Bug 150944 - Layout Test accessibility/win/linked-elements.html is crashing on win debug
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: Accessibility
Version: WebKit Nightly Build
Hardware: PC Windows 7
Importance: P2 Normal
Assignee: Nobody
Keywords: InRadar
Reported: 2015-11-05 14:09 PST by Ryan Haddad
Modified: 2017-05-13 11:48 PDT
Attachments
Patch proposal (6.66 KB, patch)
2015-11-06 03:56 PST, Mario Sanchez Prada
cfleizach: review+

Description Ryan Haddad 2015-11-05 14:09:23 PST
Layout Test accessibility/win/linked-elements.html is crashing on win debug

Run:
<https://build.webkit.org/builders/Apple%20Win%207%20Debug%20(Tests)/builds/68173>
Results:
<https://build.webkit.org/results/Apple%20Win%207%20Debug%20(Tests)/r192022%20(68173)/results.html>

STACK_TEXT:  
003ac7ac 5670d2f1 003ac8c4 003ac850 cccccccc WTF!WTFCrash+0x21
003ac838 567110bf 003ac88c 00000000 cccccc00 WebKit!WebCore::AccessibilityRenderObject::textUnderElement+0x4b1
003ac864 5635b41b 003ac88c 003ac884 0332c2c0 WebKit!WebCore::AccessibilityRenderObject::nameForMSAA+0x6f
003ac878 56359d48 003ac88c 003ac8ec 0332c2c0 WebKit!AccessibleBase::name+0x2b
003ac8a8 73ef56f8 0332c2c0 00000003 00000000 WebKit!AccessibleBase::get_accName+0x98
003ac8d0 73ef52ce 04c09180 00000003 00000000 OLEACC!AccWrap_Base::get_accName+0x22
003ac908 6e839401 04c09180 00000003 00000000 OLEACC!AccWrap_Annotate::get_accName+0x59
003ac960 6e80cb4b 003ac994 cccccccc cccccccc DumpRenderTreeLib!AccessibilityUIElement::title+0xb1
003ac97c 6578c53d 003acca8 052356a0 04ee3b48 DumpRenderTreeLib!getTitleCallback+0x2b
003ac9ec 6577ab3f 003aca4c 003acca8 605400d8 JavaScriptCore!JSC::JSCallbackObject<JSC::JSDestructibleObject>::getStaticValue+0xdd
003acabc 657ade33 052356a0 003acca8 605400d8 JavaScriptCore!JSC::JSCallbackObject<JSC::JSDestructibleObject>::getOwnPropertySlot+0x2ff
003acadc 657ae8cd 003acca8 004a22d8 05221dd0 JavaScriptCore!JSC::JSObject::fastGetOwnPropertySlot+0x63
003acb38 65bafa6e 003acca8 605400d8 003acbdc JavaScriptCore!JSC::JSObject::getPropertySlot+0x7d
003acb54 65baf167 003acca8 605400d8 003acbdc JavaScriptCore!JSC::JSValue::getPropertySlot+0x9e
003acb84 662424b4 003acbcc 003acca8 605400d8 JavaScriptCore!JSC::JSValue::get+0x37
003acc38 662a8e57 003acca8 051ac928 004d3f90 JavaScriptCore!llint_slow_path_get_by_id+0xd4
003acca8 662a6cbd 051f4cc0 fffffffa 0523ebe0 JavaScriptCore!llint_entry+0x2003
003acd04 65dfe7da 00ff3020 004a22d8 003acde8 JavaScriptCore!vmEntryToJavaScript+0x10d
003acd58 65dbb791 003acd74 004a22d8 003acde8 JavaScriptCore!JSC::JITCode::execute+0xca
003acf5c 65dbd3a4 003ad8a8 0455efa0 003ad968 JavaScriptCore!JSC::Interpreter::execute+0x8b1
003ad894 66247709 003ad8a8 003ad968 032bba20 JavaScriptCore!JSC::eval+0x3b4
003ad8e8 662ab877 003ad9c8 04c1ccf8 cccccccc JavaScriptCore!llint_slow_path_call_eval+0x119
003ad9c8 662ab397 051f5ec0 65e1771b 0523f7a0 JavaScriptCore!llint_entry+0x4a23
003ada28 662a6cbd 051f60c0 fffffffa 0523ecc0 JavaScriptCore!llint_entry+0x4543
003ada78 65dfe7da 00fe3000 004a22d8 003adb90 JavaScriptCore!vmEntryToJavaScript+0x10d
003adacc 65dba1b0 003adaf4 004a22d8 003adb90 JavaScriptCore!JSC::JITCode::execute+0xca
003ae620 65ffd54c 003ae654 0455f0c0 0326c0f0 JavaScriptCore!JSC::Interpreter::execute+0xef0
003ae680 570fbe64 003ae6e4 0326c0f0 003ae7e0 JavaScriptCore!JSC::evaluate+0x1ac
003ae6b4 5703a981 003ae6e4 0326c0f0 003ae7e0 WebKit!WebCore::JSMainThreadExecState::evaluate+0x44
003ae744 5703a878 003ae780 003ae7dc 00499dc8 WebKit!WebCore::ScriptController::evaluateInWorld+0xf1
003ae760 567db070 003ae780 003ae7dc 00000000 WebKit!WebCore::ScriptController::evaluate+0x28
003ae7b8 567dadd6 003ae7dc 003ae988 003ae888 WebKit!WebCore::ScriptElement::executeScript+0x160
003ae878 57fdcaba 003ae9cc 00000000 003aea5c WebKit!WebCore::ScriptElement::prepareScript+0x506
003ae988 57fdbcb0 04fc7fd0 003ae9cc 003ae9e4 WebKit!WebCore::HTMLScriptRunner::runScript+0x15a
003ae9a4 5743a2a5 04fc7fd0 003ae9cc 003ae9e4 WebKit!WebCore::HTMLScriptRunner::execute+0x90
003ae9dc 57439b2b 003aea68 051b59e8 003aea5c WebKit!WebCore::HTMLDocumentParser::runScriptsForPausedTreeBuilder+0xe5
003ae9ec 57439d14 00000000 003aea34 003aeb30 WebKit!WebCore::HTMLDocumentParser::canTakeNextToken+0x7b
003aea5c 5743a0f5 00000000 003aeb3c 051b59e8 WebKit!WebCore::HTMLDocumentParser::pumpTokenizer+0x134
003aea70 57439056 00000000 003aebd8 003aeb3c WebKit!WebCore::HTMLDocumentParser::pumpTokenizerIfPossible+0x95
003aeb30 567d5080 003aeb44 003aeb6c 00000000 WebKit!WebCore::HTMLDocumentParser::append+0x186
003aeb58 57451f18 05199f78 03889350 00000911 WebKit!WebCore::DecodedDataDocumentParser::appendBytes+0x90
003aeb78 57199e26 03889350 00000911 003aec18 WebKit!WebCore::DocumentWriter::addData+0xb8
003aebd8 564ce585 03889350 00000911 003aec5c WebKit!WebCore::DocumentLoader::commitData+0x226
003aec18 5719a6ef 05199f08 03889350 00000911 WebKit!WebFrameLoaderClient::committedLoad+0x35
003aec5c 5719bcb2 03889350 00000911 003aec88 WebKit!WebCore::DocumentLoader::commitLoad+0xbf
003aec74 57ee7f4b 04f01c80 03889350 00000911 WebKit!WebCore::DocumentLoader::dataReceived+0x1b2
003aecc0 57ee7727 03889350 00000911 003aed00 WebKit!WebCore::CachedRawResource::notifyClientsDataWasReceived+0x6b
003aecf4 57637752 04e9bec0 003aed8c 003aed90 WebKit!WebCore::CachedRawResource::addDataBuffer+0xb7
003aed34 57636ceb 00000000 00000000 00000000 WebKit!WebCore::SubresourceLoader::didReceiveDataOrBuffer+0x1c2
003aed5c 5738c928 00000000 00000911 00000000 WebKit!WebCore::SubresourceLoader::didReceiveBuffer+0x3b
003aed7c 573e0030 04be3ad0 00000000 00000911 WebKit!WebCore::ResourceLoader::didReceiveBuffer+0x38
003aeda8 573df44b 03889338 00000911 0387e140 WebKit!WebCore::SynchronousResourceHandleCFURLConnectionDelegate::didReceiveData+0xd0
003aedbc 6f66e9c4 038037c0 03889338 00000911 WebKit!WebCore::ResourceHandleCFURLConnectionDelegate::didReceiveDataCallback+0x1b
WARNING: Stack unwind information not available. Following frames may be wrong.
003aedf8 6f6703e5 00000911 03889338 0387e148 CFNetwork!CFCachedURLResponseCreateWithDataArray+0x175972
003aee94 6f52011e 0387842c 03878420 00000000 CFNetwork!CFCachedURLResponseCreateWithDataArray+0x177393
003aeebc 6f2f7aa8 00000000 03803680 0387e148 CFNetwork!CFCachedURLResponseCreateWithDataArray+0x270cc
003aeecc 6f2f7aa8 00000000 03803680 00000000 pthreadVC2!pthread_setcanceltype+0x67ab
003aeedc 6f2f303e 003aee24 0387e148 00000000 pthreadVC2!pthread_setcanceltype+0x67ab
00000000 00000000 00000000 00000000 00000000 pthreadVC2!pthread_setcanceltype+0x1d41
Comment 1 Radar WebKit Bug Importer 2015-11-05 14:10:29 PST
<rdar://problem/23419352>
Comment 2 Ryan Haddad 2015-11-05 14:14:00 PST
TestExpectations updated in <https://trac.webkit.org/r192075>
Comment 3 chris fleizach 2015-11-05 22:16:05 PST
Mario, this looks like fallout from a recent GTK change. Are you able to take a look?
Comment 4 Mario Sanchez Prada 2015-11-06 01:38:10 PST
(In reply to comment #3)
> Mario, this looks like fallout from a recent GTK change. Are you able to take
> a look?

I'll take a look at it today, yes.
Comment 5 Mario Sanchez Prada 2015-11-06 03:56:23 PST
Created attachment 264933
Patch proposal

I was trying all sorts of things to try to reproduce a similar crash in the GTK+ port but I couldn't, so I am proposing a speculative fix instead.

As I understand it, the problem is that now that I moved those ASSERTs from AccessibilityNodeObject down to AccessibilityRenderObject, we are hitting those checks way more often for objects with an associated renderer, since AccessibilityNodeObject::textUnderElement is not executed that often in this case.

So, the checks will probably need to be more precise to avoid being too paranoid, as for instance we don't need to worry about having a stable subtree when we are either going through a RenderText object or not in 'IncludeAllChildren' mode.

Looking at the backtrace, I can see that WebCore::AccessibilityRenderObject::nameForMSAA() calls textUnderElement() with the default mode, so I understand the attached patch should get rid of the crash in Win Debug bots.

Hope this helps
Comment 6 Mario Sanchez Prada 2015-11-06 08:26:51 PST
Committed r192103: <http://trac.webkit.org/changeset/192103>
Comment 7 zalan 2017-05-13 11:48:46 PDT
I am rolling this out with https://trac.webkit.org/changeset/216825/webkit.
Should accessibility/win/linked-elements.html hit this assertion, we need to address it properly.