[Webkit-unassigned] [Bug 100688] New: REGRESSION (r132699): Crashes in WebCore::TextIterator::handleTextNodeFirstLetter

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Mon Oct 29 10:27:02 PDT 2012


https://bugs.webkit.org/show_bug.cgi?id=100688

           Summary: REGRESSION (r132699): Crashes in
                    WebCore::TextIterator::handleTextNodeFirstLetter
           Product: WebKit
           Version: 528+ (Nightly build)
          Platform: Unspecified
        OS/Version: Unspecified
            Status: NEW
          Keywords: Gtk, LayoutTestFailure
          Severity: Normal
          Priority: P2
         Component: WebKit Gtk
        AssignedTo: webkit-unassigned at lists.webkit.org
        ReportedBy: zandobersek at gmail.com
                CC: cfleizach at apple.com, jdiggs at igalia.com,
                    mario at webkit.org, dmazzoni at google.com


The following tests started (occasionally) crashing on the GTK builders after r132699:

fast/css-generated-content/first-letter-table-cell-format-block-crash.html
fast/text/text-fragment-first-letter-update-crash.html
fast/text/custom-font-data-crash2.html
fast/css/first-letter-text-fragment-crash.html
editing/selection/first-letter-selection-crash.html
editing/text-iterator/backward-textiterator-first-letter-crash.html

http://trac.webkit.org/changeset/132699
http://test-results.appspot.com/dashboards/flakiness_dashboard.html#group=%40ToT%20-%20webkit.org&tests=fast%2Fcss-generated-content%2Ffirst-letter-table-cell-format-block-crash.html%20fast%2Ftext%2Ftext-fragment-first-letter-update-crash.html%20fast%2Ftext%2Fcustom-font-data-crash2.html%20fast%2Fcss%2Ffirst-letter-text-fragment-crash.html%20editing%2Fselection%2Ffirst-letter-selection-crash.html%20editing%2Ftext-iterator%2Fbackward-textiterator-first-letter-crash.html

The tests only crash if the accessibility tests are run before them, probably because of the accessibility object cache being populated.
Here's the crash log for the fast/text/custom-font-data-crash2.html crash that occurred on the 64-bit Release builder:
Crash log for DumpRenderTree (pid 5474):

...
[New LWP 6022]
[Thread debugging using libthread_db enabled]
Core was generated by `/home/slave/webkitgtk/gtk-linux-64-release/build/WebKitBuild/Release/Programs/D'.
Program terminated with signal 11, Segmentation fault.
#0  0x00007fb3bf1f57a3 in WebCore::TextIterator::handleTextNodeFirstLetter(WebCore::RenderTextFragment*) () from /home/slave/webkitgtk/gtk-linux-64-release/build/WebKitBuild/Release/.libs/libwebkitgtk-3.0.so.0

...

Thread 1 (Thread 0x7fb3c0a03900 (LWP 5474)):
#0  0x00007fb3bf1f57a3 in WebCore::TextIterator::handleTextNodeFirstLetter(WebCore::RenderTextFragment*) () from /home/slave/webkitgtk/gtk-linux-64-release/build/WebKitBuild/Release/.libs/libwebkitgtk-3.0.so.0
#1  0x00007fb3bf1f842f in WebCore::TextIterator::handleTextNode() () from /home/slave/webkitgtk/gtk-linux-64-release/build/WebKitBuild/Release/.libs/libwebkitgtk-3.0.so.0
#2  0x00007fb3bf1f8aea in WebCore::TextIterator::advance() () from /home/slave/webkitgtk/gtk-linux-64-release/build/WebKitBuild/Release/.libs/libwebkitgtk-3.0.so.0
#3  0x00007fb3bf1f991d in WebCore::plainTextToMallocAllocatedBuffer(WebCore::Range const*, unsigned int&, bool, WebCore::TextIteratorBehavior) () from /home/slave/webkitgtk/gtk-linux-64-release/build/WebKitBuild/Release/.libs/libwebkitgtk-3.0.so.0
#4  0x00007fb3bf1f9cca in WebCore::plainText(WebCore::Range const*, WebCore::TextIteratorBehavior) () from /home/slave/webkitgtk/gtk-linux-64-release/build/WebKitBuild/Release/.libs/libwebkitgtk-3.0.so.0
#5  0x00007fb3beeefca3 in WebCore::AccessibilityRenderObject::textUnderElement() const () from /home/slave/webkitgtk/gtk-linux-64-release/build/WebKitBuild/Release/.libs/libwebkitgtk-3.0.so.0
#6  0x00007fb3bff0f659 in WebCore::AccessibilityObject::accessibilityPlatformIncludesObject() const () from /home/slave/webkitgtk/gtk-linux-64-release/build/WebKitBuild/Release/.libs/libwebkitgtk-3.0.so.0
#7  0x00007fb3beef3f70 in WebCore::AccessibilityRenderObject::accessibilityIsIgnoredBase() const () from /home/slave/webkitgtk/gtk-linux-64-release/build/WebKitBuild/Release/.libs/libwebkitgtk-3.0.so.0
#8  0x00007fb3beef8c96 in WebCore::AccessibilityRenderObject::accessibilityIsIgnored() const () from /home/slave/webkitgtk/gtk-linux-64-release/build/WebKitBuild/Release/.libs/libwebkitgtk-3.0.so.0
#9  0x00007fb3beefe2c3 in WebCore::AXObjectCache::childrenChanged(WebCore::AccessibilityObject*) () from /home/slave/webkitgtk/gtk-linux-64-release/build/WebKitBuild/Release/.libs/libwebkitgtk-3.0.so.0
#10 0x00007fb3bf743c64 in WebCore::RenderObject::willBeDestroyed() () from /home/slave/webkitgtk/gtk-linux-64-release/build/WebKitBuild/Release/.libs/libwebkitgtk-3.0.so.0
#11 0x00007fb3bf78c2a1 in WebCore::RenderText::willBeDestroyed() () from /home/slave/webkitgtk/gtk-linux-64-release/build/WebKitBuild/Release/.libs/libwebkitgtk-3.0.so.0
#12 0x00007fb3bf74278d in WebCore::RenderObject::destroy() () from /home/slave/webkitgtk/gtk-linux-64-release/build/WebKitBuild/Release/.libs/libwebkitgtk-3.0.so.0
#13 0x00007fb3bf7380d4 in WebCore::RenderObjectChildList::destroyLeftoverChildren() () from /home/slave/webkitgtk/gtk-linux-64-release/build/WebKitBuild/Release/.libs/libwebkitgtk-3.0.so.0
#14 0x00007fb3bf670cec in WebCore::RenderBlock::willBeDestroyed() () from /home/slave/webkitgtk/gtk-linux-64-release/build/WebKitBuild/Release/.libs/libwebkitgtk-3.0.so.0
#15 0x00007fb3bf74278d in WebCore::RenderObject::destroy() () from /home/slave/webkitgtk/gtk-linux-64-release/build/WebKitBuild/Release/.libs/libwebkitgtk-3.0.so.0
#16 0x00007fb3bf12eacf in WebCore::Node::detach() () from /home/slave/webkitgtk/gtk-linux-64-release/build/WebKitBuild/Release/.libs/libwebkitgtk-3.0.so.0
#17 0x00007fb3bf0c767e in WebCore::ContainerNode::detach() () from /home/slave/webkitgtk/gtk-linux-64-release/build/WebKitBuild/Release/.libs/libwebkitgtk-3.0.so.0
#18 0x00007fb3bf10fda4 in WebCore::Element::detach() () from /home/slave/webkitgtk/gtk-linux-64-release/build/WebKitBuild/Release/.libs/libwebkitgtk-3.0.so.0
#19 0x00007fb3bf0cb800 in WebCore::ContainerNode::removeChildren() () from /home/slave/webkitgtk/gtk-linux-64-release/build/WebKitBuild/Release/.libs/libwebkitgtk-3.0.so.0
#20 0x00007fb3bf1d34dc in WebCore::replaceChildrenWithFragment(WebCore::ContainerNode*, WTF::PassRefPtr<WebCore::DocumentFragment>, int&) () from /home/slave/webkitgtk/gtk-linux-64-release/build/WebKitBuild/Release/.libs/libwebkitgtk-3.0.so.0
#21 0x00007fb3bf27564a in WebCore::HTMLElement::setInnerHTML(WTF::String const&, int&) () from /home/slave/webkitgtk/gtk-linux-64-release/build/WebKitBuild/Release/.libs/libwebkitgtk-3.0.so.0
#22 0x00007fb3bfb43794 in WebCore::setJSHTMLElementInnerHTML(JSC::ExecState*, JSC::JSObject*, JSC::JSValue) () from /home/slave/webkitgtk/gtk-linux-64-release/build/WebKitBuild/Release/.libs/libwebkitgtk-3.0.so.0
#23 0x00007fb3bfb42f0c in WebCore::JSHTMLElement::put(JSC::JSCell*, JSC::ExecState*, JSC::PropertyName, JSC::JSValue, JSC::PutPropertySlot&) () from /home/slave/webkitgtk/gtk-linux-64-release/build/WebKitBuild/Release/.libs/libwebkitgtk-3.0.so.0
#24 0x00007fb3bfb2a381 in WebCore::JSHTMLBodyElement::put(JSC::JSCell*, JSC::ExecState*, JSC::PropertyName, JSC::JSValue, JSC::PutPropertySlot&) () from /home/slave/webkitgtk/gtk-linux-64-release/build/WebKitBuild/Release/.libs/libwebkitgtk-3.0.so.0
#25 0x00007fb3c079e413 in llint_slow_path_put_by_id () from /home/slave/webkitgtk/gtk-linux-64-release/build/WebKitBuild/Release/.libs/libjavascriptcoregtk-3.0.so.0
#26 0x00007fb3c07a946a in llint_op_put_by_id () from /home/slave/webkitgtk/gtk-linux-64-release/build/WebKitBuild/Release/.libs/libjavascriptcoregtk-3.0.so.0
#27 0x00007fb300000000 in ?? ()
#28 0x0000000000000000 in ?? ()

-- 
Configure bugmail: https://bugs.webkit.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.
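
Added example (not part of the original bug mail and not WebKit tooling): a small triage helper that parses gdb frames in the format shown above and reports when the innermost render-object teardown frame has called back into accessibility code, as frames #10 and #9 do in this trace. The function names and marker lists are assumptions chosen for this trace; the sample frames are copied from the backtrace with the library path trimmed.

```python
import re

# Frames copied from the backtrace above; the "from <library>" suffix is trimmed.
SAMPLE = """\
#0  0x00007fb3bf1f57a3 in WebCore::TextIterator::handleTextNodeFirstLetter(WebCore::RenderTextFragment*) ()
#1  0x00007fb3bf1f842f in WebCore::TextIterator::handleTextNode() ()
#5  0x00007fb3beeefca3 in WebCore::AccessibilityRenderObject::textUnderElement() const ()
#9  0x00007fb3beefe2c3 in WebCore::AXObjectCache::childrenChanged(WebCore::AccessibilityObject*) ()
#10 0x00007fb3bf743c64 in WebCore::RenderObject::willBeDestroyed() ()
#11 0x00007fb3bf78c2a1 in WebCore::RenderText::willBeDestroyed() ()
#21 0x00007fb3bf27564a in WebCore::HTMLElement::setInnerHTML(WTF::String const&, int&) ()
#27 0x00007fb300000000 in ?? ()
"""

# gdb frame line: "#N 0xADDR in SYMBOL () [from LIB]"
FRAME_RE = re.compile(r"^#(\d+)\s+0x[0-9a-fA-F]+ in (.+?) \(\)(?: from \S+)?$")
# Assumed markers for this trace (hypothetical lists, not WebKit's own).
TEARDOWN_SUFFIXES = ("::willBeDestroyed", "::destroy", "::detach")
AX_MARKERS = ("AXObjectCache::", "Accessibility")


def parse_frames(text):
    """Return [(frame_number, qualified_function_name)], innermost first."""
    frames = []
    for line in text.splitlines():
        m = FRAME_RE.match(line.strip())
        if m:
            # Drop the argument list so only the qualified name remains.
            frames.append((int(m.group(1)), m.group(2).split("(", 1)[0]))
    return frames


def reentrant_teardown(frames):
    """Report accessibility code running underneath the innermost teardown frame."""
    for idx, (_, name) in enumerate(frames):
        if name.endswith(TEARDOWN_SUFFIXES):
            callee_side = frames[:idx]  # everything the teardown frame called
            ax = [f for f in callee_side if any(k in f[1] for k in AX_MARKERS)]
            if not ax:
                return None
            # ax[-1] is the accessibility frame closest to the teardown frame.
            return {"teardown": frames[idx], "callback": ax[-1], "faulting": frames[0]}
    return None


if __name__ == "__main__":
    print(reentrant_teardown(parse_frames(SAMPLE)))
```

Only the innermost teardown frame is examined, so a trace where teardown finishes without touching accessibility code yields `None`.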


