Bug 137658 - Crash in AccessibilityMenuListOption::elementRect()
Status: NEW
Alias: None
Product: WebKit
Classification: Unclassified
Component: Accessibility
Version: 528+ (Nightly build)
Hardware: Unspecified Unspecified
: P2 Normal
Assignee: Nobody
Keywords: InRadar
Depends on:
Reported: 2014-10-13 10:41 PDT by Carlos Garcia Campos
Modified: 2014-11-13 22:06 PST (History)
6 users
Description Carlos Garcia Campos 2014-10-13 10:41:53 PDT
Program received signal SIGSEGV, Segmentation fault.
0x00007f7789a157ac in WebCore::AccessibilityMenuListOption::elementRect() const [clone .localalias.4] () from libwebkit2gtk-4.0.so.37
(gdb) bt
#0  0x00007f7789a157ac in WebCore::AccessibilityMenuListOption::elementRect() const [clone .localalias.4] () from libwebkit2gtk-4.0.so.37
#1  0x00007f7789a1e71d in WebCore::AccessibilityObject::orientation() const () from libwebkit2gtk-4.0.so.37
#2  0x00007f778a6d5296 in webkitAccessibleRefStateSet(_AtkObject*) () from libwebkit2gtk-4.0.so.37
#3  0x00007f777eb09a6e in spi_atk_state_to_dbus_array (object=<optimized out>, array=0x7fffaf341830) at accessible-stateset.c:182
#4  0x00007f777eb10663 in impl_GetState (bus=<optimized out>, message=0x1c8dee0, user_data=<optimized out>) at accessible-adaptor.c:443
#5  0x00007f777eb0f88a in handle_other (pathstr=0x1c8dfb8 "/org/a11y/atspi/accessible/71", member=<optimized out>, iface=0x1c8dff0 "org.a11y.atspi.Accessible", path=0x1ba90b0, 
    message=0x1c8dee0, bus=0x1c14200) at droute.c:553
#6  handle_message (bus=0x1c14200, message=0x1c8dee0, user_data=0x1ba90b0) at droute.c:600
#7  0x00007f777888f5bf in ?? () from /lib/x86_64-linux-gnu/libdbus-1.so.3
#8  0x00007f7778881194 in dbus_connection_dispatch () from /lib/x86_64-linux-gnu/libdbus-1.so.3
#9  0x00007f7778ac8eb5 in message_queue_dispatch (source=<optimized out>, callback=<optimized out>, user_data=<optimized out>) at atspi-gmain.c:89
#10 0x00007f7784fd88ad in g_main_dispatch (context=0x1babb90) at gmain.c:3111
#11 g_main_context_dispatch (context=context@entry=0x1babb90) at gmain.c:3710
#12 0x00007f7784fd8b58 in g_main_context_iterate (context=0x1babb90, block=block@entry=1, dispatch=dispatch@entry=1, self=<optimized out>) at gmain.c:3781
#13 0x00007f7784fd8e72 in g_main_loop_run (loop=0x1e7cea0) at gmain.c:3975
#14 0x00007f778992f0a1 in WebProcessMainUnix () from libwebkit2gtk-4.0.so.37
#15 0x00007f7787dd0b45 in __libc_start_main (main=0x400700 <main>, argc=2, argv=0x7fffaf341d38, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, 
    stack_end=0x7fffaf341d28) at libc-start.c:287
#16 0x0000000000400733 in _start ()

It happens when clicking on the [duplicate] link in GNOME bugzilla (you need to be logged in); I'll try to make a test case. It seems the problem is that the grandparent of the AccessibilityMenuListOption is NULL there, because the parent we are getting there is not the right one but an old one, and the parent of the old one has already cleared its children.
Comment 1 Radar WebKit Bug Importer 2014-10-13 10:42:21 PDT
Comment 2 Joanmarie Diggs 2014-10-19 14:22:08 PDT
I began looking into this and found other problems. The fix for one of those problems (see bug 137866) by side effect fixes this crash for users who are not using assistive technologies.

Once I figure out how to come up with a clever test case for one of the other problems, this crash will be fixed when using assistive technologies.

HOWEVER, the underlying problem causing the crash reported here will persist and still needs to be fixed. (Not yet sure it's a webkit bug however. At least for me, the bug reported here is only reproducible if I use current versions of the build dependencies; using the older versions of the dependencies specified by our jhbuild moduleset results in my seeing no crash.)
Comment 3 Joanmarie Diggs 2014-10-19 15:21:22 PDT
(In reply to comment #2)

> Once I figure out how to come up with a clever test case for one of the
> other problems, this crash will be fixed when using assistive technologies.

I've not yet come up with that clever test case, but I went ahead and filed bug 137867 and attached the currently-test-free patch.
Comment 4 Joanmarie Diggs 2014-11-13 22:06:10 PST
Another of the problems is that you can have the right parent and grandparent, but one of those ancestors gets deliberately removed from the document and then atk_object_ref_state_set() gets called for the selected option. So for that issue, I've just opened bug 138727 and attached a patch for that.

So in summary:
* Bug 137866 fixes the emission of bogus accessible events on non-focused options, even when we have the correct parent and grandparent. That fix is committed and should make the crash reported here extremely unlikely for most users.

* Bug 137867 fixes the role returned for detached accessible objects, so ATs won't innocently poke at moribund accessible objects. That fix is committed and should make the crash reported here extremely unlikely for users of assistive technologies.

* Bug 138727 sanity checks for validly null parent and grandparent objects. It's a tiny patch so hopefully it will be reviewed and committed soon. And that should guarantee that the crash here cannot occur.

What remains is figuring out why we're not getting the right parent in the case described in the opening report. I'll do that next. (Keeping this bug here open as it's become the metabug.)
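As an added illustration (example code, not WebKit's own), a constructed model of the option -> popup -> menu-list parent chain from the description, showing the unchecked ancestor walk beside the null-checked form that the bug 138727 patch is described as adding; the names AXObject, IntRect, elementRectUnchecked and elementRectChecked are assumptions made for this example:

```cpp
#include <vector>

// Constructed model of the accessibility tree shape involved in this report
// (not WebKit's classes): option -> popup (parent) -> menu list (grandparent).
struct IntRect {
    int x = 0, y = 0, w = 0, h = 0;
    bool isEmpty() const { return w == 0 || h == 0; }
};

struct AXObject {
    AXObject* parent = nullptr;
    std::vector<AXObject*> children;
    IntRect rect;
    void addChild(AXObject* c) { c->parent = this; children.push_back(c); }
    // Models a parent "clearing its children": detached children lose their parent link,
    // but anything still holding a pointer to a detached child is not updated.
    void clearChildren() { for (auto* c : children) c->parent = nullptr; children.clear(); }
};

// Before: the option's rect is taken from its grandparent (the menu list) without
// checking that the ancestors still exist. With a stale parent whose own parent has
// been cleared, this dereferences null (the SIGSEGV in the report). Shown for contrast only.
IntRect elementRectUnchecked(const AXObject& option) {
    return option.parent->parent->rect;
}

// After: sanity-check for a null parent or grandparent and return an empty rect
// instead of dereferencing through a detached ancestor.
IntRect elementRectChecked(const AXObject& option) {
    const AXObject* popup = option.parent;
    if (!popup) return IntRect();
    const AXObject* menuList = popup->parent;
    if (!menuList) return IntRect();
    return menuList->rect;
}

// Reproduces the scenario from the description: the option still points at an old popup
// whose parent (the old menu list) has already cleared its children.
bool staleOptionYieldsEmptyRect() {
    AXObject menuList, popup, option;
    menuList.rect = IntRect{10, 20, 100, 30};   // constructed sample geometry
    menuList.addChild(&popup);
    popup.addChild(&option);
    if (elementRectChecked(option).w != 100) return false;   // intact tree: menu list rect
    menuList.clearChildren();   // popup detached; option.parent still points at popup
    return option.parent == &popup && option.parent->parent == nullptr
        && elementRectChecked(option).isEmpty();
}
```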