[Webkit-unassigned] [Bug 184366] crash when destroying a RenderObject with orca running

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Fri Apr 6 19:01:48 PDT 2018


https://bugs.webkit.org/show_bug.cgi?id=184366

Ryosuke Niwa <rniwa at webkit.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |rniwa at webkit.org

--- Comment #3 from Ryosuke Niwa <rniwa at webkit.org> ---
Someone from the GTK+ port has to fix the bug here: you're trying to update layout in the middle of deleting a render object.

Namely, webkitAccessibleRefStateSet() shouldn't trigger a sync layout while being called inside an AXObjectCache::remove() in RenderObject::willBeDestroyed().

Thread 1 "WebKitWebProces" received signal SIGSEGV, Segmentation fault.
0x00007fc8907eea0c in WTFCrash () at /usr/src/debug/webkit2gtk3-2.20.0-3.1.x86_64/Source/WTF/wtf/Assertions.cpp:271
271         *(int *)(uintptr_t)0xbbadbeef = 0;
(gdb) bt
#0  0x00007fc8907eea0c in WTFCrash () at /usr/src/debug/webkit2gtk3-2.20.0-3.1.x86_64/Source/WTF/wtf/Assertions.cpp:271
#1  0x00007fc8954b17cf in WebCore::Document::updateLayout () at /usr/src/debug/webkit2gtk3-2.20.0-3.1.x86_64/Source/WebCore/dom/Document.cpp:1986
#2  0x00007fc8954b1c52 in WebCore::Document::updateLayoutIgnorePendingStylesheets () at /usr/src/debug/webkit2gtk3-2.20.0-3.1.x86_64/Source/WebCore/dom/Document.cpp:2013
#3  0x00007fc89524dfea in WebCore::AccessibilityObject::updateBackingStore () at /usr/src/debug/webkit2gtk3-2.20.0-3.1.x86_64/Source/WebCore/accessibility/AccessibilityObject.cpp:1772
#4  0x00007fc89527c067 in webkitAccessibleRefStateSet () at /usr/src/debug/webkit2gtk3-2.20.0-3.1.x86_64/Source/WebCore/accessibility/atk/WebKitAccessibleWrapperAtk.cpp:1068
#5  0x00007fc888dbc839 in children_changed_event_listener (signal_hint=0x7fff0bff7560, n_param_values=<optimized out>, param_values=0x7fff0bff75e0, data=<optimized out>) at ../atk-adaptor/event.c:1072
#6  0x00007fc8918ae980 in ?? () from /usr/lib64/libgobject-2.0.so.0
#7  0x00007fc8918b722c in g_signal_emit_valist () from /usr/lib64/libgobject-2.0.so.0
#8  0x00007fc8918b8128 in g_signal_emit_by_name () from /usr/lib64/libgobject-2.0.so.0
#9  0x00007fc895275aaa in WebCore::AXObjectCache::detachWrapper () at /usr/src/debug/webkit2gtk3-2.20.0-3.1.x86_64/Source/WebCore/accessibility/atk/AXObjectCacheAtk.cpp:59
#10 0x00007fc89522adc4 in WebCore::AXObjectCache::remove () at /usr/src/debug/webkit2gtk3-2.20.0-3.1.x86_64/Source/WebCore/accessibility/AXObjectCache.cpp:719
#11 0x00007fc895c43591 in WebCore::RenderObject::willBeDestroyed () at /usr/src/debug/webkit2gtk3-2.20.0-3.1.x86_64/Source/WebCore/rendering/RenderObject.cpp:1437
#12 0x00007fc895bb8a9c in WebCore::RenderElement::willBeDestroyed () at /usr/src/debug/webkit2gtk3-2.20.0-3.1.x86_64/Source/WebCore/rendering/RenderElement.cpp:936
#13 0x00007fc895c1400f in WebCore::RenderLayerModelObject::willBeDestroyed () at /usr/src/debug/webkit2gtk3-2.20.0-3.1.x86_64/Source/WebCore/rendering/RenderLayerModelObject.cpp:80
#14 0x00007fc895c3a260 in WebCore::RenderObject::destroy () at /usr/src/debug/webkit2gtk3-2.20.0-3.1.x86_64/Source/WebCore/rendering/RenderObject.cpp:1477

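The re-entrancy described in the comment, as an added illustration that is not WebKit code: a render object being destroyed removes itself from the accessibility cache, the cache emits a children-changed notification, an assistive-technology listener immediately queries the object's state, and that query forces a synchronous layout while the render tree is mid-teardown. The model counts such layouts instead of crashing so the two variants can be compared; the guarded variant makes the backing-store refresh decline to lay out while the document is tearing down its render tree. All class and function names (Document, AXObjectCache, updateBackingStore, refStateSet, RenderTreeTeardownScope) are hypothetical stand-ins for the frames in the backtrace, not the real WebCore API.

```cpp
// Constructed model of the crash path in the backtrace (hypothetical names,
// not WebCore's own classes or functions).
#include <cassert>
#include <functional>
#include <vector>

class Document {
public:
    // Marks the window in which a RenderObject is being destroyed
    // (the equivalent of being inside RenderObject::willBeDestroyed()).
    struct RenderTreeTeardownScope {
        explicit RenderTreeTeardownScope(Document& doc) : m_doc(doc) { ++m_doc.m_teardownDepth; }
        ~RenderTreeTeardownScope() { --m_doc.m_teardownDepth; }
        Document& m_doc;
    };

    bool isTearingDownRenderTree() const { return m_teardownDepth > 0; }

    // Stand-in for Document::updateLayout(). Laying out while the render tree
    // is being destroyed is the invariant violation the real code reports via
    // WTFCrash(); here it is counted so the scenario can be checked.
    void updateLayout()
    {
        if (isTearingDownRenderTree()) {
            ++m_layoutsDuringTeardown;
            return;
        }
        ++m_layouts;
    }

    int layoutsDuringTeardown() const { return m_layoutsDuringTeardown; }
    int layouts() const { return m_layouts; }

private:
    int m_teardownDepth = 0;
    int m_layouts = 0;
    int m_layoutsDuringTeardown = 0;
};

// Stand-in for AccessibilityObject::updateBackingStore(): before answering an
// accessibility query it brings layout up to date. The guarded form skips that
// when the query arrives from inside render tree destruction.
void updateBackingStore(Document& doc, bool guarded)
{
    if (guarded && doc.isTearingDownRenderTree())
        return; // answer from the current backing store; do not force layout now
    doc.updateLayout();
}

// Stand-in for webkitAccessibleRefStateSet(): an ATK state query.
void refStateSet(Document& doc, bool guarded)
{
    updateBackingStore(doc, guarded);
}

// Stand-in for AXObjectCache: remove() emits a children-changed notification
// that an assistive technology (orca in the report) reacts to synchronously.
class AXObjectCache {
public:
    using Listener = std::function<void(Document&)>;
    void addChildrenChangedListener(Listener l) { m_listeners.push_back(std::move(l)); }
    void remove(Document& doc)
    {
        for (auto& l : m_listeners)
            l(doc);
    }
private:
    std::vector<Listener> m_listeners;
};

// Stand-in for RenderObject::willBeDestroyed(): detach from the AX cache while
// the teardown scope is active.
void destroyRenderObject(Document& doc, AXObjectCache& cache)
{
    Document::RenderTreeTeardownScope scope(doc);
    cache.remove(doc);
}

// Runs the whole scenario and returns how many layouts were forced mid-teardown.
int layoutsForcedDuringDestruction(bool guarded)
{
    Document doc;
    AXObjectCache cache;
    cache.addChildrenChangedListener([guarded](Document& d) { refStateSet(d, guarded); });
    destroyRenderObject(doc, cache);
    return doc.layoutsDuringTeardown();
}

int main()
{
    assert(layoutsForcedDuringDestruction(false) == 1); // unguarded: layout re-entered during destruction
    assert(layoutsForcedDuringDestruction(true) == 0);  // guarded: no layout while tearing down
    return 0;
}
```

The point of the guard is where it lives: the accessibility query path, not the destruction path, is what has to know that forcing layout is unsafe right now, because the listener that triggers the query is outside WebKit's control.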