RESOLVED FIXED Bug 34463
[Gtk] webkitgtk crashed when Orca open 
https://bugs.webkit.org/show_bug.cgi?id=34463
Summary [Gtk] webkitgtk crashed when Orca open
Simon
Reported 2010-02-01 20:46:06 PST
Program received signal SIGSEGV, Segmentation fault. 0x015de00b in textForObject(WebCore::AccessibilityRenderObject*) () from /home/musi/webkitproject/trunk52853/WebKitBuild/Release/.libs/libwebkit-1.0.so.2 (gdb) bt #0 0x015de00b in textForObject(WebCore::AccessibilityRenderObject*) () from /home/musi/webkitproject/trunk52853/WebKitBuild/Release/.libs/libwebkit-1.0.so.2 #1 0x015e08c9 in webkit_accessible_text_get_text(_AtkText*, int, int) () from /home/musi/webkitproject/trunk52853/WebKitBuild/Release/.libs/libwebkit-1.0.so.2 #2 0x00b9031e in atk_text_get_text () from /usr/lib/libatk-1.0.so.0 #3 0x01e0659c in ?? () from /usr/lib/libspi.so.0 #4 0x01dfa90a in _ORBIT_skel_small_Accessibility_Text_getText () from /usr/lib/libspi.so.0 #5 0x04040537 in ?? () from /usr/lib/libORBit-2.so.0 #6 0x04046b45 in ORBit_OAObject_invoke () from /usr/lib/libORBit-2.so.0 #7 0x04032e63 in ORBit_small_invoke_adaptor () from /usr/lib/libORBit-2.so.0 #8 0x04044649 in ?? () from /usr/lib/libORBit-2.so.0 #9 0x04044d22 in ?? () from /usr/lib/libORBit-2.so.0 #10 0x04044ed9 in ?? () from /usr/lib/libORBit-2.so.0 #11 0x04046f92 in ORBit_handle_request () from /usr/lib/libORBit-2.so.0 #12 0x0402f155 in giop_connection_handle_input () from /usr/lib/libORBit-2.so.0 #13 0x0404e743 in ?? () from /usr/lib/libORBit-2.so.0 #14 0x04051016 in ?? () from /usr/lib/libORBit-2.so.0 #15 0x0061be88 in g_main_context_dispatch () from /lib/libglib-2.0.so.0 #16 0x0061f730 in ?? () from /lib/libglib-2.0.so.0 #17 0x0061f863 in g_main_context_iteration () from /lib/libglib-2.0.so.0 ---Type <return> to continue, or q <return> to quit--- #18 0x0404c2b7 in link_main_iteration () from /usr/lib/libORBit-2.so.0 #19 0x0402e71e in giop_recv_buffer_get () from /usr/lib/libORBit-2.so.0 #20 0x04033856 in ORBit_small_invoke_stub () from /usr/lib/libORBit-2.so.0 #21 0x04033a89 in ORBit_small_invoke_stub_n () from /usr/lib/libORBit-2.so.0 #22 0x040407ba in ORBit_c_stub_invoke () from /usr/lib/libORBit-2.so.0 #23 0x01de9a54 in Accessibility_EventListener_notifyEvent () from /usr/lib/libspi.so.0 #24 0x05be33bc in ?? () from /usr/lib/gtk-2.0/modules/libatk-bridge.so #25 0x05be469e in ?? () from /usr/lib/gtk-2.0/modules/libatk-bridge.so #26 0x005bc267 in ?? () from /usr/lib/libgobject-2.0.so.0 #27 0x005bdb2d in g_signal_emit_valist () from /usr/lib/libgobject-2.0.so.0 #28 0x005bdfb6 in g_signal_emit () from /usr/lib/libgobject-2.0.so.0 #29 0x00b8a53d in ?? () from /usr/lib/libatk-1.0.so.0 #30 0x005b4118 in g_cclosure_marshal_VOID__PARAM () from /usr/lib/libgobject-2.0.so.0 #31 0x005a56f9 in ?? () from /usr/lib/libgobject-2.0.so.0 #32 0x005a7072 in g_closure_invoke () from /usr/lib/libgobject-2.0.so.0 #33 0x005bc0b0 in ?? () from /usr/lib/libgobject-2.0.so.0 #34 0x005bdb2d in g_signal_emit_valist () from /usr/lib/libgobject-2.0.so.0 #35 0x005bdfb6 in g_signal_emit () from /usr/lib/libgobject-2.0.so.0 #36 0x005ab3e1 in ?? () from /usr/lib/libgobject-2.0.so.0 #37 0x005a7daf in ?? () from /usr/lib/libgobject-2.0.so.0 #38 0x005acec3 in g_object_notify () from /usr/lib/libgobject-2.0.so.0 ---Type <return> to continue, or q <return> to quit--- #39 0x047fff72 in ?? () from /usr/lib/gtk-2.0/modules/libgail.so #40 0x006b8f78 in ?? () from /usr/lib/libgdk-x11-2.0.so.0 #41 0x0061a101 in ?? () from /lib/libglib-2.0.so.0 #42 0x0061be88 in g_main_context_dispatch () from /lib/libglib-2.0.so.0 #43 0x0061f730 in ?? () from /lib/libglib-2.0.so.0 #44 0x0061fb9f in g_main_loop_run () from /lib/libglib-2.0.so.0 #45 0x00247419 in gtk_main () from /usr/lib/libgtk-x11-2.0.so.0 #46 0x08049e8d in main () (gdb)
Attachments
Additional sanity checking (2.38 KB, patch)
2010-02-01 23:50 PST, Joanmarie Diggs 		no flags
DetailsFormatted DiffDiff
Patch: Make textForObject check if a render object is text before running toRenderText (1.77 KB, patch)
2010-02-03 12:11 PST, José Millán Soto 		xan.lopez: review+
commit-queue: commit-queue-
DetailsFormatted DiffDiff
Patch: Make textForObject check if a render object is text before running toRenderText (1.74 KB, patch)
2010-02-04 09:57 PST, José Millán Soto 		no flags
DetailsFormatted DiffDiff
Show Obsolete (1) View All Add attachment proposed patch, testcase, etc.
Joanmarie Diggs
Comment 1 2010-02-01 21:04:36 PST
Can you provide exact steps to reproduce? Also, can you reproduce this with the latest trunk?
Joanmarie Diggs
Comment 2 2010-02-01 21:54:13 PST
Okay, I might have found at least a similar crasher: 1. Launch Orca and GtkLauncher 2. Tab amongst the links on Google. Everything's fine until I get to 'Advertising Programs', at which point GtkLauncher segfaults with a similar trace. I'll investigate. Thanks for the report!
Joanmarie Diggs
Comment 3 2010-02-01 23:50:51 PST
Created attachment 47909 [details] Additional sanity checking I don't yet know what situation specifically triggered Simon's crash, because I need more detail. In the crash I stumbled upon, we were getting some seriously bogus values for renderText->textLength(). However, under those same conditions, renderText->caretMaxOffset() was 0. Checking that value before calling convertUniCharToUTF8 with the bogus length solves my crasher. Xan, thoughts?
Simon
Comment 4 2010-02-02 00:37:48 PST
This crash happened on latest trunk r54128 on Ubuntu 9.10. like you already figured it out, the step to reproduce this crash: 1. Launch Orca and GtkLauncher 2. Tab amongst the links on Google or just browse around .
Simon
Comment 5 2010-02-02 01:33:55 PST
tested with the patch,while tab amongst goole home page, still crashed: from /home/musi/webkitproject/trunk52853/WebKitBuild/Release/.libs/libwebkit-1.0.so.2 (gdb) bt #0 0x013a5740 in webkit_accessible_text_get_caret_offset(_AtkText*) () from /home/musi/webkitproject/trunk52853/WebKitBuild/Release/.libs/libwebkit-1.0.so.2 #1 0x00279f19 in atk_text_get_caret_offset () from /usr/lib/libatk-1.0.so.0 #2 0x01c03226 in ?? () from /usr/lib/libspi.so.0 #3 0x01bf78d6 in _ORBIT_skel_small_Accessibility_Text__get_caretOffset () from /usr/lib/libspi.so.0 #4 0x03923537 in ?? () from /usr/lib/libORBit-2.so.0 #5 0x03929b45 in ORBit_OAObject_invoke () from /usr/lib/libORBit-2.so.0 #6 0x03915e63 in ORBit_small_invoke_adaptor () from /usr/lib/libORBit-2.so.0 #7 0x03927649 in ?? () from /usr/lib/libORBit-2.so.0 #8 0x03927d22 in ?? () from /usr/lib/libORBit-2.so.0 #9 0x03927ed9 in ?? () from /usr/lib/libORBit-2.so.0 #10 0x03929f92 in ORBit_handle_request () from /usr/lib/libORBit-2.so.0 #11 0x03912155 in giop_connection_handle_input () from /usr/lib/libORBit-2.so.0 #12 0x03931743 in ?? () from /usr/lib/libORBit-2.so.0 #13 0x03934016 in ?? () from /usr/lib/libORBit-2.so.0 #14 0x00ab7e88 in g_main_context_dispatch () from /lib/libglib-2.0.so.0 #15 0x00abb730 in ?? () from /lib/libglib-2.0.so.0 #16 0x00abbb9f in g_main_loop_run () from /lib/libglib-2.0.so.0 #17 0x003d4419 in gtk_main () from /usr/lib/libgtk-x11-2.0.so.0 #18 0x08049e8d in main ()
Xan Lopez
Comment 6 2010-02-02 13:22:28 PST
Comment on attachment 47909 [details] Additional sanity checking After a chat on IRC both Joanie and me agree that we are not sure this patch is what we really want, so I'm moving it out of the queue until we investigate this a bit more.
José Millán Soto
Comment 7 2010-02-03 12:11:48 PST
Created attachment 48058 [details] Patch: Make textForObject check if a render object is text before running toRenderText I think that the problem is that toRenderText is being executed without checking if the object is a RenderText; and toRenderText will return an RenderText* even if the object is not a RenderText (It checks if it's a RenderText using ASSERT, but the returned value does not depend on whether the object is a RenderText or not). This patch checks if the object is a RenderText before executing toRenderText.
Xan Lopez
Comment 8 2010-02-03 12:28:20 PST
Comment on attachment 48058 [details] Patch: Make textForObject check if a render object is text before running toRenderText Looks great to me, good catch.
WebKit Commit Bot
Comment 9 2010-02-03 12:46:08 PST
Comment on attachment 48058 [details] Patch: Make textForObject check if a render object is text before running toRenderText Rejecting patch 48058 from commit-queue. Failed to run "['git', 'svn', 'dcommit']" exit_code: 1 Last 500 characters of output: vn.webkit.org/repository/webkit/trunk ... M WebCore/ChangeLog M WebCore/accessibility/gtk/AccessibilityObjectWrapperAtk.cpp A repository hook failed: MERGE request failed on '/repository/webkit/trunk': Commit blocked by pre-commit hook (exit code 1) with output: svnlook: Can't write to stream: Broken pipe The following ChangeLog files contain OOPS: trunk/WebCore/ChangeLog Please don't ever say "OOPS" in a ChangeLog file. at /usr/local/git/libexec/git-core/git-svn line 558 Full output: http://webkit-commit-queue.appspot.com/results/232635
Simon
Comment 10 2010-02-04 01:56:48 PST
(In reply to comment #5) > tested with the patch,while tab amongst goole home page, still crashed: > > from > /home/musi/webkitproject/trunk52853/WebKitBuild/Release/.libs/libwebkit-1.0.so.2 > (gdb) bt > #0 0x013a5740 in webkit_accessible_text_get_caret_offset(_AtkText*) () > from > /home/musi/webkitproject/trunk52853/WebKitBuild/Release/.libs/libwebkit-1.0.so.2 > #1 0x00279f19 in atk_text_get_caret_offset () from /usr/lib/libatk-1.0.so.0 > #2 0x01c03226 in ?? () from /usr/lib/libspi.so.0 > #3 0x01bf78d6 in _ORBIT_skel_small_Accessibility_Text__get_caretOffset () > from /usr/lib/libspi.so.0 > #4 0x03923537 in ?? () from /usr/lib/libORBit-2.so.0 > #5 0x03929b45 in ORBit_OAObject_invoke () from /usr/lib/libORBit-2.so.0 > #6 0x03915e63 in ORBit_small_invoke_adaptor () from /usr/lib/libORBit-2.so.0 > #7 0x03927649 in ?? () from /usr/lib/libORBit-2.so.0 > #8 0x03927d22 in ?? () from /usr/lib/libORBit-2.so.0 > #9 0x03927ed9 in ?? () from /usr/lib/libORBit-2.so.0 > #10 0x03929f92 in ORBit_handle_request () from /usr/lib/libORBit-2.so.0 > #11 0x03912155 in giop_connection_handle_input () from /usr/lib/libORBit-2.so.0 > #12 0x03931743 in ?? () from /usr/lib/libORBit-2.so.0 > #13 0x03934016 in ?? () from /usr/lib/libORBit-2.so.0 > #14 0x00ab7e88 in g_main_context_dispatch () from /lib/libglib-2.0.so.0 > #15 0x00abb730 in ?? () from /lib/libglib-2.0.so.0 > #16 0x00abbb9f in g_main_loop_run () from /lib/libglib-2.0.so.0 > #17 0x003d4419 in gtk_main () from /usr/lib/libgtk-x11-2.0.so.0 > #18 0x08049e8d in main () seem still crashed like this for second patch
José Millán Soto
Comment 11 2010-02-04 09:57:59 PST
Created attachment 48153 [details] Patch: Make textForObject check if a render object is text before running toRenderText New version of the patch which do not have the "No new tests" line. (In reply to comment #9) > (From update of attachment 48058 [details]) > Rejecting patch 48058 from commit-queue. > The following ChangeLog files contain OOPS: > Please don't ever say "OOPS" in a ChangeLog file. I thought that the "No new tests" line would be automatically removed when reviewed. Sorry for the mistake :( (In reply to comment #10) > (In reply to comment #5) > > tested with the patch,while tab amongst goole home page, still crashed: > > > > from > > /home/musi/webkitproject/trunk52853/WebKitBuild/Release/.libs/libwebkit-1.0.so.2 > > (gdb) bt > > #0 0x013a5740 in webkit_accessible_text_get_caret_offset(_AtkText*) () > > from > > /home/musi/webkitproject/trunk52853/WebKitBuild/Release/.libs/libwebkit-1.0.so.2 > > #1 0x00279f19 in atk_text_get_caret_offset () from /usr/lib/libatk-1.0.so.0 > seem still crashed like this for second patch Could not reproduce this crash. However, if it crashed in that webkit_accessible_text_get_caret_offset i think it may be a different bug.
Xan Lopez
Comment 12 2010-02-04 10:12:45 PST
Comment on attachment 48153 [details] Patch: Make textForObject check if a render object is text before running toRenderText Round two!
WebKit Commit Bot
Comment 13 2010-02-04 10:35:43 PST
Comment on attachment 48153 [details] Patch: Make textForObject check if a render object is text before running toRenderText Clearing flags on attachment: 48153 Committed r54355: <http://trac.webkit.org/changeset/54355>
WebKit Commit Bot
Comment 14 2010-02-04 10:35:50 PST
All reviewed patches have been landed. Closing bug.
Simon
Comment 15 2010-02-09 23:53:00 PST
press down tab for a while, i can still reproduce this crash with below same stack. thoughts? (In reply to comment #10) > (In reply to comment #5) > > tested with the patch,while tab amongst goole home page, still crashed: > > > > from > > /home/musi/webkitproject/trunk52853/WebKitBuild/Release/.libs/libwebkit-1.0.so.2 > > (gdb) bt > > #0 0x013a5740 in webkit_accessible_text_get_caret_offset(_AtkText*) () > > from > > /home/musi/webkitproject/trunk52853/WebKitBuild/Release/.libs/libwebkit-1.0.so.2 > > #1 0x00279f19 in atk_text_get_caret_offset () from /usr/lib/libatk-1.0.so.0 > > #2 0x01c03226 in ?? () from /usr/lib/libspi.so.0 > > #3 0x01bf78d6 in _ORBIT_skel_small_Accessibility_Text__get_caretOffset () > > from /usr/lib/libspi.so.0 > > #4 0x03923537 in ?? () from /usr/lib/libORBit-2.so.0 > > #5 0x03929b45 in ORBit_OAObject_invoke () from /usr/lib/libORBit-2.so.0 > > #6 0x03915e63 in ORBit_small_invoke_adaptor () from /usr/lib/libORBit-2.so.0 > > #7 0x03927649 in ?? () from /usr/lib/libORBit-2.so.0 > > #8 0x03927d22 in ?? () from /usr/lib/libORBit-2.so.0 > > #9 0x03927ed9 in ?? () from /usr/lib/libORBit-2.so.0 > > #10 0x03929f92 in ORBit_handle_request () from /usr/lib/libORBit-2.so.0 > > #11 0x03912155 in giop_connection_handle_input () from /usr/lib/libORBit-2.so.0 > > #12 0x03931743 in ?? () from /usr/lib/libORBit-2.so.0 > > #13 0x03934016 in ?? () from /usr/lib/libORBit-2.so.0 > > #14 0x00ab7e88 in g_main_context_dispatch () from /lib/libglib-2.0.so.0 > > #15 0x00abb730 in ?? () from /lib/libglib-2.0.so.0 > > #16 0x00abbb9f in g_main_loop_run () from /lib/libglib-2.0.so.0 > > #17 0x003d4419 in gtk_main () from /usr/lib/libgtk-x11-2.0.so.0 > > #18 0x08049e8d in main () > > seem still crashed like this for second patch
Joanmarie Diggs
Comment 16 2010-02-10 00:01:01 PST
(In reply to comment #15) > press down tab for a while, i can still reproduce this crash with below same > stack. > thoughts? 1. Is this with the very latest nightly build? (I ask because there were some crasher issues that got fixed after the revision - 52853 - suggested in your report. Changes are taking place in this area quite frequently.) 2. What version of Orca are you using? 3. What EXACTLY are you tabbing to (i.e. what has focus) to cause this to occur?
Simon
Comment 17 2010-02-10 00:18:55 PST
(In reply to comment #16) > (In reply to comment #15) > > press down tab for a while, i can still reproduce this crash with below same > > stack. > > thoughts? > > 1. Is this with the very latest nightly build? (I ask because there were some > crasher issues that got fixed after the revision - 52853 - suggested in your > report. Changes are taking place in this area quite frequently.) > I'm on trunk r54475. musi@musi-desktop:~/webkitproject/trunk54128/WebKitBuild/Release/Programs$ ldd GtkLauncher linux-gate.so.1 => (0x0053f000) libwebkit-1.0.so.2 => /home/musi/webkitproject/trunk54128/WebKitBuild/Release/.libs/libwebkit-1.0.so.2 (0x00d7a000) Program received signal SIGSEGV, Segmentation fault. 0x0160b2f0 in webkit_accessible_text_get_caret_offset(_AtkText*) () from /home/musi/webkitproject/trunk54128/WebKitBuild/Release/.libs/libwebkit-1.0.so.2 (gdb) where #0 0x0160b2f0 in webkit_accessible_text_get_caret_offset(_AtkText*) () from /home/musi/webkitproject/trunk54128/WebKitBuild/Release/.libs/libwebkit-1.0.so.2 #1 0x00d30f19 in atk_text_get_caret_offset () from /usr/lib/libatk-1.0.so.0 #2 0x07e84226 in ?? () from /usr/lib/libspi.so.0 #3 0x07e788d6 in _ORBIT_skel_small_Accessibility_Text__get_caretOffset () from /usr/lib/libspi.so.0 #4 0x075bd537 in ?? () from /usr/lib/libORBit-2.so.0 #5 0x075c3b45 in ORBit_OAObject_invoke () from /usr/lib/libORBit-2.so.0 #6 0x075afe63 in ORBit_small_invoke_adaptor () from /usr/lib/libORBit-2.so.0 > 2. What version of Orca are you using? > Orca 2.28.1 > 3. What EXACTLY are you tabbing to (i.e. what has focus) to cause this to > occur? On google homepage, press down tab constantly for a while
José Millán Soto
Comment 18 2010-02-19 12:09:28 PST
Opening bug for the new crash, as the original one has been fixed. New crash is bug #35169
Note You need to log in before you can comment on or make changes to this bug.