Merge r222226 - AXObjectCache::performDeferredCacheUpdate is called r…

…ecursively through FrameView::layout. https://bugs.webkit.org/show_bug.cgi?id=176218 <rdar://problem/34205612> Reviewed by Simon Fraser. Source/WebCore: There are certain cases when we might re-enter performDeferredCacheUpdate through recursive layout calls (see webkit.org/b/177176) and mutate m_deferredTextChangedList multiple times. Test: accessibility/crash-table-recursive-layout.html * accessibility/AXObjectCache.cpp: (WebCore::AXObjectCache::performDeferredCacheUpdate): * accessibility/AXObjectCache.h: LayoutTests: * accessibility/crash-table-recursive-layout-expected.txt: Added. * accessibility/crash-table-recursive-layout.html: Added.
WebKit · Oct 16, 2017 · 6cb08de · 6cb08de
1 parent 1d24157
commit 6cb08de
Show file tree

Hide file tree

Showing 6 changed files with 73 additions and 1 deletion.
diff --git a/LayoutTests/ChangeLog b/LayoutTests/ChangeLog
@@ -1,3 +1,14 @@
+2017-09-19  Zalan Bujtas  <zalan@apple.com>
+
+        AXObjectCache::performDeferredCacheUpdate is called recursively through FrameView::layout. 
+        https://bugs.webkit.org/show_bug.cgi?id=176218
+        <rdar://problem/34205612>
+
+        Reviewed by Simon Fraser.
+
+        * accessibility/crash-table-recursive-layout-expected.txt: Added.
+        * accessibility/crash-table-recursive-layout.html: Added.
+
 2017-09-19  Zalan Bujtas  <zalan@apple.com>
 
         Do not mutate RenderText content during layout.

diff --git a/LayoutTests/accessibility/crash-table-recursive-layout-expected.txt b/LayoutTests/accessibility/crash-table-recursive-layout-expected.txt
@@ -0,0 +1,2 @@
+PASS if no crash.
+
diff --git a/LayoutTests/accessibility/crash-table-recursive-layout.html b/LayoutTests/accessibility/crash-table-recursive-layout.html
@@ -0,0 +1,36 @@
+<!DOCTYPE html>
+<html>
+<head>
+<style>
+#colgrp { 
+    display: table-footer-group;
+}
+
+.class1 {
+    text-transform: capitalize;
+    display: -webkit-box;
+}
+</style>
+<script>
+    if (window.accessibilityController)
+        accessibilityController.focusedElement;
+    if (window.testRunner)
+        testRunner.dumpAsText();
+    function runTest() {
+        textarea.setSelectionRange(30, 1);
+        option.defaultSelected = true;
+        col.setAttribute("aria-labeledby", "link");
+    }
+</script>
+</head>
+<body onload=runTest()>
+<link id="link">
+<table>
+<colgroup id="colgrp">
+<col id="col" tabindex="1"></col>
+<thead class="class1">
+<th class="class1">
+<textarea id="textarea" readonly="readonly"></textarea>
+<option id="option"></option>
+</body>
+</html>
diff --git a/Source/WebCore/ChangeLog b/Source/WebCore/ChangeLog
@@ -1,3 +1,20 @@
+2017-09-19  Zalan Bujtas  <zalan@apple.com>
+
+        AXObjectCache::performDeferredCacheUpdate is called recursively through FrameView::layout. 
+        https://bugs.webkit.org/show_bug.cgi?id=176218
+        <rdar://problem/34205612>
+
+        Reviewed by Simon Fraser.
+
+        There are certain cases when we might re-enter performDeferredCacheUpdate through recursive
+        layout calls (see webkit.org/b/177176) and mutate m_deferredTextChangedList multiple times.
+
+        Test: accessibility/crash-table-recursive-layout.html
+
+        * accessibility/AXObjectCache.cpp:
+        (WebCore::AXObjectCache::performDeferredCacheUpdate):
+        * accessibility/AXObjectCache.h:
+
 2017-09-19  Zalan Bujtas  <zalan@apple.com>
 
         Do not mutate RenderText content during layout.

diff --git a/Source/WebCore/accessibility/AXObjectCache.cpp b/Source/WebCore/accessibility/AXObjectCache.cpp
@@ -97,6 +97,7 @@
 #include "TextControlInnerElements.h"
 #include "TextIterator.h"
 #include <wtf/DataLog.h>
+#include <wtf/SetForScope.h>
 
 #if ENABLE(VIDEO)
 #include "MediaControlElements.h"
@@ -2774,6 +2775,10 @@ bool AXObjectCache::nodeIsTextControl(const Node* node)
 
 void AXObjectCache::performDeferredCacheUpdate()
 {
+    if (m_performingDeferredCacheUpdate)
+        return;
+
+    SetForScope<bool> performingDeferredCacheUpdate(m_performingDeferredCacheUpdate, true);
     for (auto* node : m_deferredTextChangedList)
         textChanged(node);
     m_deferredTextChangedList.clear();

diff --git a/Source/WebCore/accessibility/AXObjectCache.h b/Source/WebCore/accessibility/AXObjectCache.h
@@ -436,9 +436,10 @@ class AXObjectCache {
     ListHashSet<Node*> m_ariaModalNodesSet;
 
     AXTextStateChangeIntent m_textSelectionIntent;
-    bool m_isSynchronizingSelection { false };
     ListHashSet<Element*> m_deferredRecomputeIsIgnoredList;
     ListHashSet<Node*> m_deferredTextChangedList;
+    bool m_isSynchronizingSelection { false };
+    bool m_performingDeferredCacheUpdate { false };
 };
 
 class AXAttributeCacheEnabler