[SCM] WebKit Debian packaging branch, debian/experimental, updated. upstream/1.3.3-9427-gc2be6fc
cfleizach at apple.com
cfleizach at apple.com
Wed Dec 22 13:50:06 UTC 2010
The following commit has been merged in the debian/experimental branch:
commit b38d055e2596e3b9aecf2ec5ced0aedfe90b13ea
Author: cfleizach at apple.com <cfleizach at apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Date: Tue Sep 28 00:43:46 2010 +0000
CrashTracer: 1,803 crashes in Safari at com.apple.WebCore: -[AccessibilityObjectWrapper accessibilityIsIgnored] + 56
https://bugs.webkit.org/show_bug.cgi?id=46662
Reviewed by Beth Dakin.
WebCore:
Before calling updateBackingStore(), the wrapper object needs to be retained, lest it be invalidated during
the updateBackingStore call. This consolidates all calls to updateBackingStore().
Test: platform/mac/accessibility/removing-textarea-after-edit-crash.html
* accessibility/mac/AXObjectCacheMac.mm:
(WebCore::AXObjectCache::postPlatformNotification):
Use an ASSERT here to catch the crash because DRT won't cause AppKit to post notifications.
* accessibility/mac/AccessibilityObjectWrapper.mm:
(-[AccessibilityObjectWrapper prepareAccessibilityMethod]):
(-[AccessibilityObjectWrapper accessibilityActionNames]):
(-[AccessibilityObjectWrapper accessibilityAttributeNames]):
(-[AccessibilityObjectWrapper accessibilityAttributeValue:]):
(-[AccessibilityObjectWrapper accessibilityFocusedUIElement]):
(-[AccessibilityObjectWrapper accessibilityHitTest:]):
(-[AccessibilityObjectWrapper accessibilityIsAttributeSettable:]):
(-[AccessibilityObjectWrapper accessibilityIsIgnored]):
(-[AccessibilityObjectWrapper accessibilityParameterizedAttributeNames]):
(-[AccessibilityObjectWrapper accessibilityPerformPressAction]):
(-[AccessibilityObjectWrapper accessibilityPerformIncrementAction]):
(-[AccessibilityObjectWrapper accessibilityPerformDecrementAction]):
(-[AccessibilityObjectWrapper accessibilityPerformAction:]):
(-[AccessibilityObjectWrapper accessibilitySetValue:forAttribute:]):
(-[AccessibilityObjectWrapper accessibilityAttributeValue:forParameter:]):
(-[AccessibilityObjectWrapper accessibilityIndexOfChild:]):
(-[AccessibilityObjectWrapper accessibilityArrayAttributeCount:]):
(-[AccessibilityObjectWrapper accessibilityArrayAttributeValues:index:maxCount:]):
LayoutTests:
* platform/mac/accessibility/removing-textarea-after-edit-crash-expected.txt: Added.
* platform/mac/accessibility/removing-textarea-after-edit-crash.html: Added.
git-svn-id: http://svn.webkit.org/repository/webkit/trunk@68461 268f45cc-cd09-0410-ab3c-d52691b4dbfc
diff --git a/LayoutTests/ChangeLog b/LayoutTests/ChangeLog
index 7a1a3ee..0b9ab08 100644
--- a/LayoutTests/ChangeLog
+++ b/LayoutTests/ChangeLog
@@ -1,3 +1,13 @@
+2010-09-27 Chris Fleizach <cfleizach at apple.com>
+
+ Reviewed by Beth Dakin.
+
+ CrashTracer: 1,803 crashes in Safari at com.apple.WebCore: -[AccessibilityObjectWrapper accessibilityIsIgnored] + 56
+ https://bugs.webkit.org/show_bug.cgi?id=46662
+
+ * platform/mac/accessibility/removing-textarea-after-edit-crash-expected.txt: Added.
+ * platform/mac/accessibility/removing-textarea-after-edit-crash.html: Added.
+
2010-09-27 Adrienne Walker <enne at google.com>
Reviewed by Adam Barth.
diff --git a/LayoutTests/platform/mac/accessibility/removing-textarea-after-edit-crash-expected.txt b/LayoutTests/platform/mac/accessibility/removing-textarea-after-edit-crash-expected.txt
new file mode 100644
index 0000000..8262153
--- /dev/null
+++ b/LayoutTests/platform/mac/accessibility/removing-textarea-after-edit-crash-expected.txt
@@ -0,0 +1,6 @@
+This tests that when an element is removed from the DOM while a notification referencing it is pending, it will not crash.
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+
diff --git a/LayoutTests/platform/mac/accessibility/removing-textarea-after-edit-crash.html b/LayoutTests/platform/mac/accessibility/removing-textarea-after-edit-crash.html
new file mode 100644
index 0000000..22a9a4b
--- /dev/null
+++ b/LayoutTests/platform/mac/accessibility/removing-textarea-after-edit-crash.html
@@ -0,0 +1,66 @@
+<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML//EN">
+<html>
+<head>
+<link rel="stylesheet" href="../../../fast/js/resources/js-test-style.css">
+<script>
+ var successfullyParsed = false;
+</script>
+<script src="../../../fast/js/resources/js-test-pre.js"></script>
+</head>
+<body id="body">
+
+<div class="hidden" id="div">
+
+<div>
+<textarea placeholder="hello" id="textarea">a</textarea>
+text
+</div>
+
+<input type="text" id="textfield">
+
+</div>
+
+<p id="description"></p>
+<div id="console"></div>
+
+<script>
+ description("This tests that when an element is removed from the DOM while a notification referencing it is pending, it will not crash.");
+
+ // Triggering this is quite complicated, because the ValueChange notification needs to be the one to trigger the layoutUpdate
+ // Sending the XMLHttpRequest after a timeout and then having a handler set the display: NONE, seems to do it.
+ function processStateChange() {
+ if (req.readyState == 4) {
+ document.getElementById("textarea").value = "";
+ document.getElementById("div").style.display = "NONE";
+
+ // we now have to wait for the value change to be propagated to trigger the crash.
+ setTimeout("window.layoutTestController.notifyDone();", 1);
+ }
+ }
+</script>
+
+<script>
+ var req = 0;
+ if (window.accessibilityController) {
+ window.layoutTestController.waitUntilDone();
+ document.getElementById("body").focus();
+ body = accessibilityController.focusedElement;
+
+ // Access the text area so that an accessibility element is created (so that it will send out notifications).
+ body.childAtIndex(0).childAtIndex(0);
+
+ document.getElementById("textarea").focus();
+
+ req = new XMLHttpRequest;
+ req.onreadystatechange = processStateChange;
+ req.open("get", "../../../http/tests/xmlhttprequest/methods.cgi", true);
+ // Sending this after a timeout makes is so that the layout does not happen until the value change is sent.
+ setTimeout("req.send('')", 1);
+
+ successfullyParsed = true;
+ }
+
+</script>
+
+</body>
+</html>
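Review bot: Nothing in this test records that the crash path actually ran. There is no `shouldBe` or `debug` call and `js-test-post.js` is never included, so the "PASS" and "TEST COMPLETE" lines the description promises cannot appear. When `window.accessibilityController` is absent, the page finishes immediately with the same output as a real run, so a harness without it passes vacuously. Emitting one line from `processStateChange` just before `notifyDone()` would give the expected file something to compare against. As a style point, both timers pass strings; `setTimeout(function() { req.send(''); }, 1);` avoids the eval-style form, and `body` should be declared with `var`.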
diff --git a/WebCore/ChangeLog b/WebCore/ChangeLog
index f91caab..33df113 100644
--- a/WebCore/ChangeLog
+++ b/WebCore/ChangeLog
@@ -1,3 +1,38 @@
+2010-09-27 Chris Fleizach <cfleizach at apple.com>
+
+ Reviewed by Beth Dakin.
+
+ CrashTracer: 1,803 crashes in Safari at com.apple.WebCore: -[AccessibilityObjectWrapper accessibilityIsIgnored] + 56
+ https://bugs.webkit.org/show_bug.cgi?id=46662
+
+ Before calling updateBackingStore(), the wrapper object needs to be retained, lest it be invalidated during
+ the updateBackingStore call. This consolidates all calls to updateBackingStore().
+
+ Test: platform/mac/accessibility/removing-textarea-after-edit-crash.html
+
+ * accessibility/mac/AXObjectCacheMac.mm:
+ (WebCore::AXObjectCache::postPlatformNotification):
+ Use an ASSERT here to catch the crash because DRT won't cause AppKit to post notifications.
+ * accessibility/mac/AccessibilityObjectWrapper.mm:
+ (-[AccessibilityObjectWrapper prepareAccessibilityMethod]):
+ (-[AccessibilityObjectWrapper accessibilityActionNames]):
+ (-[AccessibilityObjectWrapper accessibilityAttributeNames]):
+ (-[AccessibilityObjectWrapper accessibilityAttributeValue:]):
+ (-[AccessibilityObjectWrapper accessibilityFocusedUIElement]):
+ (-[AccessibilityObjectWrapper accessibilityHitTest:]):
+ (-[AccessibilityObjectWrapper accessibilityIsAttributeSettable:]):
+ (-[AccessibilityObjectWrapper accessibilityIsIgnored]):
+ (-[AccessibilityObjectWrapper accessibilityParameterizedAttributeNames]):
+ (-[AccessibilityObjectWrapper accessibilityPerformPressAction]):
+ (-[AccessibilityObjectWrapper accessibilityPerformIncrementAction]):
+ (-[AccessibilityObjectWrapper accessibilityPerformDecrementAction]):
+ (-[AccessibilityObjectWrapper accessibilityPerformAction:]):
+ (-[AccessibilityObjectWrapper accessibilitySetValue:forAttribute:]):
+ (-[AccessibilityObjectWrapper accessibilityAttributeValue:forParameter:]):
+ (-[AccessibilityObjectWrapper accessibilityIndexOfChild:]):
+ (-[AccessibilityObjectWrapper accessibilityArrayAttributeCount:]):
+ (-[AccessibilityObjectWrapper accessibilityArrayAttributeValues:index:maxCount:]):
+
2010-09-27 Adrienne Walker <enne at google.com>
Reviewed by Adam Barth.
diff --git a/WebCore/accessibility/mac/AXObjectCacheMac.mm b/WebCore/accessibility/mac/AXObjectCacheMac.mm
index e651a75..fbb485d 100644
--- a/WebCore/accessibility/mac/AXObjectCacheMac.mm
+++ b/WebCore/accessibility/mac/AXObjectCacheMac.mm
@@ -108,6 +108,10 @@ void AXObjectCache::postPlatformNotification(AccessibilityObject* obj, AXNotific
return;
}
+ // NSAccessibilityPostNotification will call this method, (but not when running DRT), so ASSERT here to make sure it does not crash.
+ // https://bugs.webkit.org/show_bug.cgi?id=46662
+ ASSERT([obj->wrapper() accessibilityIsIgnored] || true);
+
NSAccessibilityPostNotification(obj->wrapper(), macNotification);
// Used by DRT to know when notifications are posted.
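Review bot: The added `ASSERT([obj->wrapper() accessibilityIsIgnored] || true);` hides a side-effecting call inside an assertion whose condition can never fail. The call, and the `updateBackingStore()` it reaches, therefore runs only in builds where ASSERT is compiled in, so debug and release builds behave differently here and the new layout test exercises nothing in a release DRT. If the call exists purely to drive the wrapper path under DRT, make that explicit rather than leaning on the macro, for example `#ifndef NDEBUG` / `[obj->wrapper() accessibilityIsIgnored];` / `#endif`, or whichever debug guard this file already uses. The body of postPlatformNotification starts and ends outside this hunk.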
diff --git a/WebCore/accessibility/mac/AccessibilityObjectWrapper.mm b/WebCore/accessibility/mac/AccessibilityObjectWrapper.mm
index e3e28d7..2e7758e 100644
--- a/WebCore/accessibility/mac/AccessibilityObjectWrapper.mm
+++ b/WebCore/accessibility/mac/AccessibilityObjectWrapper.mm
@@ -200,6 +200,22 @@ typedef unsigned NSUInteger;
m_object = 0;
}
+- (BOOL)updateObjectBackingStore
+{
+ // Calling updateBackingStore() can invalidate this element so self must be retained.
+ // If it does become invalidated, m_object will be nil.
+ [[self retain] autorelease];
+
+ if (!m_object)
+ return NO;
+
+ m_object->updateBackingStore();
+ if (!m_object)
+ return NO;
+
+ return YES;
+}
+
- (AccessibilityObject*)accessibilityObject
{
return m_object;
@@ -571,11 +587,7 @@ static WebCoreTextMarkerRange* textMarkerRangeFromVisiblePositions(VisiblePositi
- (NSArray*)accessibilityActionNames
{
- if (!m_object)
- return nil;
-
- m_object->updateBackingStore();
- if (!m_object)
+ if (![self updateObjectBackingStore])
return nil;
static NSArray* actionElementActions = [[NSArray alloc] initWithObjects: NSAccessibilityPressAction, NSAccessibilityShowMenuAction, nil];
@@ -638,11 +650,7 @@ static WebCoreTextMarkerRange* textMarkerRangeFromVisiblePositions(VisiblePositi
- (NSArray*)accessibilityAttributeNames
{
- if (!m_object)
- return nil;
-
- m_object->updateBackingStore();
- if (!m_object)
+ if (![self updateObjectBackingStore])
return nil;
if (m_object->isAttachment())
@@ -1354,11 +1362,7 @@ static NSString* roleValueToNSString(AccessibilityRole value)
// or maybe pointers to member functions
- (id)accessibilityAttributeValue:(NSString*)attributeName
{
- if (!m_object)
- return nil;
-
- m_object->updateBackingStore();
- if (!m_object)
+ if (![self updateObjectBackingStore])
return nil;
if ([attributeName isEqualToString: NSAccessibilityRoleAttribute])
@@ -1889,11 +1893,7 @@ static NSString* roleValueToNSString(AccessibilityRole value)
- (id)accessibilityFocusedUIElement
{
- if (!m_object)
- return nil;
-
- m_object->updateBackingStore();
- if (!m_object)
+ if (![self updateObjectBackingStore])
return nil;
RefPtr<AccessibilityObject> focusedObj = m_object->focusedUIElement();
@@ -1906,11 +1906,7 @@ static NSString* roleValueToNSString(AccessibilityRole value)
- (id)accessibilityHitTest:(NSPoint)point
{
- if (!m_object)
- return nil;
-
- m_object->updateBackingStore();
- if (!m_object)
+ if (![self updateObjectBackingStore])
return nil;
RefPtr<AccessibilityObject> axObject = m_object->doAccessibilityHitTest(IntPoint(point));
@@ -1921,11 +1917,7 @@ static NSString* roleValueToNSString(AccessibilityRole value)
- (BOOL)accessibilityIsAttributeSettable:(NSString*)attributeName
{
- if (!m_object)
- return nil;
-
- m_object->updateBackingStore();
- if (!m_object)
+ if (![self updateObjectBackingStore])
return nil;
if ([attributeName isEqualToString: @"AXSelectedTextMarkerRange"])
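Review bot: `accessibilityIsAttributeSettable:` is declared to return `BOOL`, yet the early exit after the new `updateObjectBackingStore` check still reads `return nil;`. It evaluates to zero, so behaviour is unchanged, but since the guard is being rewritten anyway it should say `return NO;` to match the return type and the other BOOL method in this patch (`accessibilityIsIgnored` returns `YES`). The rest of the method lies outside the hunk.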
@@ -1971,11 +1963,7 @@ static NSString* roleValueToNSString(AccessibilityRole value)
// Registering an object is also required for observing notifications. Only registered objects can be observed.
- (BOOL)accessibilityIsIgnored
{
- if (!m_object)
- return YES;
-
- m_object->updateBackingStore();
- if (!m_object)
+ if (![self updateObjectBackingStore])
return YES;
if (m_object->isAttachment())
@@ -1985,11 +1973,7 @@ static NSString* roleValueToNSString(AccessibilityRole value)
- (NSArray* )accessibilityParameterizedAttributeNames
{
- if (!m_object)
- return nil;
-
- m_object->updateBackingStore();
- if (!m_object)
+ if (![self updateObjectBackingStore])
return nil;
if (m_object->isAttachment())
@@ -2073,11 +2057,7 @@ static NSString* roleValueToNSString(AccessibilityRole value)
- (void)accessibilityPerformPressAction
{
- if (!m_object)
- return;
-
- m_object->updateBackingStore();
- if (!m_object)
+ if (![self updateObjectBackingStore])
return;
if (m_object->isAttachment())
@@ -2088,11 +2068,7 @@ static NSString* roleValueToNSString(AccessibilityRole value)
- (void)accessibilityPerformIncrementAction
{
- if (!m_object)
- return;
-
- m_object->updateBackingStore();
- if (!m_object)
+ if (![self updateObjectBackingStore])
return;
if (m_object->isAttachment())
@@ -2103,11 +2079,7 @@ static NSString* roleValueToNSString(AccessibilityRole value)
- (void)accessibilityPerformDecrementAction
{
- if (!m_object)
- return;
-
- m_object->updateBackingStore();
- if (!m_object)
+ if (![self updateObjectBackingStore])
return;
if (m_object->isAttachment())
@@ -2158,11 +2130,7 @@ static NSString* roleValueToNSString(AccessibilityRole value)
- (void)accessibilityPerformAction:(NSString*)action
{
- if (!m_object)
- return;
-
- m_object->updateBackingStore();
- if (!m_object)
+ if (![self updateObjectBackingStore])
return;
if ([action isEqualToString:NSAccessibilityPressAction])
@@ -2180,11 +2148,7 @@ static NSString* roleValueToNSString(AccessibilityRole value)
- (void)accessibilitySetValue:(id)value forAttribute:(NSString*)attributeName
{
- if (!m_object)
- return;
-
- m_object->updateBackingStore();
- if (!m_object)
+ if (![self updateObjectBackingStore])
return;
WebCoreTextMarkerRange* textMarkerRange = nil;
@@ -2317,8 +2281,7 @@ static RenderObject* rendererForView(NSView* view)
if (!m_object || !attribute || !parameter)
return nil;
- m_object->updateBackingStore();
- if (!m_object)
+ if (![self updateObjectBackingStore])
return nil;
// common parameter type check/casting. Nil checks in handlers catch wrong type case.
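Review bot: The guard kept above the new call, `if (!m_object || !attribute || !parameter)`, still tests `m_object`, which `updateObjectBackingStore` now checks itself both before and after the update. Dropping the redundant term, `if (!attribute || !parameter)` followed by the helper call, would leave every entry point with the same shape. That makes it easier to audit that no method touches `m_object` before the retaining helper has run. The method's signature and the rest of its body are outside the hunk.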
@@ -2614,11 +2577,7 @@ static RenderObject* rendererForView(NSView* view)
// API that AppKit uses for faster access
- (NSUInteger)accessibilityIndexOfChild:(id)child
{
- if (!m_object)
- return NSNotFound;
-
- m_object->updateBackingStore();
- if (!m_object)
+ if (![self updateObjectBackingStore])
return NSNotFound;
// Tree objects return their rows as their children. We can use the original method
@@ -2643,11 +2602,7 @@ static RenderObject* rendererForView(NSView* view)
- (NSUInteger)accessibilityArrayAttributeCount:(NSString *)attribute
{
- if (!m_object)
- return 0;
-
- m_object->updateBackingStore();
- if (!m_object)
+ if (![self updateObjectBackingStore])
return 0;
if ([attribute isEqualToString:NSAccessibilityChildrenAttribute]) {
@@ -2668,11 +2623,7 @@ static RenderObject* rendererForView(NSView* view)
- (NSArray *)accessibilityArrayAttributeValues:(NSString *)attribute index:(NSUInteger)index maxCount:(NSUInteger)maxCount
{
- if (!m_object)
- return nil;
-
- m_object->updateBackingStore();
- if (!m_object)
+ if (![self updateObjectBackingStore])
return nil;
if ([attribute isEqualToString:NSAccessibilityChildrenAttribute]) {
--