Commit ca290e54 authored by mitz@apple.com

WebCore: Fix <rdar://problem/7050773> REGRESSION (r40098) Crash at WebCore::RenderBlock::layoutBlock()
https://bugs.webkit.org/show_bug.cgi?id=29498

Reviewed by Darin Adler.

Test: accessibility/nested-layout-crash.html

* accessibility/AccessibilityRenderObject.cpp:
(WebCore::AccessibilityRenderObject::updateBackingStore): Changed to
    call Document::updateLayoutIgnorePendingStylesheets() instead of
    calling RenderObject::layoutIfNeeded(). The latter requires that
    there be no pending style recalc, which allows methods that call
    Document::updateLayout() to be called during layout without risking
    re-entry into layout.
* accessibility/mac/AccessibilityObjectWrapper.mm:
(-[AccessibilityObjectWrapper accessibilityActionNames]): Null-check
    m_object after calling updateBackingStore(), since style recalc may
    destroy the renderer, which destroys the accessibility object and
    detaches it from the wrapper.
(-[AccessibilityObjectWrapper accessibilityAttributeNames]): Ditto.
(-[AccessibilityObjectWrapper accessibilityAttributeValue:]): Ditto.
(-[AccessibilityObjectWrapper accessibilityFocusedUIElement]): Ditto.
(-[AccessibilityObjectWrapper accessibilityHitTest:]): Ditto.
(-[AccessibilityObjectWrapper accessibilityIsAttributeSettable:]):
    Ditto.
(-[AccessibilityObjectWrapper accessibilityIsIgnored]): Ditto.
(-[AccessibilityObjectWrapper accessibilityParameterizedAttributeNames]):
     Ditto.
(-[AccessibilityObjectWrapper accessibilityPerformPressAction]): Ditto.
(-[AccessibilityObjectWrapper accessibilityPerformIncrementAction]):
    Ditto.
(-[AccessibilityObjectWrapper accessibilityPerformDecrementAction]):
    Ditto.
(-[AccessibilityObjectWrapper accessibilityPerformAction:]): Ditto.
(-[AccessibilityObjectWrapper accessibilitySetValue:forAttribute:]):
    Ditto.
(-[AccessibilityObjectWrapper accessibilityAttributeValue:forParameter:]):
    Ditto.
(-[AccessibilityObjectWrapper accessibilityIndexOfChild:]): Ditto.
(-[AccessibilityObjectWrapper accessibilityArrayAttributeCount:]):
    Ditto.
(-[AccessibilityObjectWrapper accessibilityArrayAttributeValues:index:maxCount:]):
    Ditto.

LayoutTests: Test for <rdar://problem/7050773> REGRESSION (r40098) Crash at
WebCore::RenderBlock::layoutBlock()
https://bugs.webkit.org/show_bug.cgi?id=29498

Reviewed by Darin Adler.

* accessibility/nested-layout-crash-expected.txt: Added.
* accessibility/nested-layout-crash.html: Added.



git-svn-id: http://svn.webkit.org/repository/webkit/trunk@48521 268f45cc-cd09-0410-ab3c-d52691b4dbfc
parent 35738bfb
2009-09-18 Dan Bernstein <mitz@apple.com>
Reviewed by Darin Adler.
Test for <rdar://problem/7050773> REGRESSION (r40098) Crash at
WebCore::RenderBlock::layoutBlock()
https://bugs.webkit.org/show_bug.cgi?id=29498
* accessibility/nested-layout-crash-expected.txt: Added.
* accessibility/nested-layout-crash.html: Added.
2009-09-18 Sam Weinig <sam@webkit.org> 2009-09-18 Sam Weinig <sam@webkit.org>
Reviewed by Adele Peterson. Reviewed by Adele Peterson.
......
Test for rdar://problem/7050773 Crash at WebCore::RenderBlock::layoutBlock().
The test passes if it does not crash or cause an assertion failure.
<p>
Test for <i><a href="rdar://problem/7050773">rdar://problem/7050773</a>
Crash at WebCore::RenderBlock::layoutBlock()</i>.
</p>
<p>
The test passes if it does not crash or cause an assertion failure.
</p>
<textarea rows="5" id="container">
</textarea>
<script>
var container = document.getElementById("container");
container.focus();
container.scrollTop = 200;
document.body.offsetTop;
container.rows = "20";
if (window.layoutTestController) {
layoutTestController.dumpAsText();
accessibilityController.focusedElement;
}
</script>
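Review bot: the accessibilityController.focusedElement access at the end of the script is guarded only by window.layoutTestController, so a harness that provides one object without the other would throw instead of exercising the crash path; test window.accessibilityController in the condition as well. A short comment on why the scrollTop write, the document.body.offsetTop read and the rows change are each needed would also help whoever has to keep this test triggering the nested layout later.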
2009-09-18 Dan Bernstein <mitz@apple.com>
Reviewed by Darin Adler.
Fix <rdar://problem/7050773> REGRESSION (r40098) Crash at
WebCore::RenderBlock::layoutBlock()
https://bugs.webkit.org/show_bug.cgi?id=29498
Test: accessibility/nested-layout-crash.html
* accessibility/AccessibilityRenderObject.cpp:
(WebCore::AccessibilityRenderObject::updateBackingStore): Changed to
call Document::updateLayoutIgnorePendingStylesheets() instead of
calling RenderObject::layoutIfNeeded(). The latter requires that
there be no pending style recalc, which allows methods that call
Document::updateLayout() to be called during layout without risking
re-entry into layout.
* accessibility/mac/AccessibilityObjectWrapper.mm:
(-[AccessibilityObjectWrapper accessibilityActionNames]): Null-check
m_object after calling updateBackingStore(), since style recalc may
destroy the renderer, which destroys the accessibility object and
detaches it from the wrapper.
(-[AccessibilityObjectWrapper accessibilityAttributeNames]): Ditto.
(-[AccessibilityObjectWrapper accessibilityAttributeValue:]): Ditto.
(-[AccessibilityObjectWrapper accessibilityFocusedUIElement]): Ditto.
(-[AccessibilityObjectWrapper accessibilityHitTest:]): Ditto.
(-[AccessibilityObjectWrapper accessibilityIsAttributeSettable:]):
Ditto.
(-[AccessibilityObjectWrapper accessibilityIsIgnored]): Ditto.
(-[AccessibilityObjectWrapper accessibilityParameterizedAttributeNames]):
Ditto.
(-[AccessibilityObjectWrapper accessibilityPerformPressAction]): Ditto.
(-[AccessibilityObjectWrapper accessibilityPerformIncrementAction]):
Ditto.
(-[AccessibilityObjectWrapper accessibilityPerformDecrementAction]):
Ditto.
(-[AccessibilityObjectWrapper accessibilityPerformAction:]): Ditto.
(-[AccessibilityObjectWrapper accessibilitySetValue:forAttribute:]):
Ditto.
(-[AccessibilityObjectWrapper accessibilityAttributeValue:forParameter:]):
Ditto.
(-[AccessibilityObjectWrapper accessibilityIndexOfChild:]): Ditto.
(-[AccessibilityObjectWrapper accessibilityArrayAttributeCount:]):
Ditto.
(-[AccessibilityObjectWrapper accessibilityArrayAttributeValues:index:maxCount:]):
Ditto.
2009-09-18 Fumitoshi Ukai <ukai@chromium.org> 2009-09-18 Fumitoshi Ukai <ukai@chromium.org>
Reviewed by Simon Hausmann. Reviewed by Simon Hausmann.
...@@ -2676,7 +2676,9 @@ void AccessibilityRenderObject::updateBackingStore() ...@@ -2676,7 +2676,9 @@ void AccessibilityRenderObject::updateBackingStore()
{ {
if (!m_renderer) if (!m_renderer)
return; return;
m_renderer->view()->layoutIfNeeded();
} // Updating layout may delete m_renderer and this object.
m_renderer->document()->updateLayoutIgnorePendingStylesheets();
}
} // namespace WebCore } // namespace WebCore
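Review bot: the new comment above the updateLayoutIgnorePendingStylesheets() call says the call may delete m_renderer and this object, but it lives only in the function body, where callers will not see it. Since this patch re-checks m_object only in AccessibilityObjectWrapper.mm, put the same warning on the declaration of updateBackingStore() so any other caller knows it must re-validate the object before touching it after the call.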
...@@ -546,6 +546,8 @@ static WebCoreTextMarkerRange* textMarkerRangeFromVisiblePositions(VisiblePositi ...@@ -546,6 +546,8 @@ static WebCoreTextMarkerRange* textMarkerRangeFromVisiblePositions(VisiblePositi
return nil; return nil;
m_object->updateBackingStore(); m_object->updateBackingStore();
if (!m_object)
return nil;
static NSArray* actionElementActions = [[NSArray alloc] initWithObjects: NSAccessibilityPressAction, NSAccessibilityShowMenuAction, nil]; static NSArray* actionElementActions = [[NSArray alloc] initWithObjects: NSAccessibilityPressAction, NSAccessibilityShowMenuAction, nil];
static NSArray* defaultElementActions = [[NSArray alloc] initWithObjects: NSAccessibilityShowMenuAction, nil]; static NSArray* defaultElementActions = [[NSArray alloc] initWithObjects: NSAccessibilityShowMenuAction, nil];
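Review bot: the guard added after m_object->updateBackingStore() here is repeated verbatim in every wrapper method this patch touches, and a method added later can omit it without anything noticing. Consider a small helper on the wrapper (hypothetical name: updateObjectBackingStore) that performs the update and returns whether m_object is still set, so each call site becomes a single checked call.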
...@@ -573,6 +575,8 @@ static WebCoreTextMarkerRange* textMarkerRangeFromVisiblePositions(VisiblePositi ...@@ -573,6 +575,8 @@ static WebCoreTextMarkerRange* textMarkerRangeFromVisiblePositions(VisiblePositi
return nil; return nil;
m_object->updateBackingStore(); m_object->updateBackingStore();
if (!m_object)
return nil;
if (m_object->isAttachment()) if (m_object->isAttachment())
return [[self attachmentView] accessibilityAttributeNames]; return [[self attachmentView] accessibilityAttributeNames];
...@@ -1229,6 +1233,8 @@ static NSString* roleValueToNSString(AccessibilityRole value) ...@@ -1229,6 +1233,8 @@ static NSString* roleValueToNSString(AccessibilityRole value)
return nil; return nil;
m_object->updateBackingStore(); m_object->updateBackingStore();
if (!m_object)
return nil;
if ([attributeName isEqualToString: NSAccessibilityRoleAttribute]) if ([attributeName isEqualToString: NSAccessibilityRoleAttribute])
return [self role]; return [self role];
...@@ -1571,6 +1577,8 @@ static NSString* roleValueToNSString(AccessibilityRole value) ...@@ -1571,6 +1577,8 @@ static NSString* roleValueToNSString(AccessibilityRole value)
return nil; return nil;
m_object->updateBackingStore(); m_object->updateBackingStore();
if (!m_object)
return nil;
RefPtr<AccessibilityObject> focusedObj = m_object->focusedUIElement(); RefPtr<AccessibilityObject> focusedObj = m_object->focusedUIElement();
...@@ -1586,6 +1594,8 @@ static NSString* roleValueToNSString(AccessibilityRole value) ...@@ -1586,6 +1594,8 @@ static NSString* roleValueToNSString(AccessibilityRole value)
return nil; return nil;
m_object->updateBackingStore(); m_object->updateBackingStore();
if (!m_object)
return nil;
RefPtr<AccessibilityObject> axObject = m_object->doAccessibilityHitTest(IntPoint(point)); RefPtr<AccessibilityObject> axObject = m_object->doAccessibilityHitTest(IntPoint(point));
if (axObject) if (axObject)
...@@ -1599,6 +1609,8 @@ static NSString* roleValueToNSString(AccessibilityRole value) ...@@ -1599,6 +1609,8 @@ static NSString* roleValueToNSString(AccessibilityRole value)
return nil; return nil;
m_object->updateBackingStore(); m_object->updateBackingStore();
if (!m_object)
return nil;
if ([attributeName isEqualToString: @"AXSelectedTextMarkerRange"]) if ([attributeName isEqualToString: @"AXSelectedTextMarkerRange"])
return YES; return YES;
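Review bot: the added early exit is "return nil;", but the visible code below returns YES, so this method returns a BOOL; write "return NO;" so the answer for a detached wrapper is explicit rather than relying on nil converting to NO. The existing guard just above has the same issue and could be fixed in the same pass.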
...@@ -1638,6 +1650,8 @@ static NSString* roleValueToNSString(AccessibilityRole value) ...@@ -1638,6 +1650,8 @@ static NSString* roleValueToNSString(AccessibilityRole value)
return nil; return nil;
m_object->updateBackingStore(); m_object->updateBackingStore();
if (!m_object)
return nil;
if (m_object->isAttachment()) if (m_object->isAttachment())
return [[self attachmentView] accessibilityIsIgnored]; return [[self attachmentView] accessibilityIsIgnored];
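Review bot: with "return nil;" in this BOOL method, a wrapper whose object was destroyed during updateBackingStore() answers NO to accessibilityIsIgnored, which tells the client it is a non-ignored element. If that is intended, spell it "return NO;"; otherwise "return YES;" looks like the safer answer for a detached wrapper.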
...@@ -1650,6 +1664,8 @@ static NSString* roleValueToNSString(AccessibilityRole value) ...@@ -1650,6 +1664,8 @@ static NSString* roleValueToNSString(AccessibilityRole value)
return nil; return nil;
m_object->updateBackingStore(); m_object->updateBackingStore();
if (!m_object)
return nil;
if (m_object->isAttachment()) if (m_object->isAttachment())
return nil; return nil;
...@@ -1736,6 +1752,8 @@ static NSString* roleValueToNSString(AccessibilityRole value) ...@@ -1736,6 +1752,8 @@ static NSString* roleValueToNSString(AccessibilityRole value)
return; return;
m_object->updateBackingStore(); m_object->updateBackingStore();
if (!m_object)
return;
if (m_object->isAttachment()) if (m_object->isAttachment())
[[self attachmentView] accessibilityPerformAction:NSAccessibilityPressAction]; [[self attachmentView] accessibilityPerformAction:NSAccessibilityPressAction];
...@@ -1749,6 +1767,8 @@ static NSString* roleValueToNSString(AccessibilityRole value) ...@@ -1749,6 +1767,8 @@ static NSString* roleValueToNSString(AccessibilityRole value)
return; return;
m_object->updateBackingStore(); m_object->updateBackingStore();
if (!m_object)
return;
if (m_object->isAttachment()) if (m_object->isAttachment())
[[self attachmentView] accessibilityPerformAction:NSAccessibilityIncrementAction]; [[self attachmentView] accessibilityPerformAction:NSAccessibilityIncrementAction];
...@@ -1762,6 +1782,8 @@ static NSString* roleValueToNSString(AccessibilityRole value) ...@@ -1762,6 +1782,8 @@ static NSString* roleValueToNSString(AccessibilityRole value)
return; return;
m_object->updateBackingStore(); m_object->updateBackingStore();
if (!m_object)
return;
if (m_object->isAttachment()) if (m_object->isAttachment())
[[self attachmentView] accessibilityPerformAction:NSAccessibilityDecrementAction]; [[self attachmentView] accessibilityPerformAction:NSAccessibilityDecrementAction];
...@@ -1811,6 +1833,8 @@ static NSString* roleValueToNSString(AccessibilityRole value) ...@@ -1811,6 +1833,8 @@ static NSString* roleValueToNSString(AccessibilityRole value)
return; return;
m_object->updateBackingStore(); m_object->updateBackingStore();
if (!m_object)
return;
if ([action isEqualToString:NSAccessibilityPressAction]) if ([action isEqualToString:NSAccessibilityPressAction])
[self accessibilityPerformPressAction]; [self accessibilityPerformPressAction];
...@@ -1831,6 +1855,8 @@ static NSString* roleValueToNSString(AccessibilityRole value) ...@@ -1831,6 +1855,8 @@ static NSString* roleValueToNSString(AccessibilityRole value)
return; return;
m_object->updateBackingStore(); m_object->updateBackingStore();
if (!m_object)
return;
WebCoreTextMarkerRange* textMarkerRange = nil; WebCoreTextMarkerRange* textMarkerRange = nil;
NSNumber* number = nil; NSNumber* number = nil;
...@@ -1955,6 +1981,8 @@ static RenderObject* rendererForView(NSView* view) ...@@ -1955,6 +1981,8 @@ static RenderObject* rendererForView(NSView* view)
return nil; return nil;
m_object->updateBackingStore(); m_object->updateBackingStore();
if (!m_object)
return nil;
// common parameter type check/casting. Nil checks in handlers catch wrong type case. // common parameter type check/casting. Nil checks in handlers catch wrong type case.
// NOTE: This assumes nil is not a valid parameter, because it is indistinguishable from // NOTE: This assumes nil is not a valid parameter, because it is indistinguishable from
...@@ -2213,7 +2241,9 @@ static RenderObject* rendererForView(NSView* view) ...@@ -2213,7 +2241,9 @@ static RenderObject* rendererForView(NSView* view)
return NSNotFound; return NSNotFound;
m_object->updateBackingStore(); m_object->updateBackingStore();
if (!m_object)
return NSNotFound;
const AccessibilityObject::AccessibilityChildrenVector& children = m_object->children(); const AccessibilityObject::AccessibilityChildrenVector& children = m_object->children();
if (children.isEmpty()) if (children.isEmpty())
...@@ -2235,6 +2265,8 @@ static RenderObject* rendererForView(NSView* view) ...@@ -2235,6 +2265,8 @@ static RenderObject* rendererForView(NSView* view)
return 0; return 0;
m_object->updateBackingStore(); m_object->updateBackingStore();
if (!m_object)
return 0;
if ([attribute isEqualToString:NSAccessibilityChildrenAttribute]) { if ([attribute isEqualToString:NSAccessibilityChildrenAttribute]) {
const AccessibilityObject::AccessibilityChildrenVector& children = m_object->children(); const AccessibilityObject::AccessibilityChildrenVector& children = m_object->children();
...@@ -2253,6 +2285,8 @@ static RenderObject* rendererForView(NSView* view) ...@@ -2253,6 +2285,8 @@ static RenderObject* rendererForView(NSView* view)
return nil; return nil;
m_object->updateBackingStore(); m_object->updateBackingStore();
if (!m_object)
return nil;
if ([attribute isEqualToString:NSAccessibilityChildrenAttribute]) { if ([attribute isEqualToString:NSAccessibilityChildrenAttribute]) {
if (m_object->children().isEmpty()) { if (m_object->children().isEmpty()) {
......