[Webkit-unassigned] [Bug 182280] New: AXObjectCache::childrenChanged shouldn't update layout or style during another style recalc

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Mon Jan 29 23:23:56 PST 2018


https://bugs.webkit.org/show_bug.cgi?id=182280

            Bug ID: 182280
           Summary: AXObjectCache::childrenChanged shouldn't update layout
                    or style during another style recalc
           Product: WebKit
           Version: WebKit Nightly Build
          Hardware: Unspecified
                OS: Unspecified
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: Accessibility
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: rniwa at webkit.org
                CC: webkit-bug-importer at group.apple.com

It's not safe or desirable to update layout or style while the render tree is being constructed.

Unfortunately, this currently happens with the following backtrace:

ASSERTION FAILED: !frame().document()->inRenderTreeUpdate()
/Volumes/Data/webkit2/Source/WebCore/page/LayoutContext.cpp(125) : void WebCore::LayoutContext::layout()
1   0x2b06af78d WTFCrash
2   0x2b06af7a9 WTFCrashWithSecurityImplication
3   0x2a2666ea3 WebCore::LayoutContext::layout()
4   0x2a1da8482 WebCore::Document::updateLayout()
5   0x2a1dadd2e WebCore::Document::updateLayoutIgnorePendingStylesheets(WebCore::Document::RunPostLayoutTasks)
6   0x2a1e5af04 WebCore::Element::innerText()
7   0x2a182c265 WebCore::accessibleNameForNode(WebCore::Node*, WebCore::Node*)
8   0x2a182f00f WebCore::AccessibilityNodeObject::accessibilityDescriptionForElements(WTF::Vector<WebCore::Element*, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>&) const
9   0x2a182f259 WebCore::AccessibilityNodeObject::ariaLabeledByAttribute() const
10  0x2a182a58f WebCore::AccessibilityNodeObject::ariaAccessibilityDescription() const
11  0x2a18442e4 WebCore::AccessibilityRenderObject::hasTextAlternative() const
12  0x2a184464b WebCore::AccessibilityRenderObject::exposesTitleUIElement() const
13  0x2a1844da0 WebCore::AccessibilityRenderObject::computeAccessibilityIsIgnored() const
14  0x2a183d4f5 WebCore::AccessibilityObject::accessibilityIsIgnored() const
15  0x2a17dd394 WebCore::AXObjectCache::getOrCreate(WebCore::RenderObject*)
16  0x2a17dbebd WebCore::AXObjectCache::getOrCreate(WebCore::Node*)
17  0x2a17dfcfa WebCore::AXObjectCache::handleLiveRegionCreated(WebCore::Node*)
18  0x2a17dfe4a WebCore::AXObjectCache::childrenChanged(WebCore::RenderObject*, WebCore::RenderObject*)
19  0x2a2d7dd85 WebCore::RenderElement::insertChildInternal(std::__1::unique_ptr<WebCore::RenderObject, WebCore::RenderObjectDeleter>, WebCore::RenderObject*)
20  0x2a314ddbd WebCore::RenderTreeBuilder::insertChildToRenderElement(WebCore::RenderElement&, std::__1::unique_ptr<WebCore::RenderObject, WebCore::RenderObjectDeleter>, WebCore::RenderObject*)
21  0x2a2d7cc7a WebCore::RenderElement::addChild(WebCore::RenderTreeBuilder&, std::__1::unique_ptr<WebCore::RenderObject, WebCore::RenderObjectDeleter>, WebCore::RenderObject*)
22  0x2a31501d2 WebCore::RenderTreeBuilder::Block::insertChildIgnoringContinuation(WebCore::RenderBlock&, std::__1::unique_ptr<WebCore::RenderObject, WebCore::RenderObjectDeleter>, WebCore::RenderObject*)
23  0x2a314e5f6 WebCore::RenderTreeBuilder::Block::insertChild(WebCore::RenderBlock&, std::__1::unique_ptr<WebCore::RenderObject, WebCore::RenderObjectDeleter>, WebCore::RenderObject*)
24  0x2a314e0e6 WebCore::RenderTreeBuilder::insertChildToRenderBlock(WebCore::RenderBlock&, std::__1::unique_ptr<WebCore::RenderObject, WebCore::RenderObjectDeleter>, WebCore::RenderObject*)
25  0x2a3155bc6 WebCore::RenderTreeBuilder::BlockFlow::insertChild(WebCore::RenderBlockFlow&, std::__1::unique_ptr<WebCore::RenderObject, WebCore::RenderObjectDeleter>, WebCore::RenderObject*)
26  0x2a3155606 WebCore::RenderTreeBuilder::insertChildToRenderBlockFlow(WebCore::RenderBlockFlow&, std::__1::unique_ptr<WebCore::RenderObject, WebCore::RenderObjectDeleter>, WebCore::RenderObject*)
27  0x2a2ca2266 WebCore::RenderBlockFlow::addChild(WebCore::RenderTreeBuilder&, std::__1::unique_ptr<WebCore::RenderObject, WebCore::RenderObjectDeleter>, WebCore::RenderObject*)
28  0x2a314c080 WebCore::RenderTreeBuilder::insertChild(WebCore::RenderElement&, std::__1::unique_ptr<WebCore::RenderObject, WebCore::RenderObjectDeleter>, WebCore::RenderObject*)
29  0x2a3155151 WebCore::RenderTreeBuilder::Inline::splitFlow(WebCore::RenderInline&, WebCore::RenderObject*, std::__1::unique_ptr<WebCore::RenderBlock, WebCore::RenderObjectDeleter>, std::__1::unique_ptr<WebCore::RenderObject, WebCore::RenderObjectDeleter>, WebCore::RenderBoxModelObject*)
30  0x2a315221d WebCore::RenderTreeBuilder::Inline::insertChildIgnoringContinuation(WebCore::RenderInline&, std::__1::unique_ptr<WebCore::RenderObject, WebCore::RenderObjectDeleter>, WebCore::RenderObject*)
31  0x2a3151895 WebCore::RenderTreeBuilder::Inline::insertChild(WebCore::RenderInline&, std::__1::unique_ptr<WebCore::RenderObject, WebCore::RenderObjectDeleter>, WebCore::RenderObject*)

-- 
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-unassigned/attachments/20180130/24e3df3a/attachment.html>


More information about the webkit-unassigned mailing list