[webkit-changes] [216307] trunk

Fri, 05 May 2017 21:42:07 -0700

Title: [216307] trunk
Revision
216307
Author
[email protected]
Date
2017-05-05 21:41:32 -0700 (Fri, 05 May 2017)

Log Message

Renderers being destroyed should not be added to AX's deferred list.
https://bugs.webkit.org/show_bug.cgi?id=171768
<rdar://problem/31955660>

Reviewed by Simon Fraser.

Source/WebCore:

In certain cases, when custom scrollbars are present, while destroying the scrollbars' block parent, we
  - first remove the block from the AX's deferred list (AXObjectCache::remove)
  - destroy the render layer that owns the custom scrollbars (RenderLayer::destroyLayer)
  - detach the scrollbars from the parent (block) (RenderObject::removeFromParent)
    - clean up the block's lines (RenderBlock::deleteLines)
      - push the block back to the AX's deferred list (AXObjectCache::recomputeDeferredIsIgnored)
At this point no one will remove the current block from AX's deferred list.

Test: accessibility/crash-when-renderers-are-added-back-to-deferred-list.html

* accessibility/AXObjectCache.cpp:
(WebCore::AXObjectCache::recomputeDeferredIsIgnored):
(WebCore::AXObjectCache::deferTextChanged):

LayoutTests:

* accessibility/crash-when-renderers-are-added-back-to-deferred-list-expected.txt: Added.
* accessibility/crash-when-renderers-are-added-back-to-deferred-list.html: Added.

Modified Paths

Added Paths

Diff

Modified: trunk/LayoutTests/ChangeLog (216306 => 216307)


--- trunk/LayoutTests/ChangeLog	2017-05-06 03:57:42 UTC (rev 216306)
+++ trunk/LayoutTests/ChangeLog	2017-05-06 04:41:32 UTC (rev 216307)
@@ -1,3 +1,14 @@
+2017-05-05  Zalan Bujtas  <[email protected]>
+
+        Renderers being destroyed should not be added to AX's deferred list.
+        https://bugs.webkit.org/show_bug.cgi?id=171768
+        <rdar://problem/31955660>
+
+        Reviewed by Simon Fraser.
+
+        * accessibility/crash-when-renderers-are-added-back-to-deferred-list-expected.txt: Added.
+        * accessibility/crash-when-renderers-are-added-back-to-deferred-list.html: Added.
+
 2017-05-05  Matt Lewis  <[email protected]>
 
         Mark compositing/tiling/non-active-window-tiles-size.html as flaky

Added: trunk/LayoutTests/accessibility/crash-when-renderers-are-added-back-to-deferred-list-expected.txt (0 => 216307)


--- trunk/LayoutTests/accessibility/crash-when-renderers-are-added-back-to-deferred-list-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/accessibility/crash-when-renderers-are-added-back-to-deferred-list-expected.txt	2017-05-06 04:41:32 UTC (rev 216307)
@@ -0,0 +1 @@
+PASS if no crash or assert.

Added: trunk/LayoutTests/accessibility/crash-when-renderers-are-added-back-to-deferred-list.html (0 => 216307)


--- trunk/LayoutTests/accessibility/crash-when-renderers-are-added-back-to-deferred-list.html	                        (rev 0)
+++ trunk/LayoutTests/accessibility/crash-when-renderers-are-added-back-to-deferred-list.html	2017-05-06 04:41:32 UTC (rev 216307)
@@ -0,0 +1,26 @@
+<!DOCTYPE html>
+<html>
+<head>
+<title>This tests that accessibility ignores elements that are being destroyed</title>
+<script>
+if (window.accessibilityController)
+    accessibilityController.accessibleElementById("foo");
+if (window.testRunner)
+    testRunner.dumpAsText();
+</script>
+<style>
+::-webkit-scrollbar-corner {
+    border: 1px solid green;
+}
+</style>
+</head>
+<body>
+PASS if no crash or assert.
+<div id=foo style="overflow: scroll; height: 10px;"></div>
+<script>
+document.body.offsetHeight;
+foo.style.display = "none";
+document.body.offsetHeight;
+</script>
+</body>
+</html>

Modified: trunk/Source/WebCore/ChangeLog (216306 => 216307)


--- trunk/Source/WebCore/ChangeLog	2017-05-06 03:57:42 UTC (rev 216306)
+++ trunk/Source/WebCore/ChangeLog	2017-05-06 04:41:32 UTC (rev 216307)
@@ -1,3 +1,25 @@
+2017-05-05  Zalan Bujtas  <[email protected]>
+
+        Renderers being destroyed should not be added to AX's deferred list.
+        https://bugs.webkit.org/show_bug.cgi?id=171768
+        <rdar://problem/31955660>
+
+        Reviewed by Simon Fraser.
+
+        In certain cases, when custom scrollbars are present, while destroying the scrollbars' block parent, we
+          - first remove the block from the AX's deferred list (AXObjectCache::remove)
+          - destroy the render layer that owns the custom scrollbars (RenderLayer::destroyLayer) 
+          - detach the scrollbars from the parent (block) (RenderObject::removeFromParent)
+            - clean up the block's lines (RenderBlock::deleteLines)
+              - push the block back to the AX's deferred list (AXObjectCache::recomputeDeferredIsIgnored)
+        At this point no one will remove the current block from AX's deferred list.
+
+        Test: accessibility/crash-when-renderers-are-added-back-to-deferred-list.html
+
+        * accessibility/AXObjectCache.cpp:
+        (WebCore::AXObjectCache::recomputeDeferredIsIgnored):
+        (WebCore::AXObjectCache::deferTextChanged):
+
 2017-05-05  Said Abou-Hallawa  <[email protected]>
 
         Crash in ImageFrameCache::decodedSizeChanged() after image load cancellation

Modified: trunk/Source/WebCore/accessibility/AXObjectCache.cpp (216306 => 216307)


--- trunk/Source/WebCore/accessibility/AXObjectCache.cpp	2017-05-06 03:57:42 UTC (rev 216306)
+++ trunk/Source/WebCore/accessibility/AXObjectCache.cpp	2017-05-06 04:41:32 UTC (rev 216307)
@@ -2714,11 +2714,15 @@
 
 void AXObjectCache::recomputeDeferredIsIgnored(RenderBlock& renderer)
 {
+    if (renderer.beingDestroyed())
+        return;
     m_deferredCacheUpdateList.add(&renderer);
 }
 
 void AXObjectCache::deferTextChanged(RenderText& renderer)
 {
+    if (renderer.beingDestroyed())
+        return;
     m_deferredCacheUpdateList.add(&renderer);
 }
 

_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes

Reply via email to