[Webkit-unassigned] [Bug 207093] New: Crash in WebKitAccessible

bugzilla-daemon at webkit.org
Sat Feb 1 09:26:39 PST 2020


https://bugs.webkit.org/show_bug.cgi?id=207093

            Bug ID: 207093
           Summary: Crash in WebKitAccessible
           Product: WebKit
           Version: WebKit Nightly Build
          Hardware: Unspecified
                OS: Unspecified
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: Accessibility
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: jonathan at jooped.co.uk
                CC: andresg_22 at apple.com,
                    webkit-bug-importer at group.apple.com

This appears to be caused by Bug 206828 which added `webkitAccessibleDetach(WEBKIT_ACCESSIBLE(wrapper))` to an already cleared wrapper.

When loading URLs in MiniBrowser in a debug build, I get the following stack trace:

#0  WTFCrash () at ../../Source/WTF/wtf/Assertions.cpp:305
#1  0x00007fffed64760b in CRASH_WITH_INFO(...) () at DerivedSources/ForwardingHeaders/wtf/Assertions.h:660
#2  0x00007fffef941d51 in webkitAccessibleDetach (accessible=0x5555556c8870) at ../../Source/WebCore/accessibility/atk/WebKitAccessible.cpp:1308
#3  0x00007fffef93befe in WebCore::AccessibilityObject::detachPlatformWrapper (this=0x7fffd6f90ac8, detachmentType=WebCore::AccessibilityDetachmentType::ElementDestroyed)
    at ../../Source/WebCore/accessibility/atk/AccessibilityObjectAtk.cpp:47
#4  0x00007fffef8b1607 in WebCore::AXCoreObject::detachWrapper (this=0x7fffd6f90ac8, detachmentType=WebCore::AccessibilityDetachmentType::ElementDestroyed)
    at ../../Source/WebCore/accessibility/AccessibilityObjectInterface.h:1158
#5  0x00007fffef8b1596 in WebCore::AXCoreObject::detach (this=0x7fffd6f90ac8, detachmentType=WebCore::AccessibilityDetachmentType::ElementDestroyed)
    at ../../Source/WebCore/accessibility/AccessibilityObjectInterface.h:1150
#6  0x00007fffef8a0326 in WebCore::AXObjectCache::remove (this=0x7fffd6f47000, axID=1) at ../../Source/WebCore/accessibility/AXObjectCache.cpp:853
#7  0x00007fffef8a0662 in WebCore::AXObjectCache::remove (this=0x7fffd6f47000, view=0x7fffd700c010) at ../../Source/WebCore/accessibility/AXObjectCache.cpp:895
#8  0x00007ffff082a02a in WebCore::FrameView::removeFromAXObjectCache (this=0x7fffd700c010) at ../../Source/WebCore/page/FrameView.cpp:280
#9  0x00007ffff082a2d4 in WebCore::FrameView::prepareForDetach (this=0x7fffd700c010) at ../../Source/WebCore/page/FrameView.cpp:329
#10 0x00007ffff0823860 in WebCore::Frame::setView (this=0x7fffd6fca348, view=...) at ../../Source/WebCore/page/Frame.cpp:228
#11 0x00007ffff08261a9 in WebCore::Frame::createView (this=0x7fffd6fca348, viewportSize=..., backgroundColor=..., fixedLayoutSize=..., fixedVisibleContentRect=..., useFixedLayout=false, 
    horizontalScrollbarMode=WebCore::ScrollbarAuto, horizontalLock=false, verticalScrollbarMode=WebCore::ScrollbarAuto, verticalLock=false) at ../../Source/WebCore/page/Frame.cpp:806
#12 0x00007fffee6d08a4 in WebKit::WebFrameLoaderClient::transitionToCommittedForNewPage (this=0x7fffd6ff3340) at ../../Source/WebKit/WebProcess/WebCoreSupport/WebFrameLoaderClient.cpp:1510
#13 0x00007ffff068bda0 in WebCore::FrameLoader::transitionToCommitted (this=0x7fffd6f80000, cachedPage=0x0) at ../../Source/WebCore/loader/FrameLoader.cpp:2222
#14 0x00007ffff068b062 in WebCore::FrameLoader::commitProvisionalLoad (this=0x7fffd6f80000) at ../../Source/WebCore/loader/FrameLoader.cpp:2041
#15 0x00007ffff06432f5 in WebCore::DocumentLoader::commitIfReady (this=0x7fffd6f4f000) at ../../Source/WebCore/loader/DocumentLoader.cpp:367
#16 0x00007ffff0646a31 in WebCore::DocumentLoader::commitLoad (this=0x7fffd6f4f000, 


`AccessibilityObject::detachPlatformWrapper` gets called after `AXObjectCache::detachWrapper` with the new patch; it looks as if the if statement should perhaps return early.
