Changeset 48521 in webkit

Timestamp:

Sep 18, 2009, 12:00:28 PM (16 years ago)

Author:

mitz@apple.com

Message:

WebCore: Fix <rdar://problem/7050773> REGRESSION (r40098) Crash at
WebCore::RenderBlock::layoutBlock()
​https://bugs.webkit.org/show_bug.cgi?id=29498

Reviewed by Darin Adler.

Test: accessibility/nested-layout-crash.html

• accessibility/AccessibilityRenderObject.cpp:

(WebCore::AccessibilityRenderObject::updateBackingStore): Changed to

call Document::updateLayoutIgnorePendingStylesheets() instead of
calling RenderObject::layoutIfNeeded(). The latter requires that
there be no pending style recalc, which allows methods that call
Document::updateLayout() to be called during layout without risking
re-entry into layout.

• accessibility/mac/AccessibilityObjectWrapper.mm:

(-[AccessibilityObjectWrapper accessibilityActionNames]): Null-check

m_object after calling updateBackingStore(), since style recalc may
destroy the renderer, which destroys the accessibility object and
detaches it from the wrapper.

(-[AccessibilityObjectWrapper accessibilityAttributeNames]): Ditto.
(-[AccessibilityObjectWrapper accessibilityAttributeValue:]): Ditto.
(-[AccessibilityObjectWrapper accessibilityFocusedUIElement]): Ditto.
(-[AccessibilityObjectWrapper accessibilityHitTest:]): Ditto.
(-[AccessibilityObjectWrapper accessibilityIsAttributeSettable:]):

Ditto.

(-[AccessibilityObjectWrapper accessibilityIsIgnored]): Ditto.
(-[AccessibilityObjectWrapper accessibilityParameterizedAttributeNames]):

Ditto.

(-[AccessibilityObjectWrapper accessibilityPerformPressAction]): Ditto.
(-[AccessibilityObjectWrapper accessibilityPerformIncrementAction]):

Ditto.

(-[AccessibilityObjectWrapper accessibilityPerformDecrementAction]):

Ditto.

(-[AccessibilityObjectWrapper accessibilityPerformAction:]): Ditto.
(-[AccessibilityObjectWrapper accessibilitySetValue:forAttribute:]):

Ditto.

(-[AccessibilityObjectWrapper accessibilityAttributeValue:forParameter:]):

Ditto.

(-[AccessibilityObjectWrapper accessibilityIndexOfChild:]): Ditto.
(-[AccessibilityObjectWrapper accessibilityArrayAttributeCount:]):

Ditto.

(-[AccessibilityObjectWrapper accessibilityArrayAttributeValues:index:maxCount:]):

Ditto.

LayoutTests: Test for <rdar://problem/7050773> REGRESSION (r40098) Crash at
WebCore::RenderBlock::layoutBlock()
​https://bugs.webkit.org/show_bug.cgi?id=29498

Reviewed by Darin Adler.

• accessibility/nested-layout-crash-expected.txt: Added.
• accessibility/nested-layout-crash.html: Added.

Location:

trunk

Files:

• LayoutTests/ChangeLog (modified) (1 diff)
• LayoutTests/accessibility/nested-layout-crash-expected.txt (added)
• LayoutTests/accessibility/nested-layout-crash.html (added)
• WebCore/ChangeLog (modified) (1 diff)
• WebCore/accessibility/AccessibilityRenderObject.cpp (modified) (1 diff)
• WebCore/accessibility/mac/AccessibilityObjectWrapper.mm (modified) (17 diffs)

trunk/LayoutTests/ChangeLog

@@ +1 @@
+2009-09-18  Dan Bernstein  <mitz@apple.com>
+
+        Reviewed by Darin Adler.
+
+        Test for <rdar://problem/7050773> REGRESSION (r40098) Crash at
+        WebCore::RenderBlock::layoutBlock()
+        https://bugs.webkit.org/show_bug.cgi?id=29498
+
+        * accessibility/nested-layout-crash-expected.txt: Added.
+        * accessibility/nested-layout-crash.html: Added.
+
 2009-09-18  Sam Weinig  <sam@webkit.org>
 

trunk/WebCore/ChangeLog

@@ +1 @@
+2009-09-18  Dan Bernstein  <mitz@apple.com>
+
+        Reviewed by Darin Adler.
+
+        Fix <rdar://problem/7050773> REGRESSION (r40098) Crash at
+        WebCore::RenderBlock::layoutBlock()
+        https://bugs.webkit.org/show_bug.cgi?id=29498
+
+        Test: accessibility/nested-layout-crash.html
+
+        * accessibility/AccessibilityRenderObject.cpp:
+        (WebCore::AccessibilityRenderObject::updateBackingStore): Changed to
+            call Document::updateLayoutIgnorePendingStylesheets() instead of
+            calling RenderObject::layoutIfNeeded(). The latter requires that
+            there be no pending style recalc, which allows methods that call
+            Document::updateLayout() to be called during layout without risking
+            re-entry into layout.
+        * accessibility/mac/AccessibilityObjectWrapper.mm:
+        (-[AccessibilityObjectWrapper accessibilityActionNames]): Null-check
+            m_object after calling updateBackingStore(), since style recalc may
+            destroy the renderer, which destroys the accessibility object and
+            detaches it from the wrapper.
+        (-[AccessibilityObjectWrapper accessibilityAttributeNames]): Ditto.
+        (-[AccessibilityObjectWrapper accessibilityAttributeValue:]): Ditto.
+        (-[AccessibilityObjectWrapper accessibilityFocusedUIElement]): Ditto.
+        (-[AccessibilityObjectWrapper accessibilityHitTest:]): Ditto.
+        (-[AccessibilityObjectWrapper accessibilityIsAttributeSettable:]):
+            Ditto.
+        (-[AccessibilityObjectWrapper accessibilityIsIgnored]): Ditto.
+        (-[AccessibilityObjectWrapper accessibilityParameterizedAttributeNames]):
+             Ditto.
+        (-[AccessibilityObjectWrapper accessibilityPerformPressAction]): Ditto.
+        (-[AccessibilityObjectWrapper accessibilityPerformIncrementAction]):
+            Ditto.
+        (-[AccessibilityObjectWrapper accessibilityPerformDecrementAction]):
+            Ditto.
+        (-[AccessibilityObjectWrapper accessibilityPerformAction:]): Ditto.
+        (-[AccessibilityObjectWrapper accessibilitySetValue:forAttribute:]):
+            Ditto.
+        (-[AccessibilityObjectWrapper accessibilityAttributeValue:forParameter:]):
+            Ditto.
+        (-[AccessibilityObjectWrapper accessibilityIndexOfChild:]): Ditto.
+        (-[AccessibilityObjectWrapper accessibilityArrayAttributeCount:]):
+            Ditto.
+        (-[AccessibilityObjectWrapper accessibilityArrayAttributeValues:index:maxCount:]):
+            Ditto.
+
 2009-09-18  Fumitoshi Ukai  <ukai@chromium.org>
 

trunk/WebCore/accessibility/AccessibilityRenderObject.cpp

@@ -2677 +2677 @@
     if (!m_renderer)
         return;
-    m_renderer->view()->layoutIfNeeded();
-}    
-    
+
+    // Updating layout may delete m_renderer and this object.
+    m_renderer->document()->updateLayoutIgnorePendingStylesheets();
+}
+
 } // namespace WebCore

trunk/WebCore/accessibility/mac/AccessibilityObjectWrapper.mm

@@ -547 +547 @@
 
     m_object->updateBackingStore();
+    if (!m_object)
+        return nil;
 
     static NSArray* actionElementActions = [[NSArray alloc] initWithObjects: NSAccessibilityPressAction, NSAccessibilityShowMenuAction, nil];
@@ -574 +576 @@
     
     m_object->updateBackingStore();
+    if (!m_object)
+        return nil;
     
     if (m_object->isAttachment())
@@ -1230 +1234 @@
 
     m_object->updateBackingStore();
+    if (!m_object)
+        return nil;
     
     if ([attributeName isEqualToString: NSAccessibilityRoleAttribute])
@@ -1572 +1578 @@
 
     m_object->updateBackingStore();
+    if (!m_object)
+        return nil;
 
     RefPtr<AccessibilityObject> focusedObj = m_object->focusedUIElement();
@@ -1587 +1595 @@
 
     m_object->updateBackingStore();
+    if (!m_object)
+        return nil;
 
     RefPtr<AccessibilityObject> axObject = m_object->doAccessibilityHitTest(IntPoint(point));
@@ -1600 +1610 @@
 
     m_object->updateBackingStore();
+    if (!m_object)
+        return nil;
 
     if ([attributeName isEqualToString: @"AXSelectedTextMarkerRange"])
@@ -1639 +1651 @@
 
     m_object->updateBackingStore();
+    if (!m_object)
+        return nil;
 
     if (m_object->isAttachment())
@@ -1651 +1665 @@
 
     m_object->updateBackingStore();
+    if (!m_object)
+        return nil;
 
     if (m_object->isAttachment()) 
@@ -1737 +1753 @@
 
     m_object->updateBackingStore();
+    if (!m_object)
+        return;
 
     if (m_object->isAttachment())
@@ -1750 +1768 @@
 
     m_object->updateBackingStore();
+    if (!m_object)
+        return;
 
     if (m_object->isAttachment())
@@ -1763 +1783 @@
 
     m_object->updateBackingStore();
+    if (!m_object)
+        return;
 
     if (m_object->isAttachment())
@@ -1812 +1834 @@
 
     m_object->updateBackingStore();
+    if (!m_object)
+        return;
 
     if ([action isEqualToString:NSAccessibilityPressAction])
@@ -1832 +1856 @@
 
     m_object->updateBackingStore();
+    if (!m_object)
+        return;
 
     WebCoreTextMarkerRange* textMarkerRange = nil;
@@ -1956 +1982 @@
 
     m_object->updateBackingStore();
+    if (!m_object)
+        return nil;
     
     // common parameter type check/casting.  Nil checks in handlers catch wrong type case.
@@ -2214 +2242 @@
 
     m_object->updateBackingStore();
-    
+    if (!m_object)
+        return NSNotFound;
+
     const AccessibilityObject::AccessibilityChildrenVector& children = m_object->children();
        
@@ -2236 +2266 @@
 
     m_object->updateBackingStore();
+    if (!m_object)
+        return 0;
     
     if ([attribute isEqualToString:NSAccessibilityChildrenAttribute]) {
@@ -2254 +2286 @@
 
     m_object->updateBackingStore();
+    if (!m_object)
+        return nil;
     
     if ([attribute isEqualToString:NSAccessibilityChildrenAttribute]) {