[webkit-changes] [87984] branches/safari-534-branch/Source/WebCore

[lforschler]

Title: [87984] branches/safari-534-branch/Source/WebCore

Revision

87984

Author

lforsch...@apple.com

Date

2011-06-02 18:46:55 -0700 (Thu, 02 Jun 2011)

Log Message

Merge r87856.

Modified Paths

branches/safari-534-branch/Source/WebCore/ChangeLog
branches/safari-534-branch/Source/WebCore/accessibility/AccessibilityObject.cpp
branches/safari-534-branch/Source/WebCore/accessibility/AccessibilityObject.h
branches/safari-534-branch/Source/WebCore/accessibility/AccessibilityRenderObject.cpp
branches/safari-534-branch/Source/WebCore/accessibility/AccessibilityRenderObject.h

Diff

Modified: branches/safari-534-branch/Source/WebCore/ChangeLog (87983 => 87984)

--- branches/safari-534-branch/Source/WebCore/ChangeLog	2011-06-03 01:44:54 UTC (rev 87983)
+++ branches/safari-534-branch/Source/WebCore/ChangeLog	2011-06-03 01:46:55 UTC (rev 87984)
@@ -1,5 +1,33 @@
 2011-06-02  Lucas Forschler  <lforsch...@apple.com>
 
+    Merged 87856.
+
+    2011-06-01  Chris Fleizach  <cfleiz...@apple.com>
+
+        Reviewed by Darin Adler.
+
+        Safari always crashes on http://bbc.co.uk when VoiceOver enabled
+        https://bugs.webkit.org/show_bug.cgi?id=61886
+
+        This crash can happen on webpages that remove an element from the DOM when the element receives focus.
+        When AppKit goes to post a notification to inform VoiceOver the focus has changed, it asks for the AXFocusedUIElement.
+        However by posting that notification, a render tree update is performed. This causes the element to disappear, but
+        AppKit still has a handle to it and continues to try to reference it. When the autorelease pool pops, the reference goes bad.
+
+        To fix, the root element, the AccessibilityScrollView, needs to implement updateBackingStore(), otherwise this method 
+        will not be called in time.
+
+        No test could be created because to cause it depends on an internal AppKit mechanism
+        that is only triggered remotely through the accessibility runtime.
+
+        * accessibility/AccessibilityObject.cpp:
+        (WebCore::AccessibilityObject::updateBackingStore):
+        * accessibility/AccessibilityObject.h:
+        * accessibility/AccessibilityRenderObject.cpp:
+        * accessibility/AccessibilityRenderObject.h:
+
+2011-06-02  Lucas Forschler  <lforsch...@apple.com>
+
     Merged 87844.
 
     2011-06-01  Jer Noble  <jer.no...@apple.com>

Modified: branches/safari-534-branch/Source/WebCore/accessibility/AccessibilityObject.cpp (87983 => 87984)

--- branches/safari-534-branch/Source/WebCore/accessibility/AccessibilityObject.cpp	2011-06-03 01:44:54 UTC (rev 87983)
+++ branches/safari-534-branch/Source/WebCore/accessibility/AccessibilityObject.cpp	2011-06-03 01:46:55 UTC (rev 87984)
@@ -717,6 +717,13 @@
     return lineForPosition(visiblePositionForIndex(index, false));
 }
     
+void AccessibilityObject::updateBackingStore()
+{
+    // Updating the layout may delete this object.
+    if (Document* document = this->document())
+        document->updateLayoutIgnorePendingStylesheets();
+}
+
 Document* AccessibilityObject::document() const
 {
     FrameView* frameView = documentFrameView();

Modified: branches/safari-534-branch/Source/WebCore/accessibility/AccessibilityObject.h (87983 => 87984)

--- branches/safari-534-branch/Source/WebCore/accessibility/AccessibilityObject.h	2011-06-03 01:44:54 UTC (rev 87983)
+++ branches/safari-534-branch/Source/WebCore/accessibility/AccessibilityObject.h	2011-06-03 01:46:55 UTC (rev 87984)
@@ -582,7 +582,7 @@
 
     // allows for an AccessibilityObject to update its render tree or perform
     // other operations update type operations
-    virtual void updateBackingStore() { }
+    void updateBackingStore();
     
 protected:
     AXID m_id;

Modified: branches/safari-534-branch/Source/WebCore/accessibility/AccessibilityRenderObject.cpp (87983 => 87984)

--- branches/safari-534-branch/Source/WebCore/accessibility/AccessibilityRenderObject.cpp	2011-06-03 01:44:54 UTC (rev 87983)
+++ branches/safari-534-branch/Source/WebCore/accessibility/AccessibilityRenderObject.cpp	2011-06-03 01:46:55 UTC (rev 87984)
@@ -3608,15 +3608,6 @@
         static_cast<Element*>(domNode)->setAttribute(aria_labelAttr, name);
 }
     
-void AccessibilityRenderObject::updateBackingStore()
-{
-    if (!m_renderer)
-        return;
-
-    // Updating layout may delete m_renderer and this object.
-    m_renderer->document()->updateLayoutIgnorePendingStylesheets();
-}
-
 static bool isLinkable(const AccessibilityRenderObject& object)
 {
     if (!object.renderer())

Modified: branches/safari-534-branch/Source/WebCore/accessibility/AccessibilityRenderObject.h (87983 => 87984)

--- branches/safari-534-branch/Source/WebCore/accessibility/AccessibilityRenderObject.h	2011-06-03 01:44:54 UTC (rev 87983)
+++ branches/safari-534-branch/Source/WebCore/accessibility/AccessibilityRenderObject.h	2011-06-03 01:46:55 UTC (rev 87984)
@@ -244,8 +244,6 @@
     virtual String doAXStringForRange(const PlainTextRange&) const;
     virtual IntRect doAXBoundsForRange(const PlainTextRange&) const;
     
-    virtual void updateBackingStore();
-
     virtual String stringValueForMSAA() const;
     virtual String stringRoleForMSAA() const;
     virtual String nameForMSAA() const;

_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
http://lists.webkit.org/mailman/listinfo.cgi/webkit-changes