Changeset 181600 in webkit

Timestamp:

Mar 16, 2015 5:12:06 PM (9 years ago)

Author:

jdiggs@igalia.com

Message:

AX: Crash viewing ​http://www.last.fm/
​https://bugs.webkit.org/show_bug.cgi?id=142309

Reviewed by Chris Fleizach.

Source/WebCore:

The crash occurs when a not-yet-rendered object emits a children-changed
signal. If an assistive technology is listening, AT-SPI2 will attempt to
create and cache the state set for the child being added and the creation
of the state set assumes a rendered object.

Test: platform/gtk/accessibility/no-notification-for-unrendered-iframe-children.html

• accessibility/atk/AXObjectCacheAtk.cpp:

(WebCore::AXObjectCache::attachWrapper):

LayoutTests:

This test doesn't verify the absence of the crash because the crash seems
to require that an assistive technology is listening for events, and that
AT-SPI2 is caching the tree for that assistive technology -- something we
cannot count on being the case on our bots. (I suspect that the reason non-
assistive technology users of Epiphany were getting hit by this is because
Caribou was listening for events in the background, thus they were AT users
without realizing it. That Caribou issue is in theory now resolved.) What
this test does verify is the absence of children-changed:add accessibility
signals for non-rendered objects, which is the source of the crash given
the aforementioned environment.

• platform/gtk/accessibility/no-notification-for-unrendered-iframe-children-expected.txt: Added.
• platform/gtk/accessibility/no-notification-for-unrendered-iframe-children.html: Added.

Location:

trunk

Files:

• LayoutTests/ChangeLog (modified) (1 diff)
• LayoutTests/platform/gtk/accessibility/no-notification-for-unrendered-iframe-children-expected.txt (added)
• LayoutTests/platform/gtk/accessibility/no-notification-for-unrendered-iframe-children.html (added)
• Source/WebCore/ChangeLog (modified) (1 diff)
• Source/WebCore/accessibility/atk/AXObjectCacheAtk.cpp (modified) (1 diff)

trunk/LayoutTests/ChangeLog

@@ +1 @@
+2015-03-16  Joanmarie Diggs  <jdiggs@igalia.com>
+
+        AX: Crash viewing http://www.last.fm/
+        https://bugs.webkit.org/show_bug.cgi?id=142309
+
+        Reviewed by Chris Fleizach.
+
+        This test doesn't verify the absence of the crash because the crash seems
+        to require that an assistive technology is listening for events, and that
+        AT-SPI2 is caching the tree for that assistive technology -- something we
+        cannot count on being the case on our bots. (I suspect that the reason non-
+        assistive technology users of Epiphany were getting hit by this is because
+        Caribou was listening for events in the background, thus they were AT users
+        without realizing it. That Caribou issue is in theory now resolved.) What
+        this test does verify is the absence of children-changed:add accessibility
+        signals for non-rendered objects, which is the source of the crash given
+        the aforementioned environment.
+
+        * platform/gtk/accessibility/no-notification-for-unrendered-iframe-children-expected.txt: Added.
+        * platform/gtk/accessibility/no-notification-for-unrendered-iframe-children.html: Added.
+
 2015-03-16  Commit Queue  <commit-queue@webkit.org>
 

trunk/Source/WebCore/ChangeLog

@@ +1 @@
+2015-03-16  Joanmarie Diggs  <jdiggs@igalia.com>
+
+        AX: Crash viewing http://www.last.fm/
+        https://bugs.webkit.org/show_bug.cgi?id=142309
+
+        Reviewed by Chris Fleizach.
+
+        The crash occurs when a not-yet-rendered object emits a children-changed
+        signal. If an assistive technology is listening, AT-SPI2 will attempt to
+        create and cache the state set for the child being added and the creation
+        of the state set assumes a rendered object.
+
+        Test: platform/gtk/accessibility/no-notification-for-unrendered-iframe-children.html
+
+        * accessibility/atk/AXObjectCacheAtk.cpp:
+        (WebCore::AXObjectCache::attachWrapper):
+
 2015-03-16  Commit Queue  <commit-queue@webkit.org>
 

trunk/Source/WebCore/accessibility/atk/AXObjectCacheAtk.cpp

@@ -81 +81 @@
         return;
 
+    // Don't emit the signal if the object being added is not -- or not yet -- rendered,
+    // which can occur in nested iframes. In these instances we don't want to ignore the
+    // child. But if an assistive technology is listening, AT-SPI2 will attempt to create
+    // and cache the state set for the child upon emission of the signal. If the object
+    // has not yet been rendered, this will result in a crash.
+    if (!obj->renderer())
+        return;
+
     // Don't emit the signal for objects whose parents won't be exposed directly.
     AccessibilityObject* coreParent = obj->parentObjectUnignored();