[Webkit-unassigned] [Bug 234739] New: AX: web process crash with isolated tree mode enabled

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Wed Dec 29 06:58:54 PST 2021 

https://bugs.webkit.org/show_bug.cgi?id=234739

            Bug ID: 234739
           Summary: AX: web process crash with isolated tree mode enabled
           Product: WebKit
           Version: WebKit Nightly Build
          Hardware: All
                OS: All
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: Accessibility
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: cgarcia at igalia.com
                CC: andresg_22 at apple.com,
                    webkit-bug-importer at group.apple.com

#0  0x00007f6a18cad3fc in WebCore::AccessibilityObjectAtspi::attach(WebCore::AXCoreObject*) () from libwebkit2gtk-4.1.so.0
#1  0x00007f6a18ceb0ff in WebCore::AXIsolatedTree::createSubtree(WebCore::AXCoreObject&, WTF::ObjectIdentifier<WebCore::AXIDType>, bool) ()
   from libwebkit2gtk-4.1.so.0
#2  0x00007f6a18ceb449 in WebCore::AXIsolatedTree::generateSubtree(WebCore::AXCoreObject&, WebCore::AXCoreObject*, bool) [clone .part.0] ()
   from libwebkit2gtk-4.1.so.0
#3  0x00007f6a18cebf2c in WebCore::AXIsolatedTree::updateChildren(WebCore::AXCoreObject&) () from libwebkit2gtk-4.1.so.0
#4  0x00007f6a18c468bf in WebCore::AXObjectCache::updateIsolatedTree(WTF::Vector<std::pair<WTF::RefPtr<WebCore::AXCoreObject, WTF::RawPtrTraits<WebCore::AXCoreObject>, WTF::DefaultRefDerefTraits<WebCore::AXCoreObject> >, WebCore::AXObjectCache::AXNotification>, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc> const&) () from libwebkit2gtk-4.1.so.0
#5  0x00007f6a18c46afb in WebCore::AXObjectCache::notificationPostTimerFired() () from libwebkit2gtk-4.1.so.0
#6  0x00007f6a198b597f in WebCore::ThreadTimers::sharedTimerFiredInternal() [clone .part.0] () from libwebkit2gtk-4.1.so.0
#7  0x00007f6a1674bd15 in WTF::RunLoop::TimerBase::TimerBase(WTF::RunLoop&)::{lambda(void*)#1}::_FUN(void*) () from libjavascriptcoregtk-4.1.so.0
#8  0x00007f6a1674c2af in WTF::RunLoop::{lambda(_GSource*, int (*)(void*), void*)#1}::_FUN(_GSource*, int (*)(void*), void*) () from libjavascriptcoregtk-4.1.so.0
#9  0x00007f6a16b2e5c4 in g_main_dispatch (context=0x55bbde8f2260) at ../glib/gmain.c:3381
#10 g_main_context_dispatch (context=0x55bbde8f2260) at ../glib/gmain.c:4099
#11 0x00007f6a16b2e928 in g_main_context_iterate (context=0x55bbde8f2260, block=block at entry=1, dispatch=dispatch at entry=1, self=<optimized out>) at ../glib/gmain.c:4175
#12 0x00007f6a16b2ec03 in g_main_loop_run (loop=0x55bbdea74600) at ../glib/gmain.c:4373
#13 0x00007f6a1674c3d0 in WTF::RunLoop::run() () from libjavascriptcoregtk-4.1.so.0
#14 0x00007f6a1816f5ff in int WebKit::AuxiliaryProcessMain<WebKit::WebProcessMainGtk>(int, char**) () from libwebkit2gtk-4.1.so.0
#15 0x00007f6a16f877ed in __libc_start_main (main=0x55bbdcef46a0 <main>, argc=3, argv=0x7ffc8a5b7ae8, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, 
    stack_end=0x7ffc8a5b7ad8) at ../csu/libc-start.c:332
#16 0x000055bbdcef46da in _start ()

The wrapper we try to attach has already been deleted. This is what happens:

1.- children changed notification
2.- AXIsolatedTree::updateChildren() calls generateSubtree() to add a new child.
3.- generateSubtree() calls createSubtree() that creates the AXIsolatedObject
4.- AXIsolatedObject::initializeAttributeData() calls AccessibilityObject::computedLabel() to initialize the computed label property
5.- AccessibilityObject::computedLabel() calls updateBackingStore that triggers a layout
6.- The layout ends up removing the new node from the cache, causing the wrapper to be detached and destroyed.
7.- AXIsolatedObject::create() finishes and now axObject.wrapper() is nullptr when attachPlatformWrapper is called.

I think we can just get rid of computedLabel for isolated objects, since that is only used by the inspector that uses the AccessibilityObject directly.

-- 
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-unassigned/attachments/20211229/70a77cb8/attachment.htm>

More information about the webkit-unassigned mailing list