Ensure clean tree before AX cache update.
author zalan@apple.com <zalan@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Mon, 8 May 2017 15:33:47 +0000 (15:33 +0000)
committer zalan@apple.com <zalan@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Mon, 8 May 2017 15:33:47 +0000 (15:33 +0000)
commit cafa257b63cb21b13266022f268a38a6d8d6180f
tree 1a01e324428a91da2e9f850b39995027663e8f25
parent 311c5eaf9db29b942ddb95899085affdf04b77bd
Ensure clean tree before AX cache update.
https://bugs.webkit.org/show_bug.cgi?id=171546
<rdar://problem/31934942>

Source/WebCore:

While updating an accessibility object state, we might
perform unintentional style updates. This style update could
end up destroying renderers that are still referenced by function calls
on the callstack.
To avoid that, AXObjectCache should operate on a clean tree only.

Reviewed by Chris Fleizach.

Test: accessibility/crash-when-render-tree-is-not-clean.html

* accessibility/AXObjectCache.cpp:
(WebCore::AXObjectCache::checkedStateChanged):
(WebCore::AXObjectCache::selectedChildrenChanged):
(WebCore::AXObjectCache::handleAriaExpandedChange):
(WebCore::AXObjectCache::handleActiveDescendantChanged):
(WebCore::AXObjectCache::handleAriaRoleChanged):
(WebCore::AXObjectCache::handleAttributeChanged):
(WebCore::AXObjectCache::handleAriaModalChange):
(WebCore::AXObjectCache::labelChanged):
* accessibility/AXObjectCache.h:
(WebCore::AXObjectCache::checkedStateChanged):
(WebCore::AXObjectCache::handleActiveDescendantChanged):
(WebCore::AXObjectCache::handleAriaExpandedChange):
(WebCore::AXObjectCache::handleAriaRoleChanged):
(WebCore::AXObjectCache::handleAriaModalChange):
(WebCore::AXObjectCache::handleAttributeChanged):
(WebCore::AXObjectCache::selectedChildrenChanged):
* accessibility/AccessibilityRenderObject.cpp:
(WebCore::AccessibilityRenderObject::handleAriaExpandedChanged):
* dom/Element.cpp:
(WebCore::Element::attributeChanged):
* html/HTMLInputElement.cpp:
(WebCore::HTMLInputElement::setChecked):

LayoutTests:

Reviewed by Chris Fleizach.

* accessibility/crash-when-render-tree-is-not-clean.html: Added.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@216419 268f45cc-cd09-0410-ab3c-d52691b4dbfc
LayoutTests/ChangeLog
LayoutTests/accessibility/crash-when-render-tree-is-not-clean-expected.txt [new file with mode: 0644]
LayoutTests/accessibility/crash-when-render-tree-is-not-clean.html [new file with mode: 0644]
Source/WebCore/ChangeLog
Source/WebCore/accessibility/AXObjectCache.cpp
Source/WebCore/accessibility/AXObjectCache.h
Source/WebCore/accessibility/AccessibilityRenderObject.cpp
Source/WebCore/dom/Element.cpp
Source/WebCore/html/HTMLInputElement.cpp