Bug 187391 - Flaky crash under WebCore::AXObjectCache::stopCachingComputedObjectAttributes()
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: Tools / Tests
Version: WebKit Nightly Build
Hardware: Unspecified Unspecified
Importance: P2 Normal
Assignee: Nobody
Keywords: InRadar
Reported: 2018-07-06 09:30 PDT by Dawei Fenton (:realdawei)
Modified: 2019-04-24 17:49 PDT
Attachments
Patch (9.43 KB, patch)
2019-04-24 14:56 PDT, Andres Gonzalez
Patch (9.43 KB, patch)
2019-04-24 15:06 PDT, Andres Gonzalez

Description Dawei Fenton (:realdawei) 2018-07-06 09:30:48 PDT
accessibility/Mac/attachment-element-replacement-character.html is a flaky crash on High Sierra Debug WK2 (Tests)

probable cause:
Unknown. The crash log itself does blame a different but related test (accessibility/Mac/async-increment-decrement-action.html). Investigating.

Sample Crash log
https://build.webkit.org/results/Apple%20High%20Sierra%20Debug%20WK2%20(Tests)/r233577%20(3998)/accessibility/mac/attachment-element-replacement-character-crash-log.txt

Process:               com.apple.WebKit.WebContent.Development [53843]
Path:                  /Volumes/VOLUME/*/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent.Development
Identifier:            com.apple.WebKit.WebContent
Version:               606+ (606.1.24+)
Code Type:             X86-64 (Native)
Parent Process:        ??? [1]
User ID:               501

Date/Time:             2018-07-06 05:38:45.888 -0700
OS Version:            Mac OS X 10.13.4 (17E199)
Report Version:        12
Anonymous UUID:        A96E1A44-9057-EED1-633D-EE144C76419C


Time Awake Since Boot: 7900000 seconds

System Integrity Protection: enabled

Crashed Thread:        0  Dispatch queue: com.apple.main-thread

Exception Type:        EXC_BAD_ACCESS (SIGSEGV)
Exception Codes:       KERN_INVALID_ADDRESS at 0x00000000000000e0
Exception Note:        EXC_CORPSE_NOTIFY

Termination Signal:    Segmentation fault: 11
Termination Reason:    Namespace SIGNAL, Code 0xb
Terminating Process:   exc handler [0]

VM Regions Near 0xe0:
--> 
    __TEXT                 00000001017d3000-00000001017d5000 [    8K] r-x/rwx SM=COW  /Volumes/VOLUME/*/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent.Development

Application Specific Information:
CRASHING TEST: accessibility/mac/async-increment-decrement-action.html

Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
0   com.apple.WebCore             	0x00000001c97c08ba WebCore::AXObjectCache::stopCachingComputedObjectAttributes() + 74 (AXObjectCache.cpp:1575)
1   com.apple.WebCore             	0x00000001c97c09db WebCore::AXObjectCache::postNotification(WebCore::Node*, WebCore::AXObjectCache::AXNotification, WebCore::PostTarget, WebCore::PostType) + 59 (AXObjectCache.cpp:971)
2   com.apple.WebCore             	0x00000001c980e1f0 WebCore::AccessibilityNodeObject::changeValueByStep(bool) + 272 (AccessibilityNodeObject.cpp:1099)
3   com.apple.WebCore             	0x00000001c980e09a WebCore::AccessibilityNodeObject::alterSliderValue(bool) + 122 (AccessibilityNodeObject.cpp:1068)
4   com.apple.WebCore             	0x00000001c980e288 WebCore::AccessibilityNodeObject::increment() + 136 (AccessibilityNodeObject.cpp:1078)
5   com.apple.WebCore             	0x00000001cb5d6732 -[WebAccessibilityObjectWrapper _accessibilityPerformIncrementAction] + 178 (WebAccessibilityObjectWrapperMac.mm:3518)
6   com.apple.WebCore             	0x00000001cb5d6616 __68-[WebAccessibilityObjectWrapper accessibilityPerformIncrementAction]_block_invoke + 38 (WebAccessibilityObjectWrapperMac.mm:3506)
7   libdispatch.dylib             	0x00007fff6cb5a64a _dispatch_call_block_and_release + 12
8   libdispatch.dylib             	0x00007fff6cb52e08 _dispatch_client_callout + 8
9   libdispatch.dylib             	0x00007fff6cb5e3e5 _dispatch_main_queue_callback_4CF + 1148
10  com.apple.CoreFoundation      	0x00007fff44825ea9 __CFRUNLOOP_IS_SERVICING_THE_MAIN_DISPATCH_QUEUE__ + 9
11  com.apple.CoreFoundation      	0x00007fff447e86ba __CFRunLoopRun + 2586
12  com.apple.CoreFoundation      	0x00007fff447e7a07 CFRunLoopRunSpecific + 487
13  com.apple.HIToolbox           	0x00007fff43ac5d96 RunCurrentEventLoopInMode + 286
14  com.apple.HIToolbox           	0x00007fff43ac5b06 ReceiveNextEventCommon + 613
15  com.apple.HIToolbox           	0x00007fff43ac5884 _BlockUntilNextEventMatchingListInModeWithFilter + 64
16  com.apple.AppKit              	0x00007fff41d78a73 _DPSNextEvent + 2085
17  com.apple.AppKit              	0x00007fff4250ee34 -[NSApplication(NSEvent) _nextEventMatchingEventMask:untilDate:inMode:dequeue:] + 3044
18  com.apple.AppKit              	0x00007fff41d6d885 -[NSApplication run] + 764
19  com.apple.AppKit              	0x00007fff41d3ca72 NSApplicationMain + 804
20  libxpc.dylib                  	0x00007fff6cee6f57 _xpc_objc_main + 580
21  libxpc.dylib                  	0x00007fff6cee5baa xpc_main + 417
22  com.apple.WebKit.WebContent   	0x00000001017d40ab main + 1195
23  libdyld.dylib                 	0x00007fff6cb8c015 start + 1
Comment 1 Ryan Haddad 2018-07-06 09:43:20 PDT
<rdar://problem/40681396>
Comment 2 Shawn Roberts 2019-04-01 13:44:39 PDT
Test recently started showing up on bots as a crash in Mac Release as well.

Probable cause:

Local testing found that running accessibility/mac/attachment-element-replacement-character.html by itself produces no failures.

However, testing accessibility/Mac/async-increment-decrement-action.html by itself will cause a crash roughly 5 times out of 500 iterations.

Also, when I run accessibility/Mac/async-increment-decrement-action.html followed by accessibility/mac/attachment-element-replacement-character.html, the async-increment test will crash, and blame the attach-element test.

Local crashes match crash logs seen here, as well as on the bots.

I tested with newest revisions; it also crashes with https://trac.webkit.org/changeset/230782/webkit when the accessibility/Mac/async-increment-decrement-action.html test was created.

Also crashes with https://trac.webkit.org/changeset/230855/webkit when the test was modified.

Reproduced with:

run-webkit-tests accessibility/Mac/async-increment-decrement-action.html accessibility/Mac/attachment-element-replacement-character.html --iterations 15 --debug

- causes on average 4 in 15 crashes

rwt --root t230781 accessibility/Mac/async-increment-decrement-action.html accessibility/Mac/attachment-element-replacement-character.html --iterations 5

- causes on average 2 in 5 crashes

run-webkit-tests accessibility/mac/async-increment-decrement-action.html --iterations  500 -f

- causes on average 7 in 500 crashes 

Skipping test locally will cause crashes to stop.
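
A triage sketch for the crash report in the Description and the test misattribution noted in Comment 2, added here as an example and not part of the original bug report or of WebKit's tooling: it parses the fault address, the top frame of the crashed thread and the `CRASHING TEST` line, and flags when the harness blamed a different test than the report names. The function name, the 4 KiB near-null threshold and the abridged sample are assumptions.

```python
import re

# Constructed sample: lines abridged from the crash report in the Description.
SAMPLE = """\
Exception Type:        EXC_BAD_ACCESS (SIGSEGV)
Exception Codes:       KERN_INVALID_ADDRESS at 0x00000000000000e0
CRASHING TEST: accessibility/mac/async-increment-decrement-action.html
Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
0   com.apple.WebCore \t0x00000001c97c08ba WebCore::AXObjectCache::stopCachingComputedObjectAttributes() + 74 (AXObjectCache.cpp:1575)
1   com.apple.WebCore \t0x00000001c97c09db WebCore::AXObjectCache::postNotification(WebCore::Node*, WebCore::AXObjectCache::AXNotification, WebCore::PostTarget, WebCore::PostType) + 59 (AXObjectCache.cpp:971)
"""

# Assumption: a fault below one 4 KiB page is treated as a member access
# through a null pointer rather than a wild address.
NULL_PAGE = 0x1000

# Groups: index, image, address, symbol, offset, optional (file:line)
FRAME = re.compile(
    r"^(\d+)\s+(\S+)\s+(0x[0-9a-fA-F]+)\s+(.*?) \+ (\d+)"
    r"(?: \(([^():]+):(\d+)\))?$"
)

def triage(report, blamed_test):
    """Summarise one crash report; blamed_test is the test the harness named."""
    fault = re.search(r"^Exception Codes:\s+(\S+) at (0x[0-9a-fA-F]+)", report, re.M)
    named = re.search(r"^CRASHING TEST:\s*(\S+)", report, re.M)
    frames, in_crashed = [], False
    for line in report.splitlines():
        if re.match(r"Thread \d+ Crashed", line):
            in_crashed = True
        elif in_crashed:
            m = FRAME.match(line)
            if not m:  # first non-frame line ends the crashed thread
                break
            frames.append(m)
    address = int(fault.group(2), 16) if fault else None
    top = frames[0] if frames else None
    test = named.group(1) if named else None
    return {
        "code": fault.group(1) if fault else None,
        "address": address,
        "near_null": address is not None and address < NULL_PAGE,
        "top_symbol": top.group(4) if top else None,
        "source": (top.group(6), int(top.group(7))) if top and top.group(6) else None,
        "depth": len(frames),
        "crashing_test": test,
        # The thread mixes "Mac" and "mac" in paths, so compare case-insensitively.
        "misattributed": test is not None and test.lower() != blamed_test.lower(),
    }

if __name__ == "__main__":
    print(triage(SAMPLE, "accessibility/mac/attachment-element-replacement-character.html"))
```
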
Comment 3 Shawn Roberts 2019-04-01 13:48:15 PDT
Skipping test in https://trac.webkit.org/changeset/243710/webkit while waiting for a fix.
Comment 4 Shawn Roberts 2019-04-08 14:30:50 PDT
Had a typo in the original expectation change.

Redid in https://trac.webkit.org/changeset/244045/webkit
Comment 5 Andres Gonzalez 2019-04-24 14:56:35 PDT
Created attachment 368181 [details]
Patch
Comment 6 chris fleizach 2019-04-24 14:58:41 PDT
Comment on attachment 368181 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=368181&action=review

> Source/WebCore/ChangeLog:7
> +        CHeck for null return value of AccessibilityObject::axObjectCache.

CHeck -> Check
Comment 7 Andres Gonzalez 2019-04-24 15:06:58 PDT
Created attachment 368185 [details]
Patch
Comment 8 Andres Gonzalez 2019-04-24 15:11:49 PDT
(In reply to chris fleizach from comment #6)
> Comment on attachment 368181 [details]
> Patch
> 
> View in context:
> https://bugs.webkit.org/attachment.cgi?id=368181&action=review
> 
> > Source/WebCore/ChangeLog:7
> > +        CHeck for null return value of AccessibilityObject::axObjectCache.
> 
> CHeck -> Check

Fixed, and fixed grammar.
Comment 9 WebKit Commit Bot 2019-04-24 17:49:14 PDT
Comment on attachment 368185 [details]
Patch

Clearing flags on attachment: 368185

Committed r244631: <https://trac.webkit.org/changeset/244631>
Comment 10 WebKit Commit Bot 2019-04-24 17:49:16 PDT
All reviewed patches have been landed.  Closing bug.