Bug 93501

Crashes started occurring after r124997 in two tests. The crashes occur flakily, I'd guess only if the accessibility tests have been run before these two tests. The tests are: - fast/css/first-letter-text-fragment-crash.html - editing/inserting/insert-character-in-first-letter-crash.html The crash log: Crash log for DumpRenderTree (pid 11325): [New LWP 11325] [New LWP 11362] [New LWP 11361] [New LWP 11793] [New LWP 11364] [New LWP 11363] [New LWP 11792] [New LWP 11673] [Thread debugging using libthread_db enabled] Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1". Core was generated by `/home/slave/webkitgtk/gtk-linux-64-debug/build/WebKitBuild/Debug/Programs/DumpR'. Program terminated with signal 11, Segmentation fault. #0 0x00007f3074384a4c in WebCore::emitTextChanged (object=0xf259500, textChange=WebCore::AXObjectCache::AXTextInserted, offset=0, text="Z") at ../../Source/WebCore/accessibility/gtk/AXObjectCacheAtk.cpp:163 163 AtkObject* wrapper = object->parentObjectUnignored()->wrapper(); ... Thread 1 (Thread 0x7f3067979900 (LWP 11325)): #0 0x00007f3074384a4c in WebCore::emitTextChanged (object=0xf259500, textChange=WebCore::AXObjectCache::AXTextInserted, offset=0, text="Z") at ../../Source/WebCore/accessibility/gtk/AXObjectCacheAtk.cpp:163 #1 0x00007f3074384d7d in WebCore::AXObjectCache::nodeTextChangePlatformNotification (this=0xf24a000, object=0xf259500, textChange=WebCore::AXObjectCache::AXTextInserted, offset=0, text="Z") at ../../Source/WebCore/accessibility/gtk/AXObjectCacheAtk.cpp:196 #2 0x00007f307301f4d7 in WebCore::AXObjectCache::nodeTextChangeNotification (this=0xf24a000, renderer=0xf082408, textChange=WebCore::AXObjectCache::AXTextInserted, offset=0, text="Z") at ../../Source/WebCore/accessibility/AXObjectCache.cpp:619 #3 0x00007f3073434e8b in WebCore::InsertIntoTextNodeCommand::doApply (this=0xf259730) at ../../Source/WebCore/editing/InsertIntoTextNodeCommand.cpp:63 #4 0x00007f30733e4188 in WebCore::CompositeEditCommand::applyCommandToComposite (this=0xf084970, prpCommand=...) at ../../Source/WebCore/editing/CompositeEditCommand.cpp:256 #5 0x00007f30733e5dcf in WebCore::CompositeEditCommand::replaceTextInNode (this=0xf084970, node=..., offset=0, count=1, replacementText="Z") at ../../Source/WebCore/editing/CompositeEditCommand.cpp:498 #6 0x00007f30733e5f3b in WebCore::CompositeEditCommand::replaceSelectedTextInNode (this=0xf084970, text="Z") at ../../Source/WebCore/editing/CompositeEditCommand.cpp:509 #7 0x00007f307343c410 in WebCore::InsertTextCommand::performTrivialReplace (this=0xf084970, text="Z", selectInsertedText=false) at ../../Source/WebCore/editing/InsertTextCommand.cpp:89 #8 0x00007f307343c658 in WebCore::InsertTextCommand::doApply (this=0xf084970) at ../../Source/WebCore/editing/InsertTextCommand.cpp:117 #9 0x00007f30733e42e4 in WebCore::CompositeEditCommand::applyCommandToComposite (this=0xf07ddf0, command=..., selection=...) at ../../Source/WebCore/editing/CompositeEditCommand.cpp:271 #10 0x00007f307346def8 in WebCore::TypingCommand::insertTextRunWithoutNewlines (this=0xf07ddf0, text="Z", selectInsertedText=false) at ../../Source/WebCore/editing/TypingCommand.cpp:367 #11 0x00007f307346fe69 in WebCore::TypingCommandLineOperation::operator() (this=0x7fffad32d5e0, lineOffset=0, lineLength=1, isLastLine=true) at ../../Source/WebCore/editing/TypingCommand.cpp:63 #12 0x00007f3073470140 in WebCore::forEachLineInString<WebCore::TypingCommandLineOperation> (string="Z", operation=...) at ../../Source/WebCore/editing/TextInsertionBaseCommand.h:61 #13 0x00007f307346de4c in WebCore::TypingCommand::insertText (this=0xf07ddf0, text="Z", selectInsertedText=false) at ../../Source/WebCore/editing/TypingCommand.cpp:359 #14 0x00007f307346da1b in WebCore::TypingCommand::doApply (this=0xf07ddf0) at ../../Source/WebCore/editing/TypingCommand.cpp:282 #15 0x00007f30733e3f3f in WebCore::CompositeEditCommand::apply (this=0xf07ddf0) at ../../Source/WebCore/editing/CompositeEditCommand.cpp:204 #16 0x00007f30733e3c2a in WebCore::applyCommand (command=...) at ../../Source/WebCore/editing/CompositeEditCommand.cpp:161 #17 0x00007f307346099d in WebCore::TextInsertionBaseCommand::applyTextInsertionCommand (frame=0x2468890, command=..., selectionForInsertion=..., endingSelection=...) at ../../Source/WebCore/editing/TextInsertionBaseCommand.cpp:49 #18 0x00007f307346d24a in WebCore::TypingCommand::insertText (document=0xf220ce0, text="Z", selectionForInsertion=..., options=0, compositionType=WebCore::TypingCommand::TextCompositionNone) at ../../Source/WebCore/editing/TypingCommand.cpp:198 #19 0x00007f307346cf04 in WebCore::TypingCommand::insertText (document=0xf220ce0, text="Z", options=0, composition=WebCore::TypingCommand::TextCompositionNone) at ../../Source/WebCore/editing/TypingCommand.cpp:166 #20 0x00007f3073409b0e in WebCore::executeInsertText (frame=0x2468890, value="Z") at ../../Source/WebCore/editing/EditorCommand.cpp:563 #21 0x00007f307340cace in WebCore::Editor::Command::execute (this=0x7fffad32d8d0, parameter="Z", triggeringEvent=0x0) at ../../Source/WebCore/editing/EditorCommand.cpp:1689 #22 0x00007f30732eb28a in WebCore::Document::execCommand (this=0xf220ce0, commandName="insertText", userInterface=false, value="Z") at ../../Source/WebCore/dom/Document.cpp:4570 #23 0x00007f3073f24bba in WebCore::jsDocumentPrototypeFunctionExecCommand (exec=0x7f302435e0a0) at DerivedSources/WebCore/JSDocument.cpp:2617 #24 0x00007f3027753265 in ?? () #25 0x00007fffad32da90 in ?? () #26 0x00007f3077cff137 in llint_op_call () from /home/slave/webkitgtk/gtk-linux-64-debug/build/WebKitBuild/Debug/.libs/libjavascriptcoregtk-3.0.so.0 #27 0x00007fffad32da20 in ?? () #28 0x00007fffad32da50 in ?? () #29 0x00007f302432bf40 in ?? () #30 0x00007f3077bffb79 in JSC::Register::Register (this=0x0) at ../../Source/JavaScriptCore/interpreter/Register.h:105 #31 0x00007f3077cac19e in JSC::JITCode::execute (this=0x7f3024277288, registerFile=0x248cba8, callFrame=0x7f302435e040, globalData=0x2b063a0) at ../../Source/JavaScriptCore/jit/JITCode.h:133 #32 0x00007f3077ca8ab8 in JSC::Interpreter::executeCall (this=0x248cb90, callFrame=0x7f30242fdf88, function=0x7f302432bf40, callType=JSC::CallTypeJS, callData=..., thisValue=..., args=...) at ../../Source/JavaScriptCore/interpreter/Interpreter.cpp:1322 #33 0x00007f3077d75dbd in JSC::call (exec=0x7f30242fdf88, functionObject=..., callType=JSC::CallTypeJS, callData=..., thisValue=..., args=...) at ../../Source/JavaScriptCore/runtime/CallData.cpp:39 #34 0x00007f307304bdf7 in WebCore::JSMainThreadExecState::call (exec=0x7f30242fdf88, functionObject=..., callType=JSC::CallTypeJS, callData=..., thisValue=..., args=...) at ../../Source/WebCore/bindings/js/JSMainThreadExecState.h:56 #35 0x00007f307307b3c5 in WebCore::JSEventListener::handleEvent (this=0xf249ad0, scriptExecutionContext=0xf220e08, event=0xf24a1a0) at ../../Source/WebCore/bindings/js/JSEventListener.cpp:133 #36 0x00007f3073355dae in WebCore::EventTarget::fireEventListeners (this=0xf230fd0, event=0xf24a1a0, d=0xf231108, entry=WTF::Vector of length 1, capacity 1 = {...}) at ../../Source/WebCore/dom/EventTarget.cpp:231 #37 0x00007f3073355c0c in WebCore::EventTarget::fireEventListeners (this=0xf230fd0, event=0xf24a1a0) at ../../Source/WebCore/dom/EventTarget.cpp:198 #38 0x00007f30737bc238 in WebCore::DOMWindow::dispatchEvent (this=0xf230fd0, prpEvent=..., prpTarget=...) at ../../Source/WebCore/page/DOMWindow.cpp:1665 #39 0x00007f30737bbfac in WebCore::DOMWindow::dispatchLoadEvent (this=0xf230fd0) at ../../Source/WebCore/page/DOMWindow.cpp:1639 #40 0x00007f30732e97f7 in WebCore::Document::dispatchWindowLoadEvent (this=0xf220ce0) at ../../Source/WebCore/dom/Document.cpp:4083 #41 0x00007f30732e3b6f in WebCore::Document::implicitClose (this=0xf220ce0) at ../../Source/WebCore/dom/Document.cpp:2523 #42 0x00007f307371a5b9 in WebCore::FrameLoader::checkCallImplicitClose (this=0x2468928) at ../../Source/WebCore/loader/FrameLoader.cpp:763 #43 0x00007f307371a367 in WebCore::FrameLoader::checkCompleted (this=0x2468928) at ../../Source/WebCore/loader/FrameLoader.cpp:709 #44 0x00007f307371a0bb in WebCore::FrameLoader::finishedParsing (this=0x2468928) at ../../Source/WebCore/loader/FrameLoader.cpp:642 #45 0x00007f30732ec6f6 in WebCore::Document::finishedParsing (this=0xf220ce0) at ../../Source/WebCore/dom/Document.cpp:4862 #46 0x00007f3073595f55 in WebCore::HTMLTreeBuilder::finished (this=0xf239fe0) at ../../Source/WebCore/html/parser/HTMLTreeBuilder.cpp:2792 #47 0x00007f307356ad2a in WebCore::HTMLDocumentParser::end (this=0xf238c40) at ../../Source/WebCore/html/parser/HTMLDocumentParser.cpp:372 #48 0x00007f307356ae31 in WebCore::HTMLDocumentParser::attemptToRunDeferredScriptsAndEnd (this=0xf238c40) at ../../Source/WebCore/html/parser/HTMLDocumentParser.cpp:381 #49 0x00007f3073569f4e in WebCore::HTMLDocumentParser::prepareToStopParsing (this=0xf238c40) at ../../Source/WebCore/html/parser/HTMLDocumentParser.cpp:149 #50 0x00007f307356ae76 in WebCore::HTMLDocumentParser::attemptToEnd (this=0xf238c40) at ../../Source/WebCore/html/parser/HTMLDocumentParser.cpp:393 #51 0x00007f307356af2f in WebCore::HTMLDocumentParser::finish (this=0xf238c40) at ../../Source/WebCore/html/parser/HTMLDocumentParser.cpp:420 #52 0x00007f3073712bb1 in WebCore::DocumentWriter::end (this=0xf1367c0) at ../../Source/WebCore/loader/DocumentWriter.cpp:241 #53 0x00007f3073705745 in WebCore::DocumentLoader::finishedLoading (this=0xf136700) at ../../Source/WebCore/loader/DocumentLoader.cpp:300 #54 0x00007f3073757328 in WebCore::MainResourceLoader::didFinishLoading (this=0xf15d660, finishTime=0) at ../../Source/WebCore/loader/MainResourceLoader.cpp:520 #55 0x00007f3073762de5 in WebCore::ResourceLoader::didFinishLoading (this=0xf15d660, finishTime=0) at ../../Source/WebCore/loader/ResourceLoader.cpp:436 #56 0x00007f3073921c59 in WebCore::readCallback (source=0x3610800, asyncResult=0xeab5cb0, data=0xf14a140) at ../../Source/WebCore/platform/network/soup/ResourceHandleSoup.cpp:865 #57 0x00007f3070fd7ad3 in async_ready_callback_wrapper () from /home/slave/webkitgtk/gtk-linux-64-debug/build/WebKitBuild/Dependencies/Root/lib64/libgio-2.0.so.0 #58 0x00007f3070ff2bc8 in g_simple_async_result_complete () from /home/slave/webkitgtk/gtk-linux-64-debug/build/WebKitBuild/Dependencies/Root/lib64/libgio-2.0.so.0 #59 0x00007f3070ff2d90 in complete_in_idle_cb_for_thread () from /home/slave/webkitgtk/gtk-linux-64-debug/build/WebKitBuild/Dependencies/Root/lib64/libgio-2.0.so.0 #60 0x00007f3070e223e9 in g_idle_dispatch () from /home/slave/webkitgtk/gtk-linux-64-debug/build/WebKitBuild/Dependencies/Root/lib64/libglib-2.0.so.0 #61 0x00007f3070e1fc91 in g_main_dispatch () from /home/slave/webkitgtk/gtk-linux-64-debug/build/WebKitBuild/Dependencies/Root/lib64/libglib-2.0.so.0 #62 0x00007f3070e20956 in g_main_context_dispatch () from /home/slave/webkitgtk/gtk-linux-64-debug/build/WebKitBuild/Dependencies/Root/lib64/libglib-2.0.so.0 #63 0x00007f3070e20b39 in g_main_context_iterate () from /home/slave/webkitgtk/gtk-linux-64-debug/build/WebKitBuild/Dependencies/Root/lib64/libglib-2.0.so.0 #64 0x00007f3070e20f69 in g_main_loop_run () from /home/slave/webkitgtk/gtk-linux-64-debug/build/WebKitBuild/Dependencies/Root/lib64/libglib-2.0.so.0 #65 0x00007f307170f7de in gtk_main () from /home/slave/webkitgtk/gtk-linux-64-debug/build/WebKitBuild/Dependencies/Root/lib64/libgtk-3.so.0 #66 0x0000000000479dd5 in runTest (inputLine=...) at ../../Tools/DumpRenderTree/gtk/DumpRenderTree.cpp:752 #67 0x00000000004794a9 in runTestingServerLoop () at ../../Tools/DumpRenderTree/gtk/DumpRenderTree.cpp:539 #68 0x000000000047c434 in main (argc=2, argv=0x7fffad32f188) at ../../Tools/DumpRenderTree/gtk/DumpRenderTree.cpp:1442