diff --git a/LayoutTests/ChangeLog b/LayoutTests/ChangeLog index 633d68261b954dc8da90a664dcc52c1076ad676e..c5bb065871b4d1143705cb35adf72e11fc2661d8 100644 --- a/LayoutTests/ChangeLog +++ b/LayoutTests/ChangeLog @@ -1,3 +1,14 @@ +2009-09-18 Dan Bernstein + + Reviewed by Darin Adler. + + Test for REGRESSION (r40098) Crash at + WebCore::RenderBlock::layoutBlock() + https://bugs.webkit.org/show_bug.cgi?id=29498 + + * accessibility/nested-layout-crash-expected.txt: Added. + * accessibility/nested-layout-crash.html: Added. + 2009-09-18 Sam Weinig Reviewed by Adele Peterson. diff --git a/LayoutTests/accessibility/nested-layout-crash-expected.txt b/LayoutTests/accessibility/nested-layout-crash-expected.txt new file mode 100644 index 0000000000000000000000000000000000000000..52c4205cb372075da5f5b26fbb0555b799749c74 --- /dev/null +++ b/LayoutTests/accessibility/nested-layout-crash-expected.txt @@ -0,0 +1,5 @@ +Test for rdar://problem/7050773 Crash at WebCore::RenderBlock::layoutBlock(). + +The test passes if it does not crash or cause an assertion failure. + + diff --git a/LayoutTests/accessibility/nested-layout-crash.html b/LayoutTests/accessibility/nested-layout-crash.html new file mode 100644 index 0000000000000000000000000000000000000000..4da702046c0eb3ab5d010cf7f23dd44db1ffd98d --- /dev/null +++ b/LayoutTests/accessibility/nested-layout-crash.html @@ -0,0 +1,31 @@ +

+ Test for rdar://problem/7050773 + Crash at WebCore::RenderBlock::layoutBlock(). +

+

+ The test passes if it does not crash or cause an assertion failure. +

+ + diff --git a/WebCore/ChangeLog b/WebCore/ChangeLog index 3892f093dd27bab4ccab31b4fd8c775efb3023e1..7c1665f981f7e37098b496ba0ecc48473702c9d6 100644 --- a/WebCore/ChangeLog +++ b/WebCore/ChangeLog 
@@ -1,3 +1,50 @@ +2009-09-18 Dan Bernstein + + Reviewed by Darin Adler. + + Fix REGRESSION (r40098) Crash at + WebCore::RenderBlock::layoutBlock() + https://bugs.webkit.org/show_bug.cgi?id=29498 + + Test: accessibility/nested-layout-crash.html + + * accessibility/AccessibilityRenderObject.cpp: + (WebCore::AccessibilityRenderObject::updateBackingStore): Changed to + call Document::updateLayoutIgnorePendingStylesheets() instead of + calling RenderObject::layoutIfNeeded(). The latter requires that + there be no pending style recalc, which allows methods that call + Document::updateLayout() to be called during layout without risking + re-entry into layout. + * accessibility/mac/AccessibilityObjectWrapper.mm: + (-[AccessibilityObjectWrapper accessibilityActionNames]): Null-check + m_object after calling updateBackingStore(), since style recalc may + destroy the renderer, which destroys the accessibility object and + detaches it from the wrapper. + (-[AccessibilityObjectWrapper accessibilityAttributeNames]): Ditto. + (-[AccessibilityObjectWrapper accessibilityAttributeValue:]): Ditto. + (-[AccessibilityObjectWrapper accessibilityFocusedUIElement]): Ditto. + (-[AccessibilityObjectWrapper accessibilityHitTest:]): Ditto. + (-[AccessibilityObjectWrapper accessibilityIsAttributeSettable:]): + Ditto. + (-[AccessibilityObjectWrapper accessibilityIsIgnored]): Ditto. + (-[AccessibilityObjectWrapper accessibilityParameterizedAttributeNames]): + Ditto. + (-[AccessibilityObjectWrapper accessibilityPerformPressAction]): Ditto. + (-[AccessibilityObjectWrapper accessibilityPerformIncrementAction]): + Ditto. + (-[AccessibilityObjectWrapper accessibilityPerformDecrementAction]): + Ditto. + (-[AccessibilityObjectWrapper accessibilityPerformAction:]): Ditto. + (-[AccessibilityObjectWrapper accessibilitySetValue:forAttribute:]): + Ditto. + (-[AccessibilityObjectWrapper accessibilityAttributeValue:forParameter:]): + Ditto. + (-[AccessibilityObjectWrapper accessibilityIndexOfChild:]): Ditto. 
+ (-[AccessibilityObjectWrapper accessibilityArrayAttributeCount:]): + Ditto. + (-[AccessibilityObjectWrapper accessibilityArrayAttributeValues:index:maxCount:]): + Ditto. + 2009-09-18 Fumitoshi Ukai Reviewed by Simon Hausmann. diff --git a/WebCore/accessibility/AccessibilityRenderObject.cpp b/WebCore/accessibility/AccessibilityRenderObject.cpp index 449deb5091211ecf83bd672dc2af5abd408aedbf..834e931a9ce880097b49bb07709dcc7f7eb1d834 100644 --- a/WebCore/accessibility/AccessibilityRenderObject.cpp +++ b/WebCore/accessibility/AccessibilityRenderObject.cpp @@ -2676,7 +2676,9 @@ void AccessibilityRenderObject::updateBackingStore() { if (!m_renderer) return; - m_renderer->view()->layoutIfNeeded(); -} - + + // Updating layout may delete m_renderer and this object. + m_renderer->document()->updateLayoutIgnorePendingStylesheets(); +} + } // namespace WebCore diff --git a/WebCore/accessibility/mac/AccessibilityObjectWrapper.mm b/WebCore/accessibility/mac/AccessibilityObjectWrapper.mm index 7a3d0d36421237bc3fe2d91adfe638c77035b91b..e56e77ccfa39702cfa73cf46b14521d2a4a4ae1e 100644 --- a/WebCore/accessibility/mac/AccessibilityObjectWrapper.mm +++ b/WebCore/accessibility/mac/AccessibilityObjectWrapper.mm @@ -546,6 +546,8 @@ static WebCoreTextMarkerRange* textMarkerRangeFromVisiblePositions(VisiblePositi return nil; m_object->updateBackingStore(); + if (!m_object) + return nil; static NSArray* actionElementActions = [[NSArray alloc] initWithObjects: NSAccessibilityPressAction, NSAccessibilityShowMenuAction, nil]; static NSArray* defaultElementActions = [[NSArray alloc] initWithObjects: NSAccessibilityShowMenuAction, nil]; @@ -573,6 +575,8 @@ static WebCoreTextMarkerRange* textMarkerRangeFromVisiblePositions(VisiblePositi return nil; m_object->updateBackingStore(); + if (!m_object) + return nil; if (m_object->isAttachment()) return [[self attachmentView] accessibilityAttributeNames]; 
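Review bot: The new comment in `updateBackingStore()` records that the layout update can delete `m_renderer` and this object, but it does not say what callers must do about it. The function itself is safe because the call is its last statement; the risk moves to any caller that keeps using a raw `AccessibilityObject` pointer after the call returns, which would then be dangling. I would spell the contract out, e.g. `// Updating layout may delete m_renderer and this object; callers must re-validate their pointer before using it again.`, and repeat that sentence at the declaration in the header. The Mac wrapper is covered by the null checks added later in this commit; callers in files not shown here presumably need the same audit.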
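Review bot: The guard `if (!m_object) return nil;` after `m_object->updateBackingStore()` is repeated by hand in every hunk of this file, so a future accessibility entry point that forgets it brings the null dereference back without any warning. One wrapper method that performs the update and reports whether the wrapper is still attached would keep that invariant in a single place; the method name below is only a suggestion. Each call site then becomes `if (![self updateObjectBackingStore]) return nil;`, or the method's own failure value. The enclosing method starts and ends outside this hunk.

```objc
// Updates layout for the wrapped object. Returns NO when the wrapper is
// detached, including when the update itself destroyed the object.
- (BOOL)updateObjectBackingStore
{
    if (!m_object)
        return NO;

    m_object->updateBackingStore();
    return m_object ? YES : NO;
}

// ... unchanged: code before the guard in the calling method ...
    if (![self updateObjectBackingStore])
        return nil;
// ... unchanged: rest of the calling method ...
```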
@@ -1229,6 +1233,8 @@ static NSString* roleValueToNSString(AccessibilityRole value) return nil; m_object->updateBackingStore(); + if (!m_object) + return nil; if ([attributeName isEqualToString: NSAccessibilityRoleAttribute]) return [self role]; @@ -1571,6 +1577,8 @@ static NSString* roleValueToNSString(AccessibilityRole value) return nil; m_object->updateBackingStore(); + if (!m_object) + return nil; RefPtr focusedObj = m_object->focusedUIElement(); @@ -1586,6 +1594,8 @@ static NSString* roleValueToNSString(AccessibilityRole value) return nil; m_object->updateBackingStore(); + if (!m_object) + return nil; RefPtr axObject = m_object->doAccessibilityHitTest(IntPoint(point)); if (axObject) @@ -1599,6 +1609,8 @@ static NSString* roleValueToNSString(AccessibilityRole value) return nil; m_object->updateBackingStore(); + if (!m_object) + return nil; if ([attributeName isEqualToString: @"AXSelectedTextMarkerRange"]) return YES; @@ -1638,6 +1650,8 @@ static NSString* roleValueToNSString(AccessibilityRole value) return nil; m_object->updateBackingStore(); + if (!m_object) + return nil; if (m_object->isAttachment()) return [[self attachmentView] accessibilityIsIgnored]; @@ -1650,6 +1664,8 @@ static NSString* roleValueToNSString(AccessibilityRole value) return nil; m_object->updateBackingStore(); + if (!m_object) + return nil; if (m_object->isAttachment()) return nil; @@ -1736,6 +1752,8 @@ static NSString* roleValueToNSString(AccessibilityRole value) return; m_object->updateBackingStore(); + if (!m_object) + return; if (m_object->isAttachment()) [[self attachmentView] accessibilityPerformAction:NSAccessibilityPressAction]; @@ -1749,6 +1767,8 @@ static NSString* roleValueToNSString(AccessibilityRole value) return; m_object->updateBackingStore(); + if (!m_object) + return; if (m_object->isAttachment()) [[self attachmentView] accessibilityPerformAction:NSAccessibilityIncrementAction]; 
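Review bot: In the `@@ -1599` hunk the added guard returns `nil` from a method whose other visible exit is `return YES;`, so a pointer constant stands in for a BOOL result. It evaluates to NO, but the answer a detached wrapper gives should be explicit: `if (!m_object) return NO;`. The same applies to the `@@ -1638` hunk, where the result comes from `[[self attachmentView] accessibilityIsIgnored]`; there it is worth deciding deliberately whether a destroyed element should report NO or YES rather than inheriting the value from `nil`. The pre-existing guard above each call has the same form, and both method signatures lie outside the hunks, so the return types are inferred from the visible returns.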
@@ -1762,6 +1782,8 @@ static NSString* roleValueToNSString(AccessibilityRole value) return; m_object->updateBackingStore(); + if (!m_object) + return; if (m_object->isAttachment()) [[self attachmentView] accessibilityPerformAction:NSAccessibilityDecrementAction]; @@ -1811,6 +1833,8 @@ static NSString* roleValueToNSString(AccessibilityRole value) return; m_object->updateBackingStore(); + if (!m_object) + return; if ([action isEqualToString:NSAccessibilityPressAction]) [self accessibilityPerformPressAction]; @@ -1831,6 +1855,8 @@ static NSString* roleValueToNSString(AccessibilityRole value) return; m_object->updateBackingStore(); + if (!m_object) + return; WebCoreTextMarkerRange* textMarkerRange = nil; NSNumber* number = nil; @@ -1955,6 +1981,8 @@ static RenderObject* rendererForView(NSView* view) return nil; m_object->updateBackingStore(); + if (!m_object) + return nil; // common parameter type check/casting. Nil checks in handlers catch wrong type case. // NOTE: This assumes nil is not a valid parameter, because it is indistinguishable from @@ -2213,7 +2241,9 @@ static RenderObject* rendererForView(NSView* view) return NSNotFound; m_object->updateBackingStore(); - + if (!m_object) + return NSNotFound; + const AccessibilityObject::AccessibilityChildrenVector& children = m_object->children(); if (children.isEmpty()) @@ -2235,6 +2265,8 @@ static RenderObject* rendererForView(NSView* view) return 0; m_object->updateBackingStore(); + if (!m_object) + return 0; if ([attribute isEqualToString:NSAccessibilityChildrenAttribute]) { const AccessibilityObject::AccessibilityChildrenVector& children = m_object->children(); @@ -2253,6 +2285,8 @@ static RenderObject* rendererForView(NSView* view) return nil; m_object->updateBackingStore(); + if (!m_object) + return nil; if ([attribute isEqualToString:NSAccessibilityChildrenAttribute]) { if (m_object->children().isEmpty()) {