Diff
Modified: branches/safari-536.26-branch/LayoutTests/ChangeLog (124095 => 124096)
--- branches/safari-536.26-branch/LayoutTests/ChangeLog 2012-07-30 21:53:03 UTC (rev 124095)
+++ branches/safari-536.26-branch/LayoutTests/ChangeLog 2012-07-30 22:02:45 UTC (rev 124096)
@@ -1,5 +1,19 @@
2012-07-30 Lucas Forschler <lforsch...@apple.com>
+ Merge 118213
+
+ 2012-05-23 Chris Fleizach <cfleiz...@apple.com>
+
+ Regression(r112694): Crash in WebCore::AXObjectCache::postNotification
+ https://bugs.webkit.org/show_bug.cgi?id=86029
+
+ Reviewed by Abhishek Arya.
+
+ * accessibility/content-changed-notification-causes-crash-expected.txt: Added.
+ * accessibility/content-changed-notification-causes-crash.html: Added.
+
+2012-07-30 Lucas Forschler <lforsch...@apple.com>
+
Merge 117801
2012-05-21 Brady Eidson <beid...@apple.com>
Copied: branches/safari-536.26-branch/LayoutTests/accessibility/content-changed-notification-causes-crash-expected.txt (from rev 118213, trunk/LayoutTests/accessibility/content-changed-notification-causes-crash-expected.txt) (0 => 124096)
--- branches/safari-536.26-branch/LayoutTests/accessibility/content-changed-notification-causes-crash-expected.txt (rev 0)
+++ branches/safari-536.26-branch/LayoutTests/accessibility/content-changed-notification-causes-crash-expected.txt 2012-07-30 22:02:45 UTC (rev 124096)
@@ -0,0 +1,11 @@
+>>
+Ensures that this snippet does not lead to a crash. Bug 86029.
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+PASS. WebKit did not crash.
+PASS successfullyParsed is true
+
+TEST COMPLETE
+
Copied: branches/safari-536.26-branch/LayoutTests/accessibility/content-changed-notification-causes-crash.html (from rev 118213, trunk/LayoutTests/accessibility/content-changed-notification-causes-crash.html) (0 => 124096)
--- branches/safari-536.26-branch/LayoutTests/accessibility/content-changed-notification-causes-crash.html (rev 0)
+++ branches/safari-536.26-branch/LayoutTests/accessibility/content-changed-notification-causes-crash.html 2012-07-30 22:02:45 UTC (rev 124096)
@@ -0,0 +1,38 @@
+<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML//EN">
+<html>
+<head>
+<script src=""
+</head>
+<body>
+
+<div id="group" tabindex="0">
+
+<ul role=textbox style='-webkit-transition: -webkit-transform linear 1117401740208157342s; content: counters(c, ".", disc); '>><keygen autofocus="">><body style='outline-style: ridge; font: normal normal 29266em/9999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999 Ahem, serif; '>
+
+</div>
+
+<p id="description"></p>
+<div id="console"></div>
+
+<script>
+ description("Ensures that this snippet does not lead to a crash. Bug 86029.");
+
+ function walkAccessibilityTree(accessibilityObject) {
+ var count = accessibilityObject.childrenCount;
+ for (var i = 0; i < count; ++i)
+ accessibilityObject.childAtIndex(i);
+ }
+
+ if (window.accessibilityController) {
+
+ document.getElementById("group").focus();
+ var focusedElement = accessibilityController.focusedElement;
+ walkAccessibilityTree(focusedElement);
+
+ document.getElementById('console').innerHTML += "PASS. WebKit did not crash.<br>";
+ }
+</script>
+
+<script src=""
+</body>
+</html>
Modified: branches/safari-536.26-branch/Source/WebCore/ChangeLog (124095 => 124096)
--- branches/safari-536.26-branch/Source/WebCore/ChangeLog 2012-07-30 21:53:03 UTC (rev 124095)
+++ branches/safari-536.26-branch/Source/WebCore/ChangeLog 2012-07-30 22:02:45 UTC (rev 124096)
@@ -1,5 +1,24 @@
2012-07-30 Lucas Forschler <lforsch...@apple.com>
+ Merge 118213
+
+ 2012-05-23 Chris Fleizach <cfleiz...@apple.com>
+
+ Regression(r112694): Crash in WebCore::AXObjectCache::postNotification
+ https://bugs.webkit.org/show_bug.cgi?id=86029
+
+ Reviewed by Abhishek Arya.
+
+ Test: accessibility/content-changed-notification-causes-crash.html
+
+ * accessibility/AccessibilityObject.h:
+ (WebCore::AccessibilityObject::isDetached):
+ (AccessibilityObject):
+ * accessibility/AccessibilityRenderObject.cpp:
+ (WebCore::AccessibilityRenderObject::contentChanged):
+
+2012-07-30 Lucas Forschler <lforsch...@apple.com>
+
Merge 117792
2012-05-21 Stephen Chenney <schen...@chromium.org>
Modified: branches/safari-536.26-branch/Source/WebCore/accessibility/AccessibilityObject.h (124095 => 124096)
--- branches/safari-536.26-branch/Source/WebCore/accessibility/AccessibilityObject.h 2012-07-30 21:53:03 UTC (rev 124095)
+++ branches/safari-536.26-branch/Source/WebCore/accessibility/AccessibilityObject.h 2012-07-30 22:02:45 UTC (rev 124096)
@@ -313,7 +313,8 @@
public:
virtual ~AccessibilityObject();
virtual void detach();
-
+ virtual bool isDetached() const { return true; }
+
typedef Vector<RefPtr<AccessibilityObject> > AccessibilityChildrenVector;
virtual bool isAccessibilityRenderObject() const { return false; }
@@ -707,7 +708,6 @@
virtual ScrollableArea* getScrollableAreaIfScrollable() const { return 0; }
virtual void scrollTo(const IntPoint&) const { }
- virtual bool isDetached() const { return true; }
static bool isAccessibilityObjectSearchMatch(AccessibilityObject*, AccessibilitySearchCriteria*);
static bool isAccessibilityTextSearchMatch(AccessibilityObject*, AccessibilitySearchCriteria*);
static bool objectMatchesSearchCriteriaWithResultLimit(AccessibilityObject*, AccessibilitySearchCriteria*, AccessibilityChildrenVector&);
Modified: branches/safari-536.26-branch/Source/WebCore/accessibility/AccessibilityRenderObject.cpp (124095 => 124096)
--- branches/safari-536.26-branch/Source/WebCore/accessibility/AccessibilityRenderObject.cpp 2012-07-30 21:53:03 UTC (rev 124095)
+++ branches/safari-536.26-branch/Source/WebCore/accessibility/AccessibilityRenderObject.cpp 2012-07-30 22:02:45 UTC (rev 124096)
@@ -3428,8 +3428,14 @@
if (parent->supportsARIALiveRegion())
cache->postNotification(renderParent, AXObjectCache::AXLiveRegionChanged, true);
- if (parent->isARIATextControl() && !parent->isNativeTextControl() && !parent->node()->isContentEditable())
+ if (parent->isARIATextControl() && !parent->isNativeTextControl() && !parent->node()->isContentEditable()) {
+ // isContentEditable() might trigger a layout update and invalidate the parent.
+ ASSERT(!parent->renderer() || parent->renderer() == renderParent);
+ if (parent->isDetached())
+ break;
+
cache->postNotification(renderParent, AXObjectCache::AXValueChanged, true);
+ }
}
}