Commit ca290e54 authored by mitz@apple.com

WebCore: Fix <rdar://problem/7050773> REGRESSION (r40098) Crash at WebCore::RenderBlock::layoutBlock()
https://bugs.webkit.org/show_bug.cgi?id=29498

Reviewed by Darin Adler.

Test: accessibility/nested-layout-crash.html

* accessibility/AccessibilityRenderObject.cpp:
(WebCore::AccessibilityRenderObject::updateBackingStore): Changed to
    call Document::updateLayoutIgnorePendingStylesheets() instead of
    calling RenderObject::layoutIfNeeded(). The latter requires that
    there be no pending style recalc, which allows methods that call
    Document::updateLayout() to be called during layout without risking
    re-entry into layout.
* accessibility/mac/AccessibilityObjectWrapper.mm:
(-[AccessibilityObjectWrapper accessibilityActionNames]): Null-check
    m_object after calling updateBackingStore(), since style recalc may
    destroy the renderer, which destroys the accessibility object and
    detaches it from the wrapper.
(-[AccessibilityObjectWrapper accessibilityAttributeNames]): Ditto.
(-[AccessibilityObjectWrapper accessibilityAttributeValue:]): Ditto.
(-[AccessibilityObjectWrapper accessibilityFocusedUIElement]): Ditto.
(-[AccessibilityObjectWrapper accessibilityHitTest:]): Ditto.
(-[AccessibilityObjectWrapper accessibilityIsAttributeSettable:]):
    Ditto.
(-[AccessibilityObjectWrapper accessibilityIsIgnored]): Ditto.
(-[AccessibilityObjectWrapper accessibilityParameterizedAttributeNames]):
     Ditto.
(-[AccessibilityObjectWrapper accessibilityPerformPressAction]): Ditto.
(-[AccessibilityObjectWrapper accessibilityPerformIncrementAction]):
    Ditto.
(-[AccessibilityObjectWrapper accessibilityPerformDecrementAction]):
    Ditto.
(-[AccessibilityObjectWrapper accessibilityPerformAction:]): Ditto.
(-[AccessibilityObjectWrapper accessibilitySetValue:forAttribute:]):
    Ditto.
(-[AccessibilityObjectWrapper accessibilityAttributeValue:forParameter:]):
    Ditto.
(-[AccessibilityObjectWrapper accessibilityIndexOfChild:]): Ditto.
(-[AccessibilityObjectWrapper accessibilityArrayAttributeCount:]):
    Ditto.
(-[AccessibilityObjectWrapper accessibilityArrayAttributeValues:index:maxCount:]):
    Ditto.

LayoutTests: Test for <rdar://problem/7050773> REGRESSION (r40098) Crash at
WebCore::RenderBlock::layoutBlock()
https://bugs.webkit.org/show_bug.cgi?id=29498

Reviewed by Darin Adler.

* accessibility/nested-layout-crash-expected.txt: Added.
* accessibility/nested-layout-crash.html: Added.



git-svn-id: http://svn.webkit.org/repository/webkit/trunk@48521 268f45cc-cd09-0410-ab3c-d52691b4dbfc
parent 35738bfb
2009-09-18 Dan Bernstein <mitz@apple.com>
Reviewed by Darin Adler.
Test for <rdar://problem/7050773> REGRESSION (r40098) Crash at
WebCore::RenderBlock::layoutBlock()
https://bugs.webkit.org/show_bug.cgi?id=29498
* accessibility/nested-layout-crash-expected.txt: Added.
* accessibility/nested-layout-crash.html: Added.
2009-09-18 Sam Weinig <sam@webkit.org>
Reviewed by Adele Peterson.
......
Test for rdar://problem/7050773 Crash at WebCore::RenderBlock::layoutBlock().
The test passes if it does not crash or cause an assertion failure.
<p>
Test for <i><a href="rdar://problem/7050773">rdar://problem/7050773</a>
Crash at WebCore::RenderBlock::layoutBlock()</i>.
</p>
<p>
The test passes if it does not crash or cause an assertion failure.
</p>
<textarea rows="5" id="container">
</textarea>
<script>
var container = document.getElementById("container");
container.focus();
container.scrollTop = 200;
document.body.offsetTop;
container.rows = "20";
if (window.layoutTestController) {
layoutTestController.dumpAsText();
accessibilityController.focusedElement;
}
</script>
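Review bot: the `if (window.layoutTestController)` guard in the test script also covers the `accessibilityController.focusedElement` access, but it tests a different object. If a harness exposes layoutTestController without accessibilityController, the script throws a ReferenceError instead of exercising the accessibility path, so check `window.accessibilityController` before touching it. A short comment on why `container.rows` is changed after the forced layout from `document.body.offsetTop` would also help, since the test appears to depend on that ordering.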
2009-09-18 Dan Bernstein <mitz@apple.com>
Reviewed by Darin Adler.
Fix <rdar://problem/7050773> REGRESSION (r40098) Crash at
WebCore::RenderBlock::layoutBlock()
https://bugs.webkit.org/show_bug.cgi?id=29498
Test: accessibility/nested-layout-crash.html
* accessibility/AccessibilityRenderObject.cpp:
(WebCore::AccessibilityRenderObject::updateBackingStore): Changed to
call Document::updateLayoutIgnorePendingStylesheets() instead of
calling RenderObject::layoutIfNeeded(). The latter requires that
there be no pending style recalc, which allows methods that call
Document::updateLayout() to be called during layout without risking
re-entry into layout.
* accessibility/mac/AccessibilityObjectWrapper.mm:
(-[AccessibilityObjectWrapper accessibilityActionNames]): Null-check
m_object after calling updateBackingStore(), since style recalc may
destroy the renderer, which destroys the accessibility object and
detaches it from the wrapper.
(-[AccessibilityObjectWrapper accessibilityAttributeNames]): Ditto.
(-[AccessibilityObjectWrapper accessibilityAttributeValue:]): Ditto.
(-[AccessibilityObjectWrapper accessibilityFocusedUIElement]): Ditto.
(-[AccessibilityObjectWrapper accessibilityHitTest:]): Ditto.
(-[AccessibilityObjectWrapper accessibilityIsAttributeSettable:]):
Ditto.
(-[AccessibilityObjectWrapper accessibilityIsIgnored]): Ditto.
(-[AccessibilityObjectWrapper accessibilityParameterizedAttributeNames]):
Ditto.
(-[AccessibilityObjectWrapper accessibilityPerformPressAction]): Ditto.
(-[AccessibilityObjectWrapper accessibilityPerformIncrementAction]):
Ditto.
(-[AccessibilityObjectWrapper accessibilityPerformDecrementAction]):
Ditto.
(-[AccessibilityObjectWrapper accessibilityPerformAction:]): Ditto.
(-[AccessibilityObjectWrapper accessibilitySetValue:forAttribute:]):
Ditto.
(-[AccessibilityObjectWrapper accessibilityAttributeValue:forParameter:]):
Ditto.
(-[AccessibilityObjectWrapper accessibilityIndexOfChild:]): Ditto.
(-[AccessibilityObjectWrapper accessibilityArrayAttributeCount:]):
Ditto.
(-[AccessibilityObjectWrapper accessibilityArrayAttributeValues:index:maxCount:]):
Ditto.
2009-09-18 Fumitoshi Ukai <ukai@chromium.org>
Reviewed by Simon Hausmann.
......@@ -2676,7 +2676,9 @@ void AccessibilityRenderObject::updateBackingStore()
{
if (!m_renderer)
return;
m_renderer->view()->layoutIfNeeded();
}
// Updating layout may delete m_renderer and this object.
m_renderer->document()->updateLayoutIgnorePendingStylesheets();
}
} // namespace WebCore
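Review bot: in updateBackingStore(), the new comment says the layout call may delete m_renderer and this object, but the function still returns void, so a caller cannot tell whether the object survived. The wrapper methods changed in this patch re-check m_object; any other caller that keeps using the object after the call has no such guard. Consider stating this contract where the method is declared, or having callers hold a RefPtr across the call.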
......@@ -546,6 +546,8 @@ static WebCoreTextMarkerRange* textMarkerRangeFromVisiblePositions(VisiblePositi
return nil;
m_object->updateBackingStore();
if (!m_object)
return nil;
static NSArray* actionElementActions = [[NSArray alloc] initWithObjects: NSAccessibilityPressAction, NSAccessibilityShowMenuAction, nil];
static NSArray* defaultElementActions = [[NSArray alloc] initWithObjects: NSAccessibilityShowMenuAction, nil];
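Review bot: the two lines added after `m_object->updateBackingStore();` repeat verbatim in every wrapper method this patch touches, so the next accessibility method added to the wrapper can omit the re-check without anyone noticing. A single helper on the wrapper that performs the update and reports whether m_object is still set would keep the check in one place, for example `if (![self updateObjectBackingStore]) return nil;` (the helper name is hypothetical).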
......@@ -573,6 +575,8 @@ static WebCoreTextMarkerRange* textMarkerRangeFromVisiblePositions(VisiblePositi
return nil;
m_object->updateBackingStore();
if (!m_object)
return nil;
if (m_object->isAttachment())
return [[self attachmentView] accessibilityAttributeNames];
......@@ -1229,6 +1233,8 @@ static NSString* roleValueToNSString(AccessibilityRole value)
return nil;
m_object->updateBackingStore();
if (!m_object)
return nil;
if ([attributeName isEqualToString: NSAccessibilityRoleAttribute])
return [self role];
......@@ -1571,6 +1577,8 @@ static NSString* roleValueToNSString(AccessibilityRole value)
return nil;
m_object->updateBackingStore();
if (!m_object)
return nil;
RefPtr<AccessibilityObject> focusedObj = m_object->focusedUIElement();
......@@ -1586,6 +1594,8 @@ static NSString* roleValueToNSString(AccessibilityRole value)
return nil;
m_object->updateBackingStore();
if (!m_object)
return nil;
RefPtr<AccessibilityObject> axObject = m_object->doAccessibilityHitTest(IntPoint(point));
if (axObject)
......@@ -1599,6 +1609,8 @@ static NSString* roleValueToNSString(AccessibilityRole value)
return nil;
m_object->updateBackingStore();
if (!m_object)
return nil;
if ([attributeName isEqualToString: @"AXSelectedTextMarkerRange"])
return YES;
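Review bot: the added early exit in this hunk is `return nil;`, but the context line `return YES;` shows the method returns a BOOL. Use `return NO;` so the detached case reads as an explicit answer; the existing `return nil;` above the updateBackingStore() call has the same problem.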
......@@ -1638,6 +1650,8 @@ static NSString* roleValueToNSString(AccessibilityRole value)
return nil;
m_object->updateBackingStore();
if (!m_object)
return nil;
if (m_object->isAttachment())
return [[self attachmentView] accessibilityIsIgnored];
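Review bot: the added `return nil;` in this hunk evaluates to NO, so a wrapper whose object was destroyed during updateBackingStore() reports itself as not ignored. The other return visible here forwards the BOOL from accessibilityIsIgnored on the attachment view, so return an explicit BOOL and consider whether YES is the right answer for a detached object.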
......@@ -1650,6 +1664,8 @@ static NSString* roleValueToNSString(AccessibilityRole value)
return nil;
m_object->updateBackingStore();
if (!m_object)
return nil;
if (m_object->isAttachment())
return nil;
......@@ -1736,6 +1752,8 @@ static NSString* roleValueToNSString(AccessibilityRole value)
return;
m_object->updateBackingStore();
if (!m_object)
return;
if (m_object->isAttachment())
[[self attachmentView] accessibilityPerformAction:NSAccessibilityPressAction];
......@@ -1749,6 +1767,8 @@ static NSString* roleValueToNSString(AccessibilityRole value)
return;
m_object->updateBackingStore();
if (!m_object)
return;
if (m_object->isAttachment())
[[self attachmentView] accessibilityPerformAction:NSAccessibilityIncrementAction];
......@@ -1762,6 +1782,8 @@ static NSString* roleValueToNSString(AccessibilityRole value)
return;
m_object->updateBackingStore();
if (!m_object)
return;
if (m_object->isAttachment())
[[self attachmentView] accessibilityPerformAction:NSAccessibilityDecrementAction];
......@@ -1811,6 +1833,8 @@ static NSString* roleValueToNSString(AccessibilityRole value)
return;
m_object->updateBackingStore();
if (!m_object)
return;
if ([action isEqualToString:NSAccessibilityPressAction])
[self accessibilityPerformPressAction];
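Review bot: this hunk runs updateBackingStore() and the re-check, then dispatches to `[self accessibilityPerformPressAction]`, which per the earlier hunk runs the same update and re-check again. That is harmless for correctness but means two layout updates per action; either note in a comment that the double update is intentional or leave the update to the specific action methods.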
......@@ -1831,6 +1855,8 @@ static NSString* roleValueToNSString(AccessibilityRole value)
return;
m_object->updateBackingStore();
if (!m_object)
return;
WebCoreTextMarkerRange* textMarkerRange = nil;
NSNumber* number = nil;
......@@ -1955,6 +1981,8 @@ static RenderObject* rendererForView(NSView* view)
return nil;
m_object->updateBackingStore();
if (!m_object)
return nil;
// common parameter type check/casting. Nil checks in handlers catch wrong type case.
// NOTE: This assumes nil is not a valid parameter, because it is indistinguishable from
......@@ -2213,7 +2241,9 @@ static RenderObject* rendererForView(NSView* view)
return NSNotFound;
m_object->updateBackingStore();
if (!m_object)
return NSNotFound;
const AccessibilityObject::AccessibilityChildrenVector& children = m_object->children();
if (children.isEmpty())
......@@ -2235,6 +2265,8 @@ static RenderObject* rendererForView(NSView* view)
return 0;
m_object->updateBackingStore();
if (!m_object)
return 0;
if ([attribute isEqualToString:NSAccessibilityChildrenAttribute]) {
const AccessibilityObject::AccessibilityChildrenVector& children = m_object->children();
......@@ -2253,6 +2285,8 @@ static RenderObject* rendererForView(NSView* view)
return nil;
m_object->updateBackingStore();
if (!m_object)
return nil;
if ([attribute isEqualToString:NSAccessibilityChildrenAttribute]) {
if (m_object->children().isEmpty()) {
......