Crashes started occurring after r124997 in two tests. The crashes occur flakily, I'd guess only if the accessibility tests have been run before these two tests. The tests are: - fast/css/first-letter-text-fragment-crash.html - editing/inserting/insert-character-in-first-letter-crash.html The crash log: Crash log for DumpRenderTree (pid 11325): [New LWP 11325] [New LWP 11362] [New LWP 11361] [New LWP 11793] [New LWP 11364] [New LWP 11363] [New LWP 11792] [New LWP 11673] [Thread debugging using libthread_db enabled] Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1". Core was generated by `/home/slave/webkitgtk/gtk-linux-64-debug/build/WebKitBuild/Debug/Programs/DumpR'. Program terminated with signal 11, Segmentation fault. #0 0x00007f3074384a4c in WebCore::emitTextChanged (object=0xf259500, textChange=WebCore::AXObjectCache::AXTextInserted, offset=0, text="Z") at ../../Source/WebCore/accessibility/gtk/AXObjectCacheAtk.cpp:163 163 AtkObject* wrapper = object->parentObjectUnignored()->wrapper(); ... Thread 1 (Thread 0x7f3067979900 (LWP 11325)): #0 0x00007f3074384a4c in WebCore::emitTextChanged (object=0xf259500, textChange=WebCore::AXObjectCache::AXTextInserted, offset=0, text="Z") at ../../Source/WebCore/accessibility/gtk/AXObjectCacheAtk.cpp:163 #1 0x00007f3074384d7d in WebCore::AXObjectCache::nodeTextChangePlatformNotification (this=0xf24a000, object=0xf259500, textChange=WebCore::AXObjectCache::AXTextInserted, offset=0, text="Z") at ../../Source/WebCore/accessibility/gtk/AXObjectCacheAtk.cpp:196 #2 0x00007f307301f4d7 in WebCore::AXObjectCache::nodeTextChangeNotification (this=0xf24a000, renderer=0xf082408, textChange=WebCore::AXObjectCache::AXTextInserted, offset=0, text="Z") at ../../Source/WebCore/accessibility/AXObjectCache.cpp:619 #3 0x00007f3073434e8b in WebCore::InsertIntoTextNodeCommand::doApply (this=0xf259730) at ../../Source/WebCore/editing/InsertIntoTextNodeCommand.cpp:63 #4 0x00007f30733e4188 in WebCore::CompositeEditCommand::applyCommandToComposite (this=0xf084970, prpCommand=...) at ../../Source/WebCore/editing/CompositeEditCommand.cpp:256 #5 0x00007f30733e5dcf in WebCore::CompositeEditCommand::replaceTextInNode (this=0xf084970, node=..., offset=0, count=1, replacementText="Z") at ../../Source/WebCore/editing/CompositeEditCommand.cpp:498 #6 0x00007f30733e5f3b in WebCore::CompositeEditCommand::replaceSelectedTextInNode (this=0xf084970, text="Z") at ../../Source/WebCore/editing/CompositeEditCommand.cpp:509 #7 0x00007f307343c410 in WebCore::InsertTextCommand::performTrivialReplace (this=0xf084970, text="Z", selectInsertedText=false) at ../../Source/WebCore/editing/InsertTextCommand.cpp:89 #8 0x00007f307343c658 in WebCore::InsertTextCommand::doApply (this=0xf084970) at ../../Source/WebCore/editing/InsertTextCommand.cpp:117 #9 0x00007f30733e42e4 in WebCore::CompositeEditCommand::applyCommandToComposite (this=0xf07ddf0, command=..., selection=...) at ../../Source/WebCore/editing/CompositeEditCommand.cpp:271 #10 0x00007f307346def8 in WebCore::TypingCommand::insertTextRunWithoutNewlines (this=0xf07ddf0, text="Z", selectInsertedText=false) at ../../Source/WebCore/editing/TypingCommand.cpp:367 #11 0x00007f307346fe69 in WebCore::TypingCommandLineOperation::operator() (this=0x7fffad32d5e0, lineOffset=0, lineLength=1, isLastLine=true) at ../../Source/WebCore/editing/TypingCommand.cpp:63 #12 0x00007f3073470140 in WebCore::forEachLineInString<WebCore::TypingCommandLineOperation> (string="Z", operation=...) at ../../Source/WebCore/editing/TextInsertionBaseCommand.h:61 #13 0x00007f307346de4c in WebCore::TypingCommand::insertText (this=0xf07ddf0, text="Z", selectInsertedText=false) at ../../Source/WebCore/editing/TypingCommand.cpp:359 #14 0x00007f307346da1b in WebCore::TypingCommand::doApply (this=0xf07ddf0) at ../../Source/WebCore/editing/TypingCommand.cpp:282 #15 0x00007f30733e3f3f in WebCore::CompositeEditCommand::apply (this=0xf07ddf0) at ../../Source/WebCore/editing/CompositeEditCommand.cpp:204 #16 0x00007f30733e3c2a in WebCore::applyCommand (command=...) at ../../Source/WebCore/editing/CompositeEditCommand.cpp:161 #17 0x00007f307346099d in WebCore::TextInsertionBaseCommand::applyTextInsertionCommand (frame=0x2468890, command=..., selectionForInsertion=..., endingSelection=...) at ../../Source/WebCore/editing/TextInsertionBaseCommand.cpp:49 #18 0x00007f307346d24a in WebCore::TypingCommand::insertText (document=0xf220ce0, text="Z", selectionForInsertion=..., options=0, compositionType=WebCore::TypingCommand::TextCompositionNone) at ../../Source/WebCore/editing/TypingCommand.cpp:198 #19 0x00007f307346cf04 in WebCore::TypingCommand::insertText (document=0xf220ce0, text="Z", options=0, composition=WebCore::TypingCommand::TextCompositionNone) at ../../Source/WebCore/editing/TypingCommand.cpp:166 #20 0x00007f3073409b0e in WebCore::executeInsertText (frame=0x2468890, value="Z") at ../../Source/WebCore/editing/EditorCommand.cpp:563 #21 0x00007f307340cace in WebCore::Editor::Command::execute (this=0x7fffad32d8d0, parameter="Z", triggeringEvent=0x0) at ../../Source/WebCore/editing/EditorCommand.cpp:1689 #22 0x00007f30732eb28a in WebCore::Document::execCommand (this=0xf220ce0, commandName="insertText", userInterface=false, value="Z") at ../../Source/WebCore/dom/Document.cpp:4570 #23 0x00007f3073f24bba in WebCore::jsDocumentPrototypeFunctionExecCommand (exec=0x7f302435e0a0) at DerivedSources/WebCore/JSDocument.cpp:2617 #24 0x00007f3027753265 in ?? () #25 0x00007fffad32da90 in ?? () #26 0x00007f3077cff137 in llint_op_call () from /home/slave/webkitgtk/gtk-linux-64-debug/build/WebKitBuild/Debug/.libs/libjavascriptcoregtk-3.0.so.0 #27 0x00007fffad32da20 in ?? () #28 0x00007fffad32da50 in ?? () #29 0x00007f302432bf40 in ?? () #30 0x00007f3077bffb79 in JSC::Register::Register (this=0x0) at ../../Source/JavaScriptCore/interpreter/Register.h:105 #31 0x00007f3077cac19e in JSC::JITCode::execute (this=0x7f3024277288, registerFile=0x248cba8, callFrame=0x7f302435e040, globalData=0x2b063a0) at ../../Source/JavaScriptCore/jit/JITCode.h:133 #32 0x00007f3077ca8ab8 in JSC::Interpreter::executeCall (this=0x248cb90, callFrame=0x7f30242fdf88, function=0x7f302432bf40, callType=JSC::CallTypeJS, callData=..., thisValue=..., args=...) at ../../Source/JavaScriptCore/interpreter/Interpreter.cpp:1322 #33 0x00007f3077d75dbd in JSC::call (exec=0x7f30242fdf88, functionObject=..., callType=JSC::CallTypeJS, callData=..., thisValue=..., args=...) at ../../Source/JavaScriptCore/runtime/CallData.cpp:39 #34 0x00007f307304bdf7 in WebCore::JSMainThreadExecState::call (exec=0x7f30242fdf88, functionObject=..., callType=JSC::CallTypeJS, callData=..., thisValue=..., args=...) at ../../Source/WebCore/bindings/js/JSMainThreadExecState.h:56 #35 0x00007f307307b3c5 in WebCore::JSEventListener::handleEvent (this=0xf249ad0, scriptExecutionContext=0xf220e08, event=0xf24a1a0) at ../../Source/WebCore/bindings/js/JSEventListener.cpp:133 #36 0x00007f3073355dae in WebCore::EventTarget::fireEventListeners (this=0xf230fd0, event=0xf24a1a0, d=0xf231108, entry=WTF::Vector of length 1, capacity 1 = {...}) at ../../Source/WebCore/dom/EventTarget.cpp:231 #37 0x00007f3073355c0c in WebCore::EventTarget::fireEventListeners (this=0xf230fd0, event=0xf24a1a0) at ../../Source/WebCore/dom/EventTarget.cpp:198 #38 0x00007f30737bc238 in WebCore::DOMWindow::dispatchEvent (this=0xf230fd0, prpEvent=..., prpTarget=...) at ../../Source/WebCore/page/DOMWindow.cpp:1665 #39 0x00007f30737bbfac in WebCore::DOMWindow::dispatchLoadEvent (this=0xf230fd0) at ../../Source/WebCore/page/DOMWindow.cpp:1639 #40 0x00007f30732e97f7 in WebCore::Document::dispatchWindowLoadEvent (this=0xf220ce0) at ../../Source/WebCore/dom/Document.cpp:4083 #41 0x00007f30732e3b6f in WebCore::Document::implicitClose (this=0xf220ce0) at ../../Source/WebCore/dom/Document.cpp:2523 #42 0x00007f307371a5b9 in WebCore::FrameLoader::checkCallImplicitClose (this=0x2468928) at ../../Source/WebCore/loader/FrameLoader.cpp:763 #43 0x00007f307371a367 in WebCore::FrameLoader::checkCompleted (this=0x2468928) at ../../Source/WebCore/loader/FrameLoader.cpp:709 #44 0x00007f307371a0bb in WebCore::FrameLoader::finishedParsing (this=0x2468928) at ../../Source/WebCore/loader/FrameLoader.cpp:642 #45 0x00007f30732ec6f6 in WebCore::Document::finishedParsing (this=0xf220ce0) at ../../Source/WebCore/dom/Document.cpp:4862 #46 0x00007f3073595f55 in WebCore::HTMLTreeBuilder::finished (this=0xf239fe0) at ../../Source/WebCore/html/parser/HTMLTreeBuilder.cpp:2792 #47 0x00007f307356ad2a in WebCore::HTMLDocumentParser::end (this=0xf238c40) at ../../Source/WebCore/html/parser/HTMLDocumentParser.cpp:372 #48 0x00007f307356ae31 in WebCore::HTMLDocumentParser::attemptToRunDeferredScriptsAndEnd (this=0xf238c40) at ../../Source/WebCore/html/parser/HTMLDocumentParser.cpp:381 #49 0x00007f3073569f4e in WebCore::HTMLDocumentParser::prepareToStopParsing (this=0xf238c40) at ../../Source/WebCore/html/parser/HTMLDocumentParser.cpp:149 #50 0x00007f307356ae76 in WebCore::HTMLDocumentParser::attemptToEnd (this=0xf238c40) at ../../Source/WebCore/html/parser/HTMLDocumentParser.cpp:393 #51 0x00007f307356af2f in WebCore::HTMLDocumentParser::finish (this=0xf238c40) at ../../Source/WebCore/html/parser/HTMLDocumentParser.cpp:420 #52 0x00007f3073712bb1 in WebCore::DocumentWriter::end (this=0xf1367c0) at ../../Source/WebCore/loader/DocumentWriter.cpp:241 #53 0x00007f3073705745 in WebCore::DocumentLoader::finishedLoading (this=0xf136700) at ../../Source/WebCore/loader/DocumentLoader.cpp:300 #54 0x00007f3073757328 in WebCore::MainResourceLoader::didFinishLoading (this=0xf15d660, finishTime=0) at ../../Source/WebCore/loader/MainResourceLoader.cpp:520 #55 0x00007f3073762de5 in WebCore::ResourceLoader::didFinishLoading (this=0xf15d660, finishTime=0) at ../../Source/WebCore/loader/ResourceLoader.cpp:436 #56 0x00007f3073921c59 in WebCore::readCallback (source=0x3610800, asyncResult=0xeab5cb0, data=0xf14a140) at ../../Source/WebCore/platform/network/soup/ResourceHandleSoup.cpp:865 #57 0x00007f3070fd7ad3 in async_ready_callback_wrapper () from /home/slave/webkitgtk/gtk-linux-64-debug/build/WebKitBuild/Dependencies/Root/lib64/libgio-2.0.so.0 #58 0x00007f3070ff2bc8 in g_simple_async_result_complete () from /home/slave/webkitgtk/gtk-linux-64-debug/build/WebKitBuild/Dependencies/Root/lib64/libgio-2.0.so.0 #59 0x00007f3070ff2d90 in complete_in_idle_cb_for_thread () from /home/slave/webkitgtk/gtk-linux-64-debug/build/WebKitBuild/Dependencies/Root/lib64/libgio-2.0.so.0 #60 0x00007f3070e223e9 in g_idle_dispatch () from /home/slave/webkitgtk/gtk-linux-64-debug/build/WebKitBuild/Dependencies/Root/lib64/libglib-2.0.so.0 #61 0x00007f3070e1fc91 in g_main_dispatch () from /home/slave/webkitgtk/gtk-linux-64-debug/build/WebKitBuild/Dependencies/Root/lib64/libglib-2.0.so.0 #62 0x00007f3070e20956 in g_main_context_dispatch () from /home/slave/webkitgtk/gtk-linux-64-debug/build/WebKitBuild/Dependencies/Root/lib64/libglib-2.0.so.0 #63 0x00007f3070e20b39 in g_main_context_iterate () from /home/slave/webkitgtk/gtk-linux-64-debug/build/WebKitBuild/Dependencies/Root/lib64/libglib-2.0.so.0 #64 0x00007f3070e20f69 in g_main_loop_run () from /home/slave/webkitgtk/gtk-linux-64-debug/build/WebKitBuild/Dependencies/Root/lib64/libglib-2.0.so.0 #65 0x00007f307170f7de in gtk_main () from /home/slave/webkitgtk/gtk-linux-64-debug/build/WebKitBuild/Dependencies/Root/lib64/libgtk-3.so.0 #66 0x0000000000479dd5 in runTest (inputLine=...) at ../../Tools/DumpRenderTree/gtk/DumpRenderTree.cpp:752 #67 0x00000000004794a9 in runTestingServerLoop () at ../../Tools/DumpRenderTree/gtk/DumpRenderTree.cpp:539 #68 0x000000000047c434 in main (argc=2, argv=0x7fffad32f188) at ../../Tools/DumpRenderTree/gtk/DumpRenderTree.cpp:1442