Title: [223386] releases/WebKitGTK/webkit-2.18
- Revision
- 223386
- Author
- [email protected]
- Date
- 2017-10-16 04:22:19 -0700 (Mon, 16 Oct 2017)
Log Message
Merge r222226 - AXObjectCache::performDeferredCacheUpdate is called recursively through FrameView::layout.
https://bugs.webkit.org/show_bug.cgi?id=176218
<rdar://problem/34205612>
Reviewed by Simon Fraser.
Source/WebCore:
There are certain cases when we might re-enter performDeferredCacheUpdate through recursive
layout calls (see webkit.org/b/177176) and mutate m_deferredTextChangedList multiple times.
Test: accessibility/crash-table-recursive-layout.html
* accessibility/AXObjectCache.cpp:
(WebCore::AXObjectCache::performDeferredCacheUpdate):
* accessibility/AXObjectCache.h:
LayoutTests:
* accessibility/crash-table-recursive-layout-expected.txt: Added.
* accessibility/crash-table-recursive-layout.html: Added.
Diff
Modified: releases/WebKitGTK/webkit-2.18/LayoutTests/ChangeLog (223385 => 223386)
--- releases/WebKitGTK/webkit-2.18/LayoutTests/ChangeLog 2017-10-16 11:13:47 UTC (rev 223385)
+++ releases/WebKitGTK/webkit-2.18/LayoutTests/ChangeLog 2017-10-16 11:22:19 UTC (rev 223386)
@@ -1,5 +1,16 @@
2017-09-19 Zalan Bujtas <[email protected]>
+ AXObjectCache::performDeferredCacheUpdate is called recursively through FrameView::layout.
+ https://bugs.webkit.org/show_bug.cgi?id=176218
+ <rdar://problem/34205612>
+
+ Reviewed by Simon Fraser.
+
+ * accessibility/crash-table-recursive-layout-expected.txt: Added.
+ * accessibility/crash-table-recursive-layout.html: Added.
+
+2017-09-19 Zalan Bujtas <[email protected]>
+
Do not mutate RenderText content during layout.
https://bugs.webkit.org/show_bug.cgi?id=176219
<rdar://problem/34205724>
Added: releases/WebKitGTK/webkit-2.18/LayoutTests/accessibility/crash-table-recursive-layout-expected.txt (0 => 223386)
--- releases/WebKitGTK/webkit-2.18/LayoutTests/accessibility/crash-table-recursive-layout-expected.txt (rev 0)
+++ releases/WebKitGTK/webkit-2.18/LayoutTests/accessibility/crash-table-recursive-layout-expected.txt 2017-10-16 11:22:19 UTC (rev 223386)
@@ -0,0 +1,2 @@
+PASS if no crash.
+
Added: releases/WebKitGTK/webkit-2.18/LayoutTests/accessibility/crash-table-recursive-layout.html (0 => 223386)
--- releases/WebKitGTK/webkit-2.18/LayoutTests/accessibility/crash-table-recursive-layout.html (rev 0)
+++ releases/WebKitGTK/webkit-2.18/LayoutTests/accessibility/crash-table-recursive-layout.html 2017-10-16 11:22:19 UTC (rev 223386)
@@ -0,0 +1,36 @@
+<!DOCTYPE html>
+<html>
+<head>
+<style>
+#colgrp {
+ display: table-footer-group;
+}
+
+.class1 {
+ text-transform: capitalize;
+ display: -webkit-box;
+}
+</style>
+<script>
+ if (window.accessibilityController)
+ accessibilityController.focusedElement;
+ if (window.testRunner)
+ testRunner.dumpAsText();
+ function runTest() {
+ textarea.setSelectionRange(30, 1);
+ option.defaultSelected = true;
+ col.setAttribute("aria-labeledby", "link");
+ }
+</script>
+</head>
+<body _onload_=runTest()>
+<link id="link">
+<table>
+<colgroup id="colgrp">
+<col id="col" tabindex="1"></col>
+<thead class="class1">
+<th class="class1">
+<textarea id="textarea" readonly="readonly"></textarea>
+<option id="option"></option>
+</body>
+</html>
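Review bot: runTest() performs three unrelated mutations (setSelectionRange(30, 1) on an empty textarea, option.defaultSelected = true, and setAttribute("aria-labeledby", "link")) with no comment saying which of them drives the recursive layout named in the ChangeLog, so a later edit to the test could stop exercising the bug without anyone noticing. A short comment above runTest() naming the triggering step would fix that. The bare `accessibilityController.focusedElement;` read in the script also deserves a comment. It appears to be there only to turn accessibility on, which is an assumption from the visible lines. Because both harness objects are guarded by `if (window...)`, the page passes trivially outside the test runner, which is worth stating in the same comment.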
Modified: releases/WebKitGTK/webkit-2.18/Source/WebCore/ChangeLog (223385 => 223386)
--- releases/WebKitGTK/webkit-2.18/Source/WebCore/ChangeLog 2017-10-16 11:13:47 UTC (rev 223385)
+++ releases/WebKitGTK/webkit-2.18/Source/WebCore/ChangeLog 2017-10-16 11:22:19 UTC (rev 223386)
@@ -1,5 +1,22 @@
2017-09-19 Zalan Bujtas <[email protected]>
+ AXObjectCache::performDeferredCacheUpdate is called recursively through FrameView::layout.
+ https://bugs.webkit.org/show_bug.cgi?id=176218
+ <rdar://problem/34205612>
+
+ Reviewed by Simon Fraser.
+
+ There are certain cases when we might re-enter performDeferredCacheUpdate through recursive
+ layout calls (see webkit.org/b/177176) and mutate m_deferredTextChangedList multiple times.
+
+ Test: accessibility/crash-table-recursive-layout.html
+
+ * accessibility/AXObjectCache.cpp:
+ (WebCore::AXObjectCache::performDeferredCacheUpdate):
+ * accessibility/AXObjectCache.h:
+
+2017-09-19 Zalan Bujtas <[email protected]>
+
Do not mutate RenderText content during layout.
https://bugs.webkit.org/show_bug.cgi?id=176219
<rdar://problem/34205724>
Modified: releases/WebKitGTK/webkit-2.18/Source/WebCore/accessibility/AXObjectCache.cpp (223385 => 223386)
--- releases/WebKitGTK/webkit-2.18/Source/WebCore/accessibility/AXObjectCache.cpp 2017-10-16 11:13:47 UTC (rev 223385)
+++ releases/WebKitGTK/webkit-2.18/Source/WebCore/accessibility/AXObjectCache.cpp 2017-10-16 11:22:19 UTC (rev 223386)
@@ -97,6 +97,7 @@
#include "TextControlInnerElements.h"
#include "TextIterator.h"
#include <wtf/DataLog.h>
+#include <wtf/SetForScope.h>
#if ENABLE(VIDEO)
#include "MediaControlElements.h"
@@ -2774,6 +2775,10 @@
void AXObjectCache::performDeferredCacheUpdate()
{
+ if (m_performingDeferredCacheUpdate)
+ return;
+
+ SetForScope<bool> performingDeferredCacheUpdate(m_performingDeferredCacheUpdate, true);
for (auto* node : m_deferredTextChangedList)
textChanged(node);
m_deferredTextChangedList.clear();
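Review bot: the early `return` at the top of performDeferredCacheUpdate() only stops this function from being re-entered; the range-for over m_deferredTextChangedList still runs while textChanged(node) can reach layout. If anything on that path appends to the list, the loop iterates a container that is being mutated, and the trailing m_deferredTextChangedList.clear() discards entries that were never processed. Consider moving the list into a local before iterating, so the member is empty during the loop and late additions survive for the next update. A one-line comment above the guard stating that the nested call is dropped on purpose, and why nothing is lost by doing so, would also help, since the ChangeLog describes the re-entry but not the decision to ignore it.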
Modified: releases/WebKitGTK/webkit-2.18/Source/WebCore/accessibility/AXObjectCache.h (223385 => 223386)
--- releases/WebKitGTK/webkit-2.18/Source/WebCore/accessibility/AXObjectCache.h 2017-10-16 11:13:47 UTC (rev 223385)
+++ releases/WebKitGTK/webkit-2.18/Source/WebCore/accessibility/AXObjectCache.h 2017-10-16 11:22:19 UTC (rev 223386)
@@ -436,9 +436,10 @@
ListHashSet<Node*> m_ariaModalNodesSet;
AXTextStateChangeIntent m_textSelectionIntent;
- bool m_isSynchronizingSelection { false };
ListHashSet<Element*> m_deferredRecomputeIsIgnoredList;
ListHashSet<Node*> m_deferredTextChangedList;
+ bool m_isSynchronizingSelection { false };
+ bool m_performingDeferredCacheUpdate { false };
};
class AXAttributeCacheEnabler
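Review bot: moving m_isSynchronizingSelection below the two ListHashSet members is unrelated to the re-entrancy fix and is not explained in the ChangeLog entry, which lists accessibility/AXObjectCache.h with no description. If the move is meant to group the bool members together, say so in the ChangeLog; otherwise leave the existing member where it was to keep the merge minimal. m_performingDeferredCacheUpdate would also benefit from a brief comment noting that it is only set through the SetForScope in performDeferredCacheUpdate().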