[Webkit-unassigned] [Bug 82896] Segmentation fault in JS drop-down menus in facebook.com
bugzilla-daemon at webkit.org
Wed Apr 4 08:56:25 PDT 2012
https://bugs.webkit.org/show_bug.cgi?id=82896
--- Comment #8 from chris fleizach <cfleizach at apple.com> 2012-04-04 08:56:25 PST ---
(In reply to comment #7)
> (In reply to comment #6)
> > (In reply to comment #5)
> > > I followed those steps listed and even broke on the crashing method. I saw m_renderer = 0 and everything worked ok
> > >
> > > Breakpoint 2, WebCore::AccessibilityRenderObject::isAttachment (this=0x7fcda238c1e0) at AccessibilityRenderObject.cpp:535
> > > 535 RenderBoxModelObject* renderer = renderBoxModelObject();
> > > (gdb) x/ca m_renderer
> > > 0x0: Cannot access memory at address 0x0
> > > (gdb) s
> > > WebCore::AccessibilityRenderObject::renderBoxModelObject (this=0x7fcda238c1e0) at AccessibilityRenderObject.cpp:133
> > > 133 if (!m_renderer || !m_renderer->isBoxModelObject())
> > > (gdb) n
> > > 134 return 0;
> > > (gdb) bt
> > > #0 WebCore::AccessibilityRenderObject::renderBoxModelObject (this=0x7fcda238c1e0) at AccessibilityRenderObject.cpp:134
> >
> > I think this one's up to you to figure out.
>
> Thanks Chris for helping me debug this thing. It turns out I did dare to git bisect and, after 11 full builds I finally found the commit where this started failing reliably:
>
> http://trac.webkit.org/changeset/110819
>
> I see you're the author of that commit, so I leave this here in the hope you might perhaps have a clue of why this is happening.
>
> Now I need to run.
>
> Again, thanks!
I think it indicates that a render object was destroyed but the ax object was not updated at the same time. That should not happen, since in RenderObject::willBeDestroyed(), AXObjectCache::remove is called.
A way I can see this happening is if AXObjectCache::remove was not called for this child, or, if it was, it failed for some reason.
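The lifetime invariant described in this comment (a render object's teardown must remove its entry from the accessibility cache, otherwise the cache keeps a back pointer to freed memory), modelled as an added C++ example. This is not WebKit code: Renderer, AxObject, AxCache, liveRenderers and staleAfterDestroy are simplified, hypothetical stand-ins for RenderObject, AccessibilityRenderObject and AXObjectCache, and the "live renderer" registry is a constructed stand-in for the render tree. It runs both paths, the correct one where willBeDestroyed() notifies the cache and the suspected faulty one where the remove call never happens, and reports how many cache entries are left pointing at a dead renderer without dereferencing any of them.

```cpp
#include <cstddef>
#include <cstdio>
#include <map>
#include <memory>
#include <set>

// Hypothetical stand-ins for WebKit's classes; names and layout are assumptions.
struct Renderer;

struct AxObject {
    Renderer* m_renderer = nullptr;  // non-owning back pointer, like m_renderer in the gdb session
};

class AxCache {
public:
    AxObject* getOrCreate(Renderer* r) {
        auto it = m_objects.find(r);
        if (it != m_objects.end())
            return it->second.get();
        auto obj = std::make_unique<AxObject>();
        obj->m_renderer = r;
        AxObject* raw = obj.get();
        m_objects.emplace(r, std::move(obj));
        return raw;
    }
    // Must be called from the renderer's teardown so no entry outlives its renderer.
    void remove(Renderer* r) { m_objects.erase(r); }

    AxObject* lookup(Renderer* r) const {
        auto it = m_objects.find(r);
        return it == m_objects.end() ? nullptr : it->second.get();
    }
    // Debug check: count entries whose renderer is no longer in the live set.
    // Only pointer values are compared; nothing dereferences a dead renderer.
    std::size_t staleEntries(const std::set<Renderer*>& live) const {
        std::size_t n = 0;
        for (const auto& kv : m_objects)
            if (!live.count(kv.first))
                ++n;
        return n;
    }

private:
    std::map<Renderer*, std::unique_ptr<AxObject>> m_objects;
};

// Constructed registry of renderers that are actually alive (stands in for the render tree).
static std::set<Renderer*>& liveRenderers() {
    static std::set<Renderer*> s;
    return s;
}

struct Renderer {
    AxCache* cache;
    bool notifyCacheOnDestroy;  // false models the suspected missing AXObjectCache::remove call

    Renderer(AxCache* c, bool notify) : cache(c), notifyCacheOnDestroy(notify) {
        liveRenderers().insert(this);
    }
    ~Renderer() {
        willBeDestroyed();
        liveRenderers().erase(this);
    }
    // Mirrors the role of RenderObject::willBeDestroyed() described in the comment.
    void willBeDestroyed() {
        if (notifyCacheOnDestroy && cache)
            cache->remove(this);
    }
};

// Create a renderer, give it an AX object, destroy the renderer, then report how
// many cache entries still point at a renderer that no longer exists.
std::size_t staleAfterDestroy(bool notifyOnDestroy) {
    AxCache cache;
    {
        Renderer r(&cache, notifyOnDestroy);
        cache.getOrCreate(&r);
    }  // r is destroyed here
    return cache.staleEntries(liveRenderers());
}

int main() {
    std::printf("remove called on destroy: %zu stale entries\n", staleAfterDestroy(true));
    std::printf("remove skipped on destroy: %zu stale entries\n", staleAfterDestroy(false));
    return 0;
}
```

The staleEntries() walk is the kind of assertion a debug build could run after a layout change to catch the condition described here (an AX object whose renderer has already gone away) before anything dereferences the stale pointer; a cache keyed on raw pointers has no other way to tell a dead key from a live one, which is why the remove call in teardown has to be unconditional.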