Control: reassign -1 webkitgtk 2.4.10-1
Control: retitle -1 webkitgtk: segmentation fault in WebCore::AXObjectCache::handleAttributeChanged
Control: forwarded -1 https://bugs.webkit.org/show_bug.cgi?id=155694

Hi,

thanks for reporting this issue! I was able to reproduce it:

> #0 WebCore::AXObjectCache::handleAttributeChanged (this=0x37282120000, attrName=..., element=0x3de3a27f80) at ../Source/WebCore/accessibility/AXObjectCache.cpp:880
> No locals.
> #1 0x0000037294b7c2ba in WebCore::Element::attributeChanged (this=0x3de3a27f80, name=..., oldValue=..., newValue=...) at ../Source/WebCore/dom/Element.cpp:1137
>         cache = <optimized out>
>         styleResolver = 0x3728213b000
>         testShouldInvalidateStyle = <optimized out>
>         shouldInvalidateStyle = <optimized out>
> #2 0x0000037294b7b790 in WebCore::Element::didModifyAttribute (this=this@entry=0x3de3a27f80, name=..., oldValue=..., newValue=...) at ../Source/WebCore/dom/Element.cpp:2851
> No locals.
> #3 0x0000037294b829dd in WebCore::Element::setAttributeInternal (this=this@entry=0x3de3a27f80, index=<optimized out>, name=..., newValue=..., inSynchronizationOfLazyAttribute=inSynchronizationOfLazyAttribute@entry=WebCore::Element::NotInSynchronizationOfLazyAttribute) at ../Source/WebCore/dom/Element.cpp:1075
>         oldValue = {m_string = {m_impl = {m_ptr = 0x3720ea03fa0}}}
>         attributeName = @0x3720eb03bb0: {m_impl = 0x656469772d626174}
> #4 0x0000037294b7fdb4 in WebCore::Element::setAttribute (this=this@entry=0x3de3a27f80, name=..., value=...) at ../Source/WebCore/dom/Element.cpp:1034
>         index = <optimized out>
> #5 0x000003729540a3d9 in WebCore::setJSElementClassName (exec=<optimized out>, thisValue=<optimized out>, encodedValue=3788365550960) at DerivedSources/WebCore/JSElement.cpp:1564
>         castedThis = <optimized out>
>         nativeValue = @0x388d5cc7d90: {m_impl = {m_ptr = 0x3720f0da540}}
> #6 0x0000037292b03984 in JSC::putEntry (exec=0x372384b8448, entry=0x372821fcf50, base=0x3724208e6d0, propertyName=..., value=..., slot=...) at ../Source/JavaScriptCore/runtime/Lookup.h:302
> No locals.
> #7 0x0000037292b0000a in JSC::JSObject::put (cell=0x3724208e6d0, exec=0x372384b8448, propertyName=..., value=..., slot=...) at ../Source/JavaScriptCore/runtime/JSObject.cpp:400
>         entry = <optimized out>
>         attributes = 3613204953
>         specificValue = 0x372821b6d80
>         offset = <optimized out>
>         info = 0x37282120000
>         i = <optimized out>
>         prototype = <optimized out>
>         obj = 0x3724208e6d0
> #8 0x00000372929d4a0c in JSC::JSValue::put (slot=..., value=..., propertyName=..., exec=0x372384b8448, this=0x388d5cc7f30) at ../Source/JavaScriptCore/runtime/JSCJSValueInlines.h:703
> No locals.
> #9 JSC::LLInt::llint_slow_path_put_by_id (exec=0x372384b8448, pc=0x3722544b300) at ../Source/JavaScriptCore/llint/LLIntSlowPaths.cpp:590
>         codeBlock = 0x3720c2d1900
>         ident = <optimized out>
>         baseValue = {static numberOfInt52Bits = 52, static int52ShiftAmount = 12, u = {asInt64 = 3789269034704, ptr = 0x3724208e6d0, asBits = {payload = 1107879632, tag = 882}}}
>         slot = {m_type = JSC::PutPropertySlot::Uncachable, m_base = 0x0, m_thisValue = {static numberOfInt52Bits = 52, static int52ShiftAmount = 12, u = {asInt64 = 3789269034704, ptr = 0x3724208e6d0, asBits = {payload = 1107879632, tag = 882}}}, m_offset = -1835175675, m_isStrictMode = false, m_context = 1 '\001', m_putFunction = 0x0}
> #10 0x00000372929df2f3 in llint_op_put_by_id () from /usr/lib/x86_64-linux-gnu/libjavascriptcoregtk-3.0.so.0
> No symbol table info available.
> #11 0x0000000000000000 in ?? ()
> No symbol table info available.

This seems to be a regression from webkit 2.4.10 [1]. I'm therefore reassigning to webkitgtk.

Kind regards,
Reiner

[1]: https://bugs.webkit.org/show_bug.cgi?id=155694