<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><meta http-equiv="content-type" content="text/html; charset=utf-8" />
<title>[181637] releases/WebKitGTK/webkit-2.8</title>
</head>
<body>

<style type="text/css"><!--
#msg dl.meta { border: 1px #006 solid; background: #369; padding: 6px; color: #fff; }
#msg dl.meta dt { float: left; width: 6em; font-weight: bold; }
#msg dt:after { content:':';}
#msg dl, #msg dt, #msg ul, #msg li, #header, #footer, #logmsg { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt;  }
#msg dl a { font-weight: bold}
#msg dl a:link    { color:#fc3; }
#msg dl a:active  { color:#ff0; }
#msg dl a:visited { color:#cc6; }
h3 { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; font-weight: bold; }
#msg pre { overflow: auto; background: #ffc; border: 1px #fa0 solid; padding: 6px; }
#logmsg { background: #ffc; border: 1px #fa0 solid; padding: 1em 1em 0 1em; }
#logmsg p, #logmsg pre, #logmsg blockquote { margin: 0 0 1em 0; }
#logmsg p, #logmsg li, #logmsg dt, #logmsg dd { line-height: 14pt; }
#logmsg h1, #logmsg h2, #logmsg h3, #logmsg h4, #logmsg h5, #logmsg h6 { margin: .5em 0; }
#logmsg h1:first-child, #logmsg h2:first-child, #logmsg h3:first-child, #logmsg h4:first-child, #logmsg h5:first-child, #logmsg h6:first-child { margin-top: 0; }
#logmsg ul, #logmsg ol { padding: 0; list-style-position: inside; margin: 0 0 0 1em; }
#logmsg ul { text-indent: -1em; padding-left: 1em; }#logmsg ol { text-indent: -1.5em; padding-left: 1.5em; }
#logmsg > ul, #logmsg > ol { margin: 0 0 1em 0; }
#logmsg pre { background: #eee; padding: 1em; }
#logmsg blockquote { border: 1px solid #fa0; border-left-width: 10px; padding: 1em 1em 0 1em; background: white;}
#logmsg dl { margin: 0; }
#logmsg dt { font-weight: bold; }
#logmsg dd { margin: 0; padding: 0 0 0.5em 0; }
#logmsg dd:before { content:'\00bb';}
#logmsg table { border-spacing: 0px; border-collapse: collapse; border-top: 4px solid #fa0; border-bottom: 1px solid #fa0; background: #fff; }
#logmsg table th { text-align: left; font-weight: normal; padding: 0.2em 0.5em; border-top: 1px dotted #fa0; }
#logmsg table td { text-align: right; border-top: 1px dotted #fa0; padding: 0.2em 0.5em; }
#logmsg table thead th { text-align: center; border-bottom: 1px solid #fa0; }
#logmsg table th.Corner { text-align: left; }
#logmsg hr { border: none 0; border-top: 2px dashed #fa0; height: 1px; }
#header, #footer { color: #fff; background: #636; border: 1px #300 solid; padding: 6px; }
#patch { width: 100%; }
#patch h4 {font-family: verdana,arial,helvetica,sans-serif;font-size:10pt;padding:8px;background:#369;color:#fff;margin:0;}
#patch .propset h4, #patch .binary h4 {margin:0;}
#patch pre {padding:0;line-height:1.2em;margin:0;}
#patch .diff {width:100%;background:#eee;padding: 0 0 10px 0;overflow:auto;}
#patch .propset .diff, #patch .binary .diff  {padding:10px 0;}
#patch span {display:block;padding:0 10px;}
#patch .modfile, #patch .addfile, #patch .delfile, #patch .propset, #patch .binary, #patch .copfile {border:1px solid #ccc;margin:10px 0;}
#patch ins {background:#dfd;text-decoration:none;display:block;padding:0 10px;}
#patch del {background:#fdd;text-decoration:none;display:block;padding:0 10px;}
#patch .lines, .info {color:#888;background:#fff;}
--></style>
<div id="msg">
<dl class="meta">
<dt>Revision</dt> <dd><a href="http://trac.webkit.org/projects/webkit/changeset/181637">181637</a></dd>
<dt>Author</dt> <dd>carlosgc@webkit.org</dd>
<dt>Date</dt> <dd>2015-03-17 04:47:53 -0700 (Tue, 17 Mar 2015)</dd>
</dl>

<h3>Log Message</h3>
<pre>Merge <a href="http://trac.webkit.org/projects/webkit/changeset/181600">r181600</a> - AX: Crash viewing http://www.last.fm/
https://bugs.webkit.org/show_bug.cgi?id=142309

Reviewed by Chris Fleizach.

Source/WebCore:

The crash occurs when a not-yet-rendered object emits a children-changed
signal. If an assistive technology is listening, AT-SPI2 will attempt to
create and cache the state set for the child being added and the creation
of the state set assumes a rendered object.

Test: platform/gtk/accessibility/no-notification-for-unrendered-iframe-children.html

* accessibility/atk/AXObjectCacheAtk.cpp:
(WebCore::AXObjectCache::attachWrapper):

LayoutTests:

This test doesn't verify the absence of the crash because the crash seems
to require that an assistive technology is listening for events, and that
AT-SPI2 is caching the tree for that assistive technology -- something we
cannot count on being the case on our bots. (I suspect that the reason non-
assistive technology users of Epiphany were getting hit by this is because
Caribou was listening for events in the background, thus they were AT users
without realizing it. That Caribou issue is in theory now resolved.) What
this test does verify is the absence of children-changed:add accessibility
signals for non-rendered objects, which is the source of the crash given
the aforementioned environment.

* platform/gtk/accessibility/no-notification-for-unrendered-iframe-children-expected.txt: Added.
* platform/gtk/accessibility/no-notification-for-unrendered-iframe-children.html: Added.</pre>

<h3>Modified Paths</h3>
<ul>
<li><a href="#releasesWebKitGTKwebkit28LayoutTestsChangeLog">releases/WebKitGTK/webkit-2.8/LayoutTests/ChangeLog</a></li>
<li><a href="#releasesWebKitGTKwebkit28SourceWebCoreChangeLog">releases/WebKitGTK/webkit-2.8/Source/WebCore/ChangeLog</a></li>
<li><a href="#releasesWebKitGTKwebkit28SourceWebCoreaccessibilityatkAXObjectCacheAtkcpp">releases/WebKitGTK/webkit-2.8/Source/WebCore/accessibility/atk/AXObjectCacheAtk.cpp</a></li>
</ul>

<h3>Added Paths</h3>
<ul>
<li><a href="#releasesWebKitGTKwebkit28LayoutTestsplatformgtkaccessibilitynonotificationforunrenderediframechildrenexpectedtxt">releases/WebKitGTK/webkit-2.8/LayoutTests/platform/gtk/accessibility/no-notification-for-unrendered-iframe-children-expected.txt</a></li>
<li><a href="#releasesWebKitGTKwebkit28LayoutTestsplatformgtkaccessibilitynonotificationforunrenderediframechildrenhtml">releases/WebKitGTK/webkit-2.8/LayoutTests/platform/gtk/accessibility/no-notification-for-unrendered-iframe-children.html</a></li>
</ul>

</div>
<div id="patch">
<h3>Diff</h3>
<a id="releasesWebKitGTKwebkit28LayoutTestsChangeLog"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.8/LayoutTests/ChangeLog (181636 => 181637)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.8/LayoutTests/ChangeLog        2015-03-17 11:46:54 UTC (rev 181636)
+++ releases/WebKitGTK/webkit-2.8/LayoutTests/ChangeLog        2015-03-17 11:47:53 UTC (rev 181637)
</span><span class="lines">@@ -1,3 +1,24 @@
</span><ins>+2015-03-16  Joanmarie Diggs  &lt;jdiggs@igalia.com&gt;
+
+        AX: Crash viewing http://www.last.fm/
+        https://bugs.webkit.org/show_bug.cgi?id=142309
+
+        Reviewed by Chris Fleizach.
+
+        This test doesn't verify the absence of the crash because the crash seems
+        to require that an assistive technology is listening for events, and that
+        AT-SPI2 is caching the tree for that assistive technology -- something we
+        cannot count on being the case on our bots. (I suspect that the reason non-
+        assistive technology users of Epiphany were getting hit by this is because
+        Caribou was listening for events in the background, thus they were AT users
+        without realizing it. That Caribou issue is in theory now resolved.) What
+        this test does verify is the absence of children-changed:add accessibility
+        signals for non-rendered objects, which is the source of the crash given
+        the aforementioned environment.
+
+        * platform/gtk/accessibility/no-notification-for-unrendered-iframe-children-expected.txt: Added.
+        * platform/gtk/accessibility/no-notification-for-unrendered-iframe-children.html: Added.
+
</ins><span class="cx"> 2015-03-16  Max Stepin  &lt;maxstepin@gmail.com&gt;
</span><span class="cx"> 
</span><span class="cx">         Add APNG support
</span></span></pre></div>
<a id="releasesWebKitGTKwebkit28LayoutTestsplatformgtkaccessibilitynonotificationforunrenderediframechildrenexpectedtxt"></a>
<div class="addfile"><h4>Added: releases/WebKitGTK/webkit-2.8/LayoutTests/platform/gtk/accessibility/no-notification-for-unrendered-iframe-children-expected.txt (0 => 181637)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.8/LayoutTests/platform/gtk/accessibility/no-notification-for-unrendered-iframe-children-expected.txt                                (rev 0)
+++ releases/WebKitGTK/webkit-2.8/LayoutTests/platform/gtk/accessibility/no-notification-for-unrendered-iframe-children-expected.txt        2015-03-17 11:47:53 UTC (rev 181637)
</span><span class="lines">@@ -0,0 +1,12 @@
</span><ins>+This test ensures that a children-changed notification is not emitted for children of not-yet-rendered nested iframes.
+
+On success, you will see a series of &quot;PASS&quot; messages, followed by &quot;TEST COMPLETE&quot;.
+
+
+
+AXChildrenAdded on AXDescription: inner body
+AXChildrenAdded on AXDescription: inner body
+PASS successfullyParsed is true
+
+TEST COMPLETE
+
</ins></span></pre></div>
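Review bot: The two identical "AXChildrenAdded on AXDescription: inner body" lines are the entire expectation, and the property under test (no notification for children of the not-yet-rendered inner iframe) is only implied by the absence of a further line. A sentence in the test description saying why exactly two notifications on the inner body are expected would make a later rebaseline easier to judge. The header's promise of a series of "PASS" messages also overstates what follows, which is a single PASS line.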
<a id="releasesWebKitGTKwebkit28LayoutTestsplatformgtkaccessibilitynonotificationforunrenderediframechildrenhtml"></a>
<div class="addfile"><h4>Added: releases/WebKitGTK/webkit-2.8/LayoutTests/platform/gtk/accessibility/no-notification-for-unrendered-iframe-children.html (0 => 181637)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.8/LayoutTests/platform/gtk/accessibility/no-notification-for-unrendered-iframe-children.html                                (rev 0)
+++ releases/WebKitGTK/webkit-2.8/LayoutTests/platform/gtk/accessibility/no-notification-for-unrendered-iframe-children.html        2015-03-17 11:47:53 UTC (rev 181637)
</span><span class="lines">@@ -0,0 +1,50 @@
</span><ins>+&lt;html&gt;
+&lt;head&gt;
+&lt;script src=&quot;../../../resources/js-test-pre.js&quot;&gt;&lt;/script&gt;
+&lt;script src=&quot;../../../resources/accessibility-helper.js&quot;&gt;&lt;/script&gt;
+&lt;/head&gt;
+&lt;body aria-label=&quot;outer body&quot;&gt;
+&lt;p id=&quot;description&quot;&gt;&lt;/p&gt;
+&lt;iframe aria-label=&quot;outer iframe&quot; id=&quot;iframe&quot;&gt;&lt;/iframe&gt;
+&lt;div id=&quot;console&quot;&gt;&lt;/div&gt;
+&lt;script&gt;
+window.jsTestIsAsync = true;
+
+description(&quot;This test ensures that a children-changed notification is not emitted for children of not-yet-rendered nested iframes.&quot;);
+function runTest() {
+
+    if (window.accessibilityController) {
+        var axWebArea = accessibilityController.rootElement.childAtIndex(0);
+
+        // Generate the hierarchy before registering a listener so that we only see new notifications.
+        touchAccessibilityTree(axWebArea);
+
+        accessibilityController.addNotificationListener(function(element, notification) {
+            if (notification == &quot;AXChildrenAdded&quot; &amp;&amp; element.role == &quot;AXRole: AXGroup&quot;)
+                debug(notification + &quot; on &quot; + element.description);
+        });
+    }
+
+    // Write content in the outer iframe, including an inner iframe. The latter should not emit a notification.
+    var iframe = document.getElementById(&quot;iframe&quot;);
+    var doc = iframe.contentWindow.document;
+    doc.open();
+    doc.write(&quot;&lt;html&gt;&lt;body aria-label='inner body'&gt;&lt;iframe aria-label='inner iframe' src='about:config'&gt;&lt;/body&gt;&lt;/html&gt;&quot;);
+    doc.close();
+
+    // Re-generate the hierarchy to trigger the notifications.
+    touchAccessibilityTree(axWebArea);
+
+    window.setTimeout(function() {
+        if (window.accessibilityController) {
+            accessibilityController.removeNotificationListener();
+        }
+
+        finishJSTest();
+    }, 0);
+}
+runTest();
+&lt;/script&gt;
+&lt;script src=&quot;../../../resources/js-test-post.js&quot;&gt;&lt;/script&gt;
+&lt;/body&gt;
+&lt;/html&gt;
</ins></span></pre></div>
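Review bot: In runTest(), axWebArea is assigned only inside the first if (window.accessibilityController) block, but the second touchAccessibilityTree(axWebArea) call sits outside any such guard, so without the controller it is called with undefined. Put that call under the same guard, or call finishJSTest() and return early when window.accessibilityController is missing. Also, the doc.write() string leaves the inner &lt;iframe&gt; unclosed before &lt;/body&gt;; closing it explicitly keeps the test from depending on parser recovery.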
<a id="releasesWebKitGTKwebkit28SourceWebCoreChangeLog"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.8/Source/WebCore/ChangeLog (181636 => 181637)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.8/Source/WebCore/ChangeLog        2015-03-17 11:46:54 UTC (rev 181636)
+++ releases/WebKitGTK/webkit-2.8/Source/WebCore/ChangeLog        2015-03-17 11:47:53 UTC (rev 181637)
</span><span class="lines">@@ -1,3 +1,20 @@
</span><ins>+2015-03-16  Joanmarie Diggs  &lt;jdiggs@igalia.com&gt;
+
+        AX: Crash viewing http://www.last.fm/
+        https://bugs.webkit.org/show_bug.cgi?id=142309
+
+        Reviewed by Chris Fleizach.
+
+        The crash occurs when a not-yet-rendered object emits a children-changed
+        signal. If an assistive technology is listening, AT-SPI2 will attempt to
+        create and cache the state set for the child being added and the creation
+        of the state set assumes a rendered object.
+
+        Test: platform/gtk/accessibility/no-notification-for-unrendered-iframe-children.html
+
+        * accessibility/atk/AXObjectCacheAtk.cpp:
+        (WebCore::AXObjectCache::attachWrapper):
+
</ins><span class="cx"> 2015-03-16  Brady Eidson  &lt;beidson@apple.com&gt;
</span><span class="cx"> 
</span><span class="cx">         Addressing additional review feedback after http://trac.webkit.org/changeset/181565
</span></span></pre></div>
<a id="releasesWebKitGTKwebkit28SourceWebCoreaccessibilityatkAXObjectCacheAtkcpp"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.8/Source/WebCore/accessibility/atk/AXObjectCacheAtk.cpp (181636 => 181637)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.8/Source/WebCore/accessibility/atk/AXObjectCacheAtk.cpp        2015-03-17 11:46:54 UTC (rev 181636)
+++ releases/WebKitGTK/webkit-2.8/Source/WebCore/accessibility/atk/AXObjectCacheAtk.cpp        2015-03-17 11:47:53 UTC (rev 181637)
</span><span class="lines">@@ -80,6 +80,14 @@
</span><span class="cx">     if (obj-&gt;accessibilityIsIgnoredByDefault())
</span><span class="cx">         return;
</span><span class="cx"> 
</span><ins>+    // Don't emit the signal if the object being added is not -- or not yet -- rendered,
+    // which can occur in nested iframes. In these instances we don't want to ignore the
+    // child. But if an assistive technology is listening, AT-SPI2 will attempt to create
+    // and cache the state set for the child upon emission of the signal. If the object
+    // has not yet been rendered, this will result in a crash.
+    if (!obj-&gt;renderer())
+        return;
+
</ins><span class="cx">     // Don't emit the signal for objects whose parents won't be exposed directly.
</span><span class="cx">     AccessibilityObject* coreParent = obj-&gt;parentObjectUnignored();
</span><span class="cx">     if (!coreParent || coreParent-&gt;accessibilityIsIgnoredByDefault())
</span></span></pre>
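Review bot: The new early return on !obj-&gt;renderer() in attachWrapper keeps only this one emission site away from the crash; the state-set creation that the comment says assumes a rendered object is left unchanged, so any other path that exposes an unrendered object to AT-SPI2 would still reach it. Consider also making the state-set code tolerate a missing renderer, since the trigger here is page content (nested iframes). Separately, nothing in this hunk shows children-changed:add being emitted once the object does get a renderer, so the comment should say how a listening assistive technology learns about the child later.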
</div>
</div>

</body>
</html>