Title: [222244] branches/safari-604-branch

Diff

Modified: branches/safari-604-branch/LayoutTests/ChangeLog (222243 => 222244)


--- branches/safari-604-branch/LayoutTests/ChangeLog	2017-09-20 01:56:30 UTC (rev 222243)
+++ branches/safari-604-branch/LayoutTests/ChangeLog	2017-09-20 02:12:46 UTC (rev 222244)
@@ -1,5 +1,20 @@
 2017-09-19  Jason Marcell  <[email protected]>
 
+        Cherry-pick r222226. rdar://problem/34534758
+
+    2017-09-19  Zalan Bujtas  <[email protected]>
+
+            AXObjectCache::performDeferredCacheUpdate is called recursively through FrameView::layout.
+            https://bugs.webkit.org/show_bug.cgi?id=176218
+            <rdar://problem/34205612>
+
+            Reviewed by Simon Fraser.
+
+            * accessibility/crash-table-recursive-layout-expected.txt: Added.
+            * accessibility/crash-table-recursive-layout.html: Added.
+
+2017-09-19  Jason Marcell  <[email protected]>
+
         Cherry-pick r222220. rdar://problem/34534766
 
     2017-09-15  Wenson Hsieh  <[email protected]>

Added: branches/safari-604-branch/LayoutTests/accessibility/crash-table-recursive-layout-expected.txt (0 => 222244)


--- branches/safari-604-branch/LayoutTests/accessibility/crash-table-recursive-layout-expected.txt	                        (rev 0)
+++ branches/safari-604-branch/LayoutTests/accessibility/crash-table-recursive-layout-expected.txt	2017-09-20 02:12:46 UTC (rev 222244)
@@ -0,0 +1,2 @@
+PASS if no crash.
+

Added: branches/safari-604-branch/LayoutTests/accessibility/crash-table-recursive-layout.html (0 => 222244)


--- branches/safari-604-branch/LayoutTests/accessibility/crash-table-recursive-layout.html	                        (rev 0)
+++ branches/safari-604-branch/LayoutTests/accessibility/crash-table-recursive-layout.html	2017-09-20 02:12:46 UTC (rev 222244)
@@ -0,0 +1,36 @@
+<!DOCTYPE html>
+<html>
+<head>
+<style>
+#colgrp { 
+    display: table-footer-group;
+}
+
+.class1 {
+    text-transform: capitalize;
+    display: -webkit-box;
+}
+</style>
+<script>
+    if (window.accessibilityController)
+        accessibilityController.focusedElement;
+    if (window.testRunner)
+        testRunner.dumpAsText();
+    function runTest() {
+        textarea.setSelectionRange(30, 1);
+        option.defaultSelected = true;
+        col.setAttribute("aria-labeledby", "link");
+    }
+</script>
+</head>
+<body _onload_=runTest()>
+<link id="link">
+<table>
+<colgroup id="colgrp">
+<col id="col" tabindex="1"></col>
+<thead class="class1">
+<th class="class1">
+<textarea id="textarea" readonly="readonly"></textarea>
+<option id="option"></option>
+</body>
+</html>
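Review bot: Nothing in this markup, as shown, produces the string `PASS if no crash.` that crash-table-recursive-layout-expected.txt requires, so under `testRunner.dumpAsText()` the run would be reported as a text mismatch instead of a pass. If the text was not simply lost when the patch was archived, add it as visible body content, e.g. a line `PASS if no crash.` directly after the `<body>` tag. The handler attribute also reads `_onload_` here, which would never call `runTest()`; this is presumably archive sanitisation of `onload`, but it is worth checking against the committed file. A short HTML comment naming the bug (webkit.org/b/176218) and stating that the test passes by not crashing during recursive layout would help whoever has to triage it later.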

Modified: branches/safari-604-branch/Source/WebCore/ChangeLog (222243 => 222244)


--- branches/safari-604-branch/Source/WebCore/ChangeLog	2017-09-20 01:56:30 UTC (rev 222243)
+++ branches/safari-604-branch/Source/WebCore/ChangeLog	2017-09-20 02:12:46 UTC (rev 222244)
@@ -1,5 +1,26 @@
 2017-09-19  Jason Marcell  <[email protected]>
 
+        Cherry-pick r222226. rdar://problem/34534758
+
+    2017-09-19  Zalan Bujtas  <[email protected]>
+
+            AXObjectCache::performDeferredCacheUpdate is called recursively through FrameView::layout.
+            https://bugs.webkit.org/show_bug.cgi?id=176218
+            <rdar://problem/34205612>
+
+            Reviewed by Simon Fraser.
+
+            There are certain cases when we might re-enter performDeferredCacheUpdate through recursive
+            layout calls (see webkit.org/b/177176) and mutate m_deferredTextChangedList multiple times.
+
+            Test: accessibility/crash-table-recursive-layout.html
+
+            * accessibility/AXObjectCache.cpp:
+            (WebCore::AXObjectCache::performDeferredCacheUpdate):
+            * accessibility/AXObjectCache.h:
+
+2017-09-19  Jason Marcell  <[email protected]>
+
         Cherry-pick r222220. rdar://problem/34534766
 
     2017-09-15  Wenson Hsieh  <[email protected]>

Modified: branches/safari-604-branch/Source/WebCore/accessibility/AXObjectCache.cpp (222243 => 222244)


--- branches/safari-604-branch/Source/WebCore/accessibility/AXObjectCache.cpp	2017-09-20 01:56:30 UTC (rev 222243)
+++ branches/safari-604-branch/Source/WebCore/accessibility/AXObjectCache.cpp	2017-09-20 02:12:46 UTC (rev 222244)
@@ -97,6 +97,7 @@
 #include "TextControlInnerElements.h"
 #include "TextIterator.h"
 #include <wtf/DataLog.h>
+#include <wtf/SetForScope.h>
 
 #if ENABLE(VIDEO)
 #include "MediaControlElements.h"
@@ -2774,6 +2775,10 @@
     
 void AXObjectCache::performDeferredCacheUpdate()
 {
+    if (m_performingDeferredCacheUpdate)
+        return;
+
+    SetForScope<bool> performingDeferredCacheUpdate(m_performingDeferredCacheUpdate, true);
     for (auto* node : m_deferredTextChangedList)
         textChanged(node);
     m_deferredTextChangedList.clear();
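Review bot: The new early return at the top of `performDeferredCacheUpdate()` is silent and uncommented, so a reader cannot tell that re-entry is an expected path and not a logic error. The ChangeLog attributes it to recursive `FrameView::layout` calls (webkit.org/b/177176), and I would record that at the guard, e.g. `// FIXME: Re-entered through recursive layout (webkit.org/b/177176); the outer call completes the update.` The guard stops a nested call from iterating and clearing `m_deferredTextChangedList` underneath the outer range-for. The list still holds raw `Node*` while `textChanged()` runs, and whether a node can be destroyed or the list appended to during that walk is not visible here, so it is worth confirming. The function body continues past the end of this hunk.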

Modified: branches/safari-604-branch/Source/WebCore/accessibility/AXObjectCache.h (222243 => 222244)


--- branches/safari-604-branch/Source/WebCore/accessibility/AXObjectCache.h	2017-09-20 01:56:30 UTC (rev 222243)
+++ branches/safari-604-branch/Source/WebCore/accessibility/AXObjectCache.h	2017-09-20 02:12:46 UTC (rev 222244)
@@ -436,9 +436,10 @@
     ListHashSet<Node*> m_ariaModalNodesSet;
 
     AXTextStateChangeIntent m_textSelectionIntent;
-    bool m_isSynchronizingSelection { false };
     ListHashSet<Element*> m_deferredRecomputeIsIgnoredList;
     ListHashSet<Node*> m_deferredTextChangedList;
+    bool m_isSynchronizingSelection { false };
+    bool m_performingDeferredCacheUpdate { false };
 };
 
 class AXAttributeCacheEnabler