Title: [227884] branches/safari-605-branch

Diff

Modified: branches/safari-605-branch/LayoutTests/ChangeLog (227883 => 227884)


--- branches/safari-605-branch/LayoutTests/ChangeLog	2018-01-31 09:09:21 UTC (rev 227883)
+++ branches/safari-605-branch/LayoutTests/ChangeLog	2018-01-31 09:09:24 UTC (rev 227884)
@@ -1,5 +1,22 @@
 2018-01-31  Jason Marcell  <[email protected]>
 
+        Cherry-pick r227858. rdar://problem/37049295
+
+    2018-01-30  Ryosuke Niwa  <[email protected]>
+
+            Release assert in updateLayout() via AXObjectCache::childrenChanged
+            https://bugs.webkit.org/show_bug.cgi?id=182279
+            <rdar://problem/36994456>
+
+            Reviewed by Antti Koivisto.
+
+            Added a regression test.
+
+            * accessibility/accessibility-object-update-during-style-resolution-crash-expected.txt: Added.
+            * accessibility/accessibility-object-update-during-style-resolution-crash.html: Added.
+
+2018-01-31  Jason Marcell  <[email protected]>
+
         Cherry-pick r227855. rdar://problem/37059539
 
     2018-01-30  Megan Gardner  <[email protected]>

Added: branches/safari-605-branch/LayoutTests/accessibility/accessibility-object-update-during-style-resolution-crash-expected.txt (0 => 227884)


--- branches/safari-605-branch/LayoutTests/accessibility/accessibility-object-update-during-style-resolution-crash-expected.txt	                        (rev 0)
+++ branches/safari-605-branch/LayoutTests/accessibility/accessibility-object-update-during-style-resolution-crash-expected.txt	2018-01-31 09:09:24 UTC (rev 227884)
@@ -0,0 +1,4 @@
+This tests invoking updateLayout durign a live region update from the style recalc.
+WebKit should not hit a release assertion.
+
+PASS. WebKit did not crash.

Added: branches/safari-605-branch/LayoutTests/accessibility/accessibility-object-update-during-style-resolution-crash.html (0 => 227884)


--- branches/safari-605-branch/LayoutTests/accessibility/accessibility-object-update-during-style-resolution-crash.html	                        (rev 0)
+++ branches/safari-605-branch/LayoutTests/accessibility/accessibility-object-update-during-style-resolution-crash.html	2018-01-31 09:09:24 UTC (rev 227884)
@@ -0,0 +1,29 @@
+<!DOCTYPE html>
+<html>
+<body>
+<p>This tests invoking updateLayout durign a live region update from the style recalc.<br>
+WebKit should not hit a release assertion.</p>
+<section style="display: none">
+    <label for="" id="input" type="text" aria-labelledby="hello"><div id="in-label" aria-live="polite"></div></label>
+    <span id="hello">hello</span>
+</section>
+<script>
+function runTest()
+{
+    document.querySelector('section').style.display = null;
+    document.body.getBoundingClientRect();
+}
+
+if (window.testRunner) {
+    testRunner.dumpAsText();
+    document.body.getBoundingClientRect();
+    const webArea = accessibilityController.rootElement.childAtIndex(0);
+    runTest();
+    document.querySelector('section').style.display = 'none';
+    document.write('PASS. WebKit did not crash.');
+} else
+    document.write('<button _onclick_="runTest()">Go</button>');
+
+</script>
+</body>
+</html>

Modified: branches/safari-605-branch/Source/WebCore/ChangeLog (227883 => 227884)


--- branches/safari-605-branch/Source/WebCore/ChangeLog	2018-01-31 09:09:21 UTC (rev 227883)
+++ branches/safari-605-branch/Source/WebCore/ChangeLog	2018-01-31 09:09:24 UTC (rev 227884)
@@ -1,5 +1,34 @@
 2018-01-31  Jason Marcell  <[email protected]>
 
+        Cherry-pick r227858. rdar://problem/37049295
+
+    2018-01-30  Ryosuke Niwa  <[email protected]>
+
+            Release assert in updateLayout() via AXObjectCache::childrenChanged
+            https://bugs.webkit.org/show_bug.cgi?id=182279
+            <rdar://problem/36994456>
+
+            Reviewed by Antti Koivisto.
+
+            Disable the assertion in Document::updateLayout and Document::updateStyle* in this particular circumstance as fixing it
+            would require a large architectural refactoring of the accessibility code.
+
+            Test: accessibility/accessibility-object-update-during-style-resolution-crash.html
+
+            * accessibility/AXObjectCache.cpp:
+            (WebCore::AXObjectCache::childrenChanged): Disabled the release assertion here.
+            * dom/Document.cpp:
+            (WebCore::Document::isSafeToUpdateStyleOrLayout const): Check LayoutAssertionDisableScope::shouldDisable.
+            * dom/ScriptDisallowedScope.h:
+            (WebCore::ScriptDisallowedScope::LayoutAssertionDisableScope): Added.
+            (WebCore::ScriptDisallowedScope::LayoutAssertionDisableScope::LayoutAssertionDisableScope): Added.
+            (WebCore::ScriptDisallowedScope::LayoutAssertionDisableScope::~LayoutAssertionDisableScope): Added.
+            (WebCore::ScriptDisallowedScope::LayoutAssertionDisableScope::shouldDisable): Added.
+            * page/LayoutContext.cpp:
+            (WebCore::LayoutContext::layout): Check LayoutAssertionDisableScope::shouldDisable.
+
+2018-01-31  Jason Marcell  <[email protected]>
+
         Cherry-pick r227841. rdar://problem/37059544
 
     2018-01-30  Dean Jackson  <[email protected]>

Modified: branches/safari-605-branch/Source/WebCore/accessibility/AXObjectCache.cpp (227883 => 227884)


--- branches/safari-605-branch/Source/WebCore/accessibility/AXObjectCache.cpp	2018-01-31 09:09:21 UTC (rev 227883)
+++ branches/safari-605-branch/Source/WebCore/accessibility/AXObjectCache.cpp	2018-01-31 09:09:24 UTC (rev 227884)
@@ -95,6 +95,7 @@
 #include "RenderTableRow.h"
 #include "RenderView.h"
 #include "SVGElement.h"
+#include "ScriptDisallowedScope.h"
 #include "ScrollView.h"
 #include "TextBoundaries.h"
 #include "TextControlInnerElements.h"
@@ -832,7 +833,7 @@
         handleMenuOpened(newChild);
         handleLiveRegionCreated(newChild);
     }
-    
+
     childrenChanged(get(node));
 }
 
@@ -840,6 +841,9 @@
 {
     if (!renderer)
         return;
+
+    // FIXME: Refactor the code to avoid calling updateLayout in this call stack.
+    ScriptDisallowedScope::LayoutAssertionDisableScope disableScope;
     
     if (newChild) {
         handleMenuOpened(newChild->node());
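Review bot: The `LayoutAssertionDisableScope` declared at the top of childrenChanged stays alive for the whole remainder of the function, so the release assertion in LayoutContext::layout and the check in Document::isSafeToUpdateStyleOrLayout are suppressed for handleMenuOpened, handleLiveRegionCreated and everything after them, not only for the one call path the bug describes; if the path that reaches updateLayout can be identified, declaring the scope immediately around that statement would keep the assertion armed for the rest. childrenChanged starts before this hunk and continues past it, so the scope's full extent is not visible here. The FIXME would also be easier to act on with the tracking bug attached: `// FIXME: Refactor the code to avoid calling updateLayout in this call stack. See https://bugs.webkit.org/show_bug.cgi?id=182279.`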

Modified: branches/safari-605-branch/Source/WebCore/dom/Document.cpp (227883 => 227884)


--- branches/safari-605-branch/Source/WebCore/dom/Document.cpp	2018-01-31 09:09:21 UTC (rev 227883)
+++ branches/safari-605-branch/Source/WebCore/dom/Document.cpp	2018-01-31 09:09:24 UTC (rev 227884)
@@ -314,6 +314,8 @@
 static const unsigned cMaxWriteRecursionDepth = 21;
 bool Document::hasEverCreatedAnAXObjectCache = false;
 
+unsigned ScriptDisallowedScope::LayoutAssertionDisableScope::s_layoutAssertionDisableCount = 0;
+
 // DOM Level 2 says (letters added):
 //
 // a) Name start characters must have one of the categories Ll, Lu, Lo, Lt, Nl.
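Review bot: The storage for `ScriptDisallowedScope::LayoutAssertionDisableScope::s_layoutAssertionDisableCount` is defined in Document.cpp, while the class itself lives in ScriptDisallowedScope.h next to `s_count`; a reader looking for the definition alongside the class will not find it here without the ChangeLog. If the existing `s_count` is defined in a ScriptDisallowedScope.cpp (not visible on this page), the new counter presumably belongs beside it; otherwise a one-line comment such as `// Defined here because ScriptDisallowedScope has no .cpp of its own.` would explain the placement.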
@@ -1940,7 +1942,8 @@
 {
     bool isSafeToExecuteScript = ScriptDisallowedScope::InMainThread::isScriptAllowed();
     bool isInFrameFlattening = view() && view()->isInChildFrameWithFrameFlattening();
-    return isSafeToExecuteScript || isInFrameFlattening || !isInWebProcess();
+    bool isAssertionDisabled = ScriptDisallowedScope::LayoutAssertionDisableScope::shouldDisable();
+    return isSafeToExecuteScript || isInFrameFlattening || !isInWebProcess() || isAssertionDisabled;
 }
 
 bool Document::updateStyleIfNeeded()

Modified: branches/safari-605-branch/Source/WebCore/dom/ScriptDisallowedScope.h (227883 => 227884)


--- branches/safari-605-branch/Source/WebCore/dom/ScriptDisallowedScope.h	2018-01-31 09:09:21 UTC (rev 227883)
+++ branches/safari-605-branch/Source/WebCore/dom/ScriptDisallowedScope.h	2018-01-31 09:09:24 UTC (rev 227884)
@@ -147,6 +147,25 @@
         unsigned m_originalCount { 0 };
     };
 
+    // FIXME: Remove all uses of this class.
+    class LayoutAssertionDisableScope {
+    public:
+        LayoutAssertionDisableScope()
+        {
+            s_layoutAssertionDisableCount++;
+        }
+
+        ~LayoutAssertionDisableScope()
+        {
+            s_layoutAssertionDisableCount--;
+        }
+
+        static bool shouldDisable() { return s_layoutAssertionDisableCount; }
+
+    private:
+        static unsigned s_layoutAssertionDisableCount;
+    };
+
 private:
     WEBCORE_EXPORT static unsigned s_count;
 };
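Review bot: `LayoutAssertionDisableScope` is copyable, so a copy would increment the counter once in the original constructor and decrement it twice when both objects die, leaving the unsigned `s_layoutAssertionDisableCount` wrapped around and `shouldDisable()` permanently true, which silently keeps the release assertion off for the rest of the process. The sibling scopes in this header are not visible in the hunk, but the usual WebKit shape is `WTF_MAKE_NONCOPYABLE(LayoutAssertionDisableScope);` in the class body, plus `ASSERT(s_layoutAssertionDisableCount);` before the decrement in the destructor so an unbalanced release is caught in debug builds. Since the counter is a plain static read from layout code, an `ASSERT(isMainThread());` in the constructor would also document the assumption that only the main thread creates these scopes, as the rest of this header appears to assume.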

Modified: branches/safari-605-branch/Source/WebCore/page/LayoutContext.cpp (227883 => 227884)


--- branches/safari-605-branch/Source/WebCore/page/LayoutContext.cpp	2018-01-31 09:09:21 UTC (rev 227883)
+++ branches/safari-605-branch/Source/WebCore/page/LayoutContext.cpp	2018-01-31 09:09:24 UTC (rev 227884)
@@ -122,7 +122,7 @@
 {
     LOG_WITH_STREAM(Layout, stream << "FrameView " << &view() << " LayoutContext::layout() with size " << view().layoutSize());
 
-    RELEASE_ASSERT_WITH_SECURITY_IMPLICATION(!frame().document()->inRenderTreeUpdate());
+    RELEASE_ASSERT_WITH_SECURITY_IMPLICATION(!frame().document()->inRenderTreeUpdate() || ScriptDisallowedScope::LayoutAssertionDisableScope::shouldDisable());
     ASSERT(LayoutDisallowedScope::isLayoutAllowed());
     ASSERT(!view().isPainting());
     ASSERT(frame().view() == &view());
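Review bot: The changed line weakens a RELEASE_ASSERT_WITH_SECURITY_IMPLICATION with no comment at the site explaining why laying out during a render tree update is tolerated here, so the next reader may either widen the exception or remove it without knowing it guards the accessibility path; the same applies to the `isAssertionDisabled` term added to Document::isSafeToUpdateStyleOrLayout. A one-line comment above the assertion would carry that intent: `// FIXME: LayoutAssertionDisableScope exists only for AXObjectCache::childrenChanged; see https://bugs.webkit.org/show_bug.cgi?id=182279.` LayoutContext::layout starts before this hunk and continues after it.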
