- Revision
- 277434
- Author
- [email protected]
- Date
- 2021-05-13 07:30:23 -0700 (Thu, 13 May 2021)
Log Message
AX: Crash at WebCore::Document::updateLayout
https://bugs.webkit.org/show_bug.cgi?id=225677
Reviewed by Alan Bujtas.
Source/WebCore:
Handling notifications while during layout is risky because we can call back into an update method.
We have handled many other cases like this by deferring the notification, as we do here.
Special note: this test can't be made to crash because actual crash requires the accessibility
runtime to be initialized and posting real notifications to the system. But, we can verify that the
notification is still sent correctly under conditions that could lead to a crash.
Test: accessibility/mac/menu-selection-notification-crash.html
* accessibility/AXObjectCache.cpp:
(WebCore::AXObjectCache::deferMenuListValueChange):
(WebCore::AXObjectCache::performDeferredCacheUpdate):
* accessibility/AXObjectCache.h:
* accessibility/AccessibilityMenuList.cpp:
(WebCore::AccessibilityMenuList::didUpdateActiveOption):
LayoutTests:
* accessibility/mac/menu-selection-notification-crash-expected.txt: Added.
* accessibility/mac/menu-selection-notification-crash.html: Added.
Modified Paths
Added Paths
Diff
Modified: trunk/LayoutTests/ChangeLog (277433 => 277434)
--- trunk/LayoutTests/ChangeLog 2021-05-13 14:12:22 UTC (rev 277433)
+++ trunk/LayoutTests/ChangeLog 2021-05-13 14:30:23 UTC (rev 277434)
@@ -1,3 +1,13 @@
+2021-05-13 Chris Fleizach <[email protected]>
+
+ AX: Crash at WebCore::Document::updateLayout
+ https://bugs.webkit.org/show_bug.cgi?id=225677
+
+ Reviewed by Alan Bujtas.
+
+ * accessibility/mac/menu-selection-notification-crash-expected.txt: Added.
+ * accessibility/mac/menu-selection-notification-crash.html: Added.
+
2021-05-13 Enrique Ocaña González <[email protected]>
[GStreamer] media/track/in-band/track-in-band-srt-mkv-kind.html is a flaky crash
Added: trunk/LayoutTests/accessibility/mac/menu-selection-notification-crash-expected.txt (0 => 277434)
--- trunk/LayoutTests/accessibility/mac/menu-selection-notification-crash-expected.txt (rev 0)
+++ trunk/LayoutTests/accessibility/mac/menu-selection-notification-crash-expected.txt 2021-05-13 14:30:23 UTC (rev 277434)
@@ -0,0 +1,13 @@
+
+This tests that inserting a node into a select menu won't cause a crash.
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+PASS addedNotification is true
+menu role: AXRole: AXPopUpButton
+Notification received successfully.
+PASS successfullyParsed is true
+
+TEST COMPLETE
+
Added: trunk/LayoutTests/accessibility/mac/menu-selection-notification-crash.html (0 => 277434)
--- trunk/LayoutTests/accessibility/mac/menu-selection-notification-crash.html (rev 0)
+++ trunk/LayoutTests/accessibility/mac/menu-selection-notification-crash.html 2021-05-13 14:30:23 UTC (rev 277434)
@@ -0,0 +1,48 @@
+<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML//EN">
+<html>
+<head>
+<script src=""
+<script src=""
+</head>
+<body id="body">
+
+<div id="content">
+<select id="menu">
+</select>
+</div>
+
+<p id="description"></p>
+<div id="console"></div>
+
+<script>
+
+ description("This tests that inserting a node into a select menu won't cause a crash.");
+
+ var axNotificationElement = null;
+ function notificationCallback(element, notification, state) {
+ if (notification == "AXMenuItemSelected") {
+ debug("Notification received successfully.");
+ finishJSTest();
+ }
+ }
+
+ if (window.accessibilityController) {
+ jsTestIsAsync = true;
+ var addedNotification = accessibilityController.addNotificationListener(notificationCallback);
+ shouldBeTrue("addedNotification");
+
+ var menu = accessibilityController.accessibleElementById("menu");
+ debug("menu role: " + menu.role);
+
+ setTimeout(function() {
+ var opt = document.createElement('option');
+ opt.value = "c";
+ opt.innerHTML = "c";
+ document.getElementById("menu").appendChild(opt);
+ }, 0);
+ }
+
+</script>
+<script src=""
+</body>
+</html>
Modified: trunk/Source/WebCore/ChangeLog (277433 => 277434)
--- trunk/Source/WebCore/ChangeLog 2021-05-13 14:12:22 UTC (rev 277433)
+++ trunk/Source/WebCore/ChangeLog 2021-05-13 14:30:23 UTC (rev 277434)
@@ -1,3 +1,25 @@
+2021-05-13 Chris Fleizach <[email protected]>
+
+ AX: Crash at WebCore::Document::updateLayout
+ https://bugs.webkit.org/show_bug.cgi?id=225677
+
+ Reviewed by Alan Bujtas.
+
+ Handling notifications while during layout is risky because we can call back into an update method.
+ We have handled many other cases like this by deferring the notification, as we do here.
+ Special note: this test can't be made to crash because actual crash requires the accessibility
+ runtime to be initialized and posting real notifications to the system. But, we can verify that the
+ notification is still sent correctly under conditions that could lead to a crash.
+
+ Test: accessibility/mac/menu-selection-notification-crash.html
+
+ * accessibility/AXObjectCache.cpp:
+ (WebCore::AXObjectCache::deferMenuListValueChange):
+ (WebCore::AXObjectCache::performDeferredCacheUpdate):
+ * accessibility/AXObjectCache.h:
+ * accessibility/AccessibilityMenuList.cpp:
+ (WebCore::AccessibilityMenuList::didUpdateActiveOption):
+
2021-05-13 Enrique Ocaña González <[email protected]>
[GStreamer] media/track/in-band/track-in-band-srt-mkv-kind.html is a flaky crash
Modified: trunk/Source/WebCore/accessibility/AXObjectCache.cpp (277433 => 277434)
--- trunk/Source/WebCore/accessibility/AXObjectCache.cpp 2021-05-13 14:12:22 UTC (rev 277433)
+++ trunk/Source/WebCore/accessibility/AXObjectCache.cpp 2021-05-13 14:30:23 UTC (rev 277434)
@@ -1230,6 +1230,13 @@
handleFocusedUIElementChanged(oldNode, newNode);
}
+void AXObjectCache::deferMenuListValueChange(Element* element)
+{
+ m_deferredMenuListChange.add(element);
+ if (!m_performCacheUpdateTimer.isActive())
+ m_performCacheUpdateTimer.startOneShot(0_s);
+}
+
void AXObjectCache::deferModalChange(Element* element)
{
m_deferredModalChangedList.add(element);
@@ -3196,6 +3203,10 @@
handleModalChange(deferredModalChangedElement);
m_deferredModalChangedList.clear();
+ for (auto& deferredMenuListChangeElement : m_deferredMenuListChange)
+ postNotification(&deferredMenuListChangeElement, AXObjectCache::AXMenuListValueChanged);
+ m_deferredMenuListChange.clear();
+
platformPerformDeferredCacheUpdate();
}
Modified: trunk/Source/WebCore/accessibility/AXObjectCache.h (277433 => 277434)
--- trunk/Source/WebCore/accessibility/AXObjectCache.h 2021-05-13 14:12:22 UTC (rev 277433)
+++ trunk/Source/WebCore/accessibility/AXObjectCache.h 2021-05-13 14:30:23 UTC (rev 277434)
@@ -187,6 +187,7 @@
void deferFocusedUIElementChangeIfNeeded(Node* oldFocusedNode, Node* newFocusedNode);
void deferModalChange(Element*);
+ void deferMenuListValueChange(Element*);
void handleScrolledToAnchor(const Node* anchorNode);
void handleScrollbarUpdate(ScrollView*);
@@ -513,6 +514,7 @@
ListHashSet<RefPtr<AXCoreObject>> m_deferredChildrenChangedList;
ListHashSet<Node*> m_deferredChildrenChangedNodeList;
WeakHashSet<Element> m_deferredModalChangedList;
+ WeakHashSet<Element> m_deferredMenuListChange;
HashMap<Element*, String> m_deferredTextFormControlValue;
HashMap<Element*, QualifiedName> m_deferredAttributeChange;
Vector<std::pair<Node*, Node*>> m_deferredFocusedNodeChange;
Modified: trunk/Source/WebCore/accessibility/AccessibilityMenuList.cpp (277433 => 277434)
--- trunk/Source/WebCore/accessibility/AccessibilityMenuList.cpp 2021-05-13 14:12:22 UTC (rev 277433)
+++ trunk/Source/WebCore/accessibility/AccessibilityMenuList.cpp 2021-05-13 14:30:23 UTC (rev 277434)
@@ -136,7 +136,7 @@
}
if (auto* cache = document->axObjectCache())
- cache->postNotification(this, document.ptr(), AXObjectCache::AXMenuListValueChanged);
+ cache->deferMenuListValueChange(element());
}
} // namespace WebCore
