Diff
Modified: releases/WebKitGTK/webkit-2.14/LayoutTests/ChangeLog (211940 => 211941)
--- releases/WebKitGTK/webkit-2.14/LayoutTests/ChangeLog 2017-02-09 08:55:52 UTC (rev 211940)
+++ releases/WebKitGTK/webkit-2.14/LayoutTests/ChangeLog 2017-02-09 08:56:03 UTC (rev 211941)
@@ -1,3 +1,14 @@
+2016-12-16 Zalan Bujtas <[email protected]>
+
+ Defer certain accessibility callbacks until after layout is finished.
+ https://bugs.webkit.org/show_bug.cgi?id=165861
+ rdar://problem/29646301
+
+ Reviewed by Chris Fleizach.
+
+ * accessibility/accessibility-crash-with-dynamic-inline-content-expected.txt: Added.
+ * accessibility/accessibility-crash-with-dynamic-inline-content.html: Added.
+
2016-12-18 Brent Fulgham <[email protected]>
Side effects while restting form elements
Added: releases/WebKitGTK/webkit-2.14/LayoutTests/accessibility/accessibility-crash-with-dynamic-inline-content-expected.txt (0 => 211941)
--- releases/WebKitGTK/webkit-2.14/LayoutTests/accessibility/accessibility-crash-with-dynamic-inline-content-expected.txt (rev 0)
+++ releases/WebKitGTK/webkit-2.14/LayoutTests/accessibility/accessibility-crash-with-dynamic-inline-content-expected.txt 2017-02-09 08:56:03 UTC (rev 211941)
@@ -0,0 +1,3 @@
+PASS if no crash or assert. foo
+foobar
+
Added: releases/WebKitGTK/webkit-2.14/LayoutTests/accessibility/accessibility-crash-with-dynamic-inline-content.html (0 => 211941)
--- releases/WebKitGTK/webkit-2.14/LayoutTests/accessibility/accessibility-crash-with-dynamic-inline-content.html (rev 0)
+++ releases/WebKitGTK/webkit-2.14/LayoutTests/accessibility/accessibility-crash-with-dynamic-inline-content.html 2017-02-09 08:56:03 UTC (rev 211941)
@@ -0,0 +1,18 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+<title>This tests accessibility with dynamic inline content.</title>
+</head>
+<body>
+PASS if no crash or assert.
+<span id="ariafoo">foo</span><div aria-labeledby = "ariafoo">foobar<details id="details" open="true">
+<script>
+if (window.testRunner) {
+ testRunner.dumpAsText();
+ testRunner.waitUntilDone();
+}
+setTimeout(function() {
+ details.open = false;
+ testRunner.notifyDone();
+}, 0);
+</script>
Modified: releases/WebKitGTK/webkit-2.14/Source/WebCore/ChangeLog (211940 => 211941)
--- releases/WebKitGTK/webkit-2.14/Source/WebCore/ChangeLog 2017-02-09 08:55:52 UTC (rev 211940)
+++ releases/WebKitGTK/webkit-2.14/Source/WebCore/ChangeLog 2017-02-09 08:56:03 UTC (rev 211941)
@@ -1,3 +1,28 @@
+2016-12-16 Zalan Bujtas <[email protected]>
+
+ Defer certain accessibility callbacks until after layout is finished.
+ https://bugs.webkit.org/show_bug.cgi?id=165861
+ rdar://problem/29646301
+
+ Reviewed by Chris Fleizach.
+
+ Currently with certain AXObjectCache callbacks, we can end up in a layout while the render tree is being mutated.
+ This patch ensures that such callbacks are deferred until after tree mutation/layout is finished.
+
+ Test: accessibility/accessibility-crash-with-dynamic-inline-content.html
+
+ * accessibility/AXObjectCache.cpp:
+ (WebCore::AXObjectCache::remove):
+ (WebCore::AXObjectCache::performDeferredIsIgnoredChange):
+ (WebCore::AXObjectCache::insertDeferredIsIgnoredChange):
+ * accessibility/AXObjectCache.h:
+ * page/FrameView.cpp:
+ (WebCore::FrameView::performPostLayoutTasks):
+ * rendering/RenderBlock.cpp:
+ (WebCore::RenderBlock::deleteLines):
+ * rendering/RenderBlockLineLayout.cpp:
+ (WebCore::RenderBlockFlow::createAndAppendRootInlineBox):
+
2016-01-04 Brent Fulgham <[email protected]>
Correct DOMWindow handling during FrameLoader::clear
Modified: releases/WebKitGTK/webkit-2.14/Source/WebCore/accessibility/AXObjectCache.cpp (211940 => 211941)
--- releases/WebKitGTK/webkit-2.14/Source/WebCore/accessibility/AXObjectCache.cpp 2017-02-09 08:55:52 UTC (rev 211940)
+++ releases/WebKitGTK/webkit-2.14/Source/WebCore/accessibility/AXObjectCache.cpp 2017-02-09 08:56:03 UTC (rev 211941)
@@ -708,6 +708,8 @@
AXID axID = m_renderObjectMapping.get(renderer);
remove(axID);
m_renderObjectMapping.remove(renderer);
+ if (is<RenderBlock>(*renderer))
+ m_deferredIsIgnoredChangeList.remove(downcast<RenderBlock>(renderer));
}
void AXObjectCache::remove(Node* node)
@@ -2614,6 +2616,18 @@
return axObject && axObject->isTextControl();
}
+void AXObjectCache::performDeferredIsIgnoredChange()
+{
+ for (auto* renderer : m_deferredIsIgnoredChangeList)
+ recomputeIsIgnored(renderer);
+ m_deferredIsIgnoredChangeList.clear();
+}
+
+void AXObjectCache::recomputeDeferredIsIgnored(RenderBlock& renderer)
+{
+ m_deferredIsIgnoredChangeList.add(&renderer);
+}
+
bool isNodeAriaVisible(Node* node)
{
if (!node)
Modified: releases/WebKitGTK/webkit-2.14/Source/WebCore/accessibility/AXObjectCache.h (211940 => 211941)
--- releases/WebKitGTK/webkit-2.14/Source/WebCore/accessibility/AXObjectCache.h 2017-02-09 08:55:52 UTC (rev 211940)
+++ releases/WebKitGTK/webkit-2.14/Source/WebCore/accessibility/AXObjectCache.h 2017-02-09 08:56:03 UTC (rev 211941)
@@ -44,6 +44,7 @@
class HTMLAreaElement;
class Node;
class Page;
+class RenderBlock;
class RenderObject;
class ScrollView;
class VisiblePosition;
@@ -324,6 +325,8 @@
#if PLATFORM(MAC)
static void setShouldRepostNotificationsForTests(bool value);
#endif
+ void recomputeDeferredIsIgnored(RenderBlock& renderer);
+ void performDeferredIsIgnoredChange();
protected:
void postPlatformNotification(AccessibilityObject*, AXNotification);
@@ -422,6 +425,7 @@
AXTextStateChangeIntent m_textSelectionIntent;
bool m_isSynchronizingSelection { false };
+ ListHashSet<RenderBlock*> m_deferredIsIgnoredChangeList;
};
class AXAttributeCacheEnabler
Modified: releases/WebKitGTK/webkit-2.14/Source/WebCore/page/FrameView.cpp (211940 => 211941)
--- releases/WebKitGTK/webkit-2.14/Source/WebCore/page/FrameView.cpp 2017-02-09 08:55:52 UTC (rev 211940)
+++ releases/WebKitGTK/webkit-2.14/Source/WebCore/page/FrameView.cpp 2017-02-09 08:56:03 UTC (rev 211941)
@@ -3259,6 +3259,9 @@
viewportContentsChanged();
updateScrollSnapState();
+
+ if (AXObjectCache* cache = frame().document()->existingAXObjectCache())
+ cache->performDeferredIsIgnoredChange();
}
IntSize FrameView::sizeForResizeEvent() const
Modified: releases/WebKitGTK/webkit-2.14/Source/WebCore/rendering/RenderBlock.cpp (211940 => 211941)
--- releases/WebKitGTK/webkit-2.14/Source/WebCore/rendering/RenderBlock.cpp 2017-02-09 08:55:52 UTC (rev 211940)
+++ releases/WebKitGTK/webkit-2.14/Source/WebCore/rendering/RenderBlock.cpp 2017-02-09 08:56:03 UTC (rev 211941)
@@ -683,7 +683,7 @@
void RenderBlock::deleteLines()
{
if (AXObjectCache* cache = document().existingAXObjectCache())
- cache->recomputeIsIgnored(this);
+ cache->recomputeDeferredIsIgnored(*this);
}
void RenderBlock::makeChildrenNonInline(RenderObject* insertionPoint)
Modified: releases/WebKitGTK/webkit-2.14/Source/WebCore/rendering/RenderBlockLineLayout.cpp (211940 => 211941)
--- releases/WebKitGTK/webkit-2.14/Source/WebCore/rendering/RenderBlockLineLayout.cpp 2017-02-09 08:55:52 UTC (rev 211940)
+++ releases/WebKitGTK/webkit-2.14/Source/WebCore/rendering/RenderBlockLineLayout.cpp 2017-02-09 08:56:03 UTC (rev 211941)
@@ -130,7 +130,7 @@
if (UNLIKELY(AXObjectCache::accessibilityEnabled()) && firstRootBox() == rootBox) {
if (AXObjectCache* cache = document().existingAXObjectCache())
- cache->recomputeIsIgnored(this);
+ cache->recomputeDeferredIsIgnored(*this);
}
return rootBox;
