Bug 100688 - REGRESSION (r132699): Crashes in WebCore::TextIterator::handleTextNodeFirstLetter
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: WebKitGTK
Version: 528+ (Nightly build)
Hardware: Unspecified Unspecified
Importance: P2 Normal
Assignee: Dominic Mazzoni
URL:
Keywords: Gtk, LayoutTestFailure
Depends on:
Blocks:
 
Reported: 2012-10-29 10:28 PDT by Zan Dobersek
Modified: 2013-07-31 07:30 PDT

See Also:


Attachments
Patch (1.75 KB, patch), 2013-01-17 15:54 PST, Dominic Mazzoni, no flags
Patch (1.91 KB, patch), 2013-01-17 16:10 PST, Dominic Mazzoni, no flags

Description Zan Dobersek 2012-10-29 10:28:18 PDT
The following tests started (occasionally) crashing on the GTK builders after r132699:

fast/css-generated-content/first-letter-table-cell-format-block-crash.html
fast/text/text-fragment-first-letter-update-crash.html
fast/text/custom-font-data-crash2.html
fast/css/first-letter-text-fragment-crash.html
editing/selection/first-letter-selection-crash.html
editing/text-iterator/backward-textiterator-first-letter-crash.html

http://trac.webkit.org/changeset/132699
http://test-results.appspot.com/dashboards/flakiness_dashboard.html#group=%40ToT%20-%20webkit.org&tests=fast%2Fcss-generated-content%2Ffirst-letter-table-cell-format-block-crash.html%20fast%2Ftext%2Ftext-fragment-first-letter-update-crash.html%20fast%2Ftext%2Fcustom-font-data-crash2.html%20fast%2Fcss%2Ffirst-letter-text-fragment-crash.html%20editing%2Fselection%2Ffirst-letter-selection-crash.html%20editing%2Ftext-iterator%2Fbackward-textiterator-first-letter-crash.html

The tests only crash if the accessibility tests are run before them, probably because of the accessibility object cache being populated.
Here's the crash log for the fast/text/custom-font-data-crash2.html crash that occurred on the 64-bit Release builder:
Crash log for DumpRenderTree (pid 5474):

...
[New LWP 6022]
[Thread debugging using libthread_db enabled]
Core was generated by `/home/slave/webkitgtk/gtk-linux-64-release/build/WebKitBuild/Release/Programs/D'.
Program terminated with signal 11, Segmentation fault.
#0  0x00007fb3bf1f57a3 in WebCore::TextIterator::handleTextNodeFirstLetter(WebCore::RenderTextFragment*) () from /home/slave/webkitgtk/gtk-linux-64-release/build/WebKitBuild/Release/.libs/libwebkitgtk-3.0.so.0

...

Thread 1 (Thread 0x7fb3c0a03900 (LWP 5474)):
#0  0x00007fb3bf1f57a3 in WebCore::TextIterator::handleTextNodeFirstLetter(WebCore::RenderTextFragment*) () from /home/slave/webkitgtk/gtk-linux-64-release/build/WebKitBuild/Release/.libs/libwebkitgtk-3.0.so.0
#1  0x00007fb3bf1f842f in WebCore::TextIterator::handleTextNode() () from /home/slave/webkitgtk/gtk-linux-64-release/build/WebKitBuild/Release/.libs/libwebkitgtk-3.0.so.0
#2  0x00007fb3bf1f8aea in WebCore::TextIterator::advance() () from /home/slave/webkitgtk/gtk-linux-64-release/build/WebKitBuild/Release/.libs/libwebkitgtk-3.0.so.0
#3  0x00007fb3bf1f991d in WebCore::plainTextToMallocAllocatedBuffer(WebCore::Range const*, unsigned int&, bool, WebCore::TextIteratorBehavior) () from /home/slave/webkitgtk/gtk-linux-64-release/build/WebKitBuild/Release/.libs/libwebkitgtk-3.0.so.0
#4  0x00007fb3bf1f9cca in WebCore::plainText(WebCore::Range const*, WebCore::TextIteratorBehavior) () from /home/slave/webkitgtk/gtk-linux-64-release/build/WebKitBuild/Release/.libs/libwebkitgtk-3.0.so.0
#5  0x00007fb3beeefca3 in WebCore::AccessibilityRenderObject::textUnderElement() const () from /home/slave/webkitgtk/gtk-linux-64-release/build/WebKitBuild/Release/.libs/libwebkitgtk-3.0.so.0
#6  0x00007fb3bff0f659 in WebCore::AccessibilityObject::accessibilityPlatformIncludesObject() const () from /home/slave/webkitgtk/gtk-linux-64-release/build/WebKitBuild/Release/.libs/libwebkitgtk-3.0.so.0
#7  0x00007fb3beef3f70 in WebCore::AccessibilityRenderObject::accessibilityIsIgnoredBase() const () from /home/slave/webkitgtk/gtk-linux-64-release/build/WebKitBuild/Release/.libs/libwebkitgtk-3.0.so.0
#8  0x00007fb3beef8c96 in WebCore::AccessibilityRenderObject::accessibilityIsIgnored() const () from /home/slave/webkitgtk/gtk-linux-64-release/build/WebKitBuild/Release/.libs/libwebkitgtk-3.0.so.0
#9  0x00007fb3beefe2c3 in WebCore::AXObjectCache::childrenChanged(WebCore::AccessibilityObject*) () from /home/slave/webkitgtk/gtk-linux-64-release/build/WebKitBuild/Release/.libs/libwebkitgtk-3.0.so.0
#10 0x00007fb3bf743c64 in WebCore::RenderObject::willBeDestroyed() () from /home/slave/webkitgtk/gtk-linux-64-release/build/WebKitBuild/Release/.libs/libwebkitgtk-3.0.so.0
#11 0x00007fb3bf78c2a1 in WebCore::RenderText::willBeDestroyed() () from /home/slave/webkitgtk/gtk-linux-64-release/build/WebKitBuild/Release/.libs/libwebkitgtk-3.0.so.0
#12 0x00007fb3bf74278d in WebCore::RenderObject::destroy() () from /home/slave/webkitgtk/gtk-linux-64-release/build/WebKitBuild/Release/.libs/libwebkitgtk-3.0.so.0
#13 0x00007fb3bf7380d4 in WebCore::RenderObjectChildList::destroyLeftoverChildren() () from /home/slave/webkitgtk/gtk-linux-64-release/build/WebKitBuild/Release/.libs/libwebkitgtk-3.0.so.0
#14 0x00007fb3bf670cec in WebCore::RenderBlock::willBeDestroyed() () from /home/slave/webkitgtk/gtk-linux-64-release/build/WebKitBuild/Release/.libs/libwebkitgtk-3.0.so.0
#15 0x00007fb3bf74278d in WebCore::RenderObject::destroy() () from /home/slave/webkitgtk/gtk-linux-64-release/build/WebKitBuild/Release/.libs/libwebkitgtk-3.0.so.0
#16 0x00007fb3bf12eacf in WebCore::Node::detach() () from /home/slave/webkitgtk/gtk-linux-64-release/build/WebKitBuild/Release/.libs/libwebkitgtk-3.0.so.0
#17 0x00007fb3bf0c767e in WebCore::ContainerNode::detach() () from /home/slave/webkitgtk/gtk-linux-64-release/build/WebKitBuild/Release/.libs/libwebkitgtk-3.0.so.0
#18 0x00007fb3bf10fda4 in WebCore::Element::detach() () from /home/slave/webkitgtk/gtk-linux-64-release/build/WebKitBuild/Release/.libs/libwebkitgtk-3.0.so.0
#19 0x00007fb3bf0cb800 in WebCore::ContainerNode::removeChildren() () from /home/slave/webkitgtk/gtk-linux-64-release/build/WebKitBuild/Release/.libs/libwebkitgtk-3.0.so.0
#20 0x00007fb3bf1d34dc in WebCore::replaceChildrenWithFragment(WebCore::ContainerNode*, WTF::PassRefPtr<WebCore::DocumentFragment>, int&) () from /home/slave/webkitgtk/gtk-linux-64-release/build/WebKitBuild/Release/.libs/libwebkitgtk-3.0.so.0
#21 0x00007fb3bf27564a in WebCore::HTMLElement::setInnerHTML(WTF::String const&, int&) () from /home/slave/webkitgtk/gtk-linux-64-release/build/WebKitBuild/Release/.libs/libwebkitgtk-3.0.so.0
#22 0x00007fb3bfb43794 in WebCore::setJSHTMLElementInnerHTML(JSC::ExecState*, JSC::JSObject*, JSC::JSValue) () from /home/slave/webkitgtk/gtk-linux-64-release/build/WebKitBuild/Release/.libs/libwebkitgtk-3.0.so.0
#23 0x00007fb3bfb42f0c in WebCore::JSHTMLElement::put(JSC::JSCell*, JSC::ExecState*, JSC::PropertyName, JSC::JSValue, JSC::PutPropertySlot&) () from /home/slave/webkitgtk/gtk-linux-64-release/build/WebKitBuild/Release/.libs/libwebkitgtk-3.0.so.0
#24 0x00007fb3bfb2a381 in WebCore::JSHTMLBodyElement::put(JSC::JSCell*, JSC::ExecState*, JSC::PropertyName, JSC::JSValue, JSC::PutPropertySlot&) () from /home/slave/webkitgtk/gtk-linux-64-release/build/WebKitBuild/Release/.libs/libwebkitgtk-3.0.so.0
#25 0x00007fb3c079e413 in llint_slow_path_put_by_id () from /home/slave/webkitgtk/gtk-linux-64-release/build/WebKitBuild/Release/.libs/libjavascriptcoregtk-3.0.so.0
#26 0x00007fb3c07a946a in llint_op_put_by_id () from /home/slave/webkitgtk/gtk-linux-64-release/build/WebKitBuild/Release/.libs/libjavascriptcoregtk-3.0.so.0
#27 0x00007fb300000000 in ?? ()
#28 0x0000000000000000 in ?? ()
Comment 1 Dominic Mazzoni 2012-10-29 14:51:05 PDT
Thanks. I will look at this.

FYI, it's quite likely that r132699 didn't cause these crashes; it exposed them. In particular, r132699 causes AccessibilityObjects to be created a little bit more often than before, and that is resulting in us testing codepaths that weren't well-tested before. It's worth fixing these bugs directly, rather than trying to revert r132699 or find a way to modify it to not trigger these crashes.
Comment 2 Jussi Kukkonen (jku) 2012-12-03 09:01:50 PST
These aren't as flaky on EFL, but I just saw the same backtrace for editing/selection/first-letter-selection-crash.html on EFL WK2 Debug bot.
Comment 3 Zan Dobersek 2013-01-17 03:52:07 PST
Here's the crash log for these crashes, scraped from the debug builder:
Crash log for DumpRenderTree (pid 28412):

...
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Core was generated by `/home/slave/webkitgtk/gtk-linux-64-debug/build/WebKitBuild/Debug/Programs/DumpR'.
Program terminated with signal 11, Segmentation fault.
#0  0x00007fcd5068a0b5 in WebCore::RenderObject::firstChild (this=0xf7db428) at ../../Source/WebCore/rendering/RenderObject.h:178
178	        if (const RenderObjectChildList* children = virtualChildren())

...

Thread 1 (Thread 0x7fcd45bfe900 (LWP 28412)):
#0  0x00007fcd5068a0b5 in WebCore::RenderObject::firstChild (this=0xf7db428) at ../../Source/WebCore/rendering/RenderObject.h:178
#1  0x00007fcd50b4f061 in WebCore::firstRenderTextInFirstLetter (firstLetter=0xf7db428) at ../../Source/WebCore/editing/TextIterator.cpp:648
#2  0x00007fcd50b4f128 in WebCore::TextIterator::handleTextNodeFirstLetter (this=0x7fffef44c840, renderer=0xf7db4b8) at ../../Source/WebCore/editing/TextIterator.cpp:661
#3  0x00007fcd50b4e85b in WebCore::TextIterator::handleTextNode (this=0x7fffef44c840) at ../../Source/WebCore/editing/TextIterator.cpp:531
#4  0x00007fcd50b4dfd0 in WebCore::TextIterator::advance (this=0x7fffef44c840) at ../../Source/WebCore/editing/TextIterator.cpp:407
#5  0x00007fcd50b4dd19 in WebCore::TextIterator::TextIterator (this=0x7fffef44c840, r=0xf78c880, behavior=28) at ../../Source/WebCore/editing/TextIterator.cpp:342
#6  0x00007fcd50b54843 in WebCore::plainText (r=0xf78c880, defaultBehavior=24, isDisplayString=false) at ../../Source/WebCore/editing/TextIterator.cpp:2569
#7  0x00007fcd5068faa1 in WebCore::AccessibilityRenderObject::textUnderElement (this=0xe43c080) at ../../Source/WebCore/accessibility/AccessibilityRenderObject.cpp:653
#8  0x00007fcd519a1486 in WebCore::AccessibilityObject::accessibilityPlatformIncludesObject (this=0xe43c080) at ../../Source/WebCore/accessibility/atk/AccessibilityObjectAtk.cpp:87
#9  0x00007fcd506915d0 in WebCore::AccessibilityRenderObject::accessibilityIsIgnoredBase (this=0xe43c080) at ../../Source/WebCore/accessibility/AccessibilityRenderObject.cpp:1118
#10 0x00007fcd50691618 in WebCore::AccessibilityRenderObject::accessibilityIsIgnored (this=0xe43c080) at ../../Source/WebCore/accessibility/AccessibilityRenderObject.cpp:1132
#11 0x00007fcd506a921a in WebCore::AXObjectCache::childrenChanged (this=0x9e7bd70, obj=0xe43c080) at ../../Source/WebCore/accessibility/AXObjectCache.cpp:591
#12 0x00007fcd506a919d in WebCore::AXObjectCache::childrenChanged (this=0x9e7bd70, renderer=0xf779b48) at ../../Source/WebCore/accessibility/AXObjectCache.cpp:581
#13 0x00007fcd511d0d9c in WebCore::RenderObject::willBeDestroyed (this=0xf7db4b8) at ../../Source/WebCore/rendering/RenderObject.cpp:2374
#14 0x00007fcd51228b7b in WebCore::RenderText::willBeDestroyed (this=0xf7db4b8) at ../../Source/WebCore/rendering/RenderText.cpp:248
#15 0x00007fcd51233d2f in WebCore::RenderTextFragment::willBeDestroyed (this=0xf7db4b8) at ../../Source/WebCore/rendering/RenderTextFragment.cpp:75
#16 0x00007fcd511d1641 in WebCore::RenderObject::destroy (this=0xf7db4b8) at ../../Source/WebCore/rendering/RenderObject.cpp:2536
#17 0x00007fcd511d161a in WebCore::RenderObject::destroyAndCleanupAnonymousWrappers (this=0xf7db4b8) at ../../Source/WebCore/rendering/RenderObject.cpp:2529
#18 0x00007fcd50a5124e in WebCore::Node::detach (this=0xf807920) at ../../Source/WebCore/dom/Node.cpp:1108
#19 0x00007fcd5097de3a in WebCore::ContainerNode::removeBetween (this=0xa2f5970, previousChild=0xe34f550, nextChild=0x0, oldChild=0xf807920) at ../../Source/WebCore/dom/ContainerNode.cpp:528
#20 0x00007fcd5097dcb7 in WebCore::ContainerNode::removeChild (this=0xa2f5970, oldChild=0xf807920, ec=@0x7fffef44ce44: 0) at ../../Source/WebCore/dom/ContainerNode.cpp:510
#21 0x00007fcd50a4f856 in WebCore::Node::remove (this=0xf807920, ec=@0x7fffef44ce44: 0) at ../../Source/WebCore/dom/Node.cpp:583
#22 0x00007fcd50b382ee in WebCore::RemoveNodeCommand::doApply (this=0xe440430) at ../../Source/WebCore/editing/RemoveNodeCommand.cpp:55
#23 0x00007fcd50acecc2 in WebCore::CompositeEditCommand::applyCommandToComposite (this=0xe3f5340, prpCommand=...) at ../../Source/WebCore/editing/CompositeEditCommand.cpp:257
#24 0x00007fcd50acfcb9 in WebCore::CompositeEditCommand::removeNode (this=0xe3f5340, node=..., shouldAssumeContentIsAlwaysEditable=WebCore::DoNotAssumeContentIsAlwaysEditable) at ../../Source/WebCore/editing/CompositeEditCommand.cpp:395
#25 0x00007fcd50ac65eb in WebCore::ApplyStyleCommand::surroundNodeRangeWithElement (this=0xe3f5340, passedStartNode=..., endNode=..., elementToInsert=...) at ../../Source/WebCore/editing/ApplyStyleCommand.cpp:1337
#26 0x00007fcd50ac7622 in WebCore::ApplyStyleCommand::applyInlineStyleChange (this=0xe3f5340, passedStart=..., passedEnd=..., styleChange=..., addStyledElement=WebCore::ApplyStyleCommand::AddStyledElement) at ../../Source/WebCore/editing/ApplyStyleCommand.cpp:1448
#27 0x00007fcd50ac2ee0 in WebCore::ApplyStyleCommand::applyInlineStyleToNodeRange (this=0xe3f5340, style=0xe433450, startNode=..., pastEndNode=...) at ../../Source/WebCore/editing/ApplyStyleCommand.cpp:816
#28 0x00007fcd50ac248c in WebCore::ApplyStyleCommand::fixRangeAndApplyInlineStyle (this=0xe3f5340, style=0xe433450, start=..., end=...) at ../../Source/WebCore/editing/ApplyStyleCommand.cpp:702
#29 0x00007fcd50ac205d in WebCore::ApplyStyleCommand::applyInlineStyle (this=0xe3f5340, style=0xe433450) at ../../Source/WebCore/editing/ApplyStyleCommand.cpp:665
#30 0x00007fcd50abf15d in WebCore::ApplyStyleCommand::doApply (this=0xe3f5340) at ../../Source/WebCore/editing/ApplyStyleCommand.cpp:223
#31 0x00007fcd50acea78 in WebCore::CompositeEditCommand::apply (this=0xe3f5340) at ../../Source/WebCore/editing/CompositeEditCommand.cpp:205
#32 0x00007fcd50ace778 in WebCore::applyCommand (command=...) at ../../Source/WebCore/editing/CompositeEditCommand.cpp:162
#33 0x00007fcd50afd15f in WebCore::Editor::applyStyle (this=0x15cf568, style=0xf806ff0, editingAction=WebCore::EditActionUnspecified) at ../../Source/WebCore/editing/Editor.cpp:695
#34 0x00007fcd50af2968 in WebCore::applyCommandToFrame (frame=0x15cf000, source=WebCore::CommandFromDOM, action=WebCore::EditActionSetColor, style=0xf806ff0) at ../../Source/WebCore/editing/EditorCommand.cpp:111
#35 0x00007fcd50af2a40 in WebCore::executeApplyStyle (frame=0x15cf000, source=WebCore::CommandFromDOM, action=WebCore::EditActionSetColor, propertyID=WebCore::CSSPropertyColor, propertyValue="red") at ../../Source/WebCore/editing/EditorCommand.cpp:122
#36 0x00007fcd50af42f8 in WebCore::executeForeColor (frame=0x15cf000, source=WebCore::CommandFromDOM, value="red") at ../../Source/WebCore/editing/EditorCommand.cpp:439
#37 0x00007fcd50af7d62 in WebCore::Editor::Command::execute (this=0x7fffef44dc20, parameter="red", triggeringEvent=0x0) at ../../Source/WebCore/editing/EditorCommand.cpp:1704
#38 0x00007fcd5099bc7e in WebCore::Document::execCommand (this=0xf7c8c40, commandName="ForeColor", userInterface=false, value="red") at ../../Source/WebCore/dom/Document.cpp:4183
#39 0x00007fcd51462920 in WebCore::jsDocumentPrototypeFunctionExecCommand (exec=0x7fcd001180b0) at DerivedSources/WebCore/JSDocument.cpp:2603
#40 0x00007fcd034fa0e5 in ?? ()
#41 0x00007fffef44ddd0 in ?? ()
#42 0x00007fcd54916ac7 in llint_op_call () from /home/slave/webkitgtk/gtk-linux-64-debug/build/WebKitBuild/Debug/.libs/libjavascriptcoregtk-3.0.so.0
#43 0x00007fcd00118058 in ?? ()
#44 0x00000000015f0980 in ?? ()
#45 0x00007fffef44dd90 in ?? ()
#46 0x00007fcd548bbdc7 in JSC::JSStack::installTrapsAfterFrame (this=0x0, frame=0x0) at ../../Source/JavaScriptCore/interpreter/JSStackInlines.h:213
#47 0x00007fcd548bab34 in JSC::JITCode::execute (this=0x7fccf82dd620, stack=0x15f0980, callFrame=0x7fcd00118058, globalData=0x1c4e210) at ../../Source/JavaScriptCore/jit/JITCode.h:134
#48 0x00007fcd548b7c6e in JSC::Interpreter::execute (this=0x15f0970, program=0x7fccf82dd600, callFrame=0x7fcd0006e388, thisObj=0x7fcd000affc0) at ../../Source/JavaScriptCore/interpreter/Interpreter.cpp:983
#49 0x00007fcd549a9600 in JSC::evaluate (exec=0x7fcd0006e388, source=..., thisValue=..., returnedException=0x7fffef44f3e0) at ../../Source/JavaScriptCore/runtime/Completion.cpp:75
#50 0x00007fcd5071be23 in WebCore::JSMainThreadExecState::evaluate (exec=0x7fcd0006e388, source=..., thisValue=..., exception=0x7fffef44f3e0) at ../../Source/WebCore/bindings/js/JSMainThreadExecState.h:77
#51 0x00007fcd5074a884 in WebCore::ScriptController::evaluateInWorld (this=0x15cf4e8, sourceCode=..., world=0x1c82ec0) at ../../Source/WebCore/bindings/js/ScriptController.cpp:141
#52 0x00007fcd5074a99a in WebCore::ScriptController::evaluate (this=0x15cf4e8, sourceCode=...) at ../../Source/WebCore/bindings/js/ScriptController.cpp:158
#53 0x00007fcd50a856dd in WebCore::ScriptElement::executeScript (this=0xf807a80, sourceCode=...) at ../../Source/WebCore/dom/ScriptElement.cpp:304
#54 0x00007fcd50a84ec6 in WebCore::ScriptElement::prepareScript (this=0xf807a80, scriptStartPosition=..., supportLegacyTypes=WebCore::ScriptElement::DisallowLegacyTypeInTypeAttribute) at ../../Source/WebCore/dom/ScriptElement.cpp:242
#55 0x00007fcd50ca8c7a in WebCore::HTMLScriptRunner::runScript (this=0xf7ab600, script=0xf807a10, scriptStartPosition=...) at ../../Source/WebCore/html/parser/HTMLScriptRunner.cpp:290
#56 0x00007fcd50ca82b5 in WebCore::HTMLScriptRunner::execute (this=0xf7ab600, scriptElement=..., scriptStartPosition=...) at ../../Source/WebCore/html/parser/HTMLScriptRunner.cpp:170
#57 0x00007fcd50c98d97 in WebCore::HTMLDocumentParser::runScriptsForPausedTreeBuilder (this=0xf75bff0) at ../../Source/WebCore/html/parser/HTMLDocumentParser.cpp:207
#58 0x00007fcd50c98e49 in WebCore::HTMLDocumentParser::canTakeNextToken (this=0xf75bff0, mode=WebCore::HTMLDocumentParser::AllowYield, session=...) at ../../Source/WebCore/html/parser/HTMLDocumentParser.cpp:224
#59 0x00007fcd50c9925c in WebCore::HTMLDocumentParser::pumpTokenizer (this=0xf75bff0, mode=WebCore::HTMLDocumentParser::AllowYield) at ../../Source/WebCore/html/parser/HTMLDocumentParser.cpp:261
#60 0x00007fcd50c98c44 in WebCore::HTMLDocumentParser::pumpTokenizerIfPossible (this=0xf75bff0, mode=WebCore::HTMLDocumentParser::AllowYield) at ../../Source/WebCore/html/parser/HTMLDocumentParser.cpp:180
#61 0x00007fcd50c99818 in WebCore::HTMLDocumentParser::append (this=0xf75bff0, source=...) at ../../Source/WebCore/html/parser/HTMLDocumentParser.cpp:368
#62 0x00007fcd50986e35 in WebCore::DecodedDataDocumentParser::flush (this=0xf75bff0, writer=0xf7982a8) at ../../Source/WebCore/dom/DecodedDataDocumentParser.cpp:60
#63 0x00007fcd50e9dd91 in WebCore::DocumentWriter::end (this=0xf7982a8) at ../../Source/WebCore/loader/DocumentWriter.cpp:241
#64 0x00007fcd50e8e68c in WebCore::DocumentLoader::finishedLoading (this=0xf798200) at ../../Source/WebCore/loader/DocumentLoader.cpp:295
#65 0x00007fcd50ee0afc in WebCore::MainResourceLoader::didFinishLoading (this=0xf7bf970, finishTime=0) at ../../Source/WebCore/loader/MainResourceLoader.cpp:563
#66 0x00007fcd50ee0c77 in WebCore::MainResourceLoader::notifyFinished (this=0xf7bf970, resource=0xf7e07e0) at ../../Source/WebCore/loader/MainResourceLoader.cpp:573
#67 0x00007fcd50e6d7fe in WebCore::CachedResource::checkNotify (this=0xf7e07e0) at ../../Source/WebCore/loader/cache/CachedResource.cpp:336
#68 0x00007fcd50e6d858 in WebCore::CachedResource::data (this=0xf7e07e0, allDataReceived=true) at ../../Source/WebCore/loader/cache/CachedResource.cpp:345
#69 0x00007fcd50e6ae8c in WebCore::CachedRawResource::data (this=0xf7e07e0, data=..., allDataReceived=true) at ../../Source/WebCore/loader/cache/CachedRawResource.cpp:72
#70 0x00007fcd50ef7e12 in WebCore::SubresourceLoader::didFinishLoading (this=0xf747cc0, finishTime=0) at ../../Source/WebCore/loader/SubresourceLoader.cpp:276
#71 0x00007fcd50eed7b9 in WebCore::ResourceLoader::didFinishLoading (this=0xf747cc0, finishTime=0) at ../../Source/WebCore/loader/ResourceLoader.cpp:457
#72 0x00007fcd518297ab in WebCore::readCallback (asyncResult=0xc08e350, data=0x9512b90) at ../../Source/WebCore/platform/network/soup/ResourceHandleSoup.cpp:1346
#73 0x00007fcd4f331e5f in async_ready_callback_wrapper () from /home/slave/webkitgtk/gtk-linux-64-debug/build/WebKitBuild/Dependencies/Root/lib64/libgio-2.0.so.0
#74 0x00007fcd4f34c7ea in g_simple_async_result_complete () from /home/slave/webkitgtk/gtk-linux-64-debug/build/WebKitBuild/Dependencies/Root/lib64/libgio-2.0.so.0
#75 0x00007fcd4f34c9b2 in complete_in_idle_cb_for_thread () from /home/slave/webkitgtk/gtk-linux-64-debug/build/WebKitBuild/Dependencies/Root/lib64/libgio-2.0.so.0
#76 0x00007fcd4f179fd1 in g_idle_dispatch () from /home/slave/webkitgtk/gtk-linux-64-debug/build/WebKitBuild/Dependencies/Root/lib64/libglib-2.0.so.0
#77 0x00007fcd4f177903 in g_main_dispatch () from /home/slave/webkitgtk/gtk-linux-64-debug/build/WebKitBuild/Dependencies/Root/lib64/libglib-2.0.so.0
#78 0x00007fcd4f1784b3 in g_main_context_dispatch () from /home/slave/webkitgtk/gtk-linux-64-debug/build/WebKitBuild/Dependencies/Root/lib64/libglib-2.0.so.0
#79 0x00007fcd4f1786a3 in g_main_context_iterate () from /home/slave/webkitgtk/gtk-linux-64-debug/build/WebKitBuild/Dependencies/Root/lib64/libglib-2.0.so.0
#80 0x00007fcd4f178ad3 in g_main_loop_run () from /home/slave/webkitgtk/gtk-linux-64-debug/build/WebKitBuild/Dependencies/Root/lib64/libglib-2.0.so.0
#81 0x00007fcd4fcc0e22 in gtk_main () from /home/slave/webkitgtk/gtk-linux-64-debug/build/WebKitBuild/Dependencies/Root/lib64/libgtk-3.so.0
#82 0x00000000004953bf in runTest (inputLine=...) at ../../Tools/DumpRenderTree/gtk/DumpRenderTree.cpp:761
#83 0x0000000000494afd in runTestingServerLoop () at ../../Tools/DumpRenderTree/gtk/DumpRenderTree.cpp:551
#84 0x0000000000497da3 in main (argc=2, argv=0x7fffef450aa8) at ../../Tools/DumpRenderTree/gtk/DumpRenderTree.cpp:1503
Comment 4 Dominic Mazzoni 2013-01-17 15:54:02 PST
Created attachment 183303 [details]
Patch
Comment 5 Dominic Mazzoni 2013-01-17 15:56:24 PST
Here's my proposed fix, with the following reasoning:

* This will fix the crash and doesn't break any existing tests.

* accessibilityIsIgnored is a very hot function, it's called whenever an object is created, deleted, or modified. textUnderElement can be ridiculously expensive, especially when called on an element with a lot of descendants. So, ideally we want to avoid calling textUnderElement so often anyway.

* This will probably change the ignored status of a few objects in corner cases. If these are wrong, we should write tests for them and try to come up with better heuristics. It's probably better to err on the side of including more nodes in the tree.
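The hazard the two backtraces share, and the reason the comment argues against running textUnderElement from accessibilityIsIgnored, modelled as an added C++ example (constructed for this page, not WebKit code; Node, Cache, textUnder, isIgnored, IgnoredPolicy and staleReadsDuringTeardown are hypothetical stand-ins for the renderer, AXObjectCache, textUnderElement and accessibilityIsIgnored). A teardown hook notifies the cache, the cache's ignored check walks the subtree, and the walk follows a text fragment's link to a first-letter renderer that has already been destroyed; the model assumes the first-letter renderer is torn down before the fragment that points at it, which is what the debug trace's stale firstLetter pointer suggests. The hardened policy decides from the node's own state and never descends during a notification, which is the direction the comment argues for.

```cpp
// Constructed model of the teardown pattern in the backtraces above.
// All names are hypothetical stand-ins; this is not WebKit's code.
#include <string>
#include <vector>

struct Node;

// Which check the cache runs from its change notification.
enum class IgnoredPolicy { WalkSubtreeText, LocalStateOnly };

struct Cache {
    IgnoredPolicy policy;
    int deadNodeTouches = 0;   // reads of a node already torn down (a crash in real code)
    void childrenChanged(Node* parent);
};

struct Node {
    std::string text;
    bool alive = true;
    Node* parent = nullptr;
    Node* firstLetter = nullptr;   // hypothetical: a text fragment's link to its first-letter renderer
    std::vector<Node*> children;   // DOM-backed children visited by the text walk
    Cache* cache = nullptr;

    // willBeDestroyed() analogue: notify the cache about the parent while this node
    // is still reachable and other renderers may already be gone.
    void destroy() {
        if (cache && parent)
            cache->childrenChanged(parent);
        alive = false;   // memory is kept so the model can count stale reads safely
    }
};

// textUnderElement() analogue: full subtree walk, following the first-letter link.
static std::string textUnder(Node* n, Cache& cache) {
    if (!n->alive) {
        ++cache.deadNodeTouches;   // where real code dereferences freed memory
        return "";
    }
    std::string out;
    if (n->firstLetter)
        out += textUnder(n->firstLetter, cache);   // the stale pointer from the trace
    out += n->text;
    for (Node* c : n->children)
        out += textUnder(c, cache);
    return out;
}

// accessibilityIsIgnored() analogue.
static bool isIgnored(Node* n, Cache& cache) {
    if (cache.policy == IgnoredPolicy::WalkSubtreeText)
        return textUnder(n, cache).empty();   // expensive, and unsafe mid-teardown
    // Hardened: decide from the node's own fields; never descend during a notification.
    return n->text.empty() && n->children.empty();
}

void Cache::childrenChanged(Node* parent) {
    (void)isIgnored(parent, *this);
}

// Tear down a block holding a first-letter renderer and a text fragment that points
// at it, with the first-letter renderer destroyed first (assumed ordering).
// Returns how many times the cache's check read an already-destroyed node.
int staleReadsDuringTeardown(IgnoredPolicy policy) {
    Cache cache{policy};
    Node block, letterBox, fragment;   // constructed sample tree
    block.cache = letterBox.cache = fragment.cache = &cache;
    letterBox.text = "H";
    letterBox.parent = &block;
    fragment.text = "ello";
    fragment.parent = &block;
    fragment.firstLetter = &letterBox;
    block.children = {&fragment};   // letterBox is anonymous: reached only via firstLetter

    letterBox.destroy();   // its notification walks a tree that is still intact
    fragment.destroy();    // this one walks through the now-dead first-letter renderer
    return cache.deadNodeTouches;
}

int main() {
    bool ok = staleReadsDuringTeardown(IgnoredPolicy::WalkSubtreeText) == 1
           && staleReadsDuringTeardown(IgnoredPolicy::LocalStateOnly) == 0;
    return ok ? 0 : 1;
}
```

Where the model increments deadNodeTouches, real code is reading a renderer that has already been freed; the counter exists only so the two policies can be compared offline. The point generalises beyond the first-letter case: any deep traversal started from a destruction hook can reach objects that the same teardown sequence has already released, so the check run from that hook should depend only on state the notified object owns.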
Comment 6 Joanmarie Diggs (irc: joanie) 2013-01-17 16:07:34 PST
(In reply to comment #5)
> Here's my proposed fix, with the following reasoning:
> 
> * This will fix the crash and doesn't break any existing tests.
> 
> * accessibilityIsIgnored is a very hot function, it's called whenever an object is created, deleted, or modified. textUnderElement can be ridiculously expensive, especially when called on an element with a lot of descendants. So, ideally we want to avoid calling textUnderElement so often anyway.

Would you add a comment into the code to that effect? It was really hard to get rid of bogus elements and if we see a regression later on, it would be nice to know that we shouldn't call textUnderElement.

> It's probably better to err on the side of including more nodes in the tree.

That depends on if it results in accessible caret events going missing. ;) Having said that, I'll cross that bridge when I get to it. Thanks for hunting this one down.
Comment 7 Dominic Mazzoni 2013-01-17 16:10:30 PST
Created attachment 183305 [details]
Patch
Comment 8 Dominic Mazzoni 2013-01-17 16:11:38 PST
(In reply to comment #6)
> Would you add a comment into the code to that effect? It was really hard to get rid of bogus elements and if we see a regression later on, it would be nice to know that we shouldn't call textUnderElement.

Sure, done.

> > It's probably better to err on the side of including more nodes in the tree.
> 
> That depends on if it results in accessible caret events going missing. ;) Having said that, I'll cross that bridge when I get to it. Thanks for hunting this one down.

Ah, I see. If having an *extra* element in the tree causes a caret event to get lost in the future, let's debug it and see if there is another possible solution.
Comment 9 Joanmarie Diggs (irc: joanie) 2013-01-18 09:06:20 PST
Since this patch seems to accomplish the same thing and passes all the regression tests, I'm fine with this.

And we really need to eliminate these crashers....
Comment 10 WebKit Review Bot 2013-01-18 09:49:50 PST
Comment on attachment 183305 [details]
Patch

Clearing flags on attachment: 183305

Committed r140166: <http://trac.webkit.org/changeset/140166>
Comment 11 WebKit Review Bot 2013-01-18 09:49:55 PST
All reviewed patches have been landed.  Closing bug.