AX: crash at WebCore::AccessibilityObject::supportsARIALiveRegion() const + 24
authorn_wang@apple.com <n_wang@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Wed, 9 Aug 2017 17:52:36 +0000 (17:52 +0000)
committern_wang@apple.com <n_wang@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Wed, 9 Aug 2017 17:52:36 +0000 (17:52 +0000)
https://bugs.webkit.org/show_bug.cgi?id=175340
<rdar://problem/33782159>

Reviewed by Chris Fleizach.

Source/WebCore:

When adding a psuedo element child to a RenderBlockFlow element, there might be a chance where
the element has already been layed out but we are still holding onto its stale children. Fixed it
by notifying AX correctly when inserting/removing children during layout.

Test: accessibility/add-children-pseudo-element.html

* rendering/RenderBlockFlow.cpp:
(WebCore::RenderBlockFlow::insertFloatingObject):
(WebCore::RenderBlockFlow::removeFloatingObject):

LayoutTests:

* accessibility/add-children-pseudo-element-expected.txt: Added.
* accessibility/add-children-pseudo-element.html: Added.
* accessibility/resources/svg-circle.svg: Added.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@220463 268f45cc-cd09-0410-ab3c-d52691b4dbfc

LayoutTests/ChangeLog
LayoutTests/accessibility/add-children-pseudo-element-expected.txt [new file with mode: 0644]
LayoutTests/accessibility/add-children-pseudo-element.html [new file with mode: 0644]
LayoutTests/accessibility/resources/svg-circle.svg [new file with mode: 0644]
Source/WebCore/ChangeLog
Source/WebCore/rendering/RenderBlockFlow.cpp

index 8b4147e1626cb4ebc5e31479597614513f0b56cc..87d991ac0fd97860460a36bbf5a65ca3a46f00cc 100644 (file)
@@ -1,3 +1,15 @@
+2017-08-09  Nan Wang  <n_wang@apple.com>
+
+        AX: crash at WebCore::AccessibilityObject::supportsARIALiveRegion() const + 24
+        https://bugs.webkit.org/show_bug.cgi?id=175340
+        <rdar://problem/33782159>
+
+        Reviewed by Chris Fleizach.
+
+        * accessibility/add-children-pseudo-element-expected.txt: Added.
+        * accessibility/add-children-pseudo-element.html: Added.
+        * accessibility/resources/svg-circle.svg: Added.
+
 2017-08-09  Ms2ger  <Ms2ger@igalia.com>
 
         WPE-focused test gardening.
diff --git a/LayoutTests/accessibility/add-children-pseudo-element-expected.txt b/LayoutTests/accessibility/add-children-pseudo-element-expected.txt
new file mode 100644 (file)
index 0000000..81bca95
--- /dev/null
@@ -0,0 +1,12 @@
+Language Email 
+Make sure that we are updating the render block flow element's children correctly.
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+PASS element.childrenCount is 3
+PASS element.childrenCount is 2
+PASS successfullyParsed is true
+
+TEST COMPLETE
+
diff --git a/LayoutTests/accessibility/add-children-pseudo-element.html b/LayoutTests/accessibility/add-children-pseudo-element.html
new file mode 100644 (file)
index 0000000..9ad8739
--- /dev/null
@@ -0,0 +1,70 @@
+<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML//EN">
+<html>
+<head>
+<script src="../resources/js-test-pre.js"></script>
+</head>
+
+<style>
+.pseudo::after {
+  content: url(resources/svg-circle.svg);
+  width: 18px;
+  height: 20px;
+  position: absolute;
+  margin-top: 6px;
+  right: 6px
+}
+
+.pseudo.hidden::after {
+    content: ' ';
+}
+</style>
+
+<body id="body">
+
+<div id="container">
+<div id="test" style="float : left;">
+<span>Language</span>
+<input id="test">
+</div>
+
+<div id="float" style="display: inline-block;" class="pseudo">
+<span required="" style="color: rgb(194, 0, 0);">Email</span>
+<input type="text" required="" aria-required="true" value="" onkeyup="hidePseudo();">
+</div>
+
+</div>
+
+<p id="description"></p>
+<div id="console"></div>
+
+<script>
+
+    description("Make sure that we are updating the render block flow element's children correctly.");
+
+    if (window.accessibilityController) {
+        var element = accessibilityController.accessibleElementById("float");
+        shouldBe("element.childrenCount", "3");
+        
+        eventSender.keyDown('\t');
+        eventSender.keyDown('\t');
+        
+        shouldBe("element.childrenCount", "2");
+        showPseudo();
+        
+        function hidePseudo() {
+            document.getElementById("float").className += "hidden"
+        }
+        
+        function showPseudo() {
+            document.getElementById("float").className = "pseudo";
+        }
+                
+        // Make sure getting the attributes of its children won't cause crash
+        element.attributesOfChildren();
+    }
+
+</script>
+
+<script src="../resources/js-test-post.js"></script>
+</body>
+</html>
diff --git a/LayoutTests/accessibility/resources/svg-circle.svg b/LayoutTests/accessibility/resources/svg-circle.svg
new file mode 100644 (file)
index 0000000..1976976
--- /dev/null
@@ -0,0 +1,6 @@
+<svg xmlns="http://www.w3.org/2000/svg">
+     <g>
+        <text style="float:right"></text>
+        <text>circle</text>
+    </g>
+</svg>
\ No newline at end of file
index 4ead7c8f9807b19425253f1bff471287e767a5fd..9e8fb781bfdf2ee6f359ed3a38e73fc887226b1c 100644 (file)
@@ -1,3 +1,21 @@
+2017-08-09  Nan Wang  <n_wang@apple.com>
+
+        AX: crash at WebCore::AccessibilityObject::supportsARIALiveRegion() const + 24
+        https://bugs.webkit.org/show_bug.cgi?id=175340
+        <rdar://problem/33782159>
+
+        Reviewed by Chris Fleizach.
+
+        When adding a psuedo element child to a RenderBlockFlow element, there might be a chance where
+        the element has already been layed out but we are still holding onto its stale children. Fixed it
+        by notifying AX correctly when inserting/removing children during layout.
+
+        Test: accessibility/add-children-pseudo-element.html
+
+        * rendering/RenderBlockFlow.cpp:
+        (WebCore::RenderBlockFlow::insertFloatingObject):
+        (WebCore::RenderBlockFlow::removeFloatingObject):
+
 2017-08-09  Charlie Turner  <cturner@igalia.com>
 
         [GStreamer][MSE] Add missing lock around getStreamByTrackId
index f9979921a213e0f59d34059823d45a634ab1e9a1..028358b346e738f02d7d2c1481c34bb39c9654bf 100644 (file)
@@ -24,6 +24,7 @@
 #include "config.h"
 #include "RenderBlockFlow.h"
 
+#include "AXObjectCache.h"
 #include "Editor.h"
 #include "FloatingObjects.h"
 #include "Frame.h"
@@ -2352,6 +2353,9 @@ FloatingObject* RenderBlockFlow::insertFloatingObject(RenderBox& floatBox)
     }
 
     setLogicalWidthForFloat(*floatingObject, logicalWidthForChild(floatBox) + marginStartForChild(floatBox) + marginEndForChild(floatBox));
+    
+    if (AXObjectCache* cache = document().existingAXObjectCache())
+        cache->childrenChanged(this);
 
     return m_floatingObjects->add(WTFMove(floatingObject));
 }
@@ -2389,6 +2393,9 @@ void RenderBlockFlow::removeFloatingObject(RenderBox& floatBox)
                 markLinesDirtyInBlockRange(0, logicalBottom);
             }
             m_floatingObjects->remove(&floatingObject);
+            
+            if (AXObjectCache* cache = document().existingAXObjectCache())
+                cache->childrenChanged(this);
         }
     }
 }