Title: [148493] branches/safari-536.30-branch
- Revision
- 148493
- Author
- [email protected]
- Date
- 2013-04-15 22:31:18 -0700 (Mon, 15 Apr 2013)
Log Message
Merged r139444.
Source/WebCore:
2013-01-11 Stephen Chenney <[email protected]>
Objects can be re-added to the AXObjectCache during removal
https://bugs.webkit.org/show_bug.cgi?id=104171
The problem occurs when a label's corresponding element is a sibling
that precedes it in the render tree, and the corresponding element is
removed. The corresponding element's AX render object is removed, but
then recreated when accessibilityIsIgnored() invokes correspondingControl()
on the label. The corresponding renderer then has an AX render object
that survives beyond the deleted renderer, leading to invalid memory
accesses.
The solution is to rearrange the calls to delete the renderer's AX
render object only when we are sure it will no longer be required.
Reviewed by Simon Fraser.
Test: accessibility/corresponding-control-deleted-crash.html
* rendering/RenderObject.cpp:
(WebCore::RenderObject::willBeDestroyed): Move the call to remove the
renderer from the AXCache to after the renderer is removed from the
render tree. This means that the AXObject still exists during renderer
removal, as we require.
LayoutTests:
Checked in a failing expected result for corresponding-control-deleted-crash.html,
since the test requires author shadow DOM to be enabled.
2013-01-11 Stephen Chenney <[email protected]>
Objects can be re-added to the AXObjectCache during removal
https://bugs.webkit.org/show_bug.cgi?id=104171
Reviewed by Simon Fraser.
New test which asserts with !m_hasAXObject in RenderObject::~RenderObject without the patch. Requires Shadow DOM enabled.
* accessibility/corresponding-control-deleted-crash-expected.txt: Added.
* accessibility/corresponding-control-deleted-crash.html: Added.
Diff
Modified: branches/safari-536.30-branch/LayoutTests/ChangeLog (148492 => 148493)
--- branches/safari-536.30-branch/LayoutTests/ChangeLog 2013-04-16 05:09:17 UTC (rev 148492)
+++ branches/safari-536.30-branch/LayoutTests/ChangeLog 2013-04-16 05:31:18 UTC (rev 148493)
@@ -1,5 +1,24 @@
2013-04-15 Andy Estes <[email protected]>
+ Merged r139444.
+
+ Checked in a failing expected result for corresponding-control-deleted-crash.html,
+ since the test requires author shadow DOM to be enabled.
+
+ 2013-01-11 Stephen Chenney <[email protected]>
+
+ Objects can be re-added to the AXObjectCache during removal
+ https://bugs.webkit.org/show_bug.cgi?id=104171
+
+ Reviewed by Simon Fraser.
+
+ New test which asserts with !m_hasAXObject in RenderObject::~RenderObject without the patch. Requires Shadow DOM enabled.
+
+ * accessibility/corresponding-control-deleted-crash-expected.txt: Added.
+ * accessibility/corresponding-control-deleted-crash.html: Added.
+
+2013-04-15 Andy Estes <[email protected]>
+
Merged r131670.
2012-10-17 Tom Sepez <[email protected]>
Added: branches/safari-536.30-branch/LayoutTests/accessibility/corresponding-control-deleted-crash-expected.txt (0 => 148493)
--- branches/safari-536.30-branch/LayoutTests/accessibility/corresponding-control-deleted-crash-expected.txt (rev 0)
+++ branches/safari-536.30-branch/LayoutTests/accessibility/corresponding-control-deleted-crash-expected.txt 2013-04-16 05:31:18 UTC (rev 148493)
@@ -0,0 +1,10 @@
+CONSOLE MESSAGE: line 26: TypeError: 'undefined' is not a function (evaluating 'label.webkitCreateShadowRoot()')
+Make sure that a debug assert is not triggered when a call to RenderBlock::deleteLineBoxTree calls AccessibilityRenderObject::accessibilityIsIgnored which may require the AXObject for a node that is being deleted.
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+FAIL successfullyParsed should be true (of type boolean). Was undefined (of type undefined).
+
+TEST COMPLETE
+
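Review bot: the expected result being added baselines a harness failure rather than a pass: the console line records `TypeError: 'undefined' is not a function (evaluating 'label.webkitCreateShadowRoot()')` and the output ends with `FAIL successfullyParsed should be true`, so on this branch the test script throws at the shadow-root call and never reaches the `document.body.removeChild(label)` step that exercised the original assertion. With this text as the expectation, a regression in the willBeDestroyed() ordering would still report as passing. Prefer skipping the test on this branch (where the ChangeLog says author shadow DOM is disabled) over checking in the failing output, or make the test tolerate the missing feature so it can complete.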
Added: branches/safari-536.30-branch/LayoutTests/accessibility/corresponding-control-deleted-crash.html (0 => 148493)
--- branches/safari-536.30-branch/LayoutTests/accessibility/corresponding-control-deleted-crash.html (rev 0)
+++ branches/safari-536.30-branch/LayoutTests/accessibility/corresponding-control-deleted-crash.html 2013-04-16 05:31:18 UTC (rev 148493)
@@ -0,0 +1,42 @@
+
+<!DOCTYPE html>
+<html>
+<head>
+<script src=""
+</head>
+<body>
+
+<p id="description"></p>
+<div id="console"></div>
+
+<script>
+ description("Make sure that a debug assert is not triggered when a call to RenderBlock::deleteLineBoxTree calls AccessibilityRenderObject::accessibilityIsIgnored which may require the AXObject for a node that is being deleted.");
+
+ var label = document.createElement('label');
+ label.style.position = 'fixed';
+ document.body.appendChild(label);
+
+ var progress = document.createElement('progress');
+ progress.style.display = 'block';
+ label.appendChild(progress);
+
+ var kbd = document.createElement('kbd');
+ label.appendChild(kbd);
+
+ var labelShadow = label.webkitCreateShadowRoot();
+
+ var select = document.createElement('select');
+ select.setAttribute('multiple', 'multiple');
+ labelShadow.appendChild(select);
+
+ var shadow = document.createElement('shadow');
+ labelShadow.appendChild(shadow);
+
+ select.focus();
+
+ document.body.removeChild(label);
+
+</script>
+<script src=""
+</body>
+</html>
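Review bot: `var labelShadow = label.webkitCreateShadowRoot();` is called unconditionally, and the ChangeLog states the feature is disabled on this branch, so the script aborts with a TypeError before `select.focus()` and `document.body.removeChild(label)` run; a feature check around the shadow-root call (reporting the unsupported case and then still performing the removal) would let the test finish and keep exercising the renderer-removal path even without shadow DOM. Separately, the two `<script src=""` lines as shown here have an empty `src` and no closing tag; confirm the committed file references the js-test harness scripts that supply `description()` and set `successfullyParsed`, since the expected output depends on both.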
Modified: branches/safari-536.30-branch/Source/WebCore/ChangeLog (148492 => 148493)
--- branches/safari-536.30-branch/Source/WebCore/ChangeLog 2013-04-16 05:09:17 UTC (rev 148492)
+++ branches/safari-536.30-branch/Source/WebCore/ChangeLog 2013-04-16 05:31:18 UTC (rev 148493)
@@ -1,5 +1,34 @@
2013-04-15 Andy Estes <[email protected]>
+ Merged r139444.
+
+ 2013-01-11 Stephen Chenney <[email protected]>
+ Objects can be re-added to the AXObjectCache during removal
+ https://bugs.webkit.org/show_bug.cgi?id=104171
+
+ The problem occurs when a label's corresponding element is a sibling
+ that precedes it in the render tree, and the corresponding element is
+ removed. The corresponding element's AX render object is removed, but
+ then recreated when accessibilityIsIgnored() invokes correspondingControl()
+ on the label. The corresponding renderer then has an AX render object
+ that survives beyond the deleted renderer, leading to invalid memory
+ accesses.
+
+ The solution is to rearrange the calls to delete the renderer's AX
+ render object only when we are sure it will no longer be required.
+
+ Reviewed by Simon Fraser.
+
+ Test: accessibility/corresponding-control-deleted-crash.html
+
+ * rendering/RenderObject.cpp:
+ (WebCore::RenderObject::willBeDestroyed): Move the call to remove the
+ renderer from the AXCache to after the renderer is removed from the
+ render tree. This means that the AXObject still exists during renderer
+ removal, as we require.
+
+2013-04-15 Andy Estes <[email protected]>
+
Merged r131670.
2012-10-17 Tom Sepez <[email protected]>
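Review bot: style point in the nested entry: the `2013-01-11  Stephen Chenney` line is followed directly by the title line with no blank line between them, unlike the matching LayoutTests/ChangeLog entry in this same commit and the usual ChangeLog layout; add the blank line so the merged text matches the original r139444 entry.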
Modified: branches/safari-536.30-branch/Source/WebCore/rendering/RenderObject.cpp (148492 => 148493)
--- branches/safari-536.30-branch/Source/WebCore/rendering/RenderObject.cpp 2013-04-16 05:09:17 UTC (rev 148492)
+++ branches/safari-536.30-branch/Source/WebCore/rendering/RenderObject.cpp 2013-04-16 05:31:18 UTC (rev 148493)
@@ -2381,14 +2381,20 @@
if (frame() && frame()->eventHandler()->autoscrollRenderer() == this)
frame()->eventHandler()->stopAutoscrollTimer(true);
- if (AXObjectCache::accessibilityEnabled()) {
- document()->axObjectCache()->childrenChanged(this->parent());
- document()->axObjectCache()->remove(this);
- }
animation()->cancelAnimations(this);
+ // For accessibility management, notify the parent of the imminent change to its child set.
+ // We do it now, before remove(), while the parent pointer is still available.
+ if (AXObjectCache::accessibilityEnabled())
+ document()->axObjectCache()->childrenChanged(this->parent());
+
remove();
+ // The remove() call above may invoke axObjectCache()->childrenChanged() on the parent, which may require the AX render
+ // object for this renderer. So we remove the AX render object now, after the renderer is removed.
+ if (AXObjectCache::accessibilityEnabled())
+ document()->axObjectCache()->remove(this);
+
#ifndef NDEBUG
if (!documentBeingDestroyed() && view() && view()->hasRenderNamedFlowThreads()) {
// After remove, the object and the associated information should not be in any flow thread.
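Review bot: the new comment above the second `accessibilityEnabled()` block attributes the problem to `remove()` invoking `axObjectCache()->childrenChanged()` on the parent, but the ChangeLog for this change describes the re-creation path as `accessibilityIsIgnored()` invoking `correspondingControl()` on the label; the comment should name that path so a later reader understands why `remove(this)` must come after `remove()`. It would also help to state in the comment that `document()` must still be valid after `remove()`, since the deferred `document()->axObjectCache()->remove(this)` now dereferences it after the renderer has left the tree, whereas `this->parent()` is read before `remove()`, where it is still available; that ordering dependency is the whole point of the fix and is easy to undo by accident.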