90c2383 in WebCore::AccessibilityObject::updateChildrenIfNecessary (this=0x7f0b7329d080) at /home/buildbot-worker/GTK-Linux-64-bit-Debug-Build/build/Source/WebCore/accessibility/AccessibilityObject.cpp:2223
#8 0x00007f0ba90a4a3b in WebCore::AccessibilityNodeObject::updateChildrenIfNecessary (this=0x7f0b7329d080) at /home/buildbot-worker/GTK-Linux-64-bit-Debug-Build/build/Source/WebCore/accessibility/AccessibilityNodeObject.cpp:729
#9 0x00007f0ba900c942 in WebCore::AccessibilityObject::children (this=0x7f0b7329d080, updateChildrenIfNeeded=true) at /home/buildbot-worker/GTK-Linux-64-bit-Debug-Build/build/Source/WebCore/accessibility/AccessibilityObjectInlines.h:252
#10 0x00007f0ba90bb212 in WebCore::AccessibilityObject::insertChild (this=0x7f0b7329d300, child=..., index=0, descendIfIgnored=WebCore::AccessibilityObject::DescendIfIgnored::Yes) at /home/buildbot-worker/GTK-Linux-64-bit-Debug-Build/build/Source/WebCore/accessibility/AccessibilityObject.cpp:678
#11 0x00007f0ba90933bf in WebCore::AccessibilityObject::addChild (this=0x7f0b7329d300, object=..., descend=WebCore::AccessibilityObject::DescendIfIgnored::Yes) at /home/buildbot-worker/GTK-Linux-64-bit-Debug-Build/build/WebKitBuild/GTK/Debug/WebCore/PrivateHeaders/WebCore/AccessibilityObject.h:563
#12 0x00007f0ba90d9935 in operator() (__closure=0x7ffddfc07ec8, object=...) at /home/buildbot-worker/GTK-Linux-64-bit-Debug-Build/build/Source/WebCore/accessibility/AccessibilityRenderObject.cpp:2880
#13 0x00007f0ba90d9da3 in WebCore::AccessibilityRenderObject::addChildren (this=0x7f0b7329d300) at /home/buildbot-worker/GTK-Linux-64-bit-Debug-Build/build/Source/WebCore/accessibility/AccessibilityRenderObject.cpp:2957
#14 0x00007f0ba90c2383 in WebCore::AccessibilityObject::updateChildrenIfNecessary (this=0x7f0b7329d300) at /home/buildbot-worker/GTK-Linux-64-bit-Debug-Build/build/Source/WebCore/accessibility/AccessibilityObject.cpp:2223
#15 0x00007f0ba90a4a3b in WebCore::AccessibilityNodeObject::updateChildrenIfNecessary (this=0x7f0b7329d300) at /home/buildbot-worker/GTK-Linux-64-bit-Debug-Build/build/Source/WebCore/accessibility/AccessibilityNodeObject.cpp:729
#16 0x00007f0ba900c942 in WebCore::AccessibilityObject::children (this=0x7f0b7329d300, updateChildrenIfNeeded=true) at /home/buildbot-worker/GTK-Linux-64-bit-Debug-Build/build/Source/WebCore/accessibility/AccessibilityObjectInlines.h:252
#17 0x00007f0ba90bb212 in WebCore::AccessibilityObject::insertChild (this=0x7f0b7329cae0, child=..., index=0, descendIfIgnored=WebCore::AccessibilityObject::DescendIfIgnored::Yes) at /home/buildbot-worker/GTK-Linux-64-bit-Debug-Build/build/Source/WebCore/accessibility/AccessibilityObject.cpp:678
```

Basically, the condition validated in `verifyChildrenIndexInParent` is not met:

```cpp
for (unsigned i = 0; i < children.size(); i++)
    ASSERT(children[i]->indexInParent() == i);
```

I think it has to do with the fact that ATSPI still has its own code path for building the A11y tree.
Lauro Moura
Comment 1 2025-12-15 14:31:30 PST
This is also affecting accessibility/non-data-table-cell-title-ui-element.html (constant)

For WPE-Debug, according to webkit-testhunter:

```
300387@main NOERROR
300411@main CRASH (Expected: PASS)
```

And for GTK-Debug:

```
289992@main NOERROR
300390@main CRASH (Expected: PASS)
```

Although this NOERROR might be due to the test not being run, as I could not find it in the full_results for the good revision.

Interestingly, we're also getting this as a flaky debug crash for the following test: imported/w3c/web-platform-tests/css/css-display/parsing/display-computed.html
Nikolas Zimmermann
Comment 3 2025-12-16 14:42:42 PST
Gardened imported/w3c/web-platform-tests/css/css-display/focus/display-contents-focus.htm in https://commits.webkit.org/304545@main.