Diff
Modified: branches/safari-604.1.38.1-branch/LayoutTests/ChangeLog (220587 => 220588)
--- branches/safari-604.1.38.1-branch/LayoutTests/ChangeLog 2017-08-11 15:16:56 UTC (rev 220587)
+++ branches/safari-604.1.38.1-branch/LayoutTests/ChangeLog 2017-08-11 15:17:01 UTC (rev 220588)
@@ -1,5 +1,21 @@
2017-08-11 Jason Marcell <jmarc...@apple.com>
+ Cherry-pick r220551. rdar://problem/33594320
+
+ 2017-08-10 Nan Wang <n_w...@apple.com>
+
+ AX: crash at WebCore::AccessibilityObject::supportsARIALiveRegion() const + 24
+ https://bugs.webkit.org/show_bug.cgi?id=175340
+ <rdar://problem/33782159>
+
+ Reviewed by Chris Fleizach.
+
+ * accessibility/add-children-pseudo-element-expected.txt: Added.
+ * accessibility/add-children-pseudo-element.html: Added.
+ * accessibility/resources/svg-circle.svg: Added.
+
+2017-08-11 Jason Marcell <jmarc...@apple.com>
+
Cherry-pick r220463. rdar://problem/33594320
2017-08-09 Nan Wang <n_w...@apple.com>
Modified: branches/safari-604.1.38.1-branch/LayoutTests/accessibility/resources/svg-circle.svg (220587 => 220588)
--- branches/safari-604.1.38.1-branch/LayoutTests/accessibility/resources/svg-circle.svg 2017-08-11 15:16:56 UTC (rev 220587)
+++ branches/safari-604.1.38.1-branch/LayoutTests/accessibility/resources/svg-circle.svg 2017-08-11 15:17:01 UTC (rev 220588)
@@ -1,6 +1,13 @@
+<<<<<<< HEAD
<svg xmlns="http://www.w3.org/2000/svg">
<g>
<text style="float:right"></text>
+=======
+<svg viewBox="0 0 95 50"
+ xmlns="http://www.w3.org/2000/svg">
+ <g stroke="green" fill="white" stroke-width="5">
+ <circle cx="25" cy="25" r="15"/>
+>>>>>>> 44546a209fa... AX: crash at WebCore::AccessibilityObject::supportsARIALiveRegion() const + 24
<text>circle</text>
</g>
</svg>
\ No newline at end of file
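Review bot: Unresolved merge-conflict markers are committed as content in this test resource: the hunk adds `<<<<<<< HEAD`, `=======` and `>>>>>>> 44546a209fa...`. The file now has text before the root element and two `<svg>` openers for a single `</svg>`, so it is not well-formed XML. The ChangeLog names accessibility/add-children-pseudo-element.html as the regression test for this crash; if that test loads this resource, the use-after-free path may not actually be exercised on this branch. Resolve the conflict by removing the three marker lines and keeping only the `<svg>`/`<g>` opener that r220551 intends, then re-run the test to confirm that it still reproduces the crash without the fix.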
Modified: branches/safari-604.1.38.1-branch/Source/WebCore/ChangeLog (220587 => 220588)
--- branches/safari-604.1.38.1-branch/Source/WebCore/ChangeLog 2017-08-11 15:16:56 UTC (rev 220587)
+++ branches/safari-604.1.38.1-branch/Source/WebCore/ChangeLog 2017-08-11 15:17:01 UTC (rev 220588)
@@ -1,5 +1,34 @@
2017-08-11 Jason Marcell <jmarc...@apple.com>
+ Cherry-pick r220551. rdar://problem/33594320
+
+ 2017-08-10 Nan Wang <n_w...@apple.com>
+
+ AX: crash at WebCore::AccessibilityObject::supportsARIALiveRegion() const + 24
+ https://bugs.webkit.org/show_bug.cgi?id=175340
+ <rdar://problem/33782159>
+
+ Reviewed by Chris Fleizach.
+
+ The issue here is that we manualy set the parent object of the AccessibilitySVGRoot object
+ and there are chances that the parent doesn't detach it properly during the parent's destroying
+ process. Accessing the stale parent object will lead to a crash.
+ Fixed this by making the parent object a weak pointer so we don't access an invalid memory.
+
+ Test: accessibility/add-children-pseudo-element.html
+
+ * accessibility/AccessibilityRenderObject.cpp:
+ (WebCore::AccessibilityRenderObject::AccessibilityRenderObject):
+ * accessibility/AccessibilityRenderObject.h:
+ (WebCore::AccessibilityRenderObject::createWeakPtr):
+ * accessibility/AccessibilitySVGRoot.cpp:
+ (WebCore::AccessibilitySVGRoot::AccessibilitySVGRoot):
+ (WebCore::AccessibilitySVGRoot::setParent):
+ (WebCore::AccessibilitySVGRoot::parentObject const):
+ * accessibility/AccessibilitySVGRoot.h:
+
+2017-08-11 Jason Marcell <jmarc...@apple.com>
+
Cherry-pick r220463. rdar://problem/33594320
2017-08-09 Nan Wang <n_w...@apple.com>
Modified: branches/safari-604.1.38.1-branch/Source/WebCore/accessibility/AccessibilityRenderObject.cpp (220587 => 220588)
--- branches/safari-604.1.38.1-branch/Source/WebCore/accessibility/AccessibilityRenderObject.cpp 2017-08-11 15:16:56 UTC (rev 220587)
+++ branches/safari-604.1.38.1-branch/Source/WebCore/accessibility/AccessibilityRenderObject.cpp 2017-08-11 15:17:01 UTC (rev 220588)
@@ -109,6 +109,7 @@
AccessibilityRenderObject::AccessibilityRenderObject(RenderObject* renderer)
: AccessibilityNodeObject(renderer->node())
, m_renderer(renderer)
+ , m_weakPtrFactory(this)
{
#ifndef NDEBUG
m_renderer->setHasAXObject(true);
Modified: branches/safari-604.1.38.1-branch/Source/WebCore/accessibility/AccessibilityRenderObject.h (220587 => 220588)
--- branches/safari-604.1.38.1-branch/Source/WebCore/accessibility/AccessibilityRenderObject.h 2017-08-11 15:16:56 UTC (rev 220587)
+++ branches/safari-604.1.38.1-branch/Source/WebCore/accessibility/AccessibilityRenderObject.h 2017-08-11 15:17:01 UTC (rev 220588)
@@ -31,6 +31,7 @@
#include "AccessibilityNodeObject.h"
#include "LayoutRect.h"
#include <wtf/Forward.h>
+#include <wtf/WeakPtr.h>
namespace WebCore {
@@ -198,6 +199,8 @@
AccessibilityRole roleValueForMSAA() const override;
String passwordFieldValue() const override;
+
+ WeakPtr<AccessibilityRenderObject> createWeakPtr() { return m_weakPtrFactory.createWeakPtr(); }
protected:
explicit AccessibilityRenderObject(RenderObject*);
@@ -217,6 +220,7 @@
RenderObject* m_renderer;
private:
+ WeakPtrFactory<AccessibilityRenderObject> m_weakPtrFactory;
bool isAccessibilityRenderObject() const final { return true; }
void ariaListboxSelectedChildren(AccessibilityChildrenVector&);
void ariaListboxVisibleChildren(AccessibilityChildrenVector&);
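Review bot: The placement of `m_weakPtrFactory` determines when outstanding weak pointers stop resolving, and the hunk does not document that. The factory is declared at the top of the private section, whose remaining members lie outside this hunk. Members are destroyed in reverse declaration order, so any data member declared after the factory is torn down while weak pointers to this object still resolve. If that applies here, it would be safer to declare the factory last. Either way, a comment such as `// Revoked on destruction; AccessibilitySVGRoot holds a WeakPtr to its remote parent.` would help keep a later reordering from reintroducing a stale-parent access.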
Modified: branches/safari-604.1.38.1-branch/Source/WebCore/accessibility/AccessibilitySVGRoot.cpp (220587 => 220588)
--- branches/safari-604.1.38.1-branch/Source/WebCore/accessibility/AccessibilitySVGRoot.cpp 2017-08-11 15:16:56 UTC (rev 220587)
+++ branches/safari-604.1.38.1-branch/Source/WebCore/accessibility/AccessibilitySVGRoot.cpp 2017-08-11 15:17:01 UTC (rev 220588)
@@ -35,7 +35,6 @@
AccessibilitySVGRoot::AccessibilitySVGRoot(RenderObject* renderer)
: AccessibilitySVGElement(renderer)
- , m_parent(nullptr)
{
}
@@ -47,6 +46,14 @@
{
return adoptRef(*new AccessibilitySVGRoot(renderer));
}
+
+void AccessibilitySVGRoot::setParent(AccessibilityRenderObject *parent)
+{
+ if (parent)
+ m_parent = parent->createWeakPtr();
+ else
+ m_parent = nullptr;
+}
AccessibilityObject* AccessibilitySVGRoot::parentObject() const
{
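Review bot: The declarator in `void AccessibilitySVGRoot::setParent(AccessibilityRenderObject *parent)` is spaced differently from the rest of this file, which writes `RenderObject* renderer`; it should read `AccessibilityRenderObject* parent`. The function also has no comment explaining why the parent is stored weakly. A line such as `// Hold the remote parent weakly: it may be destroyed without calling setParent(nullptr) on us.` would record the lifetime assumption that this fix depends on. The parameter type is narrowed from `AccessibilityObject*` to `AccessibilityRenderObject*`, and the callers are outside this hunk, so it is worth confirming that each of them already passes a render object.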
@@ -53,7 +60,7 @@
// If a parent was set because this is a remote SVG resource, use that
// but otherwise, we should rely on the standard render tree for the parent.
if (m_parent)
- return m_parent;
+ return m_parent.get();
return AccessibilitySVGElement::parentObject();
}
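Review bot: The existing comment above `if (m_parent)` no longer describes the full behaviour now that `m_parent` is a `WeakPtr`. Once the remote parent has been destroyed, the check fails and the function silently returns `AccessibilitySVGElement::parentObject()`, so a remote SVG root starts reporting its render-tree parent instead. That is the safe outcome for the crash, but it should be stated, for example `// m_parent is weak: after the remote parent is destroyed we fall back to the render-tree parent.` The returned value is still a raw pointer, so the weak pointer protects only this lookup and not a caller that keeps the result across a later teardown. The function body begins in the previous hunk.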
Modified: branches/safari-604.1.38.1-branch/Source/WebCore/accessibility/AccessibilitySVGRoot.h (220587 => 220588)
--- branches/safari-604.1.38.1-branch/Source/WebCore/accessibility/AccessibilitySVGRoot.h 2017-08-11 15:16:56 UTC (rev 220587)
+++ branches/safari-604.1.38.1-branch/Source/WebCore/accessibility/AccessibilitySVGRoot.h 2017-08-11 15:17:01 UTC (rev 220588)
@@ -29,6 +29,7 @@
#pragma once
#include "AccessibilitySVGElement.h"
+#include <wtf/WeakPtr.h>
namespace WebCore {
@@ -37,7 +38,7 @@
static Ref<AccessibilitySVGRoot> create(RenderObject*);
virtual ~AccessibilitySVGRoot();
- void setParent(AccessibilityObject* parent) { m_parent = parent; }
+ void setParent(AccessibilityRenderObject*);
private:
explicit AccessibilitySVGRoot(RenderObject*);
@@ -45,7 +46,7 @@
AccessibilityObject* parentObject() const override;
bool isAccessibilitySVGRoot() const override { return true; }
- AccessibilityObject* m_parent;
+ WeakPtr<AccessibilityRenderObject> m_parent;
AccessibilityRole roleValue() const override { return GroupRole; }
};