Bug 216309 - AccessibilityMenuList and MenuListPopup notifications need to be posted asynchronously.
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: New Bugs
Version: WebKit Nightly Build
Hardware: Unspecified Unspecified
Importance: P2 Normal
Assignee: Andres Gonzalez
Keywords: InRadar
Reported: 2020-09-09 07:32 PDT by Andres Gonzalez
Modified: 2020-09-09 10:42 PDT
Attachments
Patch (3.68 KB, patch)
2020-09-09 07:50 PDT, Andres Gonzalez
no flags

Description Andres Gonzalez 2020-09-09 07:32:20 PDT
AccessibilityMenuList and MenuListPopup notifications need to be posted asynchronously.
Comment 1 Andres Gonzalez 2020-09-09 07:50:50 PDT
Created attachment 408326
Patch
Comment 2 Andres Gonzalez 2020-09-09 07:56:27 PDT
Crash trace:

Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
0   com.apple.WebCore             	0x00007fff39896673 WTFCrashWithInfo(int, char const*, char const*, int) + 19
1   com.apple.WebCore             	0x00007fff396f7dc4 WebCore::Document::updateLayout() + 660
2   com.apple.WebCore             	0x00007fff3a79b4a2 WebCore::AccessibilityObject::updateBackingStore() + 226
3   com.apple.WebCore             	0x00007fff3b7ff3db -[WebAccessibilityObjectWrapperBase updateObjectBackingStore] + 59
4   com.apple.WebCore             	0x00007fff3b80c157 -[WebAccessibilityObjectWrapper accessibilityIsIgnored] + 23
5   com.apple.AppKit              	0x00007fff283094d6 __NSAccessibilityEntryPointIsAccessibilityElement_block_invoke + 286
6   com.apple.AppKit              	0x00007fff2830937a NSAccessibilityPerformEntryPointBOOL + 16
7   com.apple.AppKit              	0x00007fff27d723bd NSAccessibilityEntryPointIsAccessibilityElement + 93
8   com.apple.AppKit              	0x00007fff27fd22c2 NSAccessibilityPostNotificationForObservedElementWithUserInfo + 217
9   com.apple.WebCore             	0x00007fff3a7882cd WebCore::AccessibilityMenuList::didUpdateActiveOption(int) + 189
10  com.apple.WebCore             	0x00007fff398453cb WebCore::RenderMenuList::setTextFromOption(int) + 1419
11  com.apple.WebCore             	0x00007fff39762fbf WebCore::HTMLSelectElement::selectOption(int, unsigned int) + 511
12  com.apple.WebCore             	0x00007fff3ad2c49d WebCore::HTMLOptionElement::insertedIntoAncestor(WebCore::Node::InsertionType, WebCore::ContainerNode&) + 157
13  com.apple.WebCore             	0x00007fff3aa84b9a WebCore::notifyNodeInsertedIntoDocument(WebCore::ContainerNode&, WebCore::Node&, WebCore::TreeScopeChange, WTF::Vector<WTF::Ref<WebCore::Node, WTF::DumbPtrTraits<WebCore::Node> >, 11ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>&) + 58
14  com.apple.WebCore             	0x00007fff3aa84a32 WebCore::notifyChildNodeInserted(WebCore::ContainerNode&, WebCore::Node&) + 130
15  com.apple.WebCore             	0x00007fff3aa7e70e WebCore::ContainerNode::appendChildWithoutPreInsertionValidityCheck(WebCore::Node&) + 990
16  com.apple.WebCore             	0x00007fff3ab175cd WebCore::Node::appendChild(WebCore::Node&) + 93
17  com.apple.WebCore             	0x00007fff39f1bd72 WebCore::jsNodePrototypeFunctionAppendChild(JSC::JSGlobalObject*, JSC::CallFrame*) + 482
18  ???                           	0x00003e021dc011d8 0 + 68178809983448
19  com.apple.JavaScriptCore      	0x00007fff2edaca4f llint_entry + 104267
20  com.apple.JavaScriptCore      	0x00007fff2edacacf llint_entry + 104395
21  com.apple.JavaScriptCore      	0x00007fff2edaca4f llint_entry + 104267
22  com.apple.JavaScriptCore      	0x00007fff2edacacf llint_entry + 104395
23  ???                           	0x00003e021e1cdccb 0 + 68178816064715
24  com.apple.JavaScriptCore      	0x00007fff2edacacf llint_entry + 104395
25  com.apple.JavaScriptCore      	0x00007fff2edacacf llint_entry + 104395
26  com.apple.JavaScriptCore      	0x00007fff2edacacf llint_entry + 104395
27  com.apple.JavaScriptCore      	0x00007fff2edacacf llint_entry + 104395
28  com.apple.JavaScriptCore      	0x00007fff2edad77e llint_entry + 107642
29  ???                           	0x00003e021dc9dd90 0 + 68178810625424
30  com.apple.JavaScriptCore      	0x00007fff2edaca4f llint_entry + 104267
31  com.apple.JavaScriptCore      	0x00007fff2edacacf llint_entry + 104395
32  com.apple.JavaScriptCore      	0x00007fff2edacacf llint_entry + 104395
33  com.apple.JavaScriptCore      	0x00007fff2ed9310f vmEntryToJavaScript + 216
34  com.apple.JavaScriptCore      	0x00007fff2f3d1696 JSC::Interpreter::executeCall(JSC::JSGlobalObject*, JSC::JSObject*, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) + 518
35  com.apple.JavaScriptCore      	0x00007fff2f69b465 JSC::boundThisNoArgsFunctionCall(JSC::JSGlobalObject*, JSC::CallFrame*) + 837
36  ???                           	0x00003e021dc01a97 0 + 68178809985687
37  ???                           	0x00003e021dc8e4f5 0 + 68178810561781
38  com.apple.JavaScriptCore      	0x00007fff2ed9310f vmEntryToJavaScript + 216
39  com.apple.JavaScriptCore      	0x00007fff2f3d1696 JSC::Interpreter::executeCall(JSC::JSGlobalObject*, JSC::JSObject*, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) + 518
40  com.apple.JavaScriptCore      	0x00007fff2f5fb0c4 JSC::profiledCall(JSC::JSGlobalObject*, JSC::ProfilingReason, JSC::JSValue, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) + 164
41  com.apple.JavaScriptCore      	0x00007fff2f6e40ef JSC::JSMicrotask::run(JSC::JSGlobalObject*) + 415
42  com.apple.WebCore             	0x00007fff3a83af68 WebCore::JSMicrotaskCallback::call() + 104
43  com.apple.WebCore             	0x00007fff3a83aecc WTF::Detail::CallableWrapper<WebCore::JSDOMWindowBase::queueMicrotaskToEventLoop(JSC::JSGlobalObject&, WTF::Ref<JSC::Microtask, WTF::DumbPtrTraits<JSC::Microtask> >&&)::$_36, void>::call() + 76
44  com.apple.WebCore             	0x00007fff3ab0b3c6 WebCore::MicrotaskQueue::performMicrotaskCheckpoint() + 134
45  com.apple.WebCore             	0x00007fff3a82ef0d WebCore::JSExecState::didLeaveScriptContext(JSC::JSGlobalObject*) + 173
46  com.apple.WebCore             	0x00007fff3a85956f WebCore::JSExecState::profiledEvaluate(JSC::JSGlobalObject*, JSC::ProfilingReason, JSC::SourceCode const&, JSC::JSValue, WTF::NakedPtr<JSC::Exception>&) + 127
47  com.apple.WebCore             	0x00007fff3a859272 WebCore::ScriptController::evaluateInWorld(WebCore::ScriptSourceCode const&, WebCore::DOMWrapperWorld&) + 178
48  com.apple.WebCore             	0x00007fff3a8595c8 WebCore::ScriptController::evaluateIgnoringException(WebCore::ScriptSourceCode const&) + 40
49  com.apple.WebCore             	0x00007fff3ab3b950 WebCore::ScriptElement::executeClassicScript(WebCore::ScriptSourceCode const&) + 528
50  com.apple.WebCore             	0x00007fff3ab064f8 WebCore::LoadableClassicScript::execute(WebCore::ScriptElement&) + 168
51  com.apple.WebCore             	0x00007fff3ab3c07d WebCore::ScriptElement::executePendingScript(WebCore::PendingScript&) + 445
52  com.apple.WebCore             	0x00007fff3ab3e571 WebCore::ScriptRunner::timerFired() + 1249
53  com.apple.WebCore             	0x00007fff3b15c526 WTF::Detail::CallableWrapper<WebCore::ThreadTimers::setSharedTimer(WebCore::SharedTimer*)::$_0, void>::call() + 198
54  com.apple.WebCore             	0x00007fff3965b01f WebCore::timerFired(__CFRunLoopTimer*, void*) + 31
...
Comment 3 Andres Gonzalez 2020-09-09 07:57:12 PDT
<rdar://problem/68108824>
Comment 4 chris fleizach 2020-09-09 09:50:57 PDT
Comment on attachment 408326
Patch

These are the last 3 PostSynchronously methods. Can we remove this argument now since it causes issues?
Comment 5 Andres Gonzalez 2020-09-09 10:21:58 PDT
(In reply to chris fleizach from comment #4)
> Comment on attachment 408326
> Patch
> 
> These are the last 3 PostSynchronously methods. Can we remove this argument
> now since it causes issues?

Yes! Doing that in a separate patch, since we typically don't want to mix the cleanup work with the actual fix for this crash. Will submit the cleanup soon.
Comment 6 EWS 2020-09-09 10:42:06 PDT
Committed r266787: <https://trac.webkit.org/changeset/266787>

All reviewed patches have been landed. Closing bug and clearing flags on attachment 408326.