53131 – [GTK] Reliable crash with getTextAtOffset()

Bug 53131 - [GTK] Reliable crash with getTextAtOffset()

Summary: [GTK] Reliable crash with getTextAtOffset()

Status:	RESOLVED FIXED

Alias:	None

Product:	WebKit
Classification:	Unclassified
Component:	Accessibility (show other bugs)
Version:	528+ (Nightly build)
Hardware:	PC Linux

Importance:	P2 Normal
Assignee:	Nobody

URL:
Keywords:	Gtk

Depends on:
Blocks:	25531
	Show dependency tree / graph

Reported:	2011-01-25 15:09 PST by Joanmarie Diggs
Modified:	2011-01-26 14:44 PST (History)
CC List:	3 users (show)

See Also:

Attachments
test case (101 bytes, text/html) 2011-01-25 15:09 PST, Joanmarie Diggs	no flags	Details
Patch proposal (2.34 KB, patch) 2011-01-26 12:08 PST, Mario Sanchez Prada	no flags	Details \| Formatted Diff \| Diff
Patch proposal + unit tests (6.95 KB, patch) 2011-01-26 14:31 PST, Mario Sanchez Prada	mrobinson: review+	Details \| Formatted Diff \| Diff
Show Obsolete (1) View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Joanmarie Diggs 2011-01-25 15:09:38 PST

Created attachment 80131 [details]
test case

Steps to reproduce:

1. Load the test case in Epiphany.

2. Use Accerciser's object tree to locate and select the object associated with the paragraph from the test case.

3. In Accerciser's iPython console type:

  acc.queryText().getTextAtOffset(0, TEXT_BOUNDARY_LINE_START)

For me, it crashes Epiphany reliably.

This is problematic for Orca users because as a user navigates through document content by line, Orca will use getTextAtOffset() to get that line.

Comment 1 Joanmarie Diggs 2011-01-25 15:10:17 PST

Thread 4 (Thread 0xb3959b70 (LWP 9295)):
#0  0xb7883424 in __kernel_vsyscall ()
#1  0xb5881de6 in poll () from /lib/libc.so.6
#2  0xb5aa299b in g_poll (fds=0x9e252c8, nfds=3, timeout=-1) at /build/buildd/glib2.0-2.27.91/glib/gpoll.c:132
#3  0xb5a9232f in g_main_context_poll (context=0x9e248e8, block=-1247139472, dispatch=1, self=<value optimized out>)
    at /build/buildd/glib2.0-2.27.91/glib/gmain.c:3404
#4  g_main_context_iterate (context=0x9e248e8, block=-1247139472, dispatch=1, self=<value optimized out>)
    at /build/buildd/glib2.0-2.27.91/glib/gmain.c:3086
#5  0xb5a92aab in g_main_loop_run (loop=0x9e248d8) at /build/buildd/glib2.0-2.27.91/glib/gmain.c:3299
#6  0xb5c35344 in gdbus_shared_thread_func (data=0x0) at /build/buildd/glib2.0-2.27.91/gio/gdbusprivate.c:276
#7  0xb5abb66f in g_thread_create_proxy (data=0x9e24978) at /build/buildd/glib2.0-2.27.91/glib/gthread.c:1897
#8  0xb5925e79 in start_thread () from /lib/libpthread.so.0
#9  0xb58904ee in clone () from /lib/libc.so.6

Thread 3 (Thread 0xafea2b70 (LWP 9297)):
#0  0xb7883424 in __kernel_vsyscall ()
#1  0xb592a46c in pthread_cond_wait@@GLIBC_2.3.2 () from /lib/libpthread.so.0
#2  0xb72d6a87 in WTF::TCMalloc_PageHeap::scavengerThread() () from /usr/lib/libwebkit-1.0.so.2
#3  0xb72d6acd in WTF::TCMalloc_PageHeap::runScavengerThread(void*) () from /usr/lib/libwebkit-1.0.so.2
#4  0xb5925e79 in start_thread () from /lib/libpthread.so.0
#5  0xb58904ee in clone () from /lib/libc.so.6

Thread 2 (Thread 0xaf581b70 (LWP 9298)):
#0  0xb7883424 in __kernel_vsyscall ()
#1  0xb592a46c in pthread_cond_wait@@GLIBC_2.3.2 () from /lib/libpthread.so.0
#2  0xb72e9734 in WTF::ThreadCondition::wait(WTF::Mutex&) () from /usr/lib/libwebkit-1.0.so.2
#3  0xb69ab332 in WebCore::IconDatabase::syncThreadMainLoop() () from /usr/lib/libwebkit-1.0.so.2
#4  0xb69acb4f in WebCore::IconDatabase::iconDatabaseSyncThread() () from /usr/lib/libwebkit-1.0.so.2
#5  0xb69acc9d in WebCore::IconDatabase::iconDatabaseSyncThreadStart(void*) () from /usr/lib/libwebkit-1.0.so.2
#6  0xb72e940f in WTF::threadEntryPoint(void*) () from /usr/lib/libwebkit-1.0.so.2
#7  0xb5925e79 in start_thread () from /lib/libpthread.so.0
#8  0xb58904ee in clone () from /lib/libc.so.6

Thread 1 (Thread 0xb3e7a860 (LWP 9294)):
#0  0xb7883424 in __kernel_vsyscall ()
#1  0xb57eac41 in raise () from /lib/libc.so.6
#2  0xb57ee11e in abort () from /lib/libc.so.6
#3  0xb5821bd7 in ?? () from /lib/libc.so.6
#4  0xb582bfe1 in ?? () from /lib/libc.so.6
#5  0xb582d93b in ?? () from /lib/libc.so.6
#6  0xb5830acd in free () from /lib/libc.so.6
#7  0xb5a98e96 in g_free (mem=0x9f2c290) at /build/buildd/glib2.0-2.27.91/glib/gmem.c:263
#8  0xb647eeab in textForRenderer(WebCore::RenderObject*) () from /usr/lib/libwebkit-1.0.so.2
#9  0xb647f1ed in textForObject(WebCore::AccessibilityRenderObject*) () from /usr/lib/libwebkit-1.0.so.2
#10 0xb6480e8f in getPangoLayoutForAtk(_AtkText*) () from /usr/lib/libwebkit-1.0.so.2
#11 0xb6480f74 in webkit_accessible_text_get_text_at_offset(_AtkText*, int, AtkTextBoundary, int*, int*) () from /usr/lib/libwebkit-1.0.so.2
#12 0xb5495d0d in atk_text_get_text_at_offset (text=0xa33b8c8, offset=0, boundary_type=ATK_TEXT_BOUNDARY_LINE_START, start_offset=0xbff45b6c, 
    end_offset=0xbff45b68) at atktext.c:421
#13 0xb3b5a05a in impl_getTextAtOffset (servant=0x9e28ad4, offset=0, type=Accessibility_TEXT_BOUNDARY_LINE_START, startOffset=0xbff45c60, 
    endOffset=0xbff45c40, ev=0xbff45ee0) at text.c:128
#14 0xb3b4e61c in _ORBIT_skel_small_Accessibility_Text_getTextAtOffset (_o_servant=0x9e28ad4, _o_retval=0xbff45d00, _o_args=0xbff45ce0, 
    _o_ctx=0xbff45d7c, _o_ev=0xbff45ee0, _impl_getTextAtOffset=0xb3b5a010 <impl_getTextAtOffset>) at Accessibility-common.c:744
#15 0xb57410c7 in ?? () from /usr/lib/libORBit-2.so.0
#16 0xb5747e25 in ORBit_OAObject_invoke () from /usr/lib/libORBit-2.so.0
#17 0xb57337f9 in ORBit_small_invoke_adaptor () from /usr/lib/libORBit-2.so.0
#18 0xb574319a in ?? () from /usr/lib/libORBit-2.so.0
#19 0xb5743887 in ?? () from /usr/lib/libORBit-2.so.0
#20 0xb5743a1d in ?? () from /usr/lib/libORBit-2.so.0
#21 0xb5747ce1 in ORBit_handle_request () from /usr/lib/libORBit-2.so.0
#22 0xb5730095 in giop_connection_handle_input () from /usr/lib/libORBit-2.so.0
#23 0xb574ec4a in ?? () from /usr/lib/libORBit-2.so.0
#24 0xb5751a96 in ?? () from /usr/lib/libORBit-2.so.0
#25 0xb5a91c28 in g_main_dispatch (context=0x9dcdf30) at /build/buildd/glib2.0-2.27.91/glib/gmain.c:2440
#26 g_main_context_dispatch (context=0x9dcdf30) at /build/buildd/glib2.0-2.27.91/glib/gmain.c:3013
#27 0xb5a923f0 in g_main_context_iterate (context=0x9dcdf30, block=-1247139472, dispatch=1, self=<value optimized out>)
    at /build/buildd/glib2.0-2.27.91/glib/gmain.c:3091
#28 0xb5a92aab in g_main_loop_run (loop=0x9e2b9b8) at /build/buildd/glib2.0-2.27.91/glib/gmain.c:3299
#29 0xb5ffc329 in gtk_main () from /usr/lib/libgtk-x11-2.0.so.0
#30 0x0806ec82 in main ()

Comment 2 Mario Sanchez Prada 2011-01-26 12:08:52 PST

Created attachment 80219 [details]
Patch proposal

Simple patch to fix this. It seems there was an error in how the length in bytes for a UTF8 substring was being calculated.

Comment 3 Martin Robinson 2011-01-26 12:15:13 PST

The change looks good to me. Is there any way to write a test for it?

Comment 4 Mario Sanchez Prada 2011-01-26 13:05:19 PST

(In reply to comment #3)
> The change looks good to me. Is there any way to write a test for it?

I didn't think it was needed as it was a minor change in a helper function, but I could write an unit test if you want, although I think it's perhaps a little overkill for such a small change...

As you wish :-)

Comment 5 Mario Sanchez Prada 2011-01-26 14:31:38 PST

Created attachment 80239 [details]
Patch proposal + unit tests

Attaching new patch including a new unit test.

Comment 6 Martin Robinson 2011-01-26 14:33:38 PST

Comment on attachment 80239 [details]
Patch proposal + unit tests

Thanks for including the test.

Comment 7 Mario Sanchez Prada 2011-01-26 14:44:10 PST

Committed r76721: <http://trac.webkit.org/changeset/76721>