[Webkit-unassigned] [Bug 107028] New: Crash in AXObjectCache::notificationPostTimerFired()

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Wed Jan 16 10:00:23 PST 2013 

https://bugs.webkit.org/show_bug.cgi?id=107028

           Summary: Crash in AXObjectCache::notificationPostTimerFired()
           Product: WebKit
           Version: 528+ (Nightly build)
          Platform: Unspecified
               URL: http://build.webkit.org/results/Apple%20Lion%20Debug%2
                    0WK1%20(Tests)/r139883%20(5966)/svg/as-image/img-relat
                    ive-height-crash-log.txt
        OS/Version: Unspecified
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: Accessibility
        AssignedTo: webkit-unassigned at lists.webkit.org
        ReportedBy: jer.noble at apple.com


Crash in AXObjectCache::notificationPostTimerFired() while accessing past the end of m_notificationsToPost.

Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
0   com.apple.WebCore                 0x0000000107cd2a48 WTF::Vector<std::__1::pair<WTF::RefPtr<WebCore::AccessibilityObject>, WebCore::AXObjectCache::AXNotification>, 0ul>::at(unsigned long) + 104 (Vector.h:550)
1   com.apple.WebCore                 0x0000000107cbc6bd WTF::Vector<std::__1::pair<WTF::RefPtr<WebCore::AccessibilityObject>, WebCore::AXObjectCache::AXNotification>, 0ul>::operator[](unsigned long) + 29 (Vector.h:559)
2   com.apple.WebCore                 0x0000000107c91e6a WebCore::AXObjectCache::notificationPostTimerFired(WebCore::Timer<WebCore::AXObjectCache>*) + 138 (AXObjectCache.cpp:603)
3   com.apple.WebCore                 0x0000000107cddb73 WebCore::Timer<WebCore::AXObjectCache>::fired() + 115 (Timer.h:106)
4   com.apple.WebCore                 0x000000010964e206 WebCore::ThreadTimers::sharedTimerFiredInternal() + 294 (ThreadTimers.cpp:119)
5   com.apple.WebCore                 0x000000010964df99 WebCore::ThreadTimers::sharedTimerFired() + 25 (ThreadTimers.cpp:94)
6   com.apple.WebCore                 0x0000000109378cb3 _ZN7WebCoreL10timerFiredEP16__CFRunLoopTimerPv + 67 (SharedTimerMac.mm:167)
7   com.apple.CoreFoundation          0x00007fff88798934 __CFRUNLOOP_IS_CALLING_OUT_TO_A_TIMER_CALLBACK_FUNCTION__ + 20
8   com.apple.CoreFoundation          0x00007fff88798486 __CFRunLoopDoTimer + 534
9   com.apple.CoreFoundation          0x00007fff88778e11 __CFRunLoopRun + 1617
10  com.apple.CoreFoundation          0x00007fff88778486 CFRunLoopRunSpecific + 230
11  com.apple.Foundation              0x00007fff85b69f7b -[NSRunLoop(NSRunLoop) runMode:beforeDate:] + 267
12  DumpRenderTree                    0x000000010636f059 _ZL7runTestRKNSt3__112basic_stringIcNS_11char_traitsIcEENS_9allocatorIcEEEE + 5017 (DumpRenderTree.mm:1382)
13  DumpRenderTree                    0x000000010636dc4a _ZL20runTestingServerLoopv + 282 (DumpRenderTree.mm:847)
14  DumpRenderTree                    0x000000010636d517 dumpRenderTree(int, char const**) + 391 (DumpRenderTree.mm:894)
15  DumpRenderTree                    0x000000010636f849 main + 105 (DumpRenderTree.mm:932)
16  DumpRenderTree                    0x0000000106358564 start + 52

This is not only causing an ASSERT in Debug builds, but an actual null dereference crash in Release builds as well.  The crash seems to occur most often in svg tests.

-- 
Configure bugmail: https://bugs.webkit.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.

More information about the webkit-unassigned mailing list