Title: [181637] releases/WebKitGTK/webkit-2.8
Revision
181637
Author
carlo...@webkit.org
Date
2015-03-17 04:47:53 -0700 (Tue, 17 Mar 2015)

Log Message

Merge r181600 - AX: Crash viewing http://www.last.fm/
https://bugs.webkit.org/show_bug.cgi?id=142309

Reviewed by Chris Fleizach.

Source/WebCore:

The crash occurs when a not-yet-rendered object emits a children-changed
signal. If an assistive technology is listening, AT-SPI2 will attempt to
create and cache the state set for the child being added and the creation
of the state set assumes a rendered object.

Test: platform/gtk/accessibility/no-notification-for-unrendered-iframe-children.html

* accessibility/atk/AXObjectCacheAtk.cpp:
(WebCore::AXObjectCache::attachWrapper):

LayoutTests:

This test doesn't verify the absence of the crash because the crash seems
to require that an assistive technology is listening for events, and that
AT-SPI2 is caching the tree for that assistive technology -- something we
cannot count on being the case on our bots. (I suspect that the reason non-
assistive technology users of Epiphany were getting hit by this is because
Caribou was listening for events in the background, thus they were AT users
without realizing it. That Caribou issue is in theory now resolved.) What
this test does verify is the absence of children-changed:add accessibility
signals for non-rendered objects, which is the source of the crash given
the aforementioned environment.

* platform/gtk/accessibility/no-notification-for-unrendered-iframe-children-expected.txt: Added.
* platform/gtk/accessibility/no-notification-for-unrendered-iframe-children.html: Added.

Diff

Modified: releases/WebKitGTK/webkit-2.8/LayoutTests/ChangeLog (181636 => 181637)


--- releases/WebKitGTK/webkit-2.8/LayoutTests/ChangeLog	2015-03-17 11:46:54 UTC (rev 181636)
+++ releases/WebKitGTK/webkit-2.8/LayoutTests/ChangeLog	2015-03-17 11:47:53 UTC (rev 181637)
@@ -1,3 +1,24 @@
+2015-03-16  Joanmarie Diggs  <jdi...@igalia.com>
+
+        AX: Crash viewing http://www.last.fm/
+        https://bugs.webkit.org/show_bug.cgi?id=142309
+
+        Reviewed by Chris Fleizach.
+
+        This test doesn't verify the absence of the crash because the crash seems
+        to require that an assistive technology is listening for events, and that
+        AT-SPI2 is caching the tree for that assistive technology -- something we
+        cannot count on being the case on our bots. (I suspect that the reason non-
+        assistive technology users of Epiphany were getting hit by this is because
+        Caribou was listening for events in the background, thus they were AT users
+        without realizing it. That Caribou issue is in theory now resolved.) What
+        this test does verify is the absence of children-changed:add accessibility
+        signals for non-rendered objects, which is the source of the crash given
+        the aforementioned environment.
+
+        * platform/gtk/accessibility/no-notification-for-unrendered-iframe-children-expected.txt: Added.
+        * platform/gtk/accessibility/no-notification-for-unrendered-iframe-children.html: Added.
+
 2015-03-16  Max Stepin  <maxste...@gmail.com>
 
         Add APNG support
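
Review bot: The entry says the test does not cover the crash, because the crash needs a listening assistive technology with AT-SPI2 caching the tree, but it does not record how the fix was checked against the crash itself. Add a sentence on the manual verification, and a bug reference for the Caribou issue described as "in theory now resolved".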

Added: releases/WebKitGTK/webkit-2.8/LayoutTests/platform/gtk/accessibility/no-notification-for-unrendered-iframe-children-expected.txt (0 => 181637)


--- releases/WebKitGTK/webkit-2.8/LayoutTests/platform/gtk/accessibility/no-notification-for-unrendered-iframe-children-expected.txt	                        (rev 0)
+++ releases/WebKitGTK/webkit-2.8/LayoutTests/platform/gtk/accessibility/no-notification-for-unrendered-iframe-children-expected.txt	2015-03-17 11:47:53 UTC (rev 181637)
@@ -0,0 +1,12 @@
+This test ensures that a children-changed notification is not emitted for children of not-yet-rendered nested iframes.
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+
+AXChildrenAdded on AXDescription: inner body
+AXChildrenAdded on AXDescription: inner body
+PASS successfullyParsed is true
+
+TEST COMPLETE
+
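
Review bot: The expected output records two identical `AXChildrenAdded on AXDescription: inner body` lines and nothing else about the condition under test, so the absence of a notification for the unrendered inner iframe's children is only implied by a missing line. The description promises a series of "PASS" messages, yet only `PASS successfullyParsed is true` appears. Consider collecting the notifications in the test and asserting on their count or on which elements reported them, so a regression shows up as an explicit FAIL, and explain in the test why the inner body is reported twice.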

Added: releases/WebKitGTK/webkit-2.8/LayoutTests/platform/gtk/accessibility/no-notification-for-unrendered-iframe-children.html (0 => 181637)


--- releases/WebKitGTK/webkit-2.8/LayoutTests/platform/gtk/accessibility/no-notification-for-unrendered-iframe-children.html	                        (rev 0)
+++ releases/WebKitGTK/webkit-2.8/LayoutTests/platform/gtk/accessibility/no-notification-for-unrendered-iframe-children.html	2015-03-17 11:47:53 UTC (rev 181637)
@@ -0,0 +1,50 @@
+<html>
+<head>
+<script src=""
+<script src=""
+</head>
+<body aria-label="outer body">
+<p id="description"></p>
+<iframe aria-label="outer iframe" id="iframe"></iframe>
+<div id="console"></div>
+<script>
+window.jsTestIsAsync = true;
+
+description("This test ensures that a children-changed notification is not emitted for children of not-yet-rendered nested iframes.");
+function runTest() {
+
+    if (window.accessibilityController) {
+        var axWebArea = accessibilityController.rootElement.childAtIndex(0);
+
+        // Generate the hierarchy before registering a listener so that we only see new notifications.
+        touchAccessibilityTree(axWebArea);
+
+        accessibilityController.addNotificationListener(function(element, notification) {
+            if (notification == "AXChildrenAdded" && element.role == "AXRole: AXGroup")
+                debug(notification + " on " + element.description);
+        });
+    }
+
+    // Write content in the outer iframe, including an inner iframe. The latter should not emit a notification.
+    var iframe = document.getElementById("iframe");
+    var doc = iframe.contentWindow.document;
+    doc.open();
+    doc.write("<html><body aria-label='inner body'><iframe aria-label='inner iframe' src=''></body></html>");
+    doc.close();
+
+    // Re-generate the hierarchy to trigger the notifications.
+    touchAccessibilityTree(axWebArea);
+
+    window.setTimeout(function() {
+        if (window.accessibilityController) {
+            accessibilityController.removeNotificationListener();
+        }
+
+        finishJSTest();
+    }, 0);
+}
+runTest();
+</script>
+<script src=""
+</body>
+</html>
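
Review bot: `axWebArea` is assigned only inside the `if (window.accessibilityController)` block, but the second `touchAccessibilityTree(axWebArea)` call sits outside that guard, so without the controller it is called with `undefined`. Move that call under the same guard, or return early when the controller is missing. Separately, the markup passed to `doc.write` never closes the inner `<iframe>`; add `</iframe>` before `</body>` so the test does not depend on parser error recovery.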

Modified: releases/WebKitGTK/webkit-2.8/Source/WebCore/ChangeLog (181636 => 181637)


--- releases/WebKitGTK/webkit-2.8/Source/WebCore/ChangeLog	2015-03-17 11:46:54 UTC (rev 181636)
+++ releases/WebKitGTK/webkit-2.8/Source/WebCore/ChangeLog	2015-03-17 11:47:53 UTC (rev 181637)
@@ -1,3 +1,20 @@
+2015-03-16  Joanmarie Diggs  <jdi...@igalia.com>
+
+        AX: Crash viewing http://www.last.fm/
+        https://bugs.webkit.org/show_bug.cgi?id=142309
+
+        Reviewed by Chris Fleizach.
+
+        The crash occurs when a not-yet-rendered object emits a children-changed
+        signal. If an assistive technology is listening, AT-SPI2 will attempt to
+        create and cache the state set for the child being added and the creation
+        of the state set assumes a rendered object.
+
+        Test: platform/gtk/accessibility/no-notification-for-unrendered-iframe-children.html
+
+        * accessibility/atk/AXObjectCacheAtk.cpp:
+        (WebCore::AXObjectCache::attachWrapper):
+
 2015-03-16  Brady Eidson  <beid...@apple.com>
 
         Addressing additional review feedback after http://trac.webkit.org/changeset/181565
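
Review bot: The `(WebCore::AXObjectCache::attachWrapper):` line has no description after the colon. Add a short statement of the change, for example that the function now returns before emitting the signal when the object has no renderer, so the entry can be read without opening the diff.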

Modified: releases/WebKitGTK/webkit-2.8/Source/WebCore/accessibility/atk/AXObjectCacheAtk.cpp (181636 => 181637)


--- releases/WebKitGTK/webkit-2.8/Source/WebCore/accessibility/atk/AXObjectCacheAtk.cpp	2015-03-17 11:46:54 UTC (rev 181636)
+++ releases/WebKitGTK/webkit-2.8/Source/WebCore/accessibility/atk/AXObjectCacheAtk.cpp	2015-03-17 11:47:53 UTC (rev 181637)
@@ -80,6 +80,14 @@
     if (obj->accessibilityIsIgnoredByDefault())
         return;
 
+    // Don't emit the signal if the object being added is not -- or not yet -- rendered,
+    // which can occur in nested iframes. In these instances we don't want to ignore the
+    // child. But if an assistive technology is listening, AT-SPI2 will attempt to create
+    // and cache the state set for the child upon emission of the signal. If the object
+    // has not yet been rendered, this will result in a crash.
+    if (!obj->renderer())
+        return;
+
     // Don't emit the signal for objects whose parents won't be exposed directly.
     AccessibilityObject* coreParent = obj->parentObjectUnignored();
     if (!coreParent || coreParent->accessibilityIsIgnoredByDefault())
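
Review bot: The new `if (!obj->renderer()) return;` suppresses the children-changed signal for the unrendered child, but nothing in this hunk emits it later once the object is rendered, even though the comment says the child should not be ignored. Please confirm, and state in the comment, which path notifies listeners after rendering; otherwise a client that caches the tree may never learn of the child. Per the comment, the crash comes from state-set creation assuming a rendered object, and this guard covers only this one emission site, so a null check in the state-set path would be worth adding as well.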