Bug 120667 - REGRESSION(r154697): Crashes in 5 accessibility tests on the GTK port
Status: RESOLVED DUPLICATE of bug 120416
Alias: None
Product: WebKit
Classification: Unclassified
Component: WebKitGTK
Version: 528+ (Nightly build)
Hardware: Unspecified Unspecified
Importance: P2 Normal
Assignee: Nobody
Keywords: Gtk, LayoutTestFailure, Regression
Reported: 2013-09-04 01:38 PDT by Zan Dobersek
Modified: 2013-09-04 02:42 PDT

Description Zan Dobersek 2013-09-04 01:38:22 PDT
The following 5 tests started crashing with r154697:
accessibility/multiselect-list-reports-active-option.html
accessibility/notification-listeners.html
accessibility/menu-list-sends-change-notification.html
accessibility/aria-invalid.html
accessibility/aria-checkbox-sends-notification.html

http://webkit-test-results.appspot.com/dashboards/flakiness_dashboard.html#showAllRuns=true&tests=accessibility%2Fmultiselect-list-reports-active-option.html%2Caccessibility%2Fnotification-listeners.html%2Caccessibility%2Fmenu-list-sends-change-notification.html%2Caccessibility%2Faria-invalid.html%2Caccessibility%2Faria-checkbox-sends-notification.html

Appears to be a problem with reference counting.
The crash log with the backtrace of the crashing thread:

Crash log for DumpRenderTree (pid 17420):
...
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Core was generated by `/home/slave/webkitgtk/gtk-linux-64-debug-wk1/build/WebKitBuild/Debug/Programs/D'.
Program terminated with signal 11, Segmentation fault.
#0  0x00007f80b708dec9 in WTFCrash () at ../../Source/WTF/wtf/Assertions.cpp:342
342	    *(int *)(uintptr_t)0xbbadbeef = 0;

...

Thread 1 (Thread 0x7f80a6ac1900 (LWP 17420)):
#0  0x00007f80b708dec9 in WTFCrash () at ../../Source/WTF/wtf/Assertions.cpp:342
#1  0x00000000004a14b1 in WTF::RefCountedBase::ref (this=0x26968b0) at ../../Source/WTF/wtf/RefCounted.h:59
#2  0x00000000004ad6e1 in WTF::refIfNotNull<AccessibilityNotificationHandler> (ptr=0x26968b0) at ../../Source/WTF/wtf/PassRefPtr.h:46
#3  0x00000000004ad4e7 in WTF::RefPtr<AccessibilityNotificationHandler>::RefPtr (this=0x7fffcaff4450, ptr=0x26968b0) at ../../Source/WTF/wtf/RefPtr.h:43
#4  0x00000000004ad1a0 in WTF::RefPtr<AccessibilityNotificationHandler>::operator= (this=0x25e1688, optr=0x26968b0) at ../../Source/WTF/wtf/RefPtr.h:126
#5  0x00000000004ac370 in AccessibilityUIElement::addNotificationListener (this=0x25e1680, functionCallback=0x7f805eb7db70) at ../../Tools/DumpRenderTree/atk/AccessibilityUIElementAtk.cpp:1038
#6  0x0000000000499742 in addNotificationListenerCallback (context=0x7f805f3ff0b8, function=0x7f805eb3fb90, thisObject=0x7f805eb3fc50, argumentCount=1, arguments=0x7fffcaff4520, exception=0x7fffcaff45b8) at ../../Tools/DumpRenderTree/AccessibilityUIElement.cpp:1010
#7  0x00007f80b6c28921 in JSC::APICallbackFunction::call<JSC::JSCallbackFunction> (exec=0x7f805f3ff0b8) at ../../Source/JavaScriptCore/API/APICallbackFunction.h:59
#8  0x00007f80b6ee3fd2 in JSC::LLInt::handleHostCall (execCallee=0x7f805f3ff0b8, pc=0x2609240, callee=..., kind=JSC::CodeForCall) at ../../Source/JavaScriptCore/llint/LLIntSlowPaths.cpp:949
#9  0x00007f80b6ee7454 in JSC::LLInt::setUpCall (execCallee=0x7f805f3ff0b8, pc=0x2609240, kind=JSC::CodeForCall, calleeAsValue=..., callLinkInfo=0x1f2ede0) at ../../Source/JavaScriptCore/llint/LLIntSlowPaths.cpp:993
#10 0x00007f80b6ee78f6 in JSC::LLInt::genericCall (exec=0x7f805f3ff058, pc=0x2609240, kind=JSC::CodeForCall) at ../../Source/JavaScriptCore/llint/LLIntSlowPaths.cpp:1054
#11 0x00007f80b6ee43b2 in JSC::LLInt::llint_slow_path_call (exec=0x7f805f3ff058, pc=0x2609240) at ../../Source/JavaScriptCore/llint/LLIntSlowPaths.cpp:1060
#12 0x00007f80b72bd35d in llint_op_call () from /home/slave/webkitgtk/gtk-linux-64-debug-wk1/build/WebKitBuild/Debug/.libs/libjavascriptcoregtk-3.0.so.0
#13 0x00007fffcaff4900 in ?? ()
#14 0x00007f80b6e998e9 in JSC::JSStack::installTrapsAfterFrame (this=0x0, frame=0x0) at ../../Source/JavaScriptCore/interpreter/JSStackInlines.h:212
#15 0x00007f80b6eab60e in JSC::JITCode::execute (this=0x25eba90, stack=0x259ffe8, callFrame=0x7f805f3ff058, vm=0x2590590) at ../../Source/JavaScriptCore/jit/JITCode.cpp:46
#16 0x00007f80b6e95c7d in JSC::Interpreter::executeCall (this=0x259ffd0, callFrame=0x7f806401f9e0, function=0x7f805eb7dc30, callType=JSC::CallTypeJS, callData=..., thisValue=..., args=...) at ../../Source/JavaScriptCore/interpreter/Interpreter.cpp:924
#17 0x00007f80b6f6f2b8 in JSC::call (exec=0x7f806401f9e0, functionObject=..., callType=JSC::CallTypeJS, callData=..., thisValue=..., args=...) at ../../Source/JavaScriptCore/runtime/CallData.cpp:39
#18 0x00007f80b2a1518b in WebCore::JSMainThreadExecState::call (exec=0x7f806401f9e0, functionObject=..., callType=JSC::CallTypeJS, callData=..., thisValue=..., args=...) at ../../Source/WebCore/bindings/js/JSMainThreadExecState.h:53
#19 0x00007f80b2a7e003 in WebCore::ScheduledAction::executeFunctionInContext (this=0x1e22ac0, globalObject=0x7f806401f970, thisValue=..., context=0x2631140) at ../../Source/WebCore/bindings/js/ScheduledAction.cpp:111
#20 0x00007f80b2a7e1e3 in WebCore::ScheduledAction::execute (this=0x1e22ac0, document=0x2631090) at ../../Source/WebCore/bindings/js/ScheduledAction.cpp:132
#21 0x00007f80b2a7dde9 in WebCore::ScheduledAction::execute (this=0x1e22ac0, context=0x2631140) at ../../Source/WebCore/bindings/js/ScheduledAction.cpp:80
#22 0x00007f80b31fca3e in WebCore::DOMTimer::fired (this=0x25c6240) at ../../Source/WebCore/page/DOMTimer.cpp:141
#23 0x00007f80b297fb03 in WebCore::ThreadTimers::sharedTimerFiredInternal (this=0x1f2c550) at ../../Source/WebCore/platform/ThreadTimers.cpp:129
#24 0x00007f80b297f9f3 in WebCore::ThreadTimers::sharedTimerFired () at ../../Source/WebCore/platform/ThreadTimers.cpp:105
#25 0x00007f80b299c397 in WebCore::timeout_cb () at ../../Source/WebCore/platform/gtk/SharedTimerGtk.cpp:49
#26 0x00007f80b15f0ce7 in g_timeout_dispatch () from /home/slave/webkitgtk/gtk-linux-64-debug-wk1/build/WebKitBuild/Dependencies/Root/lib64/libglib-2.0.so.0
#27 0x00007f80b15eefb1 in g_main_dispatch () from /home/slave/webkitgtk/gtk-linux-64-debug-wk1/build/WebKitBuild/Dependencies/Root/lib64/libglib-2.0.so.0
#28 0x00007f80b15efd08 in g_main_context_dispatch () from /home/slave/webkitgtk/gtk-linux-64-debug-wk1/build/WebKitBuild/Dependencies/Root/lib64/libglib-2.0.so.0
#29 0x00007f80b15efefa in g_main_context_iterate () from /home/slave/webkitgtk/gtk-linux-64-debug-wk1/build/WebKitBuild/Dependencies/Root/lib64/libglib-2.0.so.0
#30 0x00007f80b15f0323 in g_main_loop_run () from /home/slave/webkitgtk/gtk-linux-64-debug-wk1/build/WebKitBuild/Dependencies/Root/lib64/libglib-2.0.so.0
#31 0x00007f80b1f19fcf in gtk_main () from /home/slave/webkitgtk/gtk-linux-64-debug-wk1/build/WebKitBuild/Dependencies/Root/lib64/libgtk-3.so.0
#32 0x00000000004b0b01 in runTest (inputLine=...) at ../../Tools/DumpRenderTree/gtk/DumpRenderTree.cpp:792
#33 0x00000000004b01d0 in runTestingServerLoop () at ../../Tools/DumpRenderTree/gtk/DumpRenderTree.cpp:575
#34 0x00000000004b351b in main (argc=2, argv=0x7fffcaff59b8) at ../../Tools/DumpRenderTree/gtk/DumpRenderTree.cpp:1531
Comment 1 Simon Pena 2013-09-04 01:44:16 PDT
I think this is bug #120416 (although the title here is a bit easier to follow). Maybe we can close this one as a duplicate and rename the other one?
Comment 2 Mario Sanchez Prada 2013-09-04 02:42:24 PDT
(In reply to comment #1)
> I think this is bug #120416 (although the title here is a bit easier to follow). Maybe we can close this one as a duplicate and rename the other one?

It's definitely the same bug, so I agree with the duplication thing.

About changing the name of the other one, I personally think it's actually more descriptive as it is now, since it mentions what the problem is and the fact that it only crashes on debug.

*** This bug has been marked as a duplicate of bug 120416 ***