Title: [222226] trunk
Revision: 222226
Author: [email protected]
Date: 2017-09-19 14:23:18 -0700 (Tue, 19 Sep 2017)

Log Message

AXObjectCache::performDeferredCacheUpdate is called recursively through FrameView::layout.
https://bugs.webkit.org/show_bug.cgi?id=176218
<rdar://problem/34205612>

Reviewed by Simon Fraser.

Source/WebCore:

There are certain cases when we might re-enter performDeferredCacheUpdate through recursive
layout calls (see webkit.org/b/177176) and mutate m_deferredTextChangedList multiple times.

Test: accessibility/crash-table-recursive-layout.html

* accessibility/AXObjectCache.cpp:
(WebCore::AXObjectCache::performDeferredCacheUpdate):
* accessibility/AXObjectCache.h:

LayoutTests:

* accessibility/crash-table-recursive-layout-expected.txt: Added.
* accessibility/crash-table-recursive-layout.html: Added.

Diff

Modified: trunk/LayoutTests/ChangeLog (222225 => 222226)


--- trunk/LayoutTests/ChangeLog	2017-09-19 21:15:46 UTC (rev 222225)
+++ trunk/LayoutTests/ChangeLog	2017-09-19 21:23:18 UTC (rev 222226)
@@ -1,3 +1,14 @@
+2017-09-19  Zalan Bujtas  <[email protected]>
+
+        AXObjectCache::performDeferredCacheUpdate is called recursively through FrameView::layout. 
+        https://bugs.webkit.org/show_bug.cgi?id=176218
+        <rdar://problem/34205612>
+
+        Reviewed by Simon Fraser.
+
+        * accessibility/crash-table-recursive-layout-expected.txt: Added.
+        * accessibility/crash-table-recursive-layout.html: Added.
+
 2017-09-19  Jer Noble  <[email protected]>
 
         [Cocoa] Add an ImageDecoder subclass backed by AVFoundation
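Review bot: the title line of the new entry ("AXObjectCache::performDeferredCacheUpdate is called recursively through FrameView::layout. ") carries a trailing space after the full stop; strip it so the entry matches the whitespace conventions of the surrounding ChangeLog entries.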

Added: trunk/LayoutTests/accessibility/crash-table-recursive-layout-expected.txt (0 => 222226)


--- trunk/LayoutTests/accessibility/crash-table-recursive-layout-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/accessibility/crash-table-recursive-layout-expected.txt	2017-09-19 21:23:18 UTC (rev 222226)
@@ -0,0 +1,2 @@
+PASS if no crash.
+

Added: trunk/LayoutTests/accessibility/crash-table-recursive-layout.html (0 => 222226)


--- trunk/LayoutTests/accessibility/crash-table-recursive-layout.html	                        (rev 0)
+++ trunk/LayoutTests/accessibility/crash-table-recursive-layout.html	2017-09-19 21:23:18 UTC (rev 222226)
@@ -0,0 +1,36 @@
+<!DOCTYPE html>
+<html>
+<head>
+<style>
+#colgrp { 
+    display: table-footer-group;
+}
+
+.class1 {
+    text-transform: capitalize;
+    display: -webkit-box;
+}
+</style>
+<script>
+    if (window.accessibilityController)
+        accessibilityController.focusedElement;
+    if (window.testRunner)
+        testRunner.dumpAsText();
+    function runTest() {
+        textarea.setSelectionRange(30, 1);
+        option.defaultSelected = true;
+        col.setAttribute("aria-labeledby", "link");
+    }
+</script>
+</head>
+<body _onload_=runTest()>
+<link id="link">
+<table>
+<colgroup id="colgrp">
+<col id="col" tabindex="1"></col>
+<thead class="class1">
+<th class="class1">
+<textarea id="textarea" readonly="readonly"></textarea>
+<option id="option"></option>
+</body>
+</html>
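Review bot: as rendered here the body tag reads `<body _onload_=runTest()>`, which is not an event handler attribute, so runTest() would never execute and the mutations that drive the recursive layout (setSelectionRange, defaultSelected, the aria attribute change) would not happen; if `_onload_` is only how the list archive rewrites `onload`, fine, but confirm the committed file uses `onload="runTest()"`. Also, `aria-labeledby` is not the ARIA attribute name (`aria-labelledby` is); if the misspelling, the unclosed `<table>`, `<colgroup>`, `<thead>` and `<th>`, and the `</col>` end tag on a void element are all deliberate leftovers of the reduced crash case, a one-line comment in the test saying so would keep a future cleanup from "fixing" the markup and losing the reproduction.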

Modified: trunk/Source/WebCore/ChangeLog (222225 => 222226)


--- trunk/Source/WebCore/ChangeLog	2017-09-19 21:15:46 UTC (rev 222225)
+++ trunk/Source/WebCore/ChangeLog	2017-09-19 21:23:18 UTC (rev 222226)
@@ -1,3 +1,20 @@
+2017-09-19  Zalan Bujtas  <[email protected]>
+
+        AXObjectCache::performDeferredCacheUpdate is called recursively through FrameView::layout. 
+        https://bugs.webkit.org/show_bug.cgi?id=176218
+        <rdar://problem/34205612>
+
+        Reviewed by Simon Fraser.
+
+        There are certain cases when we might re-enter performDeferredCacheUpdate through recursive
+        layout calls (see webkit.org/b/177176) and mutate m_deferredTextChangedList multiple times.
+
+        Test: accessibility/crash-table-recursive-layout.html
+
+        * accessibility/AXObjectCache.cpp:
+        (WebCore::AXObjectCache::performDeferredCacheUpdate):
+        * accessibility/AXObjectCache.h:
+
 2017-09-19  Jer Noble  <[email protected]>
 
         [Cocoa] Add an ImageDecoder subclass backed by AVFoundation
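Review bot: the description cites webkit.org/b/177176 for the recursive layout cases while the entry's own bug is 176218; if both are intended, a word on how the two relate would help the next reader, and if not, one of them is a typo. The title line also ends with a trailing space, as in the LayoutTests ChangeLog.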

Modified: trunk/Source/WebCore/accessibility/AXObjectCache.cpp (222225 => 222226)


--- trunk/Source/WebCore/accessibility/AXObjectCache.cpp	2017-09-19 21:15:46 UTC (rev 222225)
+++ trunk/Source/WebCore/accessibility/AXObjectCache.cpp	2017-09-19 21:23:18 UTC (rev 222226)
@@ -97,6 +97,7 @@
 #include "TextControlInnerElements.h"
 #include "TextIterator.h"
 #include <wtf/DataLog.h>
+#include <wtf/SetForScope.h>
 
 #if ENABLE(VIDEO)
 #include "MediaControlElements.h"
@@ -2767,6 +2768,10 @@
     
 void AXObjectCache::performDeferredCacheUpdate()
 {
+    if (m_performingDeferredCacheUpdate)
+        return;
+
+    SetForScope<bool> performingDeferredCacheUpdate(m_performingDeferredCacheUpdate, true);
     for (auto* node : m_deferredTextChangedList)
         textChanged(node);
     m_deferredTextChangedList.clear();
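Review bot: the re-entrancy guard stops a nested performDeferredCacheUpdate from iterating and clearing the set, but `textChanged(node)` can still cause new entries to be added to `m_deferredTextChangedList` while the range-for is walking it, and any entries added that way are then discarded by the unconditional `m_deferredTextChangedList.clear()` without ever being processed. Consider taking the set out of the member before iterating (move or swap it into a local and loop over that), so the member is free to collect entries for the next update and the loop never observes a container that is being mutated; a short comment on why the early return is safe would also help, since a silently dropped call is easy to misread as a bug later.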

Modified: trunk/Source/WebCore/accessibility/AXObjectCache.h (222225 => 222226)


--- trunk/Source/WebCore/accessibility/AXObjectCache.h	2017-09-19 21:15:46 UTC (rev 222225)
+++ trunk/Source/WebCore/accessibility/AXObjectCache.h	2017-09-19 21:23:18 UTC (rev 222226)
@@ -436,9 +436,10 @@
     ListHashSet<Node*> m_ariaModalNodesSet;
 
     AXTextStateChangeIntent m_textSelectionIntent;
-    bool m_isSynchronizingSelection { false };
     ListHashSet<Element*> m_deferredRecomputeIsIgnoredList;
     ListHashSet<Node*> m_deferredTextChangedList;
+    bool m_isSynchronizingSelection { false };
+    bool m_performingDeferredCacheUpdate { false };
 };
 
 class AXAttributeCacheEnabler
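Review bot: this hunk relocates `m_isSynchronizingSelection` below the two ListHashSet members in addition to adding `m_performingDeferredCacheUpdate`; if the intent is to keep the two `bool` members adjacent for packing, say so in the ChangeLog entry for AXObjectCache.h, otherwise the move is unrelated churn that makes blame harder to follow.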