<rdar://problem/15709541>

Created attachment 219770 [details] patch

Comment on attachment 219770 [details] patch rs=me

Comment on attachment 219770 [details] patch Attachment 219770 [details] did not pass efl-ews (efl): Output: http://webkit-queues.appspot.com/results/44378325

Comment on attachment 219770 [details] patch View in context: https://bugs.webkit.org/attachment.cgi?id=219770&action=review > Source/WebCore/accessibility/AccessibilityRenderObject.cpp:1192 > + // FIXME: Somehow the renderer is becoming null. I'd say: // FIXME (bug number): Some regression tests flakily crash without this check. It is not clear whether the renderer may legitimately be null here.

Comment on attachment 219770 [details] patch Attachment 219770 [details] did not pass efl-wk2-ews (efl-wk2): Output: http://webkit-queues.appspot.com/results/49338291

This is a bit risky to put in without having someone familiar with accessibility review it. I'm not sure what kind of negative effects it will have at all. Was another bug opened to have someone look at this again? Rather than ramming the other patch down WebKit and putting in temporary hacks, it might be better to work through the problems in tandem before committing

(In reply to comment #8) > This is a bit risky to put in without having someone familiar with accessibility review it. I'm not sure what kind of negative effects it will have at all. > > Was another bug opened to have someone look at this again? > > Rather than ramming the other patch down WebKit and putting in temporary hacks, it might be better to work through the problems in tandem before committing We are trying to understand the crash. The changes are temporary.

This is fallout from http://trac.webkit.org/changeset/160908

Looks like there are some dead objects here http://build.webkit.org/results/Apple%20Mavericks%20Debug%20WK1%20(Tests)/r160922%20(1266)/fast/body-propagation/background-image/003-xhtml-crash-log.txt

reopening

This looks like the root cause: http://build.webkit.org/results/Apple%20Mavericks%20Debug%20WK1%20(Tests)/r160955%20(1283)/fast/events/nested-event-remove-node-crash-crash-log.txt 12 com.apple.WebCore 0x00000001079381c8 WebCore::Style::resolveTree(WebCore::Document&, WebCore::Style::Change) + 520 (StyleResolveTree.cpp:880) 13 com.apple.WebCore 0x0000000107c4ace6 WebCore::Document::recalcStyle(WebCore::Style::Change) + 438 (Document.cpp:1760) 14 com.apple.WebCore 0x0000000107c474df WebCore::Document::updateStyleIfNeeded() + 431 (Document.cpp:1809) 15 com.apple.WebCore 0x00000001080d16df WebCore::HTMLElement::supportsFocus() const + 111 (HTMLElement.cpp:667) 16 com.apple.WebCore 0x00000001077169c6 WebCore::AccessibilityNodeObject::canSetFocusAttribute() const + 214 (AccessibilityNodeObject.cpp:1985) 17 com.apple.WebCore 0x0000000107723839 WebCore::AccessibilityRenderObject::inheritsPresentationalRole() const + 41 (AccessibilityRenderObject.cpp:2625) 18 com.apple.WebCore 0x0000000107722d95 WebCore::AccessibilityRenderObject::computeAccessibilityIsIgnored() const + 325 (AccessibilityRenderObject.cpp:1183) 19 com.apple.WebCore 0x000000010771e84f WebCore::AccessibilityObject::accessibilityIsIgnored() const + 191 (AccessibilityObject.cpp:2133) 20 com.apple.WebCore 0x00000001077080cd WebCore::AccessibilityObject::notifyIfIgnoredValueChanged() + 29 (AccessibilityObject.cpp:2033) 21 com.apple.WebCore 0x0000000107708dc8 WebCore::AXObjectCache::recomputeIsIgnored(WebCore::RenderObject*) + 56 (AXObjectCache.cpp:864) 22 com.apple.WebCore 0x0000000108be0359 WebCore::RenderBlock::deleteLines() + 73 (RenderBlock.cpp:932) 23 com.apple.WebCore 0x0000000109462ea2 WebCore::RenderBlockFlow::deleteLines() + 450 (RenderBlockFlow.cpp:1827) 24 com.apple.WebCore 0x0000000108be10cd WebCore::RenderBlock::removeChild(WebCore::RenderObject&) + 1709 (RenderBlock.cpp:1191) 25 com.apple.WebCore 0x0000000108d91e06 WebCore::RenderObject::removeFromParent() + 70 (RenderObject.cpp:187) 26 com.apple.WebCore 0x0000000108d9c2f3 WebCore::RenderObject::willBeDestroyed() + 163 (RenderObject.cpp:1865) 27 com.apple.WebCore 0x0000000108e77647 WebCore::RenderText::willBeDestroyed() + 167 (RenderText.cpp:284) 28 com.apple.WebCore 0x0000000108d9c8bd WebCore::RenderObject::destroy() + 29 (RenderObject.cpp:1985) 29 com.apple.WebCore 0x0000000108d9c892 WebCore::RenderObject::destroyAndCleanupAnonymousWrappers() + 274 (RenderObject.cpp:1975) 30 com.apple.WebCore 0x0000000107937012 WebCore::Style::detachTextRenderer(WebCore::Text&) + 50 (StyleResolveTree.cpp:414) 31 com.apple.WebCore 0x0000000107938661 WebCore::Style::detachChildren(WebCore::ContainerNode&, WebCore::Style::DetachType) + 81 We are entering style resolve from the middle of render tree destruction.

(In reply to comment #13) > This looks like the root cause: > > http://build.webkit.org/results/Apple%20Mavericks%20Debug%20WK1%20(Tests)/r160955%20(1283)/fast/events/nested-event-remove-node-crash-crash-log.txt > > 12 com.apple.WebCore 0x00000001079381c8 WebCore::Style::resolveTree(WebCore::Document&, WebCore::Style::Change) + 520 (StyleResolveTree.cpp:880) > 13 com.apple.WebCore 0x0000000107c4ace6 WebCore::Document::recalcStyle(WebCore::Style::Change) + 438 (Document.cpp:1760) > 14 com.apple.WebCore 0x0000000107c474df WebCore::Document::updateStyleIfNeeded() + 431 (Document.cpp:1809) > 15 com.apple.WebCore 0x00000001080d16df WebCore::HTMLElement::supportsFocus() const + 111 (HTMLElement.cpp:667) > 16 com.apple.WebCore 0x00000001077169c6 WebCore::AccessibilityNodeObject::canSetFocusAttribute() const + 214 (AccessibilityNodeObject.cpp:1985) > 17 com.apple.WebCore 0x0000000107723839 WebCore::AccessibilityRenderObject::inheritsPresentationalRole() const + 41 (AccessibilityRenderObject.cpp:2625) > 18 com.apple.WebCore 0x0000000107722d95 WebCore::AccessibilityRenderObject::computeAccessibilityIsIgnored() const + 325 (AccessibilityRenderObject.cpp:1183) > 19 com.apple.WebCore 0x000000010771e84f WebCore::AccessibilityObject::accessibilityIsIgnored() const + 191 (AccessibilityObject.cpp:2133) > 20 com.apple.WebCore 0x00000001077080cd WebCore::AccessibilityObject::notifyIfIgnoredValueChanged() + 29 (AccessibilityObject.cpp:2033) > 21 com.apple.WebCore 0x0000000107708dc8 WebCore::AXObjectCache::recomputeIsIgnored(WebCore::RenderObject*) + 56 (AXObjectCache.cpp:864) > 22 com.apple.WebCore 0x0000000108be0359 WebCore::RenderBlock::deleteLines() + 73 (RenderBlock.cpp:932) > 23 com.apple.WebCore 0x0000000109462ea2 WebCore::RenderBlockFlow::deleteLines() + 450 (RenderBlockFlow.cpp:1827) > 24 com.apple.WebCore 0x0000000108be10cd WebCore::RenderBlock::removeChild(WebCore::RenderObject&) + 1709 (RenderBlock.cpp:1191) > 25 com.apple.WebCore 0x0000000108d91e06 WebCore::RenderObject::removeFromParent() + 70 (RenderObject.cpp:187) > 26 com.apple.WebCore 0x0000000108d9c2f3 WebCore::RenderObject::willBeDestroyed() + 163 (RenderObject.cpp:1865) > 27 com.apple.WebCore 0x0000000108e77647 WebCore::RenderText::willBeDestroyed() + 167 (RenderText.cpp:284) > 28 com.apple.WebCore 0x0000000108d9c8bd WebCore::RenderObject::destroy() + 29 (RenderObject.cpp:1985) > 29 com.apple.WebCore 0x0000000108d9c892 WebCore::RenderObject::destroyAndCleanupAnonymousWrappers() + 274 (RenderObject.cpp:1975) > 30 com.apple.WebCore 0x0000000107937012 WebCore::Style::detachTextRenderer(WebCore::Text&) + 50 (StyleResolveTree.cpp:414) > 31 com.apple.WebCore 0x0000000107938661 WebCore::Style::detachChildren(WebCore::ContainerNode&, WebCore::Style::DetachType) + 81 > > We are entering style resolve from the middle of render tree destruction. Two thoughts: Does WebCore::HTMLElement::supportsFocus() really need to update the style calculations? It's possible this work WebCore::AXObjectCache::recomputeIsIgnored can be pended on a timer to run during the next runloop iteration

Looks like https://trac.webkit.org/r160966 fixed this.

Rolled out the hack fix in https://trac.webkit.org/r160968