Title: [205865] trunk/Source/WebCore
Revision
205865
Author
n_w...@apple.com
Date
2016-09-13 11:20:28 -0700 (Tue, 13 Sep 2016)

Log Message

AX: Crash at AccessibilityRenderObject::computeAccessibilityIsIgnored const  + 552
https://bugs.webkit.org/show_bug.cgi?id=161276

Reviewed by Chris Fleizach.

Sometimes when calling JavaScript removeChild or setAttribute on a node, it seems like
the renderer is deallocated during the process of computeAccessibilityIsIgnored. It's
causing a crash when we are accessing the renderer after that. Since RenderObject is not ref
counted and we cannot hold onto it for the duration of the function, I fixed it by adding
more nil checks.

Despite my best efforts, I couldn't make a layout test that destroys the renderer within
the computeAccessibilityIsIgnored function.

* accessibility/AccessibilityRenderObject.cpp:
(WebCore::AccessibilityRenderObject::computeAccessibilityIsIgnored):

Modified Paths

Diff

Modified: trunk/Source/WebCore/ChangeLog (205864 => 205865)


--- trunk/Source/WebCore/ChangeLog	2016-09-13 17:53:25 UTC (rev 205864)
+++ trunk/Source/WebCore/ChangeLog	2016-09-13 18:20:28 UTC (rev 205865)
@@ -1,3 +1,22 @@
+2016-09-13  Nan Wang  <n_w...@apple.com>
+
+        AX: Crash at AccessibilityRenderObject::computeAccessibilityIsIgnored const  + 552
+        https://bugs.webkit.org/show_bug.cgi?id=161276
+
+        Reviewed by Chris Fleizach.
+
+        Sometimes when calling _javascript_ removeChild or setAttribute on a node, it seems like
+        the renderer is deallocated during the process of computeAccessibilityIsIgnored. It's 
+        causing a crash when we are accessing the renderer after that. Since RenderObject is not ref
+        counted and we cannot hold onto it for the duration of the function, fixed it by adding
+        more nil checks.
+
+        Despite my best efforts, I couldn't make a layout test that destroys the renderer within
+        the computeAccessibilityIsIgnored function. 
+
+        * accessibility/AccessibilityRenderObject.cpp:
+        (WebCore::AccessibilityRenderObject::computeAccessibilityIsIgnored):
+
 2016-09-12  Jer Noble  <jer.no...@apple.com>
 
         Media-source backed elements block load event; cause web-platform-test flakiness
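Review bot: the ChangeLog entry should name the two call sites that the code change guards, correspondingControlForLabelElement() and the walk up the parent chain, since those are the places where layout can be re-entered and m_renderer cleared; a future reader of this entry has no way to find them from "adding more nil checks". Also, WebKit C++ uses nullptr rather than nil, so "null checks" reads better here.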

Modified: trunk/Source/WebCore/accessibility/AccessibilityRenderObject.cpp (205864 => 205865)


--- trunk/Source/WebCore/accessibility/AccessibilityRenderObject.cpp	2016-09-13 17:53:25 UTC (rev 205864)
+++ trunk/Source/WebCore/accessibility/AccessibilityRenderObject.cpp	2016-09-13 18:20:28 UTC (rev 205865)
@@ -1189,6 +1189,10 @@
     AccessibilityObject* controlObject = correspondingControlForLabelElement();
     if (controlObject && !controlObject->exposesTitleUIElement() && controlObject->isCheckboxOrRadio())
         return true;
+    
+    // https://webkit.org/b/161276 Getting the controlObject might cause the m_renderer to be nullptr.
+    if (!m_renderer)
+        return true;
 
     if (m_renderer->isBR())
         return true;
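Review bot: the new `if (!m_renderer) return true;` only protects the reads that follow it; if the re-entrancy triggered by correspondingControlForLabelElement() can also destroy the AccessibilityRenderObject itself, reading m_renderer here is still a use-after-free, so the ChangeLog or a comment should state which caller holds a reference to `this` for the duration of computeAccessibilityIsIgnored(). It is also worth a comment on why `true` (ignored) is the right answer for a detached object rather than letting the caller handle the missing renderer.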
@@ -1208,6 +1212,10 @@
                 return true;
         }
         
+        // Walking up the parent chain might reset the m_renderer.
+        if (!m_renderer)
+            return true;
+        
         // The alt attribute may be set on a text fragment through CSS, which should be honored.
         if (is<RenderTextFragment>(renderText)) {
             AccessibilityObjectInclusion altTextInclusion = objectInclusionFromAltText(downcast<RenderTextFragment>(renderText).altText());
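Review bot: the added m_renderer check does not cover the next line, which dereferences `renderText`, a local obtained before the parent-chain walk (outside this hunk). If walking the parent chain can deallocate the renderer, as the ChangeLog says, `renderText` dangles and `is<RenderTextFragment>(renderText)` on the following line reads freed memory regardless of m_renderer being null; either re-derive `renderText` from m_renderer after the check or confirm in a comment that the walk can only clear m_renderer without destroying the RenderText it referred to.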