[Webkit-unassigned] [Bug 143188] New: AX: WebKitWebProcess crashes in a11y code for some websites

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Sat Mar 28 17:27:49 PDT 2015


https://bugs.webkit.org/show_bug.cgi?id=143188

            Bug ID: 143188
           Summary: AX: WebKitWebProcess crashes in a11y code for some
                    websites
    Classification: Unclassified
           Product: WebKit
           Version: 528+ (Nightly build)
          Hardware: All
                OS: All
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: WebKit Gtk
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: rishi.is at lostca.se

I have been seeing this particular crash with some web sites. Here is an example:
1) Go to https://twitter.com/marinaz
2) Find this tweet: "Asked @lwnnet to make its site a safe space for reading news about Linux ..."
3) Ctrl+click the LWN link and you will see the WebKitWebProcess for the new tab crash

Core was generated by `/usr/libexec/webkit2gtk-4.0/WebKitWebProcess 22'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0  WebCore::AccessibilityMenuList::isCollapsed (this=0x7f712d9c09a0)
    at /usr/src/debug/webkitgtk-2.6.5/Source/WebCore/accessibility/AccessibilityMenuList.cpp:92
92        return !static_cast<RenderMenuList*>(m_renderer)->popupIsVisible();
(gdb) bt
#0  WebCore::AccessibilityMenuList::isCollapsed (this=0x7f712d9c09a0)
    at /usr/src/debug/webkitgtk-2.6.5/Source/WebCore/accessibility/AccessibilityMenuList.cpp:92
#1  0x00007f719e3fee4d in notifyChildrenSelectionChange (object=0x7f712d9c09a0)
    at /usr/src/debug/webkitgtk-2.6.5/Source/WebCore/accessibility/atk/AXObjectCacheAtk.cpp:180
#2  WebCore::AXObjectCache::postPlatformNotification (
    this=this at entry=0x7f713c116e00, 
    coreObject=coreObject at entry=0x7f712d9c09a0, 
    notification=notification at entry=(anonymous namespace)::AXObjectCache::AXMenuListValueChanged)
    at /usr/src/debug/webkitgtk-2.6.5/Source/WebCore/accessibility/atk/AXObjectCacheAtk.cpp:211
#3  0x00007f719d854b96 in WebCore::AXObjectCache::postNotification (
    this=this at entry=0x7f713c116e00, object=object at entry=0x7f712d9c09a0, 
    document=document at entry=0x7f719f4c6700, 
    notification=notification at entry=(anonymous namespace)::AXObjectCache::AXMenuListValueChanged, 
    postTarget=postTarget at entry=(anonymous namespace)::TargetElement, 
    postType=postType at entry=(anonymous namespace)::PostSynchronously)
    at /usr/src/debug/webkitgtk-2.6.5/Source/WebCore/accessibility/AXObjectCache.cpp:807
#4  0x00007f719d860220 in WebCore::AccessibilityMenuList::didUpdateActiveOption
    (this=0x7f712d9c09a0, optionIndex=1)
    at /usr/src/debug/webkitgtk-2.6.5/Source/WebCore/accessibility/AccessibilityMenuList.cpp:130
#5  0x00007f719e11ec5d in WebCore::RenderMenuList::setTextFromOption (
    this=0x7f71074d55a0, optionIndex=1)
    at /usr/src/debug/webkitgtk-2.6.5/Source/WebCore/rendering/RenderMenuList.cpp:288
#6  0x00007f719dc2f168 in WebCore::HTMLSelectElement::selectOption (
    this=0x7f710693a000, optionIndex=<optimized out>, flags=0)
    at /usr/src/debug/webkitgtk-2.6.5/Source/WebCore/html/HTMLSelectElement.cpp:893

#7  0x00007f719c0e5f9e in JSC::JSObject::put (cell=0x7f7106fa40b0, 
    exec=0x7ffee3cb0130, propertyName=..., value=..., slot=...)
    at /usr/src/debug/webkitgtk-2.6.5/Source/JavaScriptCore/runtime/JSObject.cpp:383
#8  0x00007f719be506a8 in operationPutByValInternal<false, false> (
    encodedValue=7, encodedProperty=<optimized out>, 
    encodedBase=140123425095856, exec=0x7ffee3cb0130)
    at /usr/src/debug/webkitgtk-2.6.5/Source/JavaScriptCore/dfg/DFGOperations.cpp:130
#9  JSC::DFG::operationPutByValNonStrict (exec=0x7ffee3cb0130, 
    encodedBase=140123425095856, encodedProperty=<optimized out>, 
    encodedValue=7)
    at /usr/src/debug/webkitgtk-2.6.5/Source/JavaScriptCore/dfg/DFGOperations.cpp:383
#10 0x00007f713d5f2938 in ?? ()
#11 0x0000000000000000 in ?? ()
(gdb)

I have:
webkitgtk4-2.6.5-1.fc21.x86_64
epiphany-3.14.2-4.fc21.x86_64
