I have been seeing this particular crash with some web sites. Here is an example:

1) Go to https://twitter.com/marinaz
2) Find this tweet: "Asked @lwnnet to make its site a safe space for reading news about Linux ..."
3) Ctrl+click the LWN link and you will see the WebKitWebProcess for the new tab crash

Core was generated by `/usr/libexec/webkit2gtk-4.0/WebKitWebProcess 22'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0 WebCore::AccessibilityMenuList::isCollapsed (this=0x7f712d9c09a0) at /usr/src/debug/webkitgtk-2.6.5/Source/WebCore/accessibility/AccessibilityMenuList.cpp:92
92 return !static_cast<RenderMenuList*>(m_renderer)->popupIsVisible();
(gdb) bt
#0 WebCore::AccessibilityMenuList::isCollapsed (this=0x7f712d9c09a0) at /usr/src/debug/webkitgtk-2.6.5/Source/WebCore/accessibility/AccessibilityMenuList.cpp:92
#1 0x00007f719e3fee4d in notifyChildrenSelectionChange (object=0x7f712d9c09a0) at /usr/src/debug/webkitgtk-2.6.5/Source/WebCore/accessibility/atk/AXObjectCacheAtk.cpp:180
#2 WebCore::AXObjectCache::postPlatformNotification (this=this@entry=0x7f713c116e00, coreObject=coreObject@entry=0x7f712d9c09a0, notification=notification@entry=(anonymous namespace)::AXObjectCache::AXMenuListValueChanged) at /usr/src/debug/webkitgtk-2.6.5/Source/WebCore/accessibility/atk/AXObjectCacheAtk.cpp:211
#3 0x00007f719d854b96 in WebCore::AXObjectCache::postNotification (this=this@entry=0x7f713c116e00, object=object@entry=0x7f712d9c09a0, document=document@entry=0x7f719f4c6700, notification=notification@entry=(anonymous namespace)::AXObjectCache::AXMenuListValueChanged, postTarget=postTarget@entry=(anonymous namespace)::TargetElement, postType=postType@entry=(anonymous namespace)::PostSynchronously) at /usr/src/debug/webkitgtk-2.6.5/Source/WebCore/accessibility/AXObjectCache.cpp:807
#4 0x00007f719d860220 in WebCore::AccessibilityMenuList::didUpdateActiveOption (this=0x7f712d9c09a0, optionIndex=1) at /usr/src/debug/webkitgtk-2.6.5/Source/WebCore/accessibility/AccessibilityMenuList.cpp:130
#5 0x00007f719e11ec5d in WebCore::RenderMenuList::setTextFromOption (this=0x7f71074d55a0, optionIndex=1) at /usr/src/debug/webkitgtk-2.6.5/Source/WebCore/rendering/RenderMenuList.cpp:288
#6 0x00007f719dc2f168 in WebCore::HTMLSelectElement::selectOption (this=0x7f710693a000, optionIndex=<optimized out>, flags=0) at /usr/src/debug/webkitgtk-2.6.5/Source/WebCore/html/HTMLSelectElement.cpp:893
#7 0x00007f719c0e5f9e in JSC::JSObject::put (cell=0x7f7106fa40b0, exec=0x7ffee3cb0130, propertyName=..., value=..., slot=...) at /usr/src/debug/webkitgtk-2.6.5/Source/JavaScriptCore/runtime/JSObject.cpp:383
#8 0x00007f719be506a8 in operationPutByValInternal<false, false> (encodedValue=7, encodedProperty=<optimized out>, encodedBase=140123425095856, exec=0x7ffee3cb0130) at /usr/src/debug/webkitgtk-2.6.5/Source/JavaScriptCore/dfg/DFGOperations.cpp:130
#9 JSC::DFG::operationPutByValNonStrict (exec=0x7ffee3cb0130, encodedBase=140123425095856, encodedProperty=<optimized out>, encodedValue=7) at /usr/src/debug/webkitgtk-2.6.5/Source/JavaScriptCore/dfg/DFGOperations.cpp:383
#10 0x00007f713d5f2938 in ?? ()
#11 0x0000000000000000 in ?? ()
(gdb)

I have:
webkitgtk4-2.6.5-1.fc21.x86_64
epiphany-3.14.2-4.fc21.x86_64
I also had gtk+, atk, glib-networking, gvfs and glib built from their respective GNOME 3.16 branches. Reverting those back to their GNOME 3.14 versions seems to have stopped the crashes.
It is something which was detected by fuzzer in Chrome / Blink and fixed in this commit:

Link - https://src.chromium.org/viewvc/blink?view=revision&revision=194543

https://github.com/WebKit/WebKit/blob/d5220e254917f82a86e5d6235224f82a03d25acb/Source/WebCore/accessibility/AccessibilityMenuList.cpp#L45

Adding

if(!renderer)
return false;

https://github.com/WebKit/WebKit/blob/d5220e254917f82a86e5d6235224f82a03d25acb/Source/WebCore/accessibility/AccessibilityMenuList.cpp#L89

Adding

if (!renderer)
return true;

It fixed crashes in - AccessibilityMenuList::isCollapsed
<rdar://problem/102419394>
(In reply to Ahmad Saleem from comment #2)
> It is something which was detected by fuzzer in Chrome / Blink and fixed in
> this commit:
>
> Link - https://src.chromium.org/viewvc/blink?view=revision&revision=194543
>
> https://github.com/WebKit/WebKit/blob/d5220e254917f82a86e5d6235224f82a03d25acb/Source/WebCore/accessibility/AccessibilityMenuList.cpp#L45
>
> Adding
>
> if(!renderer)
> return false;
>
> https://github.com/WebKit/WebKit/blob/d5220e254917f82a86e5d6235224f82a03d25acb/Source/WebCore/accessibility/AccessibilityMenuList.cpp#L89
>
> Adding
>
> if (!renderer)
> return true;
>
> It fixed crashes in - AccessibilityMenuList::isCollapsed

Both of your suggested changes sound good to me. Would you be interested in submitting a patch for them?

Also, were you able to reproduce this crash? Your comment implies so, but want to confirm.
(In reply to Tyler Wilcock from comment #4)
> (In reply to Ahmad Saleem from comment #2)
> > It is something which was detected by fuzzer in Chrome / Blink and fixed in
> > this commit:
> >
> > Link - https://src.chromium.org/viewvc/blink?view=revision&revision=194543
> >
> > https://github.com/WebKit/WebKit/blob/d5220e254917f82a86e5d6235224f82a03d25acb/Source/WebCore/accessibility/AccessibilityMenuList.cpp#L45
> >
> > Adding
> >
> > if(!renderer)
> > return false;
> >
> > https://github.com/WebKit/WebKit/blob/d5220e254917f82a86e5d6235224f82a03d25acb/Source/WebCore/accessibility/AccessibilityMenuList.cpp#L89
> >
> > Adding
> >
> > if (!renderer)
> > return true;
> >
> > It fixed crashes in - AccessibilityMenuList::isCollapsed
> Both of your suggested changes sound good to me. Would you be interested in
> submitting a patch for them?
>
> Also, were you able to reproduce this crash? Your comment implies so, but
> want to confirm.

Nah! I didn't check or try to reproduce; I was just looking through some bugs and came across the fix for it. I just thought to post. I am happy to do a PR.
Committed 256814@main (c441a937ca2a): <https://commits.webkit.org/256814@main> Reviewed commits have been landed. Closing PR #6569 and removing active labels.
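The two guards from comment #2, shown side by side with the unguarded 2.6.5 behaviour on a constructed stand-in (added example; not WebKit's code or the landed patch). The stand-in keeps only the pieces the backtrace needs: a RenderMenuList with a popupIsVisible() query and an accessibility object whose raw m_renderer back-pointer is cleared when the render tree detaches it, which is the state frame #0 dereferences.

```cpp
#include <cassert>

// Constructed stand-in for WebCore::RenderMenuList.
struct RenderMenuList {
    bool popupVisible = false;
    bool popupIsVisible() const { return popupVisible; }
};

// Constructed stand-in for WebCore::AccessibilityMenuList. The renderer is a
// raw back-pointer the AX cache does not own; it becomes null once the render
// object is destroyed while the AX object is still alive and still reachable
// from the notification path in the backtrace above.
class AccessibilityMenuList {
public:
    explicit AccessibilityMenuList(RenderMenuList* renderer) : m_renderer(renderer) {}
    void detachFromRenderer() { m_renderer = nullptr; }

    // webkitgtk 2.6.5 (AccessibilityMenuList.cpp:92): unconditional
    // dereference, a null-pointer SIGSEGV when the renderer is gone.
    bool isCollapsedUnguarded() const { return !m_renderer->popupIsVisible(); }

    // Guard at the second site (#L89): no renderer means no popup can be
    // showing, so report the list as collapsed instead of dereferencing.
    bool isCollapsed() const {
        if (!m_renderer)
            return true;
        return !m_renderer->popupIsVisible();
    }

    // Guard at the first site (#L45): without a renderer the element is not
    // focusable. The attached-case result is constructed for this example.
    bool canSetFocusAttribute() const {
        if (!m_renderer)
            return false;
        return true;
    }

private:
    RenderMenuList* m_renderer;
};

// Attached: guarded and unguarded paths agree, whether the popup is open or not.
bool guardedMatchesUnguardedWhileAttached() {
    RenderMenuList renderer;
    AccessibilityMenuList list(&renderer);
    bool closedOk = list.isCollapsed() && list.isCollapsedUnguarded() && list.canSetFocusAttribute();
    renderer.popupVisible = true;
    bool openOk = !list.isCollapsed() && !list.isCollapsedUnguarded();
    return closedOk && openOk;
}

// Detached: only the guarded accessors may be called; they return the
// fixed values (collapsed, not focusable) rather than crashing.
bool detachedReturnsSafeDefaults() {
    RenderMenuList renderer;
    AccessibilityMenuList list(&renderer);
    list.detachFromRenderer();
    return list.isCollapsed() && !list.canSetFocusAttribute();
}
```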