Title: [96973] trunk
Revision
96973
Author
[email protected]
Date
2011-10-07 12:45:14 -0700 (Fri, 07 Oct 2011)

Log Message

Bug 69562 - AccessibilityImageMapLink holds onto its parent even after it's been freed
https://bugs.webkit.org/show_bug.cgi?id=69562

Source/WebCore: 

Some fake objects, like AXImageMapLink, have weak references to their parents (since they are fake objects and
need some connection to the parent). However, if the parent disappears before the child, then we're left with an
out-of-date reference to that parent.

The fix is to allow these elements to clear their parentage when the parent goes away.

Reviewed by Darin Adler.

Test: accessibility/image-map-update-parent-crash.html

* accessibility/AccessibilityMenuListOption.cpp:
(WebCore::AccessibilityMenuListOption::isVisible):
* accessibility/AccessibilityMenuListPopup.cpp:
(WebCore::AccessibilityMenuListPopup::isOffScreen):
(WebCore::AccessibilityMenuListPopup::isEnabled):
(WebCore::AccessibilityMenuListPopup::press):
(WebCore::AccessibilityMenuListPopup::addChildren):
(WebCore::AccessibilityMenuListPopup::childrenChanged):
* accessibility/AccessibilityMockObject.h:
(WebCore::AccessibilityMockObject::detachFromParent):
* accessibility/AccessibilityObject.cpp:
(WebCore::AccessibilityObject::clearChildren):
* accessibility/AccessibilityObject.h:
(WebCore::AccessibilityObject::detachFromParent):
* accessibility/AccessibilitySlider.cpp:
(WebCore::AccessibilitySliderThumb::elementRect):
* accessibility/AccessibilityTableColumn.cpp:
(WebCore::AccessibilityTableColumn::headerObjectForSection):

LayoutTests: 

Reviewed by Darin Adler.

* accessibility/image-map-update-parent-crash-expected.txt: Added.
* accessibility/image-map-update-parent-crash.html: Added.

Diff

Modified: trunk/LayoutTests/ChangeLog (96972 => 96973)


--- trunk/LayoutTests/ChangeLog	2011-10-07 19:32:32 UTC (rev 96972)
+++ trunk/LayoutTests/ChangeLog	2011-10-07 19:45:14 UTC (rev 96973)
@@ -1,3 +1,13 @@
+2011-10-07  Chris Fleizach  <[email protected]>
+
+        Bug 69562 - AccessibilityImageMapLink holds onto it's parent even after it's been freed
+        https://bugs.webkit.org/show_bug.cgi?id=69562
+
+        Reviewed by Darin Adler.
+
+        * accessibility/image-map-update-parent-crash-expected.txt: Added.
+        * accessibility/image-map-update-parent-crash.html: Added.
+
 2011-10-07  Ryosuke Niwa  <[email protected]>
 
         Chromium rebaseline. The test started to pass after r96873.

Added: trunk/LayoutTests/accessibility/image-map-update-parent-crash-expected.txt (0 => 96973)


--- trunk/LayoutTests/accessibility/image-map-update-parent-crash-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/accessibility/image-map-update-parent-crash-expected.txt	2011-10-07 19:45:14 UTC (rev 96973)
@@ -0,0 +1,6 @@
+This tests that an image map's hold on it's parent will be cleared if the parent goes away.
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+
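Review bot: the expected output announces "a series of "PASS" messages" but contains none, because the test itself never emits one; consider having the test report an explicit PASS after the second tree walk so a regression shows up as a text diff and not only as a crash. The first line also carries the "it's parent" typo.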

Added: trunk/LayoutTests/accessibility/image-map-update-parent-crash.html (0 => 96973)


--- trunk/LayoutTests/accessibility/image-map-update-parent-crash.html	                        (rev 0)
+++ trunk/LayoutTests/accessibility/image-map-update-parent-crash.html	2011-10-07 19:45:14 UTC (rev 96973)
@@ -0,0 +1,54 @@
+<html>
+<head>
+<link rel="stylesheet" href=""
+<script src=""
+
+<script>
+
+if (window.layoutTestController)
+  layoutTestController.waitUntilDone();
+
+function buildAccessibilityTree(accessibilityObject, indent) {
+    var count = accessibilityObject.childrenCount;
+    for (var i = 0; i < count; ++i) {
+         if (!buildAccessibilityTree(accessibilityObject.childAtIndex(i), indent + 1))
+            return false;
+    }
+
+    return true;
+}
+
+function runAXTest() {
+
+
+   description("This tests that an image map's hold on it's parent will be cleared if the parent goes away.");
+
+   // First access all children using AX
+   buildAccessibilityTree(accessibilityController.rootElement, 0);
+
+   var child = document.getElementById('img'); child.parentNode.removeChild(child);
+ 
+   // Now verify we haven't crashed.
+   buildAccessibilityTree(accessibilityController.rootElement, 0);
+
+   if (window.layoutTestController)
+       layoutTestController.notifyDone();
+}
+</script>
+
+</head>
+<body>
+
+<map name="map">
+<div id="o7"></div>
+<area id="o20" href=""
+
+<img id="img" usemap="" 
+
+<script>setTimeout("runAXTest();", 1);</script> 
+
+<p id="description"></p>
+<div id="console"></div>
+
+</body>
+</html>
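Review bot: in buildAccessibilityTree the `return false` path is dead, since nothing inside the loop ever produces false, and the `indent` parameter is never used; either reduce it to a plain recursive walk or make the return value meaningful and check it in runAXTest, which currently ignores it on both calls. Style nit: split `var child = document.getElementById('img'); child.parentNode.removeChild(child);` onto two lines, and "it's parent" in the description string should be "its parent".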

Modified: trunk/Source/WebCore/ChangeLog (96972 => 96973)


--- trunk/Source/WebCore/ChangeLog	2011-10-07 19:32:32 UTC (rev 96972)
+++ trunk/Source/WebCore/ChangeLog	2011-10-07 19:45:14 UTC (rev 96973)
@@ -1,3 +1,37 @@
+2011-10-07  Chris Fleizach  <[email protected]>
+
+        Bug 69562 - AccessibilityImageMapLink holds onto it's parent even after it's been freed
+        https://bugs.webkit.org/show_bug.cgi?id=69562
+
+        Some fake objects, like AXImageMapLink, have weak references to their parent's (since they are fake objects and
+        need some connection to the parent). However, if the parent disappears before the child, then we're left with a 
+        out of date reference to that parent.
+
+        The fix is to allow these elements to clear their parentage when the parent goes away.
+
+        Reviewed by Darin Adler.
+
+        Test: accessibility/image-map-update-parent-crash.html
+
+        * accessibility/AccessibilityMenuListOption.cpp:
+        (WebCore::AccessibilityMenuListOption::isVisible):
+        * accessibility/AccessibilityMenuListPopup.cpp:
+        (WebCore::AccessibilityMenuListPopup::isOffScreen):
+        (WebCore::AccessibilityMenuListPopup::isEnabled):
+        (WebCore::AccessibilityMenuListPopup::press):
+        (WebCore::AccessibilityMenuListPopup::addChildren):
+        (WebCore::AccessibilityMenuListPopup::childrenChanged):
+        * accessibility/AccessibilityMockObject.h:
+        (WebCore::AccessibilityMockObject::detachFromParent):
+        * accessibility/AccessibilityObject.cpp:
+        (WebCore::AccessibilityObject::clearChildren):
+        * accessibility/AccessibilityObject.h:
+        (WebCore::AccessibilityObject::detachFromParent):
+        * accessibility/AccessibilitySlider.cpp:
+        (WebCore::AccessibilitySliderThumb::elementRect):
+        * accessibility/AccessibilityTableColumn.cpp:
+        (WebCore::AccessibilityTableColumn::headerObjectForSection):
+
 2011-10-07  Andreas Kling  <[email protected]>
 
         Pack StyleRareNonInheritedData even harder on 64-bit.
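Review bot: the entry names AccessibilityImageMapLink as the object holding the stale parent pointer, yet no AccessibilityImageMapLink file appears in the diff; add a sentence saying how that class is covered (presumably through the AccessibilityMockObject::detachFromParent() override it inherits, if that is the case) and that the menu-list, slider-thumb and table-column null checks are defensive hardening of the same pattern, so a reader does not go looking for a missing file. Typos in the description: "it's parent", "their parent's", "a out of date".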

Modified: trunk/Source/WebCore/accessibility/AccessibilityMenuListOption.cpp (96972 => 96973)


--- trunk/Source/WebCore/accessibility/AccessibilityMenuListOption.cpp	2011-10-07 19:32:32 UTC (rev 96972)
+++ trunk/Source/WebCore/accessibility/AccessibilityMenuListOption.cpp	2011-10-07 19:45:14 UTC (rev 96973)
@@ -59,6 +59,9 @@
 
 bool AccessibilityMenuListOption::isVisible() const
 {
+    if (!m_parent)
+        return false;
+    
     // In a single-option select with the popup collapsed, only the selected
     // item is considered visible.
     return !m_parent->isOffScreen() || isSelected();
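Review bot: the added blank line carries trailing whitespace (`+    `). Returning false from isVisible() for a detached option is the right conservative answer and matches the comment below it.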

Modified: trunk/Source/WebCore/accessibility/AccessibilityMenuListPopup.cpp (96972 => 96973)


--- trunk/Source/WebCore/accessibility/AccessibilityMenuListPopup.cpp	2011-10-07 19:32:32 UTC (rev 96972)
+++ trunk/Source/WebCore/accessibility/AccessibilityMenuListPopup.cpp	2011-10-07 19:45:14 UTC (rev 96973)
@@ -48,11 +48,17 @@
 
 bool AccessibilityMenuListPopup::isOffScreen() const
 {
+    if (!m_parent)
+        return true;
+    
     return m_parent->isCollapsed();
 }
 
 bool AccessibilityMenuListPopup::isEnabled() const
 {
+    if (!m_parent)
+        return false;
+    
     return m_parent->isEnabled();
 }
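Review bot: both added blank lines have trailing whitespace. The detached-state answers (off screen = true, enabled = false) are sensible; please confirm that every other m_parent dereference in this file received the same guard, since a single missed accessor leaves the original crash reachable.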
 
@@ -72,12 +78,18 @@
 
 bool AccessibilityMenuListPopup::press() const
 {
+    if (!m_parent)
+        return false;
+    
     m_parent->press();
     return true;
 }
 
 void AccessibilityMenuListPopup::addChildren()
 {
+    if (!m_parent)
+        return;
+    
     Node* selectNode = m_parent->node();
     if (!selectNode)
         return;
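Review bot: press() now returns false when detached, whereas the unchanged path returns true unconditionally after calling m_parent->press(); callers that read false as "action unsupported" rather than "nothing to do" should be aware of the new contract, so a short comment on the early return would help. For addChildren(), check that returning before the rest of the function does not skip bookkeeping the caller expects (for example any flag that marks children as built). Trailing whitespace on the added blank lines again.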
@@ -102,8 +114,10 @@
     AXObjectCache* cache = axObjectCache();
     for (size_t i = m_children.size(); i > 0 ; --i) {
         AccessibilityObject* child = m_children[i - 1].get();
-        if (child->actionElement() && !child->actionElement()->attached())
+        if (child->actionElement() && !child->actionElement()->attached()) {
+            child->detachFromParent();
             cache->remove(child->axObjectID());
+        }
     }
     
     m_children.clear();
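Review bot: only children whose action element is no longer attached get detachFromParent() here; the remaining children are dropped by the unchanged `m_children.clear()` below while still pointing at this popup. That is safe because the popup itself is alive, but consider calling clearChildren() instead so the base-class loop detaches them uniformly, after checking that resetting m_haveChildren there is acceptable for this call site.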

Modified: trunk/Source/WebCore/accessibility/AccessibilityMockObject.h (96972 => 96973)


--- trunk/Source/WebCore/accessibility/AccessibilityMockObject.h	2011-10-07 19:32:32 UTC (rev 96972)
+++ trunk/Source/WebCore/accessibility/AccessibilityMockObject.h	2011-10-07 19:45:14 UTC (rev 96973)
@@ -41,7 +41,7 @@
     virtual void setParent(AccessibilityObject* parent) { m_parent = parent; };
     
     // Must be called when the parent object clears its children.
-    void detachFromParent() { m_parent = 0; }
+    virtual void detachFromParent() { m_parent = 0; }
     
 protected:
     AccessibilityObject* m_parent;
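Review bot: the comment above detachFromParent() still reads as a manual obligation ("Must be called when the parent object clears its children"); now that AccessibilityObject::clearChildren() invokes it on every child, reword it to say this overrides the base-class hook and is called from there. Pre-existing but adjacent: the stray `;` after the setParent() body on the context line above.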

Modified: trunk/Source/WebCore/accessibility/AccessibilityObject.cpp (96972 => 96973)


--- trunk/Source/WebCore/accessibility/AccessibilityObject.cpp	2011-10-07 19:32:32 UTC (rev 96972)
+++ trunk/Source/WebCore/accessibility/AccessibilityObject.cpp	2011-10-07 19:45:14 UTC (rev 96973)
@@ -1020,6 +1020,11 @@
 
 void AccessibilityObject::clearChildren()
 {
+    // Some objects have weak pointers to their parents and those associations need to be detached.
+    size_t length = m_children.size();
+    for (size_t i = 0; i < length; i++)
+        m_children[i]->detachFromParent();
+    
     m_children.clear();
     m_haveChildren = false;
 }
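Review bot: detaching each child before `m_children.clear()` drops the RefPtrs is the correct order, but the loop assumes every entry is non-null; if a null entry can never be in m_children, an ASSERT on the line would document that, otherwise guard the call. The added blank line has trailing whitespace.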

Modified: trunk/Source/WebCore/accessibility/AccessibilityObject.h (96972 => 96973)


--- trunk/Source/WebCore/accessibility/AccessibilityObject.h	2011-10-07 19:32:32 UTC (rev 96972)
+++ trunk/Source/WebCore/accessibility/AccessibilityObject.h	2011-10-07 19:45:14 UTC (rev 96973)
@@ -558,6 +558,7 @@
     virtual bool hasChildren() const { return m_haveChildren; }
     virtual void updateChildrenIfNecessary();
     virtual void clearChildren();
+    virtual void detachFromParent() { }
 
     virtual void selectedChildren(AccessibilityChildrenVector&) { }
     virtual void visibleChildren(AccessibilityChildrenVector&) { }
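Review bot: the new virtual needs a comment beside its declaration stating when it is called (from clearChildren(), on each child) and what an override must do (drop any raw back-pointer to the parent); the base body is empty and neither clearChildren() on the line above nor anything else here conveys that contract.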

Modified: trunk/Source/WebCore/accessibility/AccessibilitySlider.cpp (96972 => 96973)


--- trunk/Source/WebCore/accessibility/AccessibilitySlider.cpp	2011-10-07 19:32:32 UTC (rev 96972)
+++ trunk/Source/WebCore/accessibility/AccessibilitySlider.cpp	2011-10-07 19:45:14 UTC (rev 96973)
@@ -175,6 +175,9 @@
     
 LayoutRect AccessibilitySliderThumb::elementRect() const
 {
+    if (!m_parent)
+        return LayoutRect();
+    
     RenderObject* sliderRenderer = m_parent->renderer();
     if (!sliderRenderer || !sliderRenderer->isSlider())
         return LayoutRect();
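Review bot: returning an empty LayoutRect for a detached thumb is consistent with the existing `!sliderRenderer` path two lines below; the only nit is trailing whitespace on the added blank line. Check that any other AccessibilitySliderThumb method reading m_parent received the same guard.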

Modified: trunk/Source/WebCore/accessibility/AccessibilityTableColumn.cpp (96972 => 96973)


--- trunk/Source/WebCore/accessibility/AccessibilityTableColumn.cpp	2011-10-07 19:32:32 UTC (rev 96972)
+++ trunk/Source/WebCore/accessibility/AccessibilityTableColumn.cpp	2011-10-07 19:45:14 UTC (rev 96973)
@@ -161,7 +161,7 @@
     if (!cell)
         return 0;
 
-    return m_parent->axObjectCache()->getOrCreate(cell);
+    return axObjectCache()->getOrCreate(cell);
 }
     
 bool AccessibilityTableColumn::accessibilityIsIgnored() const
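Review bot: switching to this object's own axObjectCache() removes one m_parent dereference, but the lines above this hunk that compute `cell` are not shown; if they reach through m_parent, an early `if (!m_parent) return 0;` at the top of headerObjectForSection() is the complete fix and this tail-end change alone is not. Either way the ChangeLog should say why this particular line changed.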
_______________________________________________
webkit-changes mailing list
[email protected]
http://lists.webkit.org/mailman/listinfo.cgi/webkit-changes
