Skip to site navigation (Press enter)

[webkit-changes] [192022] trunk

mario Wed, 04 Nov 2015 06:47:23 -0800

Title: [192022] trunk

Revision: 192022
Author: ma...@webkit.org
Date: 2015-11-04 06:46:19 -0800 (Wed, 04 Nov 2015)

Log Message

[AX] WebProcess from WebKitGtk+ 2.10.0 compiled in Debug mode hits ASSERT on textUnderElement
https://bugs.webkit.org/show_bug.cgi?id=150670


Source/WebCore:

Patch by Mario Sanchez Prada <ma...@webkit.org> on 2015-11-04
Reviewed by Chris Fleizach.

Move the ASSERTs stating that the render tree is stable before using the
TextIterator to their right place, in AccessibilityRenderObject, so that
we don't crash in debug builds in cases when this condition is irrelevant.

Test: accessibility/gtk/list-item-with-pseudo-element-crash.html

* accessibility/AccessibilityNodeObject.cpp:
(WebCore::AccessibilityNodeObject::textUnderElement): Removed ASSERTs.
* accessibility/AccessibilityRenderObject.cpp:
(WebCore::AccessibilityRenderObject::textUnderElement): Added ASSERTs, but
only before calling plainText and using the right document for the node.

LayoutTests:

Patch by Joanmarie Diggs <jdi...@igalia.com> on 2015-11-04
Reviewed by Chris Fleizach.

* accessibility/list-item-with-pseudo-element-crash-expected.txt: Added.
* accessibility/list-item-with-pseudo-element-crash.html: Added.

Modified Paths

trunk/LayoutTests/ChangeLog
trunk/Source/WebCore/ChangeLog
trunk/Source/WebCore/accessibility/AccessibilityNodeObject.cpp
trunk/Source/WebCore/accessibility/AccessibilityRenderObject.cpp

Added Paths

trunk/LayoutTests/accessibility/list-item-with-pseudo-element-crash-expected.txt
trunk/LayoutTests/accessibility/list-item-with-pseudo-element-crash.html

Diff

Modified: trunk/LayoutTests/ChangeLog (192021 => 192022)


--- trunk/LayoutTests/ChangeLog	2015-11-04 11:15:51 UTC (rev 192021)
+++ trunk/LayoutTests/ChangeLog	2015-11-04 14:46:19 UTC (rev 192022)
@@ -1,3 +1,13 @@
+2015-11-04  Joanmarie Diggs  <jdi...@igalia.com>
+
+        [AX] WebProcess from WebKitGtk+ 2.10.0 compiled in Debug mode hits ASSERT on textUnderElement
+        https://bugs.webkit.org/show_bug.cgi?id=150670
+
+        Reviewed by Chris Fleizach.
+
+        * accessibility/list-item-with-pseudo-element-crash-expected.txt: Added.
+        * accessibility/list-item-with-pseudo-element-crash.html: Added.
+
 2015-11-04  Xabier Rodriguez Calvar  <calva...@igalia.com>
 
         [Streams API] Shield streams against user replacing the Promise constructor

Added: trunk/LayoutTests/accessibility/list-item-with-pseudo-element-crash-expected.txt (0 => 192022)


--- trunk/LayoutTests/accessibility/list-item-with-pseudo-element-crash-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/accessibility/list-item-with-pseudo-element-crash-expected.txt	2015-11-04 14:46:19 UTC (rev 192022)
@@ -0,0 +1,11 @@
+Foo
+BAR
+This verifies that list items with pseudo elements and styles do not trigger an assertion.
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+PASS successfullyParsed is true
+
+TEST COMPLETE
+

Added: trunk/LayoutTests/accessibility/list-item-with-pseudo-element-crash.html (0 => 192022)


--- trunk/LayoutTests/accessibility/list-item-with-pseudo-element-crash.html	                        (rev 0)
+++ trunk/LayoutTests/accessibility/list-item-with-pseudo-element-crash.html	2015-11-04 14:46:19 UTC (rev 192022)
@@ -0,0 +1,26 @@
+<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML//EN">
+<html>
+<head>
+<script src=""
+<style>
+.item:before {content:""; }
+</style>
+</head>
+<body>
+<ul id="list" style="display:none;">
+<li id="item1" class="item" style="float:left;">Foo</li>
+<li id="item2" class="item" style="text-transform:uppercase;">Bar</li>
+</ul>
+<p id="description"></p>
+<div id="console"></div>
+<script>
+description("This verifies that list items with pseudo elements and styles do not trigger an assertion.");
+
+if (window.testRunner && window.accessibilityController) {
+    var list = document.getElementById("list");
+    list.style.display = "";
+}
+</script>
+<script src=""
+</body>
+</html>

Modified: trunk/Source/WebCore/ChangeLog (192021 => 192022)


--- trunk/Source/WebCore/ChangeLog	2015-11-04 11:15:51 UTC (rev 192021)
+++ trunk/Source/WebCore/ChangeLog	2015-11-04 14:46:19 UTC (rev 192022)
@@ -1,3 +1,22 @@
+2015-11-04  Mario Sanchez Prada  <ma...@webkit.org>
+
+        [AX] WebProcess from WebKitGtk+ 2.10.0 compiled in Debug mode hits ASSERT on textUnderElement
+        https://bugs.webkit.org/show_bug.cgi?id=150670
+
+        Reviewed by Chris Fleizach.
+
+        Move the ASSERTs stating that the render tree is stable before using the
+        TextIterator to their right place, in AccessibilityRenderObject, so that
+        we don't crash in debug builds in cases when this condition is irrelevant.
+
+        Test: accessibility/gtk/list-item-with-pseudo-element-crash.html
+
+        * accessibility/AccessibilityNodeObject.cpp:
+        (WebCore::AccessibilityNodeObject::textUnderElement): Removed ASSERTs.
+        * accessibility/AccessibilityRenderObject.cpp:
+        (WebCore::AccessibilityRenderObject::textUnderElement): Added ASSERTs, but
+        only before calling plainText and using the right document for the node.
+
 2015-11-04  Xabier Rodriguez Calvar  <calva...@igalia.com>
 
         [Streams API] Shield streams against user replacing the Promise constructor

Modified: trunk/Source/WebCore/accessibility/AccessibilityNodeObject.cpp (192021 => 192022)


--- trunk/Source/WebCore/accessibility/AccessibilityNodeObject.cpp	2015-11-04 11:15:51 UTC (rev 192021)
+++ trunk/Source/WebCore/accessibility/AccessibilityNodeObject.cpp	2015-11-04 14:46:19 UTC (rev 192022)
@@ -1687,12 +1687,6 @@
     if (is<Text>(node))
         return downcast<Text>(*node).wholeText();
 
-    // The render tree should be stable before going ahead. Otherwise, further uses of the
-    // TextIterator will force a layout update, potentially altering the accessibility tree
-    // and leading to crashes in the loop that computes the result text from the children.
-    ASSERT(!document()->renderView()->layoutState());
-    ASSERT(!document()->childNeedsStyleRecalc());
-
     StringBuilder builder;
     for (AccessibilityObject* child = firstChild(); child; child = child->nextSibling()) {
         if (mode.ignoredChildNode && child->node() == mode.ignoredChildNode)

Modified: trunk/Source/WebCore/accessibility/AccessibilityRenderObject.cpp (192021 => 192022)


--- trunk/Source/WebCore/accessibility/AccessibilityRenderObject.cpp	2015-11-04 11:15:51 UTC (rev 192021)
+++ trunk/Source/WebCore/accessibility/AccessibilityRenderObject.cpp	2015-11-04 14:46:19 UTC (rev 192022)
@@ -686,6 +686,13 @@
                 // catch stale WebCoreAXObject (see <rdar://problem/3960196>)
                 if (frame->document() != nodeDocument)
                     return String();
+
+                // The render tree should be stable before going ahead. Otherwise, further uses of the
+                // TextIterator will force a layout update, potentially altering the accessibility tree
+                // and leading to crashes in the loop that computes the result text from the children.
+                ASSERT(!nodeDocument->renderView()->layoutState());
+                ASSERT(!nodeDocument->childNeedsStyleRecalc());
+
                 return plainText(textRange.get(), textIteratorBehaviorForTextRange());
             }
         }

_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes