RESOLVED FIXED 106073
REGRESSION: [Mac] Intermittent crash in WTR::AccessibilityUIElement::isEqual
https://bugs.webkit.org/show_bug.cgi?id=106073
Summary REGRESSION: [Mac] Intermittent crash in WTR::AccessibilityUIElement::isEqual
Ryosuke Niwa
Reported 2013-01-03 18:38:30 PST
Some tests in sputnik/Conformance are intermittently crashing in AccessibilityUIElement::isEqual. Here’s one example: http://build.webkit.org/results/Apple%20MountainLion%20Release%20WK2%20(Tests)/r138770%20(4442)/results.html

There are several tests that crash with a similar stack trace:

0   WebKitTestRunnerInjectedBundle  0x00000001064415ba WTR::AccessibilityUIElement::isEqual(WTR::AccessibilityUIElement*) + 8 (AccessibilityUIElement.h:76)
1   WebKitTestRunnerInjectedBundle  0x0000000106447b45 WTR::JSAccessibilityUIElement::isEqual(OpaqueJSContext const*, OpaqueJSValue*, OpaqueJSValue*, unsigned long, OpaqueJSValue const* const*, OpaqueJSValue const**) + 65 (JSAccessibilityUIElement.cpp:203)
2   com.apple.JavaScriptCore        0x00000001022b9b4f JSC::JSCallbackFunction::call(JSC::ExecState*) + 431 (JSCallbackFunction.cpp:72)
3   com.apple.JavaScriptCore        0x00000001023d330e JSC::LLInt::setUpCall(JSC::ExecState*, JSC::Instruction*, JSC::CodeSpecializationKind, JSC::JSValue, JSC::LLIntCallLinkInfo*) + 206 (LLIntSlowPaths.cpp:1362)
4   com.apple.JavaScriptCore        0x00000001023d76db llint_op_call + 169
5   com.apple.JavaScriptCore        0x0000000102266304 JSC::Interpreter::executeCall(JSC::ExecState*, JSC::JSObject*, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) + 548 (JSValueInlines.h:360)
6   com.apple.JavaScriptCore        0x000000010219e345 JSC::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) + 69 (CallData.cpp:39)
7   com.apple.JavaScriptCore        0x00000001022e1961 JSObjectCallAsFunction + 545 (JSObjectRef.cpp:444)
8   WebKitTestRunnerInjectedBundle  0x000000010644b140 -[AccessibilityNotificationHandler _notificationReceived:] + 385 (AccessibilityNotificationHandler.mm:136)
9   com.apple.CoreFoundation        0x00007fff8d48247a _CFXNotificationPost + 2554
10  com.apple.Foundation            0x00007fff8846c846 -[NSNotificationCenter postNotificationName:object:userInfo:] + 64
11  com.apple.WebCore               0x00000001026a8837 WebCore::AXObjectCache::notificationPostTimerFired(WebCore::Timer<WebCore::AXObjectCache>*) + 71 (AXObjectCache.cpp:598)
12  com.apple.WebCore               0x000000010336836f WebCore::ThreadTimers::sharedTimerFiredInternal() + 159 (ThreadTimers.cpp:119)
13  com.apple.WebCore               0x00000001031f30a3 WebCore::timerFired(__CFRunLoopTimer*, void*) + 51 (SharedTimerMac.mm:167)
14  com.apple.CoreFoundation        0x00007fff8d48cda4 __CFRUNLOOP_IS_CALLING_OUT_TO_A_TIMER_CALLBACK_FUNCTION__ + 20
15  com.apple.CoreFoundation        0x00007fff8d48c8bd __CFRunLoopDoTimer + 557
16  com.apple.CoreFoundation        0x00007fff8d472099 __CFRunLoopRun + 1513
17  com.apple.CoreFoundation        0x00007fff8d4716b2 CFRunLoopRunSpecific + 290
18  com.apple.HIToolbox             0x00007fff8c56e0a4 RunCurrentEventLoopInMode + 209
19  com.apple.HIToolbox             0x00007fff8c56de42 ReceiveNextEventCommon + 356
20  com.apple.HIToolbox             0x00007fff8c56dcd3 BlockUntilNextEventMatchingListInMode + 62
21  com.apple.AppKit                0x00007fff85d25613 _DPSNextEvent + 685
22  com.apple.AppKit                0x00007fff85d24ed2 -[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] + 128
23  com.apple.AppKit                0x00007fff85d1c283 -[NSApplication run] + 517
24  com.apple.WebCore               0x00000001031a1543 WebCore::RunLoop::run() + 67 (RunLoopMac.mm:36)
25  com.apple.WebKit2               0x0000000101c9fe8c WebKit::WebProcessMain(WebKit::CommandLine const&) + 3485 (RefPtr.h:56)
26  com.apple.WebKit2               0x0000000101c4317c WebKitMain + 324 (WebKitMain.cpp:58)
27  com.apple.WebProcess            0x0000000101b5fe7b main + 214
28  libdyld.dylib                   0x00007fff843aa7e1 start + 1
Attachments
patch (1.85 KB, patch)
2013-01-04 00:01 PST, chris fleizach
rniwa: review+
Radar WebKit Bug Importer
Comment 1 2013-01-03 18:38:51 PST
Ryosuke Niwa
Comment 2 2013-01-03 18:42:39 PST
I can’t really suppress it with test expectations here because it appears to occur on a random test in sputnik/Conformance :(
Ryosuke Niwa
Comment 4 2013-01-03 21:47:43 PST
Application Specific Information:
CRASHING TEST: sputnik/Conformance/09_Type_Conversion/9.5_ToInt32/S9.5_A2.2_T2.html

Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
0   WebKitTestRunnerInjectedBundle  0x000000010c9815ba WTR::AccessibilityUIElement::isEqual(WTR::AccessibilityUIElement*) + 8 (AccessibilityUIElement.h:76)
1   WebKitTestRunnerInjectedBundle  0x000000010c987b45 WTR::JSAccessibilityUIElement::isEqual(OpaqueJSContext const*, OpaqueJSValue*, OpaqueJSValue*, unsigned long, OpaqueJSValue const* const*, OpaqueJSValue const**) + 65 (JSAccessibilityUIElement.cpp:203)
2   com.apple.JavaScriptCore        0x00000001087f7b4f JSC::JSCallbackFunction::call(JSC::ExecState*) + 431 (JSCallbackFunction.cpp:72)
3   com.apple.JavaScriptCore        0x000000010891130e JSC::LLInt::setUpCall(JSC::ExecState*, JSC::Instruction*, JSC::CodeSpecializationKind, JSC::JSValue, JSC::LLIntCallLinkInfo*) + 206 (LLIntSlowPaths.cpp:1362)
4   com.apple.JavaScriptCore        0x00000001089156db llint_op_call + 169
5   com.apple.JavaScriptCore        0x00000001087a4304 JSC::Interpreter::executeCall(JSC::ExecState*, JSC::JSObject*, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) + 548 (JSValueInlines.h:360)
6   com.apple.JavaScriptCore        0x00000001086dc345 JSC::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) + 69 (CallData.cpp:39)
7   com.apple.JavaScriptCore        0x000000010881f961 JSObjectCallAsFunction + 545 (JSObjectRef.cpp:444)
8   WebKitTestRunnerInjectedBundle  0x000000010c98b140 -[AccessibilityNotificationHandler _notificationReceived:] + 385 (AccessibilityNotificationHandler.mm:136)
9   com.apple.CoreFoundation        0x00007fff8d48247a _CFXNotificationPost + 2554
10  com.apple.Foundation            0x00007fff8846c846 -[NSNotificationCenter postNotificationName:object:userInfo:] + 64
11  com.apple.WebCore               0x0000000108be6837 WebCore::AXObjectCache::notificationPostTimerFired(WebCore::Timer<WebCore::AXObjectCache>*) + 71 (AXObjectCache.cpp:598)
12  com.apple.WebCore               0x00000001098a636f WebCore::ThreadTimers::sharedTimerFiredInternal() + 159 (ThreadTimers.cpp:119)
13  com.apple.WebCore               0x00000001097310a3 WebCore::timerFired(__CFRunLoopTimer*, void*) + 51 (SharedTimerMac.mm:167)
14  com.apple.CoreFoundation        0x00007fff8d48cda4 __CFRUNLOOP_IS_CALLING_OUT_TO_A_TIMER_CALLBACK_FUNCTION__ + 20
15  com.apple.CoreFoundation        0x00007fff8d48c8bd __CFRunLoopDoTimer + 557
16  com.apple.CoreFoundation        0x00007fff8d472099 __CFRunLoopRun + 1513
17  com.apple.CoreFoundation        0x00007fff8d4716b2 CFRunLoopRunSpecific + 290
18  com.apple.HIToolbox             0x00007fff8c56e0a4 RunCurrentEventLoopInMode + 209
19  com.apple.HIToolbox             0x00007fff8c56de42 ReceiveNextEventCommon + 356
20  com.apple.HIToolbox             0x00007fff8c56dcd3 BlockUntilNextEventMatchingListInMode + 62
21  com.apple.AppKit                0x00007fff85d25613 _DPSNextEvent + 685
22  com.apple.AppKit                0x00007fff85d24ed2 -[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] + 128
23  com.apple.AppKit                0x00007fff85d1c283 -[NSApplication run] + 517
24  com.apple.WebCore               0x00000001096df543 WebCore::RunLoop::run() + 67 (RunLoopMac.mm:36)
chris fleizach
Comment 5 2013-01-04 00:01:09 PST
Ryosuke Niwa
Comment 6 2013-01-04 00:08:38 PST
Comment on attachment 181275 [details]
patch

View in context: https://bugs.webkit.org/attachment.cgi?id=181275&action=review

Do you know why this happens? It seems worth explaining why we need a null check in the change log.

> Tools/ChangeLog:6
> +        Check that the element being compared to is not nil.

Nit: Please move this below the "Reviewed by" line.
chris fleizach
Comment 7 2013-01-04 00:39:06 PST
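A model of the crash path in the two traces above and of the nil check discussed in comment 6, added here as an example; it is not WebKit code and not the contents of attachment 181275. Only the names AccessibilityUIElement and isEqual come from the page. The PlatformAXObject stand-in, the ScriptValue model of a JS argument, the toAccessibilityUIElement conversion, the bindingIsEqual entry point and the pre-fix body of isEqualUnchecked are assumptions made for illustration, inferred from the fact that the fault is at "isEqual + 8" and that the caller is the JS binding invoked from an accessibility notification callback.

```cpp
#include <cassert>
#include <cstdio>
#include <string>

// Stand-in for the platform accessibility object that WTR wraps. On Mac the
// real one is an Objective-C id; an opaque struct is enough to model identity.
// (Assumed type, not from the page.)
struct PlatformAXObject {
    std::string name;
};

// Cut-down model of WTR::AccessibilityUIElement: one platform element per
// wrapper, compared by identity of the underlying element.
class AccessibilityUIElement {
public:
    explicit AccessibilityUIElement(PlatformAXObject* element) : m_element(element) { }
    PlatformAXObject* platformElement() const { return m_element; }

    // Pre-fix shape inferred from the trace ("isEqual + 8"): the comparand is
    // dereferenced unconditionally, so a null pointer faults within the first
    // few instructions of the function.
    bool isEqualUnchecked(const AccessibilityUIElement* otherElement) const
    {
        return m_element == otherElement->platformElement();
    }

    // Post-fix shape, matching the ChangeLog line quoted in comment 6:
    // a nil comparand compares unequal instead of crashing.
    bool isEqual(const AccessibilityUIElement* otherElement) const
    {
        if (!otherElement)
            return false;
        return m_element == otherElement->platformElement();
    }

private:
    PlatformAXObject* m_element;
};

// What the JS binding layer sees: a script value that is either a wrapper for
// an AccessibilityUIElement or something else (undefined, null, a plain object).
// (Assumed model of a JSValueRef, not JavaScriptCore's real representation.)
struct ScriptValue {
    enum Kind { Undefined, Null, PlainObject, ElementWrapper };
    Kind kind;
    AccessibilityUIElement* wrapped; // only meaningful when kind == ElementWrapper
};

// Binding-side conversion in the style of generated JSAccessibilityUIElement
// code: any value that is not an AccessibilityUIElement wrapper converts to
// nullptr. This is the step that turns an unexpected JS argument into a null
// C++ pointer that the native method then receives. (Assumed helper.)
AccessibilityUIElement* toAccessibilityUIElement(const ScriptValue& value)
{
    return value.kind == ScriptValue::ElementWrapper ? value.wrapped : nullptr;
}

// Binding entry point: converts the JS argument and forwards to the native
// method, the role JSAccessibilityUIElement::isEqual plays at frame 1 of the
// trace. (Assumed helper.)
bool bindingIsEqual(const AccessibilityUIElement& self, const ScriptValue& argument)
{
    return self.isEqual(toAccessibilityUIElement(argument));
}

int main()
{
    // Constructed sample elements.
    PlatformAXObject button { "button" };
    PlatformAXObject link { "link" };
    AccessibilityUIElement buttonA(&button), buttonB(&button), linkA(&link);

    // Two wrappers for the same platform element compare equal; different elements do not.
    std::printf("same element:  %d\n", bindingIsEqual(buttonA, ScriptValue { ScriptValue::ElementWrapper, &buttonB }));
    std::printf("other element: %d\n", bindingIsEqual(buttonA, ScriptValue { ScriptValue::ElementWrapper, &linkA }));

    // A notification callback that hands the binding undefined or a non-wrapper
    // object reaches the native method with nullptr; the checked isEqual returns
    // false where isEqualUnchecked would dereference null.
    std::printf("undefined arg: %d\n", bindingIsEqual(buttonA, ScriptValue { ScriptValue::Undefined, nullptr }));
    std::printf("plain object:  %d\n", bindingIsEqual(buttonA, ScriptValue { ScriptValue::PlainObject, nullptr }));
    return 0;
}
```

The point the model makes is that the null does not originate in the native class: it is manufactured by the binding's type conversion whenever script passes something that is not a wrapper, and isEqual is the first place that trusts it. That is why the check belongs on the native side of the boundary (or in the binding before the call), and why a ChangeLog entry that only says "check for nil" is less useful than one that says where the nil comes from.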