Title: [124096] branches/safari-536.26-branch

Diff

Modified: branches/safari-536.26-branch/LayoutTests/ChangeLog (124095 => 124096)


--- branches/safari-536.26-branch/LayoutTests/ChangeLog	2012-07-30 21:53:03 UTC (rev 124095)
+++ branches/safari-536.26-branch/LayoutTests/ChangeLog	2012-07-30 22:02:45 UTC (rev 124096)
@@ -1,5 +1,19 @@
 2012-07-30  Lucas Forschler  <lforsch...@apple.com>
 
+    Merge 118213
+
+    2012-05-23  Chris Fleizach  <cfleiz...@apple.com>
+
+            Regression(r112694): Crash in WebCore::AXObjectCache::postNotification
+            https://bugs.webkit.org/show_bug.cgi?id=86029
+
+            Reviewed by Abhishek Arya.
+
+            * accessibility/content-changed-notification-causes-crash-expected.txt: Added.
+            * accessibility/content-changed-notification-causes-crash.html: Added.
+
+2012-07-30  Lucas Forschler  <lforsch...@apple.com>
+
     Merge 117801
 
     2012-05-21  Brady Eidson  <beid...@apple.com>

Copied: branches/safari-536.26-branch/LayoutTests/accessibility/content-changed-notification-causes-crash-expected.txt (from rev 118213, trunk/LayoutTests/accessibility/content-changed-notification-causes-crash-expected.txt) (0 => 124096)


--- branches/safari-536.26-branch/LayoutTests/accessibility/content-changed-notification-causes-crash-expected.txt	                        (rev 0)
+++ branches/safari-536.26-branch/LayoutTests/accessibility/content-changed-notification-causes-crash-expected.txt	2012-07-30 22:02:45 UTC (rev 124096)
@@ -0,0 +1,11 @@
+>>
+Ensures that this snippet does not lead to a crash. Bug 86029.
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+PASS. WebKit did not crash.
+PASS successfullyParsed is true
+
+TEST COMPLETE
+

Copied: branches/safari-536.26-branch/LayoutTests/accessibility/content-changed-notification-causes-crash.html (from rev 118213, trunk/LayoutTests/accessibility/content-changed-notification-causes-crash.html) (0 => 124096)


--- branches/safari-536.26-branch/LayoutTests/accessibility/content-changed-notification-causes-crash.html	                        (rev 0)
+++ branches/safari-536.26-branch/LayoutTests/accessibility/content-changed-notification-causes-crash.html	2012-07-30 22:02:45 UTC (rev 124096)
@@ -0,0 +1,38 @@
+<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML//EN"> 
+<html>
+<head>
+<script src=""
+</head>
+<body>
+
+<div id="group" tabindex="0">
+
+<ul role=textbox style='-webkit-transition: -webkit-transform linear 1117401740208157342s; content: counters(c, ".", disc); '>><keygen autofocus="">><body style='outline-style: ridge; font: normal normal 29266em/9999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999 Ahem, serif; '>
+ 
+</div>
+
+<p id="description"></p>
+<div id="console"></div>
+ 
+<script>
+    description("Ensures that this snippet does not lead to a crash. Bug 86029.");
+
+    function walkAccessibilityTree(accessibilityObject) {
+        var count = accessibilityObject.childrenCount;
+        for (var i = 0; i < count; ++i)
+            accessibilityObject.childAtIndex(i);
+    }
+
+    if (window.accessibilityController) {
+
+        document.getElementById("group").focus();
+        var focusedElement = accessibilityController.focusedElement;
+        walkAccessibilityTree(focusedElement);
+
+        document.getElementById('console').innerHTML += "PASS. WebKit did not crash.<br>";
+    }
+</script>
+
+<script src=""
+</body>
+</html>

Modified: branches/safari-536.26-branch/Source/WebCore/ChangeLog (124095 => 124096)


--- branches/safari-536.26-branch/Source/WebCore/ChangeLog	2012-07-30 21:53:03 UTC (rev 124095)
+++ branches/safari-536.26-branch/Source/WebCore/ChangeLog	2012-07-30 22:02:45 UTC (rev 124096)
@@ -1,5 +1,24 @@
 2012-07-30  Lucas Forschler  <lforsch...@apple.com>
 
+    Merge 118213
+
+    2012-05-23  Chris Fleizach  <cfleiz...@apple.com>
+
+            Regression(r112694): Crash in WebCore::AXObjectCache::postNotification 
+            https://bugs.webkit.org/show_bug.cgi?id=86029
+
+            Reviewed by Abhishek Arya.
+
+            Test: accessibility/content-changed-notification-causes-crash.html
+
+            * accessibility/AccessibilityObject.h:
+            (WebCore::AccessibilityObject::isDetached):
+            (AccessibilityObject):
+            * accessibility/AccessibilityRenderObject.cpp:
+            (WebCore::AccessibilityRenderObject::contentChanged):
+
+2012-07-30  Lucas Forschler  <lforsch...@apple.com>
+
     Merge 117792
 
     2012-05-21  Stephen Chenney  <schen...@chromium.org>

Modified: branches/safari-536.26-branch/Source/WebCore/accessibility/AccessibilityObject.h (124095 => 124096)


--- branches/safari-536.26-branch/Source/WebCore/accessibility/AccessibilityObject.h	2012-07-30 21:53:03 UTC (rev 124095)
+++ branches/safari-536.26-branch/Source/WebCore/accessibility/AccessibilityObject.h	2012-07-30 22:02:45 UTC (rev 124096)
@@ -313,7 +313,8 @@
 public:
     virtual ~AccessibilityObject();
     virtual void detach();
-        
+    virtual bool isDetached() const { return true; }
+
     typedef Vector<RefPtr<AccessibilityObject> > AccessibilityChildrenVector;
     
     virtual bool isAccessibilityRenderObject() const { return false; }
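Review bot: `isDetached()` is now public next to `detach()`, but nothing explains why the base-class default is `true`. The new caller in `AccessibilityRenderObject::contentChanged` breaks out of its loop when this returns `true`, so a subclass that does not override it would always be treated as detached; the overrides are not visible in this diff. A comment along the lines of `// True when the object has no backing renderer/node. The base class has none, so subclasses with a backing object must override.` would state the contract, assuming that is the intended meaning.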
@@ -707,7 +708,6 @@
     virtual ScrollableArea* getScrollableAreaIfScrollable() const { return 0; }
     virtual void scrollTo(const IntPoint&) const { }
 
-    virtual bool isDetached() const { return true; }
     static bool isAccessibilityObjectSearchMatch(AccessibilityObject*, AccessibilitySearchCriteria*);
     static bool isAccessibilityTextSearchMatch(AccessibilityObject*, AccessibilitySearchCriteria*);
     static bool objectMatchesSearchCriteriaWithResultLimit(AccessibilityObject*, AccessibilitySearchCriteria*, AccessibilityChildrenVector&);

Modified: branches/safari-536.26-branch/Source/WebCore/accessibility/AccessibilityRenderObject.cpp (124095 => 124096)


--- branches/safari-536.26-branch/Source/WebCore/accessibility/AccessibilityRenderObject.cpp	2012-07-30 21:53:03 UTC (rev 124095)
+++ branches/safari-536.26-branch/Source/WebCore/accessibility/AccessibilityRenderObject.cpp	2012-07-30 22:02:45 UTC (rev 124096)
@@ -3428,8 +3428,14 @@
         if (parent->supportsARIALiveRegion())
             cache->postNotification(renderParent, AXObjectCache::AXLiveRegionChanged, true);
 
-        if (parent->isARIATextControl() && !parent->isNativeTextControl() && !parent->node()->isContentEditable())
+        if (parent->isARIATextControl() && !parent->isNativeTextControl() && !parent->node()->isContentEditable()) {
+            // isContentEditable() might trigger a layout update and invalidate the parent.
+            ASSERT(!parent->renderer() || parent->renderer() == renderParent);
+            if (parent->isDetached())
+                break;
+            
             cache->postNotification(renderParent, AXObjectCache::AXValueChanged, true);
+        }
     }
 }
     
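Review bot: The added ASSERT and `parent->isDetached()` check both dereference `parent` after `isContentEditable()`, which the new comment says may trigger a layout update and invalidate the parent. The declaration of `parent` is outside this hunk; if it is a raw `AccessibilityObject*` taken from the cache, a layout that drops the object from the cache could free it, and the guard itself would then read freed memory. Holding a reference across the call, e.g. `RefPtr<AccessibilityObject> protector(parent);` before the `if`, would keep the object alive so that `isDetached()` is safe to ask. The ASSERT is compiled out of release builds, so `isDetached()` is the only runtime protection against posting a notification for a stale `renderParent`. The enclosing loop in `contentChanged` starts outside the hunk.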