WebKit Bugzilla
Bug 106431 - SIGSEV in WebCore::shouldEmitTabBeforeNode
https://bugs.webkit.org/show_bug.cgi?id=106431
RESOLVED DUPLICATE of bug 107261
Sergio Villar Senin, Reported 2013-01-09 02:35:13 PST
I can reliably reproduce this clicking on a link in the web interface of the Transmission BitTorrent client. I don't have a debug build right now, but I could get this backtrace:

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff542e5f4 in WebCore::shouldEmitTabBeforeNode(WebCore::Node*) () from ~/lib64/libwebkitgtk-3.0.so.0
(gdb) bt
#0  0x00007ffff542e5f4 in WebCore::shouldEmitTabBeforeNode(WebCore::Node*) () from ~/lib64/libwebkitgtk-3.0.so.0
#1  0x00007ffff542f6b9 in WebCore::TextIterator::representNodeOffsetZero() () from ~/lib64/libwebkitgtk-3.0.so.0
#2  0x00007ffff542f816 in WebCore::TextIterator::handleNonTextNode() () from ~/lib64/libwebkitgtk-3.0.so.0
#3  0x00007ffff5432600 in WebCore::TextIterator::advance() () from ~/lib64/libwebkitgtk-3.0.so.0
#4  0x00007ffff54334bf in WebCore::plainText(WebCore::Range const*, WebCore::TextIteratorBehavior, bool) () from ~/lib64/libwebkitgtk-3.0.so.0
#5  0x00007ffff5123585 in WebCore::AccessibilityRenderObject::textUnderElement() const () from ~/lib64/libwebkitgtk-3.0.so.0
#6  0x00007ffff5f87b89 in WebCore::AccessibilityObject::accessibilityPlatformIncludesObject() const () from ~/lib64/libwebkitgtk-3.0.so.0
#7  0x00007ffff5126b60 in WebCore::AccessibilityRenderObject::accessibilityIsIgnoredBase() const () from ~/lib64/libwebkitgtk-3.0.so.0
#8  0x00007ffff5131de9 in WebCore::AccessibilityTableRow::accessibilityIsIgnored() const () from ~/lib64/libwebkitgtk-3.0.so.0
#9  0x00007ffff51321f3 in WebCore::AXObjectCache::childrenChanged(WebCore::AccessibilityObject*) () from ~/lib64/libwebkitgtk-3.0.so.0
#10 0x00007ffff58c49ac in WebCore::RenderObjectChildList::removeChildNode(WebCore::RenderObject*, WebCore::RenderObject*, bool) () from ~/lib64/libwebkitgtk-3.0.so.0
#11 0x00007ffff58ce19f in WebCore::RenderObject::willBeDestroyed() () from ~/lib64/libwebkitgtk-3.0.so.0
#12 0x00007ffff57ef3ad in WebCore::RenderBlock::willBeDestroyed() () from ~/lib64/libwebkitgtk-3.0.so.0
#13 0x00007ffff58cc91d in WebCore::RenderObject::destroy() () from ~/lib64/libwebkitgtk-3.0.so.0
#14 0x00007ffff58c4684 in WebCore::RenderObjectChildList::destroyLeftoverChildren() () from ~/lib64/libwebkitgtk-3.0.so.0
#15 0x00007ffff58ce13a in WebCore::RenderObject::willBeDestroyed() () from ~/lib64/libwebkitgtk-3.0.so.0
#16 0x00007ffff58cc91d in WebCore::RenderObject::destroy() () from ~/lib64/libwebkitgtk-3.0.so.0
#17 0x00007ffff58c4684 in WebCore::RenderObjectChildList::destroyLeftoverChildren() () from ~/lib64/libwebkitgtk-3.0.so.0
#18 0x00007ffff58ce13a in WebCore::RenderObject::willBeDestroyed() () from ~/lib64/libwebkitgtk-3.0.so.0
#19 0x00007ffff58cc91d in WebCore::RenderObject::destroy() () from ~/lib64/libwebkitgtk-3.0.so.0
#20 0x00007ffff58c4684 in WebCore::RenderObjectChildList::destroyLeftoverChildren() () from ~/lib64/libwebkitgtk-3.0.so.0
#21 0x00007ffff57ef2cc in WebCore::RenderBlock::willBeDestroyed() () from ~/lib64/libwebkitgtk-3.0.so.0
#22 0x00007ffff58cc91d in WebCore::RenderObject::destroy() () from ~/lib64/libwebkitgtk-3.0.so.0
#23 0x00007ffff58c4684 in WebCore::RenderObjectChildList::destroyLeftoverChildren() () from ~/lib64/libwebkitgtk-3.0.so.0
#24 0x00007ffff57ef2cc in WebCore::RenderBlock::willBeDestroyed() () from ~/lib64/libwebkitgtk-3.0.so.0
#25 0x00007ffff58cc91d in WebCore::RenderObject::destroy() () from ~/lib64/libwebkitgtk-3.0.so.0
#26 0x00007ffff5365063 in WebCore::Node::detach() () from ~/lib64/libwebkitgtk-3.0.so.0
#27 0x00007ffff52f770e in WebCore::ContainerNode::detach() () from ~/lib64/libwebkitgtk-3.0.so.0
#28 0x00007ffff53407c4 in WebCore::Element::detach() () from ~/lib64/libwebkitgtk-3.0.so.0
#29 0x00007ffff5341b03 in WebCore::Node::reattach() () from ~/lib64/libwebkitgtk-3.0.so.0
#30 0x00007ffff53410e8 in WebCore::Element::recalcStyle(WebCore::Node::StyleChange) () from ~/lib64/libwebkitgtk-3.0.so.0
#31 0x00007ffff5341025 in WebCore::Element::recalcStyle(WebCore::Node::StyleChange) () from ~/lib64/libwebkitgtk-3.0.so.0
#32 0x00007ffff5341025 in WebCore::Element::recalcStyle(WebCore::Node::StyleChange) () from ~/lib64/libwebkitgtk-3.0.so.0
#33 0x00007ffff5341025 in WebCore::Element::recalcStyle(WebCore::Node::StyleChange) () from ~/lib64/libwebkitgtk-3.0.so.0
#34 0x00007ffff531676b in WebCore::Document::recalcStyle(WebCore::Node::StyleChange) () from ~/lib64/libwebkitgtk-3.0.so.0
#35 0x00007ffff5316b6e in WebCore::Document::updateStyleIfNeeded() () from ~/lib64/libwebkitgtk-3.0.so.0
#36 0x00007ffff51e2533 in WebCore::CSSComputedStyleDeclaration::getPropertyCSSValue(WebCore::CSSPropertyID, WebCore::EUpdateLayout) const () from ~/lib64/libwebkitgtk-3.0.so.0
#37 0x00007ffff51ee53e in WebCore::CSSComputedStyleDeclaration::getPropertyCSSValue(WebCore::CSSPropertyID) const () from ~/lib64/libwebkitgtk-3.0.so.0
#38 0x00007ffff51eeb31 in WebCore::CSSComputedStyleDeclaration::getPropertyValue(WebCore::CSSPropertyID) const () from ~/lib64/libwebkitgtk-3.0.so.0
#39 0x00007ffff51eebfd in WebCore::CSSComputedStyleDeclaration::getPropertyValue(WTF::String const&) () from ~/lib64/libwebkitgtk-3.0.so.0
#40 0x00007ffff5aa4454 in WebCore::jsCSSStyleDeclarationPrototypeFunctionGetPropertyValue(JSC::ExecState*) () from ~/lib64/libwebkitgtk-3.0.so.0
Attachments
Screenshot of transmission web interface (51.36 KB, image/png), 2013-01-19 10:43 PST, Joanmarie Diggs
Sergio Villar Senin, Comment 1, 2013-01-18 11:05:03 PST
Adding some a11y experts to the Cc. BTW I'm able to reliably reproduce this even with Joanie's patch for bug 106922.
Joanmarie Diggs, Comment 2, 2013-01-18 11:08:49 PST
Can you still repro it?
http://trac.webkit.org/changeset/140166
Sergio Villar Senin, Comment 3, 2013-01-19 05:10:32 PST
(In reply to comment #2)
> Can you still repro it?
> http://trac.webkit.org/changeset/140166
Yes, even with that fix.
Joanmarie Diggs, Comment 4, 2013-01-19 10:43:28 PST
Created attachment 183627 [details]: Screenshot of transmission web interface
I am using WebKitGtk+ from master/trunk, Epiphany from master, and transmission from trunk. I have clicked on every last thing in the web client for transmission and nothing is crashing. Looking at the screenshot, what exactly should I be clicking on to reproduce this crash? If you don't see what I see, what version of transmission should I build so that I can see what you see? Sorry and thanks!
Joanmarie Diggs, Comment 5, 2013-01-19 11:11:25 PST
At the risk of asking "is it plugged in", your trace suggests that AccessibilityObject::accessibilityPlatformIncludesObject() calls AccessibilityRenderObject::textUnderElement(). AccessibilityObject::accessibilityPlatformIncludesObject() **used to** call AccessibilityRenderObject::textUnderElement(). BUT it no longer does. Removing that call was what was done in http://trac.webkit.org/changeset/140166. In fact, the reason it was removed (aside from being resource intensive) is because it was crashing when an element was being destroyed -- which is also the case in the backtrace provided in the opening report. Therefore, if you indeed can still reproduce this bug even with the changeset I asked you about earlier, you should be seeing a different backtrace. Having that new backtrace would be helpful. If you are seeing the very same backtrace, I have to ask: are you sure you are using a webkitgtk build which includes that changeset?
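The check comment 5 describes, mechanised as an added helper that is not part of this bug thread or of WebKit: parse a gdb backtrace into frames and test whether textUnderElement() is still entered directly from accessibilityPlatformIncludesObject(), the call path r140166 removed. The sample frames are constructed in the shape of the two traces quoted on this page, not copied from them.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# One non-debug gdb frame, e.g. "#5  0x00007ffff5123585 in WebCore::Foo::bar() const () from /lib/libwebkitgtk-3.0.so.0"
FRAME_RE = re.compile(r"^#(?P<num>\d+)\s+0x[0-9a-fA-F]+\s+in\s+(?P<func>.+?)\s+\(\)\s+from\s+(?P<lib>\S+)$")

# The call path that comment 5 says http://trac.webkit.org/changeset/140166 removed.
REMOVED_CALLER = "WebCore::AccessibilityObject::accessibilityPlatformIncludesObject"
REMOVED_CALLEE = "WebCore::AccessibilityRenderObject::textUnderElement"
# Constructed sample frames in the shape of the two traces quoted in this bug (not copied from them).
TRACE_OLD = """\
#4  0x00007ffff54334bf in WebCore::plainText(WebCore::Range const*, WebCore::TextIteratorBehavior, bool) () from ~/lib64/libwebkitgtk-3.0.so.0
#5  0x00007ffff5123585 in WebCore::AccessibilityRenderObject::textUnderElement() const () from ~/lib64/libwebkitgtk-3.0.so.0
#6  0x00007ffff5f87b89 in WebCore::AccessibilityObject::accessibilityPlatformIncludesObject() const () from ~/lib64/libwebkitgtk-3.0.so.0
"""
TRACE_NEW = """\
#1  0x00007ffff503afad in WebCore::AccessibilityTableCell::isTableCell() const () from ~/opt/gnome3/lib64/libwebkitgtk-3.0.so.0
#2  0x00007ffff503afed in WebCore::AccessibilityTableCell::roleValue() const () from ~/opt/gnome3/lib64/libwebkitgtk-3.0.so.0
#3  0x00007ffff5f668e6 in webkitAccessibleDetach () from ~/opt/gnome3/lib64/libwebkitgtk-3.0.so.0
"""

@dataclass
class Frame:
    num: int
    func: str  # symbol exactly as gdb printed it, e.g. "WebCore::Foo::bar() const"
    lib: str   # shared object the frame belongs to

    @property
    def name(self) -> str:
        """Qualified name with the parameter list and trailing qualifiers stripped."""
        return self.func.split("(", 1)[0]

def parse_backtrace(text: str) -> List[Frame]:
    """Parse the frame lines of a gdb 'bt' listing; lines that are not frames are skipped."""
    matches = (FRAME_RE.match(line.strip()) for line in text.splitlines())
    return [Frame(int(m["num"]), m["func"], m["lib"]) for m in matches if m]

def caller_of(frames: List[Frame], callee: str) -> Optional[str]:
    """Name of the frame directly above `callee` (frame k+1 is the caller of frame k), or None."""
    by_num = {f.num: f for f in frames}
    for f in frames:
        if f.name == callee or f.name.endswith("::" + callee):
            above = by_num.get(f.num + 1)
            return above.name if above else None
    return None

def predates_r140166(text: str) -> bool:
    """True when textUnderElement() is still entered from accessibilityPlatformIncludesObject() (removed in r140166, per comment 5)."""
    return caller_of(parse_backtrace(text), REMOVED_CALLEE) == REMOVED_CALLER
```

Run against a trace pasted from gdb, a True result means the build cannot include the changeset, which is the inconsistency comment 5 points at.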
Sergio Villar Senin, Comment 6, 2013-01-20 03:27:46 PST
It is definitely not the same backtrace, sorry for not checking it carefully, but I can still reproduce it 100% of the time (I'm using r140241):
1- open the transmission web interface in the browser
2- click on the button at the right named "inspector" (a panel will show up)
3- click to select an item you're downloading (yes you need to have at least one download)
4- the right pane has 4 buttons at the top. Click on the second starting from the left (the one with a purple round icon).
Then...

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff503b05b in WebCore::AccessibilityTableCell::parentTable() const () from ~/opt/gnome3/lib64/libwebkitgtk-3.0.so.0
(gdb) bt
#0  0x00007ffff503b05b in WebCore::AccessibilityTableCell::parentTable() const () from ~/opt/gnome3/lib64/libwebkitgtk-3.0.so.0
#1  0x00007ffff503afad in WebCore::AccessibilityTableCell::isTableCell() const () from ~/opt/gnome3/lib64/libwebkitgtk-3.0.so.0
#2  0x00007ffff503afed in WebCore::AccessibilityTableCell::roleValue() const () from ~/opt/gnome3/lib64/libwebkitgtk-3.0.so.0
#3  0x00007ffff5f668e6 in webkitAccessibleDetach () from ~/opt/gnome3/lib64/libwebkitgtk-3.0.so.0
#4  0x00007ffff503ee8c in WebCore::AXObjectCache::remove(unsigned int) () from ~/opt/gnome3/lib64/libwebkitgtk-3.0.so.0
#5  0x00007ffff503f0ae in WebCore::AXObjectCache::remove(WebCore::RenderObject*) () from ~/opt/gnome3/lib64/libwebkitgtk-3.0.so.0
#6  0x00007ffff580581c in WebCore::RenderObject::willBeDestroyed() () from ~/opt/gnome3/lib64/libwebkitgtk-3.0.so.0
#7  0x00007ffff5723bad in WebCore::RenderBlock::willBeDestroyed() () from ~/opt/gnome3/lib64/libwebkitgtk-3.0.so.0
#8  0x00007ffff58041cd in WebCore::RenderObject::destroy() () from ~/opt/gnome3/lib64/libwebkitgtk-3.0.so.0
#9  0x00007ffff57fbbc4 in WebCore::RenderObjectChildList::destroyLeftoverChildren() () from ~/opt/gnome3/lib64/libwebkitgtk-3.0.so.0
#10 0x00007ffff580556a in WebCore::RenderObject::willBeDestroyed() () from ~/opt/gnome3/lib64/libwebkitgtk-3.0.so.0
#11 0x00007ffff58041cd in WebCore::RenderObject::destroy() () from ~/opt/gnome3/lib64/libwebkitgtk-3.0.so.0
#12 0x00007ffff57fbbc4 in WebCore::RenderObjectChildList::destroyLeftoverChildren() () from ~/opt/gnome3/lib64/libwebkitgtk-3.0.so.0
#13 0x00007ffff580556a in WebCore::RenderObject::willBeDestroyed() () from ~/opt/gnome3/lib64/libwebkitgtk-3.0.so.0
#14 0x00007ffff58041cd in WebCore::RenderObject::destroy() () from ~/opt/gnome3/lib64/libwebkitgtk-3.0.so.0
#15 0x00007ffff57fbbc4 in WebCore::RenderObjectChildList::destroyLeftoverChildren() () from ~/opt/gnome3/lib64/libwebkitgtk-3.0.so.0
#16 0x00007ffff5723acc in WebCore::RenderBlock::willBeDestroyed() () from ~/opt/gnome3/lib64/libwebkitgtk-3.0.so.0
#17 0x00007ffff58041cd in WebCore::RenderObject::destroy() () from ~/opt/gnome3/lib64/libwebkitgtk-3.0.so.0
#18 0x00007ffff57fbbc4 in WebCore::RenderObjectChildList::destroyLeftoverChildren() () from ~/opt/gnome3/lib64/libwebkitgtk-3.0.so.0
#19 0x00007ffff5723acc in WebCore::RenderBlock::willBeDestroyed() () from ~/opt/gnome3/lib64/libwebkitgtk-3.0.so.0
#20 0x00007ffff58041cd in WebCore::RenderObject::destroy() () from ~/opt/gnome3/lib64/libwebkitgtk-3.0.so.0
#21 0x00007ffff5281292 in WebCore::Node::detach() () from ~/opt/gnome3/lib64/libwebkitgtk-3.0.so.0
#22 0x00007ffff520fa9e in WebCore::ContainerNode::detach() () from ~/opt/gnome3/lib64/libwebkitgtk-3.0.so.0
#23 0x00007ffff525c394 in WebCore::Element::detach() () from ~/opt/gnome3/lib64/libwebkitgtk-3.0.so.0
#24 0x00007ffff525d663 in WebCore::Node::reattach() () from ~/opt/gnome3/lib64/libwebkitgtk-3.0.so.0
#25 0x00007ffff525ccb8 in WebCore::Element::recalcStyle(WebCore::Node::StyleChange) () from ~/opt/gnome3/lib64/libwebkitgtk-3.0.so.0
#26 0x00007ffff525cbf5 in WebCore::Element::recalcStyle(WebCore::Node::StyleChange) () from ~/opt/gnome3/lib64/libwebkitgtk-3.0.so.0
#27 0x00007ffff525cbf5 in WebCore::Element::recalcStyle(WebCore::Node::StyleChange) () from ~/opt/gnome3/lib64/libwebkitgtk-3.0.so.0
#28 0x00007ffff525cbf5 in WebCore::Element::recalcStyle(WebCore::Node::StyleChange) () from ~/opt/gnome3/lib64/libwebkitgtk-3.0.so.0
#29 0x00007ffff5230c6b in WebCore::Document::recalcStyle(WebCore::Node::StyleChange) () from ~/opt/gnome3/lib64/libwebkitgtk-3.0.so.0
#30 0x00007ffff523107e in WebCore::Document::updateStyleIfNeeded() () from ~/opt/gnome3/lib64/libwebkitgtk-3.0.so.0
#31 0x00007ffff5231bc2 in WebCore::Document::updateLayout() () from ~/opt/gnome3/lib64/libwebkitgtk-3.0.so.0
#32 0x00007ffff52342e9 in WebCore::Document::updateLayoutIgnorePendingStylesheets() () from ~/opt/gnome3/lib64/libwebkitgtk-3.0.so.0
#33 0x00007ffff52532b1 in WebCore::Element::offsetWidth() () from ~/opt/gnome3/lib64/libwebkitgtk-3.0.so.0
#34 0x00007ffff5a6e5ed in WebCore::jsElementOffsetWidth(JSC::ExecState*, JSC::JSValue, JSC::PropertyName) () from ~/opt/gnome3/lib64/libwebkitgtk-3.0.so.0
#35 0x00007ffff4630981 in JSC::JSValue::get(JSC::ExecState*, JSC::PropertyName, JSC::PropertySlot&) const () from ~/opt/gnome3/lib64/libjavascriptcoregtk-3.0.so.0
#36 0x00007ffff46f2c75 in cti_op_get_by_id () from ~/opt/gnome3/lib64/libjavascriptcoregtk-3.0.so.0
Sergio Villar Senin, Comment 7, 2013-01-20 03:30:47 PST
(In reply to comment #6)
> 3- click to select an item you're downloading (yes you need to have at least one download)
Actually you don't need a download, just the right panel visible.
Sergio Villar Senin, Comment 8, 2013-01-20 03:33:33 PST
(In reply to comment #7)
> (In reply to comment #6)
> > 3- click to select an item you're downloading (yes you need to have at least one download)
> Actually you don't need a download, just the right panel visible.
Even easier: just showing the inspector (I think the network pane) triggers the crash.
Sergio Villar Senin, Comment 9, 2013-01-20 03:37:47 PST
So I guess that in the end this is a dup.
*** This bug has been marked as a duplicate of bug 107261 ***