Bug 207035

Summary: [GTK] ASSERTION FAILED: accessible->priv->object != fallbackObject()
Product: WebKit Reporter: Sergio Villar Senin <svillar>
Component: AccessibilityAssignee: Nobody <webkit-unassigned>
Status: RESOLVED DUPLICATE    
Severity: Normal CC: cgarcia, jdiggs, jonathan, mario, webkit-bug-importer
Priority: P2 Keywords: InRadar
Version: WebKit Nightly Build   
Hardware: Unspecified   
OS: Unspecified   
Attachments:
Description Flags
Backtrace
none
First call to detach
none
2nd call to detach none

Description Sergio Villar Senin 2020-01-31 02:57:29 PST 
Created attachment 389336 [details]
Backtrace

Preconditions:
WebKitGTK Debug build

Steps to reproduce:
1. Run Minibrowser

It'll crash 100% of the times

I'm attaching the whole backtrace, this is an excerpt
#0  WTFCrash () at ../../Source/WTF/wtf/Assertions.cpp:305
#1  0x00007ff7313d63c0 in CRASH_WITH_INFO(...) () at DerivedSources/ForwardingHeaders/wtf/Assertions.h:660
#2  0x00007ff73334e936 in webkitAccessibleDetach (accessible=0x562198549ea0) at ../../Source/WebCore/accessibility/atk/WebKitAccessible.cpp:1308
#3  0x00007ff733348bbe in WebCore::AccessibilityObject::detachPlatformWrapper (this=0x7ff71b48cac8, detachmentType=WebCore::AccessibilityDetachmentType::ElementDestroyed) at ../../Source/WebCore/accessibility/atk/AccessibilityObjectAtk.cpp:47
#4  0x00007ff7332ca19b in WebCore::AXCoreObject::detachWrapper (this=0x7ff71b48cac8, detachmentType=WebCore::AccessibilityDetachmentType::ElementDestroyed) at ../../Source/WebCore/accessibility/AccessibilityObjectInterface.h:1158
#5  0x00007ff7332ca12e in WebCore::AXCoreObject::detach (this=0x7ff71b48cac8, detachmentType=WebCore::AccessibilityDetachmentType::ElementDestroyed) at ../../Source/WebCore/accessibility/AccessibilityObjectInterface.h:1150
#6  0x00007ff7332ba85b in WebCore::AXObjectCache::remove (this=0x7ff71b448000, axID=1) at ../../Source/WebCore/accessibility/AXObjectCache.cpp:853
#7  0x00007ff7332bab56 in WebCore::AXObjectCache::remove (this=0x7ff71b448000, view=0x7ff71ab5c010) at ../../Source/WebCore/accessibility/AXObjectCache.cpp:895
#8  0x00007ff7340e3058 in WebCore::FrameView::removeFromAXObjectCache (this=0x7ff71ab5c010) at ../../Source/WebCore/page/FrameView.cpp:280
#9  0x00007ff7340e32ac in WebCore::FrameView::prepareForDetach (this=0x7ff71ab5c010) at ../../Source/WebCore/page/FrameView.cpp:329

I don't know much about WK's a11y but in general, dispose() methods can be called multiple times as opposed to destroy().
Comment 1 Radar WebKit Bug Importer 2020-01-31 02:57:37 PST 
<rdar://problem/59057790>
Comment 2 Sergio Villar Senin 2020-01-31 03:30:57 PST 
Created attachment 389338 [details]
First call to detach
Comment 3 Sergio Villar Senin 2020-01-31 03:31:12 PST 
Created attachment 389339 [details]
2nd call to detach
Comment 4 Sergio Villar Senin 2020-01-31 03:31:44 PST 
I've just attached a couple of backtraces of the 2 calls to detach(). The first one sets the fallback object and the second asserts because of this.
Comment 5 Jonathan Kingston 2020-02-01 10:34:20 PST 
I just saw this after filing Bug 207093, however I attached a patch there.
Comment 6 Carlos Garcia Campos 2020-02-03 01:44:25 PST 

*** This bug has been marked as a duplicate of bug 207093 ***