Bug 93501

Summary: REGRESSION (r124997): Flaky crashes in two tests
Product: WebKit
Reporter: Zan Dobersek <zan>
Component: Accessibility
Assignee: Nobody <webkit-unassigned>
Status: RESOLVED FIXED
Severity: Normal
CC: mario, mrobinson
Priority: P2
Version: 528+ (Nightly build)
Hardware: Unspecified
OS: Unspecified
Attachments:
Patch proposal (flags: mrobinson: review+)

Description Zan Dobersek 2012-08-08 11:41:16 PDT
Crashes started occurring after r124997 in two tests. The crashes occur flakily, I'd guess only if the accessibility tests have been run before these two tests. The tests are:
- fast/css/first-letter-text-fragment-crash.html
- editing/inserting/insert-character-in-first-letter-crash.html

The crash log:

Crash log for DumpRenderTree (pid 11325):

[New LWP 11325]
[New LWP 11362]
[New LWP 11361]
[New LWP 11793]
[New LWP 11364]
[New LWP 11363]
[New LWP 11792]
[New LWP 11673]
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Core was generated by `/home/slave/webkitgtk/gtk-linux-64-debug/build/WebKitBuild/Debug/Programs/DumpR'.
Program terminated with signal 11, Segmentation fault.
#0  0x00007f3074384a4c in WebCore::emitTextChanged (object=0xf259500, textChange=WebCore::AXObjectCache::AXTextInserted, offset=0, text="Z") at ../../Source/WebCore/accessibility/gtk/AXObjectCacheAtk.cpp:163
163	    AtkObject* wrapper = object->parentObjectUnignored()->wrapper();

...

Thread 1 (Thread 0x7f3067979900 (LWP 11325)):
#0  0x00007f3074384a4c in WebCore::emitTextChanged (object=0xf259500, textChange=WebCore::AXObjectCache::AXTextInserted, offset=0, text="Z") at ../../Source/WebCore/accessibility/gtk/AXObjectCacheAtk.cpp:163
#1  0x00007f3074384d7d in WebCore::AXObjectCache::nodeTextChangePlatformNotification (this=0xf24a000, object=0xf259500, textChange=WebCore::AXObjectCache::AXTextInserted, offset=0, text="Z") at ../../Source/WebCore/accessibility/gtk/AXObjectCacheAtk.cpp:196
#2  0x00007f307301f4d7 in WebCore::AXObjectCache::nodeTextChangeNotification (this=0xf24a000, renderer=0xf082408, textChange=WebCore::AXObjectCache::AXTextInserted, offset=0, text="Z") at ../../Source/WebCore/accessibility/AXObjectCache.cpp:619
#3  0x00007f3073434e8b in WebCore::InsertIntoTextNodeCommand::doApply (this=0xf259730) at ../../Source/WebCore/editing/InsertIntoTextNodeCommand.cpp:63
#4  0x00007f30733e4188 in WebCore::CompositeEditCommand::applyCommandToComposite (this=0xf084970, prpCommand=...) at ../../Source/WebCore/editing/CompositeEditCommand.cpp:256
#5  0x00007f30733e5dcf in WebCore::CompositeEditCommand::replaceTextInNode (this=0xf084970, node=..., offset=0, count=1, replacementText="Z") at ../../Source/WebCore/editing/CompositeEditCommand.cpp:498
#6  0x00007f30733e5f3b in WebCore::CompositeEditCommand::replaceSelectedTextInNode (this=0xf084970, text="Z") at ../../Source/WebCore/editing/CompositeEditCommand.cpp:509
#7  0x00007f307343c410 in WebCore::InsertTextCommand::performTrivialReplace (this=0xf084970, text="Z", selectInsertedText=false) at ../../Source/WebCore/editing/InsertTextCommand.cpp:89
#8  0x00007f307343c658 in WebCore::InsertTextCommand::doApply (this=0xf084970) at ../../Source/WebCore/editing/InsertTextCommand.cpp:117
#9  0x00007f30733e42e4 in WebCore::CompositeEditCommand::applyCommandToComposite (this=0xf07ddf0, command=..., selection=...) at ../../Source/WebCore/editing/CompositeEditCommand.cpp:271
#10 0x00007f307346def8 in WebCore::TypingCommand::insertTextRunWithoutNewlines (this=0xf07ddf0, text="Z", selectInsertedText=false) at ../../Source/WebCore/editing/TypingCommand.cpp:367
#11 0x00007f307346fe69 in WebCore::TypingCommandLineOperation::operator() (this=0x7fffad32d5e0, lineOffset=0, lineLength=1, isLastLine=true) at ../../Source/WebCore/editing/TypingCommand.cpp:63
#12 0x00007f3073470140 in WebCore::forEachLineInString<WebCore::TypingCommandLineOperation> (string="Z", operation=...) at ../../Source/WebCore/editing/TextInsertionBaseCommand.h:61
#13 0x00007f307346de4c in WebCore::TypingCommand::insertText (this=0xf07ddf0, text="Z", selectInsertedText=false) at ../../Source/WebCore/editing/TypingCommand.cpp:359
#14 0x00007f307346da1b in WebCore::TypingCommand::doApply (this=0xf07ddf0) at ../../Source/WebCore/editing/TypingCommand.cpp:282
#15 0x00007f30733e3f3f in WebCore::CompositeEditCommand::apply (this=0xf07ddf0) at ../../Source/WebCore/editing/CompositeEditCommand.cpp:204
#16 0x00007f30733e3c2a in WebCore::applyCommand (command=...) at ../../Source/WebCore/editing/CompositeEditCommand.cpp:161
#17 0x00007f307346099d in WebCore::TextInsertionBaseCommand::applyTextInsertionCommand (frame=0x2468890, command=..., selectionForInsertion=..., endingSelection=...) at ../../Source/WebCore/editing/TextInsertionBaseCommand.cpp:49
#18 0x00007f307346d24a in WebCore::TypingCommand::insertText (document=0xf220ce0, text="Z", selectionForInsertion=..., options=0, compositionType=WebCore::TypingCommand::TextCompositionNone) at ../../Source/WebCore/editing/TypingCommand.cpp:198
#19 0x00007f307346cf04 in WebCore::TypingCommand::insertText (document=0xf220ce0, text="Z", options=0, composition=WebCore::TypingCommand::TextCompositionNone) at ../../Source/WebCore/editing/TypingCommand.cpp:166
#20 0x00007f3073409b0e in WebCore::executeInsertText (frame=0x2468890, value="Z") at ../../Source/WebCore/editing/EditorCommand.cpp:563
#21 0x00007f307340cace in WebCore::Editor::Command::execute (this=0x7fffad32d8d0, parameter="Z", triggeringEvent=0x0) at ../../Source/WebCore/editing/EditorCommand.cpp:1689
#22 0x00007f30732eb28a in WebCore::Document::execCommand (this=0xf220ce0, commandName="insertText", userInterface=false, value="Z") at ../../Source/WebCore/dom/Document.cpp:4570
#23 0x00007f3073f24bba in WebCore::jsDocumentPrototypeFunctionExecCommand (exec=0x7f302435e0a0) at DerivedSources/WebCore/JSDocument.cpp:2617
#24 0x00007f3027753265 in ?? ()
#25 0x00007fffad32da90 in ?? ()
#26 0x00007f3077cff137 in llint_op_call () from /home/slave/webkitgtk/gtk-linux-64-debug/build/WebKitBuild/Debug/.libs/libjavascriptcoregtk-3.0.so.0
#27 0x00007fffad32da20 in ?? ()
#28 0x00007fffad32da50 in ?? ()
#29 0x00007f302432bf40 in ?? ()
#30 0x00007f3077bffb79 in JSC::Register::Register (this=0x0) at ../../Source/JavaScriptCore/interpreter/Register.h:105
#31 0x00007f3077cac19e in JSC::JITCode::execute (this=0x7f3024277288, registerFile=0x248cba8, callFrame=0x7f302435e040, globalData=0x2b063a0) at ../../Source/JavaScriptCore/jit/JITCode.h:133
#32 0x00007f3077ca8ab8 in JSC::Interpreter::executeCall (this=0x248cb90, callFrame=0x7f30242fdf88, function=0x7f302432bf40, callType=JSC::CallTypeJS, callData=..., thisValue=..., args=...) at ../../Source/JavaScriptCore/interpreter/Interpreter.cpp:1322
#33 0x00007f3077d75dbd in JSC::call (exec=0x7f30242fdf88, functionObject=..., callType=JSC::CallTypeJS, callData=..., thisValue=..., args=...) at ../../Source/JavaScriptCore/runtime/CallData.cpp:39
#34 0x00007f307304bdf7 in WebCore::JSMainThreadExecState::call (exec=0x7f30242fdf88, functionObject=..., callType=JSC::CallTypeJS, callData=..., thisValue=..., args=...) at ../../Source/WebCore/bindings/js/JSMainThreadExecState.h:56
#35 0x00007f307307b3c5 in WebCore::JSEventListener::handleEvent (this=0xf249ad0, scriptExecutionContext=0xf220e08, event=0xf24a1a0) at ../../Source/WebCore/bindings/js/JSEventListener.cpp:133
#36 0x00007f3073355dae in WebCore::EventTarget::fireEventListeners (this=0xf230fd0, event=0xf24a1a0, d=0xf231108, entry=WTF::Vector of length 1, capacity 1 = {...}) at ../../Source/WebCore/dom/EventTarget.cpp:231
#37 0x00007f3073355c0c in WebCore::EventTarget::fireEventListeners (this=0xf230fd0, event=0xf24a1a0) at ../../Source/WebCore/dom/EventTarget.cpp:198
#38 0x00007f30737bc238 in WebCore::DOMWindow::dispatchEvent (this=0xf230fd0, prpEvent=..., prpTarget=...) at ../../Source/WebCore/page/DOMWindow.cpp:1665
#39 0x00007f30737bbfac in WebCore::DOMWindow::dispatchLoadEvent (this=0xf230fd0) at ../../Source/WebCore/page/DOMWindow.cpp:1639
#40 0x00007f30732e97f7 in WebCore::Document::dispatchWindowLoadEvent (this=0xf220ce0) at ../../Source/WebCore/dom/Document.cpp:4083
#41 0x00007f30732e3b6f in WebCore::Document::implicitClose (this=0xf220ce0) at ../../Source/WebCore/dom/Document.cpp:2523
#42 0x00007f307371a5b9 in WebCore::FrameLoader::checkCallImplicitClose (this=0x2468928) at ../../Source/WebCore/loader/FrameLoader.cpp:763
#43 0x00007f307371a367 in WebCore::FrameLoader::checkCompleted (this=0x2468928) at ../../Source/WebCore/loader/FrameLoader.cpp:709
#44 0x00007f307371a0bb in WebCore::FrameLoader::finishedParsing (this=0x2468928) at ../../Source/WebCore/loader/FrameLoader.cpp:642
#45 0x00007f30732ec6f6 in WebCore::Document::finishedParsing (this=0xf220ce0) at ../../Source/WebCore/dom/Document.cpp:4862
#46 0x00007f3073595f55 in WebCore::HTMLTreeBuilder::finished (this=0xf239fe0) at ../../Source/WebCore/html/parser/HTMLTreeBuilder.cpp:2792
#47 0x00007f307356ad2a in WebCore::HTMLDocumentParser::end (this=0xf238c40) at ../../Source/WebCore/html/parser/HTMLDocumentParser.cpp:372
#48 0x00007f307356ae31 in WebCore::HTMLDocumentParser::attemptToRunDeferredScriptsAndEnd (this=0xf238c40) at ../../Source/WebCore/html/parser/HTMLDocumentParser.cpp:381
#49 0x00007f3073569f4e in WebCore::HTMLDocumentParser::prepareToStopParsing (this=0xf238c40) at ../../Source/WebCore/html/parser/HTMLDocumentParser.cpp:149
#50 0x00007f307356ae76 in WebCore::HTMLDocumentParser::attemptToEnd (this=0xf238c40) at ../../Source/WebCore/html/parser/HTMLDocumentParser.cpp:393
#51 0x00007f307356af2f in WebCore::HTMLDocumentParser::finish (this=0xf238c40) at ../../Source/WebCore/html/parser/HTMLDocumentParser.cpp:420
#52 0x00007f3073712bb1 in WebCore::DocumentWriter::end (this=0xf1367c0) at ../../Source/WebCore/loader/DocumentWriter.cpp:241
#53 0x00007f3073705745 in WebCore::DocumentLoader::finishedLoading (this=0xf136700) at ../../Source/WebCore/loader/DocumentLoader.cpp:300
#54 0x00007f3073757328 in WebCore::MainResourceLoader::didFinishLoading (this=0xf15d660, finishTime=0) at ../../Source/WebCore/loader/MainResourceLoader.cpp:520
#55 0x00007f3073762de5 in WebCore::ResourceLoader::didFinishLoading (this=0xf15d660, finishTime=0) at ../../Source/WebCore/loader/ResourceLoader.cpp:436
#56 0x00007f3073921c59 in WebCore::readCallback (source=0x3610800, asyncResult=0xeab5cb0, data=0xf14a140) at ../../Source/WebCore/platform/network/soup/ResourceHandleSoup.cpp:865
#57 0x00007f3070fd7ad3 in async_ready_callback_wrapper () from /home/slave/webkitgtk/gtk-linux-64-debug/build/WebKitBuild/Dependencies/Root/lib64/libgio-2.0.so.0
#58 0x00007f3070ff2bc8 in g_simple_async_result_complete () from /home/slave/webkitgtk/gtk-linux-64-debug/build/WebKitBuild/Dependencies/Root/lib64/libgio-2.0.so.0
#59 0x00007f3070ff2d90 in complete_in_idle_cb_for_thread () from /home/slave/webkitgtk/gtk-linux-64-debug/build/WebKitBuild/Dependencies/Root/lib64/libgio-2.0.so.0
#60 0x00007f3070e223e9 in g_idle_dispatch () from /home/slave/webkitgtk/gtk-linux-64-debug/build/WebKitBuild/Dependencies/Root/lib64/libglib-2.0.so.0
#61 0x00007f3070e1fc91 in g_main_dispatch () from /home/slave/webkitgtk/gtk-linux-64-debug/build/WebKitBuild/Dependencies/Root/lib64/libglib-2.0.so.0
#62 0x00007f3070e20956 in g_main_context_dispatch () from /home/slave/webkitgtk/gtk-linux-64-debug/build/WebKitBuild/Dependencies/Root/lib64/libglib-2.0.so.0
#63 0x00007f3070e20b39 in g_main_context_iterate () from /home/slave/webkitgtk/gtk-linux-64-debug/build/WebKitBuild/Dependencies/Root/lib64/libglib-2.0.so.0
#64 0x00007f3070e20f69 in g_main_loop_run () from /home/slave/webkitgtk/gtk-linux-64-debug/build/WebKitBuild/Dependencies/Root/lib64/libglib-2.0.so.0
#65 0x00007f307170f7de in gtk_main () from /home/slave/webkitgtk/gtk-linux-64-debug/build/WebKitBuild/Dependencies/Root/lib64/libgtk-3.so.0
#66 0x0000000000479dd5 in runTest (inputLine=...) at ../../Tools/DumpRenderTree/gtk/DumpRenderTree.cpp:752
#67 0x00000000004794a9 in runTestingServerLoop () at ../../Tools/DumpRenderTree/gtk/DumpRenderTree.cpp:539
#68 0x000000000047c434 in main (argc=2, argv=0x7fffad32f188) at ../../Tools/DumpRenderTree/gtk/DumpRenderTree.cpp:1442
Comment 1 Mario Sanchez Prada 2012-08-09 05:18:10 PDT
(In reply to comment #0)
> [...]
> #0  0x00007f3074384a4c in WebCore::emitTextChanged (object=0xf259500, textChange=WebCore::AXObjectCache::AXTextInserted, offset=0, text="Z") at ../../Source/WebCore/accessibility/gtk/AXObjectCacheAtk.cpp:163
> 163        AtkObject* wrapper = object->parentObjectUnignored()->wrapper();

Hmm... it seems a null check is in order there, especially now that we call document->updateLayout() right before calling this function.

I'll try to reproduce this locally and check whether that assumption is right or not. Thanks for reporting.
Comment 2 Mario Sanchez Prada 2012-08-09 09:20:18 PDT
Created attachment 157469
Patch proposal

I haven't been able to reproduce this bug locally with a debug build, but I still think this NULL check makes a lot of sense, so trying the attached patch might make sense.
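The null check discussed above, as an added illustration that is not WebKit's code or the attached patch: a reduced C++ mock-up of the `object->parentObjectUnignored()->wrapper()` dereference at AXObjectCacheAtk.cpp:163, with a guarded form that bails out when the unignored parent is gone. All types (`AtkObject`, `AccessibilityObject`, `Scenario`) are constructed stand-ins, and the detach is modelled by dropping a parent link, which is an assumption about what the preceding layout update can leave behind.

```cpp
// Mock-up (added example, not WebKit code) of the null dereference at
// AXObjectCacheAtk.cpp:163 and a guarded form. Names follow the backtrace.
#include <string>
struct AtkObject { std::string name; };  // stand-in for the ATK wrapper
struct AccessibilityObject {
    AccessibilityObject* parent = nullptr;
    bool ignored = false;            // not exposed to assistive technology
    AtkObject* atkWrapper = nullptr;
    // Walk up past ignored ancestors; nullptr once the chain is detached.
    AccessibilityObject* parentObjectUnignored() const {
        AccessibilityObject* p = parent;
        while (p && p->ignored)
            p = p->parent;
        return p;
    }
    AtkObject* wrapper() const { return atkWrapper; }
};
// Guarded emitTextChanged. The crashing line was
//   AtkObject* wrapper = object->parentObjectUnignored()->wrapper();
// so a null unignored parent now makes the function return false instead.
bool emitTextChanged(AccessibilityObject* object, const std::string& text,
                     std::string* emittedOn) {
    AccessibilityObject* parentObject = object->parentObjectUnignored();
    if (!parentObject || !parentObject->wrapper())
        return false;
    *emittedOn = parentObject->wrapper()->name + ":" + text;  // stands in for the ATK signal
    return true;
}
// Constructed scenario: a text fragment under an ignored block. The layout
// update that now precedes the notification can drop the block's parent link.
struct Scenario {
    AtkObject bodyWrapper{"body"};
    AccessibilityObject body, ignoredBlock, textFragment;
    Scenario() {
        body.atkWrapper = &bodyWrapper;
        ignoredBlock.parent = &body;
        ignoredBlock.ignored = true;
        textFragment.parent = &ignoredBlock;
    }
};
std::string emitBeforeLayout() {         // expected "body:Z"
    Scenario s; std::string out;
    return emitTextChanged(&s.textFragment, "Z", &out) ? out : "";
}
bool emitAfterLayoutIsNoOp() {           // guard bails out; no crash
    Scenario s; std::string out;
    s.ignoredBlock.parent = nullptr;     // what the detach leaves behind
    return !emitTextChanged(&s.textFragment, "Z", &out);
}
```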
Comment 3 Mario Sanchez Prada 2012-08-09 10:12:34 PDT
Committed r125181: <http://trac.webkit.org/changeset/125181>