AX: Crash: com.apple.WebKit.WebContent at com.apple.WebCore: WebCore::AXObjectCache...
author cfleizach@apple.com <cfleizach@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Wed, 7 Jan 2015 16:55:10 +0000 (16:55 +0000)
committer cfleizach@apple.com <cfleizach@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Wed, 7 Jan 2015 16:55:10 +0000 (16:55 +0000)
commit d34b43914f749537383b993f0f6f1c8114edc6be
tree 9a805ffd64cef46afe7cd4ca30929f6dcd603607
parent ecd0c23491760f7da5297576c9a546fe9981a716
AX: Crash: com.apple.WebKit.WebContent at com.apple.WebCore: WebCore::AXObjectCache::clearTextMarkerNodesInUse + 149
https://bugs.webkit.org/show_bug.cgi?id=139929

Reviewed by Darin Adler.

Source/WebCore:

When a frame is replaced, there were instances when it was not clearing its associated nodes in the accessibility text marker -> Node cache.
This caused dead Nodes to be left in the cache which would eventually be accessed when the cache was cleaned out at a later time.

To fix this we should be clearing out the cache in Document::prepareForDestruction, instead of Frame::disconnectOwnerElement.

While working on this, it also exposed a problem where when a frame goes away, it doesn't inform its parent to update its children,
which causes an ASSERT to be hit with this test as well.

Tests: accessibility/frame-disconnect-textmarker-cache-crash.html

* dom/Document.cpp:
(WebCore::Document::prepareForDestruction):
* page/Frame.cpp:
(WebCore::Frame::disconnectOwnerElement):
    Remove cache management from here since it is superseded by code in Document::prepareForDestruction
* page/FrameView.cpp:
(WebCore::FrameView::removeFromAXObjectCache):

LayoutTests:

* accessibility/frame-disconnect-textmarker-cache-crash-expected.txt: Added.
* accessibility/frame-disconnect-textmarker-cache-crash.html: Added.
* accessibility/resources/frameset.html: Added.
* accessibility/resources/inform-parent-of-load.html: Added.
* accessibility/resources/text.html: Added.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@178038 268f45cc-cd09-0410-ab3c-d52691b4dbfc
LayoutTests/ChangeLog
LayoutTests/accessibility/frame-disconnect-textmarker-cache-crash-expected.txt [new file with mode: 0644]
LayoutTests/accessibility/frame-disconnect-textmarker-cache-crash.html [new file with mode: 0644]
LayoutTests/accessibility/resources/frameset.html [new file with mode: 0644]
LayoutTests/accessibility/resources/inform-parent-of-load.html [new file with mode: 0644]
LayoutTests/accessibility/resources/text.html [new file with mode: 0644]
Source/WebCore/ChangeLog
Source/WebCore/dom/Document.cpp
Source/WebCore/page/Frame.cpp
Source/WebCore/page/FrameView.cpp
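
The lifetime problem the commit message describes, as an added model that is not WebKit code: a non-owning pointer cache stays clean only if its cleanup sits on a path every teardown takes. `Node`, `MarkerCache`, `Hook` and `staleAfterTeardown` are hypothetical names, and the model assumes a frame replacement can skip the owner-disconnect step while document destruction always runs.

```cpp
#include <cstddef>
#include <memory>
#include <unordered_set>
#include <vector>

// Hypothetical stand-ins for illustration; these are not WebCore's classes.
struct Node {
    int docId;
    bool alive = true;  // "freed" is modeled as a flag so the check below is safe
    explicit Node(int d) : docId(d) {}
};

// Non-owning cache of raw node pointers, like a text marker -> Node map.
struct MarkerCache {
    std::unordered_set<Node*> nodes;
    void forgetDocument(int docId) {
        for (auto it = nodes.begin(); it != nodes.end();) {
            if ((*it)->docId == docId) it = nodes.erase(it);
            else ++it;
        }
    }
    // Entries whose node is gone; in real code each one is a dangling pointer
    // that gets dereferenced when the cache is later walked and cleared.
    std::size_t staleEntries() const {
        std::size_t n = 0;
        for (const Node* p : nodes) if (!p->alive) ++n;
        return n;
    }
};

enum class Hook { OwnerDisconnect, DocumentDestruction };

// Destroys document 1 (three cached nodes) while document 2 survives, and
// returns the stale entries left behind. ownerDisconnectRuns models whether
// this teardown path reaches the owner-disconnect step (assumption: a frame
// replacement can skip it, while document destruction always runs).
std::size_t staleAfterTeardown(Hook hook, bool ownerDisconnectRuns) {
    std::vector<std::unique_ptr<Node>> arena;  // keeps storage valid for the model
    MarkerCache cache;
    for (int doc : {1, 1, 1, 2}) {
        arena.push_back(std::make_unique<Node>(doc));
        cache.nodes.insert(arena.back().get());
    }
    if (hook == Hook::OwnerDisconnect && ownerDisconnectRuns) cache.forgetDocument(1);
    if (hook == Hook::DocumentDestruction) cache.forgetDocument(1);
    for (auto& n : arena) if (n->docId == 1) n->alive = false;  // nodes die here
    return cache.staleEntries();
}
```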