Bug 96199

Summary:

[GTK][a11y] editing/pasteboard/paste-blockquote-into-bluckquote-4.html crashes

Product:

WebKit

Reporter:

Zan Dobersek <zan>

Component:

WebKitGTK

Assignee:

Nobody <webkit-unassigned>

Status:

RESOLVED FIXED

Severity:

Normal

CC:

jdiggs, mario, webkit.review.bot

Priority:

Version:

528+ (Nightly build)

Hardware:

Unspecified

OS:

Unspecified

Attachments:

Description	Flags
Patch	none

Zan Dobersek

Reported 2012-09-09 00:32:42 PDT

editing/pasteboard/paste-blockquote-into-bluckquote-4.html has been crashing lately, both in debug and WK2 builds: http://test-results.appspot.com/dashboards/flakiness_dashboard.html#group=%40ToT%20-%20webkit.org&tests=editing%2Fpasteboard%2Fpaste-blockquote-into-blockquote-4.html The WK2 builder suggests the crashes have started at r127370 (but I'm not sure since the builder doesn't yet provide crash logs): http://trac.webkit.org/changeset/127370 Crash log for DumpRenderTree (pid 13426): ... Program terminated with signal 11, Segmentation fault. #0 0x00007f5a80edb20b in WebCore::AccessibilityObject::accessibilityPlatformIncludesObject (this=0xf543de0) at ../../Source/WebCore/accessibility/gtk/AccessibilityObjectAtk.cpp:92 92 if (child->isLink() || !child->firstAnonymousBlockChild()) ... Thread 1 (Thread 0x7f5a75172900 (LWP 13426)): #0 0x00007f5a80edb20b in WebCore::AccessibilityObject::accessibilityPlatformIncludesObject (this=0xf543de0) at ../../Source/WebCore/accessibility/gtk/AccessibilityObjectAtk.cpp:92 #1 0x00007f5a7fb0ac95 in WebCore::AccessibilityRenderObject::accessibilityIsIgnoredBase (this=0xf543de0) at ../../Source/WebCore/accessibility/AccessibilityRenderObject.cpp:1862 #2 0x00007f5a7fb0ace2 in WebCore::AccessibilityRenderObject::accessibilityIsIgnored (this=0xf543de0) at ../../Source/WebCore/accessibility/AccessibilityRenderObject.cpp:1876 #3 0x00007f5a7faf98f6 in WebCore::AccessibilityObject::parentObjectUnignored (this=0xf54ac70) at ../../Source/WebCore/accessibility/AccessibilityObject.cpp:342 #4 0x00007f5a80edbe7d in WebCore::AXObjectCache::nodeTextChangePlatformNotification (this=0xf53ea40, object=0xf54ac70, textChange=WebCore::AXObjectCache::AXTextInserted, offset=0, text="Two") at ../../Source/WebCore/accessibility/gtk/AXObjectCacheAtk.cpp:172 #5 0x00007f5a7fb21963 in WebCore::AXObjectCache::nodeTextChangeNotification (this=0xf53ea40, node=0xf54ad50, textChange=WebCore::AXObjectCache::AXTextInserted, offset=0, text="Two") at ../../Source/WebCore/accessibility/AXObjectCache.cpp:662 #6 0x00007f5a7fee1999 in WebCore::sendAXTextChangedIgnoringLineBreaks (node=0xf54ad50, textChange=WebCore::AXObjectCache::AXTextInserted) at ../../Source/WebCore/editing/AppendNodeCommand.cpp:54 #7 0x00007f5a7fee1a93 in WebCore::AppendNodeCommand::doApply (this=0xf54aa50) at ../../Source/WebCore/editing/AppendNodeCommand.cpp:66 #8 0x00007f5a7fef4018 in WebCore::CompositeEditCommand::applyCommandToComposite (this=0xf54a7f0, prpCommand=...) at ../../Source/WebCore/editing/CompositeEditCommand.cpp:256 #9 0x00007f5a7fef4e13 in WebCore::CompositeEditCommand::appendNode (this=0xf54a7f0, node=..., parent=...) at ../../Source/WebCore/editing/CompositeEditCommand.cpp:375 #10 0x00007f5a7fef4868 in WebCore::CompositeEditCommand::insertNodeAfter (this=0xf54a7f0, insertChild=..., refChild=...) at ../../Source/WebCore/editing/CompositeEditCommand.cpp:335 #11 0x00007f5a7ff637eb in WebCore::ReplaceSelectionCommand::doApply (this=0xf54a7f0) at ../../Source/WebCore/editing/ReplaceSelectionCommand.cpp:980 #12 0x00007f5a7fef3dcf in WebCore::CompositeEditCommand::apply (this=0xf54a7f0) at ../../Source/WebCore/editing/CompositeEditCommand.cpp:204 #13 0x00007f5a7fef3aba in WebCore::applyCommand (command=...) at ../../Source/WebCore/editing/CompositeEditCommand.cpp:161 #14 0x00007f5a7ff181e2 in WebCore::executeInsertFragment (frame=0x1668c90, fragment=...) at ../../Source/WebCore/editing/EditorCommand.cpp:196 #15 0x00007f5a7ff19890 in WebCore::executeInsertHTML (frame=0x1668c90, value="<blockquote type='cite'>One</blockquote>Two<blockquote type='cite'>Three</blockquote>Four") at ../../Source/WebCore/editing/EditorCommand.cpp:505 #16 0x00007f5a7ff1cd5c in WebCore::Editor::Command::execute (this=0x7fff1c8ca660, parameter="<blockquote type='cite'>One</blockquote>Two<blockquote type='cite'>Three</blockquote>Four", triggeringEvent=0x0) at ../../Source/WebCore/editing/EditorCommand.cpp:1705 #17 0x00007f5a7fdf3c98 in WebCore::Document::execCommand (this=0xf518ac0, commandName="InsertHTML", userInterface=false, value="<blockquote type='cite'>One</blockquote>Two<blockquote type='cite'>Three</blockquote>Four") at ../../Source/WebCore/dom/Document.cpp:4587 #18 0x00007f5a80a66b22 in WebCore::jsDocumentPrototypeFunctionExecCommand (exec=0x7f5a31355090) at DerivedSources/WebCore/JSDocument.cpp:2627 #19 0x00007f5a34f4c265 in ?? () #20 0x00007fff1c8ca810 in ?? () #21 0x00007f5a83858930 in llint_op_call () from /home/slave/webkitgtk/gtk-linux-64-debug/build/WebKitBuild/Debug/.libs/libjavascriptcoregtk-3.0.so.0 #22 0x00007fff1c8ca7a0 in ?? () #23 0x00007fff1c8ca7d0 in ?? () #24 0x0000000000000000 in ?? ()

Attachments
Patch (1.69 KB, patch) 2012-09-10 07:26 PDT, Joanmarie Diggs	no flags	Details Formatted Diff Diff
View All Add attachment proposed patch, testcase, etc.

Joanmarie Diggs

Comment 1 2012-09-09 12:59:44 PDT

Any chance this fixes it? http://trac.webkit.org/changeset/127619

Joanmarie Diggs

Comment 2 2012-09-09 13:03:38 PDT

Argh, never mind. I was looking at the wrong changeset.

Zan Dobersek

Comment 3 2012-09-10 04:20:28 PDT

editing/deleting/25322-2.html is crashing in the same place, but with a slightly different backtrace: http://test-results.appspot.com/dashboards/flakiness_dashboard.html#group=%40ToT%20- %20webkit.org&tests=editing%2Fdeleting%2F25322-2.html Crash log for DumpRenderTree (pid 17223): ... Program terminated with signal 11, Segmentation fault. #0 0x00007ffc382780bf in WebCore::AccessibilityObject::accessibilityPlatformIncludesObject (this=0xc66b7a0) at ../../Source/WebCore/accessibility/gtk/AccessibilityObjectAtk.cpp:92 92 if (child->isLink() || !child->firstAnonymousBlockChild()) ... Thread 1 (Thread 0x7ffc2c525900 (LWP 17223)): #0 0x00007ffc382780bf in WebCore::AccessibilityObject::accessibilityPlatformIncludesObject (this=0xc66b7a0) at ../../Source/WebCore/accessibility/gtk/AccessibilityObjectAtk.cpp:92 #1 0x00007ffc36ebdb95 in WebCore::AccessibilityRenderObject::accessibilityIsIgnoredBase (this=0xc66b7a0) at ../../Source/WebCore/accessibility/AccessibilityRenderObject.cpp:1862 #2 0x00007ffc36ebdbe2 in WebCore::AccessibilityRenderObject::accessibilityIsIgnored (this=0xc66b7a0) at ../../Source/WebCore/accessibility/AccessibilityRenderObject.cpp:1876 #3 0x00007ffc38284556 in objectFocusedAndCaretOffsetUnignored (referenceObject=0xc66b7a0, offset=@0x7fff35178f6c: -1) at ../../Source/WebCore/accessibility/gtk/WebKitAccessibleWrapperAtk.cpp:1013 #4 0x00007ffc38284eba in WebCore::FrameSelection::notifyAccessibilityForSelectionChange (this=0x12682c0) at ../../Source/WebCore/editing/gtk/FrameSelectionGtk.cpp:96 #5 0x00007ffc372e0b24 in WebCore::FrameSelection::setSelection (this=0x12682c0, newSelection=..., options=0, align=WebCore::FrameSelection::AlignCursorOnScrollIfNeeded, granularity=WebCore::CharacterGranularity) at ../../Source/WebCore/editing/FrameSelection.cpp:317 #6 0x00007ffc372d8a61 in WebCore::Editor::changeSelectionAfterCommand (this=0x12681f8, newSelection=..., options=0) at ../../Source/WebCore/editing/Editor.cpp:2484 #7 0x00007ffc372d0080 in WebCore::Editor::appliedEditing (this=0x12681f8, cmd=...) at ../../Source/WebCore/editing/Editor.cpp:794 #8 0x00007ffc3732b6be in WebCore::TypingCommand::typingAddedToOpenCommand (this=0xc780d90, commandTypeForAddedTyping=WebCore::TypingCommand::DeleteKey) at ../../Source/WebCore/editing/TypingCommand.cpp:347 #9 0x00007ffc3732c744 in WebCore::TypingCommand::deleteKeyPressed (this=0xc780d90, granularity=WebCore::CharacterGranularity, killRing=false) at ../../Source/WebCore/editing/TypingCommand.cpp:524 #10 0x00007ffc3732b25a in WebCore::TypingCommand::doApply (this=0xc780d90) at ../../Source/WebCore/editing/TypingCommand.cpp:267 #11 0x00007ffc372a1546 in WebCore::CompositeEditCommand::apply (this=0xc780d90) at ../../Source/WebCore/editing/CompositeEditCommand.cpp:204 #12 0x00007ffc3732a3f0 in WebCore::TypingCommand::deleteKeyPressed (document=0xc5a31e0, options=0, granularity=WebCore::CharacterGranularity) at ../../Source/WebCore/editing/TypingCommand.cpp:125 #13 0x00007ffc372c6355 in WebCore::executeDelete (frame=0x1267c90, source=WebCore::CommandFromDOM) at ../../Source/WebCore/editing/EditorCommand.cpp:334 #14 0x00007ffc372ca3c4 in WebCore::Editor::Command::execute (this=0x7fff351798a0, parameter="(null)", triggeringEvent=0x0) at ../../Source/WebCore/editing/EditorCommand.cpp:1705 #15 0x00007ffc371a3da6 in WebCore::Document::execCommand (this=0xc5a31e0, commandName="Delete", userInterface=false, value="(null)") at ../../Source/WebCore/dom/Document.cpp:4587 #16 0x00007ffc37e0da9e in WebCore::jsDocumentPrototypeFunctionExecCommand (exec=0x7ffbe8708080) at DerivedSources/WebCore/JSDocument.cpp:2627 #17 0x00007ffbec2ff265 in ?? () #18 0x00007fff35179a50 in ?? () #19 0x00007ffc3abef49c in llint_op_call () from /home/slave/webkitgtk/gtk-linux-64-debug/build/WebKitBuild/Debug/.libs/libjavascriptcoregtk-3.0.so.0 #20 0x00007fff351799e0 in ?? () #21 0x00007fff35179a10 in ?? () #22 0x00007ffbe86de500 in ?? () #23 0x00007ffc3aaf15a1 in JSC::Register::Register (this=0x0) at ../../Source/JavaScriptCore/interpreter/Register.h:105 #24 0x00007ffc3ab9bef4 in JSC::JITCode::execute (this=0x7ffbe861df08, registerFile=0x128baa8, callFrame=0x7ffbe8708038, globalData=0x1230800) at ../../Source/JavaScriptCore/jit/JITCode.h:134 #25 0x00007ffc3ab98a53 in JSC::Interpreter::executeCall (this=0x128ba90, callFrame=0x7ffbe869ee90, function=0x7ffbe86de500, callType=JSC::CallTypeJS, callData=..., thisValue=..., args=...) at ../../Source/JavaScriptCore/interpreter/Interpreter.cpp:1070 #26 0x00007ffc3ac66ccd in JSC::call (exec=0x7ffbe869ee90, functionObject=..., callType=JSC::CallTypeJS, callData=..., thisValue=..., args=...) at ../../Source/JavaScriptCore/runtime/CallData.cpp:39 #27 0x00007ffc36f00d33 in WebCore::JSMainThreadExecState::call (exec=0x7ffbe869ee90, functionObject=..., callType=JSC::CallTypeJS, callData=..., thisValue=..., args=...) at ../../Source/WebCore/bindings/js/JSMainThreadExecState.h:56 #28 0x00007ffc36f6e5be in WebCore::ScheduledAction::executeFunctionInContext (this=0xc861630, globalObject=0x7ffbe869ec80, thisValue=..., context=0xc5a3308) at ../../Source/WebCore/bindings/js/ScheduledAction.cpp:115 #29 0x00007ffc36f6e7aa in WebCore::ScheduledAction::execute (this=0xc861630, document=0xc5a31e0) at ../../Source/WebCore/bindings/js/ScheduledAction.cpp:137 #30 0x00007ffc36f6e32e in WebCore::ScheduledAction::execute (this=0xc861630, context=0xc5a3308) at ../../Source/WebCore/bindings/js/ScheduledAction.cpp:83 #31 0x00007ffc376b0de6 in WebCore::DOMTimer::fired (this=0xc861670) at ../../Source/WebCore/page/DOMTimer.cpp:149 #32 0x00007ffc37872890 in WebCore::ThreadTimers::sharedTimerFiredInternal (this=0x127e6b0) at ../../Source/WebCore/platform/ThreadTimers.cpp:115 #33 0x00007ffc37872797 in WebCore::ThreadTimers::sharedTimerFired () at ../../Source/WebCore/platform/ThreadTimers.cpp:93 #34 0x00007ffc382c3c8e in WebCore::timeout_cb () at ../../Source/WebCore/platform/gtk/SharedTimerGtk.cpp:49 #35 0x00007ffc35b9fa42 in g_timeout_dispatch () from /home/slave/webkitgtk/gtk-linux-64-debug/build/WebKitBuild/Dependencies/Root/lib64/libglib-2.0.so.0 #36 0x00007ffc35b9dc91 in g_main_dispatch () from /home/slave/webkitgtk/gtk-linux-64-debug/build/WebKitBuild/Dependencies/Root/lib64/libglib-2.0.so.0 #37 0x00007ffc35b9e956 in g_main_context_dispatch () from /home/slave/webkitgtk/gtk-linux-64-debug/build/WebKitBuild/Dependencies/Root/lib64/libglib-2.0.so.0 #38 0x00007ffc35b9eb39 in g_main_context_iterate () from /home/slave/webkitgtk/gtk-linux-64-debug/build/WebKitBuild/Dependencies/Root/lib64/libglib-2.0.so.0 #39 0x00007ffc35b9ef69 in g_main_loop_run () from /home/slave/webkitgtk/gtk-linux-64-debug/build/WebKitBuild/Dependencies/Root/lib64/libglib-2.0.so.0 #40 0x00007ffc3648d7de in gtk_main () from /home/slave/webkitgtk/gtk-linux-64-debug/build/WebKitBuild/Dependencies/Root/lib64/libgtk-3.so.0 #41 0x0000000000477440 in runTest (inputLine=...) at ../../Tools/DumpRenderTree/gtk/DumpRenderTree.cpp:753 #42 0x0000000000476b14 in runTestingServerLoop () at ../../Tools/DumpRenderTree/gtk/DumpRenderTree.cpp:540 #43 0x0000000000479ace in main (argc=2, argv=0x7fff3517ab58) at ../../Tools/DumpRenderTree/gtk/DumpRenderTree.cpp:1445

Joanmarie Diggs

Comment 4 2012-09-10 04:29:16 PDT

This is on my to-do list for today. Sorry about that!

Joanmarie Diggs

Comment 5 2012-09-10 07:26:04 PDT

Created attachment 163126 [details] Patch

Joanmarie Diggs

Comment 6 2012-09-10 07:29:18 PDT

Zan, I cannot repro the first crash in either debug and WK2. But I can reliably repro the second. The attached patch fixes that crash. Zan, if you have a chance to verify this also fixes the first it would be awesome. Sorry and thanks!

WebKit Review Bot

Comment 7 2012-09-10 10:12:33 PDT

Comment on attachment 163126 [details] Patch Clearing flags on attachment: 163126 Committed r128074: <http://trac.webkit.org/changeset/128074>

WebKit Review Bot

Comment 8 2012-09-10 10:12:36 PDT

All reviewed patches have been landed. Closing bug.

Zan Dobersek

Comment 9 2012-09-11 00:33:12 PDT

(In reply to comment #6) > Zan, I cannot repro the first crash in either debug and WK2. But I can reliably repro the second. The attached patch fixes that crash. Zan, if you have a chance to verify this also fixes the first it would be awesome. > > Sorry and thanks! The bots are free of crashes in these two tests after the patch landed, so I think everything is well. Thanks for fixing!

Note You need to log in before you can comment on or make changes to this bug.