Title: [171457] branches/safari-600.1-branch

Diff

Modified: branches/safari-600.1-branch/LayoutTests/ChangeLog (171456 => 171457)


--- branches/safari-600.1-branch/LayoutTests/ChangeLog	2014-07-23 07:54:44 UTC (rev 171456)
+++ branches/safari-600.1-branch/LayoutTests/ChangeLog	2014-07-23 07:58:44 UTC (rev 171457)
@@ -1,3 +1,20 @@
+2014-07-23  Lucas Forschler  <[email protected]>
+
+        Merge r171347
+
+    2014-07-21  Myles C. Maxfield  <[email protected]>
+
+            Clicking on links while accessibility is enabled does not render as expected
+            https://bugs.webkit.org/show_bug.cgi?id=135074
+
+            Reviewed by Chris Fleizach.
+
+            Delete a node and its parent, then call allAttributes() on the accessibility representation of
+            the deleted child and make sure there is no crash.
+
+            * accessibility/parent-delete-expected.txt: Added
+            * accessibility/parent-delete.html: Added
+
 2014-07-22 Dana Burkart <[email protected]>
     
         Merge r171316.
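Review bot: The entry title in this hunk, "Clicking on links while accessibility is enabled does not render as expected", does not match the title given for the same bug (135074) in the Source/WebCore/ChangeLog entry, which reads "sometimes crashes". The description under it says the test checks that "there is no crash", so use the crash wording in both entries; otherwise a search of the logs for the crash will not find this test.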

Copied: branches/safari-600.1-branch/LayoutTests/accessibility/parent-delete-expected.txt (from rev 171347, trunk/LayoutTests/accessibility/parent-delete-expected.txt) (0 => 171457)


--- branches/safari-600.1-branch/LayoutTests/accessibility/parent-delete-expected.txt	                        (rev 0)
+++ branches/safari-600.1-branch/LayoutTests/accessibility/parent-delete-expected.txt	2014-07-23 07:58:44 UTC (rev 171457)
@@ -0,0 +1,31 @@
+This test passes if there is no crash.
+AXRole: AXWebArea
+AXRoleDescription: HTML content
+AXChildren: <array of size 1>
+AXHelp: 
+AXParent: <AXWebArea>
+AXSize: NSSize: {800, 600}
+AXTitle: 
+AXDescription: 
+AXValue: 
+AXFocused: 0
+AXEnabled: 1
+AXWindow: <AXWebArea>
+AXSelectedTextMarkerRange: (null)
+AXStartTextMarker: <AXWebArea>
+AXEndTextMarker: <AXWebArea>
+AXVisited: 0
+AXLinkedUIElements: (null)
+AXSelected: 0
+AXBlockQuoteLevel: 0
+AXTopLevelUIElement: <AXWebArea>
+AXLanguage: 
+AXDOMIdentifier: 
+AXDOMClassList: <array of size 0>
+AXLinkUIElements: <array of size 0>
+AXLoaded: 1
+AXLayoutCount: 2
+AXLoadingProgress: 1
+AXURL: LayoutTests/accessibility/parent-delete.html
+AXElementBusy: 0
+
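Review bot: The expected result pins the entire allAttributes() dump, including environment-dependent values such as "AXSize: NSSize: {800, 600}" and "AXLayoutCount: 2", although the only stated pass criterion is "This test passes if there is no crash." Any unrelated change to the web area's attribute set or layout count will fail this test, and the NSSize formatting ties the result to one platform. Have the test write a fixed string once allAttributes() has returned, rather than the returned value, so the expectation reduces to the first line.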

Copied: branches/safari-600.1-branch/LayoutTests/accessibility/parent-delete.html (from rev 171347, trunk/LayoutTests/accessibility/parent-delete.html) (0 => 171457)


--- branches/safari-600.1-branch/LayoutTests/accessibility/parent-delete.html	                        (rev 0)
+++ branches/safari-600.1-branch/LayoutTests/accessibility/parent-delete.html	2014-07-23 07:58:44 UTC (rev 171457)
@@ -0,0 +1,39 @@
+<!DOCTYPE html>
+<html>
+<head>
+<script>
+if (window.testRunner)
+    testRunner.dumpAsText();
+
+function runTest() {
+    var accessibilityElement;
+    {
+        var outer = document.getElementById("outer");
+        var inner = document.getElementById("inner");
+        var editable = document.getElementById("editable");
+        var result = document.getElementById("result");
+        editable.focus();
+        if (window.accessibilityController) {
+            var accessibilityElement = accessibilityController.focusedElement;
+        }
+        inner.removeChild(editable);
+        outer.removeChild(inner);
+    }
+    if (window.accessibilityController) {
+        result.innerText = accessibilityElement.allAttributes();
+    }
+}
+</script>
+</head>
+<body _onload_="runTest()">
+This test passes if there is no crash.
+<div id="outer" style="display: none;">
+    <div id="inner" style="display: none;">
+        <div id="editable" contenteditable="true" style="display: none;">
+            This is some throwaway text
+        </div>
+    </div>
+</div>
+<div id="result"></div>
+</body>
+</html>
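Review bot: In runTest(), all three divs carry style="display: none;", so editable.focus() is unlikely to move focus to the editable div, and the expected output recording "AXRole: AXWebArea" suggests accessibilityController.focusedElement returned the web area rather than the child that is removed afterwards. If so, allAttributes() is never called on the object of a deleted node and the test would pass without the fix; make the editable div rendered and confirm the test crashes on a build that lacks the protector. Also, accessibilityElement is declared with var twice and result is declared inside the bare block but used after it. This only works because var is function-scoped, so hoist both declarations to the top of runTest().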

Modified: branches/safari-600.1-branch/Source/WebCore/ChangeLog (171456 => 171457)


--- branches/safari-600.1-branch/Source/WebCore/ChangeLog	2014-07-23 07:54:44 UTC (rev 171456)
+++ branches/safari-600.1-branch/Source/WebCore/ChangeLog	2014-07-23 07:58:44 UTC (rev 171457)
@@ -1,5 +1,28 @@
 2014-07-23  Lucas Forschler  <[email protected]>
 
+        Merge r171347
+
+    2014-07-21  Myles C. Maxfield  <[email protected]>
+
+            Clicking on links while accessibility is enabled sometimes crashes
+            https://bugs.webkit.org/show_bug.cgi?id=135074
+
+            Reviewed by Chris Fleizach.
+
+            When an accessibility request comes in from the system, we call updateBackingStore() on the
+            relevant AccessibilityObject, which triggers a relayout of the entire document. This relayout
+            might delete that accessibility node and its parent, which would cause the node to be deleted.
+            After the stack unwinds, we then call a member function on the node without checking for this
+            condition.
+
+            Test: accessibility/parent-delete.html
+
+            * accessibility/AccessibilityObject.cpp:
+            (WebCore::AccessibilityObject::updateBackingStore): Retain the node for the duration of the
+            function.
+
+2014-07-23  Lucas Forschler  <[email protected]>
+
         Merge r171345
 
     2014-07-22  Jeremy Jones  <[email protected]>
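Review bot: The sentence "This relayout might delete that accessibility node and its parent, which would cause the node to be deleted" is circular and leaves out what actually drops the last reference to the AccessibilityObject. State which owner releases the object during relayout and which member call then runs on it, so the entry records this as a use-after-free of this rather than only "sometimes crashes", and later readers can check other callers of updateBackingStore() for the same pattern.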

Modified: branches/safari-600.1-branch/Source/WebCore/accessibility/AccessibilityObject.cpp (171456 => 171457)


--- branches/safari-600.1-branch/Source/WebCore/accessibility/AccessibilityObject.cpp	2014-07-23 07:54:44 UTC (rev 171456)
+++ branches/safari-600.1-branch/Source/WebCore/accessibility/AccessibilityObject.cpp	2014-07-23 07:58:44 UTC (rev 171457)
@@ -1429,6 +1429,8 @@
 void AccessibilityObject::updateBackingStore()
 {
     // Updating the layout may delete this object.
+    RefPtr<AccessibilityObject> protector(this);
+
     if (Document* document = this->document()) {
         if (!document->view()->isInLayout())
             document->updateLayoutIgnorePendingStylesheets();
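Review bot: The protector added at the top of updateBackingStore() keeps this alive only until the function returns, while the ChangeLog places the bad member call "after the stack unwinds". If that call is made by a caller holding a raw pointer, the object can still be destroyed when protector goes out of scope, and the caller needs its own RefPtr. Please confirm where the post-layout access happens and say so next to the existing "Updating the layout may delete this object." comment. Separately, document->view()->isInLayout() in the context lines dereferences view() without a null check, which is worth a guard if a document can reach this path without a view.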
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes
