[webkit-changes] [201417] trunk/Source/WebCore

Thu, 26 May 2016 00:54:57 -0700

Title: [201417] trunk/Source/WebCore
Revision
201417
Author
[email protected]
Date
2016-05-26 00:54:41 -0700 (Thu, 26 May 2016)

Log Message

AX: crash at AccessibilityRenderObject::remoteSVGRootElement const
https://bugs.webkit.org/show_bug.cgi?id=158098

Reviewed by Joanmarie Diggs.

What looks like happens here is that when a document is torn down and we try to detach, we end up creating an accessibility element during detachment phase.
So instead of just clearing the callback pointer on an existing AXObject, we make a new object and access properties of an object being deallocated.

I tried very hard to make a test but it looks like this can really only be triggered during document tear down which also tears down the AXObjectCache. I didn't
have luck reproducing because of that.

* accessibility/AccessibilityRenderObject.cpp:
(WebCore::AccessibilityRenderObject::remoteSVGElementHitTest):
(WebCore::AccessibilityRenderObject::isSVGImage):
(WebCore::AccessibilityRenderObject::detachRemoteSVGRoot):
(WebCore::AccessibilityRenderObject::remoteSVGRootElement):
(WebCore::AccessibilityRenderObject::addRemoteSVGChildren):
* accessibility/AccessibilityRenderObject.h:

Modified Paths

Diff

Modified: trunk/Source/WebCore/ChangeLog (201416 => 201417)


--- trunk/Source/WebCore/ChangeLog	2016-05-26 06:50:26 UTC (rev 201416)
+++ trunk/Source/WebCore/ChangeLog	2016-05-26 07:54:41 UTC (rev 201417)
@@ -1,3 +1,24 @@
+2016-05-26  Chris Fleizach  <[email protected]>
+
+        AX: crash at AccessibilityRenderObject::remoteSVGRootElement const
+        https://bugs.webkit.org/show_bug.cgi?id=158098
+
+        Reviewed by Joanmarie Diggs.
+
+        What looks like happens here is that when a document is torn down and we try to detach, we end up creating an accessibility element during detachment phase.
+        So instead of just clearing the callback pointer on an existing AXObject, we make a new object and access properties of an object being deallocated.
+
+        I tried very hard to make a test but it looks like this can really only be triggered during document tear down which also tears down the AXObjectCache. I didn't
+        have luck reproducing because of that.
+
+        * accessibility/AccessibilityRenderObject.cpp:
+        (WebCore::AccessibilityRenderObject::remoteSVGElementHitTest):
+        (WebCore::AccessibilityRenderObject::isSVGImage):
+        (WebCore::AccessibilityRenderObject::detachRemoteSVGRoot):
+        (WebCore::AccessibilityRenderObject::remoteSVGRootElement):
+        (WebCore::AccessibilityRenderObject::addRemoteSVGChildren):
+        * accessibility/AccessibilityRenderObject.h:
+
 2016-05-25  Antti Koivisto  <[email protected]>
 
         Invalidate style for newly added nodes in Node::insertedInto

Modified: trunk/Source/WebCore/accessibility/AccessibilityRenderObject.cpp (201416 => 201417)


--- trunk/Source/WebCore/accessibility/AccessibilityRenderObject.cpp	2016-05-26 06:50:26 UTC (rev 201416)
+++ trunk/Source/WebCore/accessibility/AccessibilityRenderObject.cpp	2016-05-26 07:54:41 UTC (rev 201417)
@@ -2255,7 +2255,7 @@
 
 AccessibilityObject* AccessibilityRenderObject::remoteSVGElementHitTest(const IntPoint& point) const
 {
-    AccessibilityObject* remote = remoteSVGRootElement();
+    AccessibilityObject* remote = remoteSVGRootElement(Create);
     if (!remote)
         return nullptr;
     
@@ -2968,16 +2968,16 @@
     
 bool AccessibilityRenderObject::isSVGImage() const
 {
-    return remoteSVGRootElement();
+    return remoteSVGRootElement(Create);
 }
     
 void AccessibilityRenderObject::detachRemoteSVGRoot()
 {
-    if (AccessibilitySVGRoot* root = remoteSVGRootElement())
+    if (AccessibilitySVGRoot* root = remoteSVGRootElement(Retrieve))
         root->setParent(nullptr);
 }
 
-AccessibilitySVGRoot* AccessibilityRenderObject::remoteSVGRootElement() const
+AccessibilitySVGRoot* AccessibilityRenderObject::remoteSVGRootElement(CreationChoice createIfNecessary) const
 {
     if (!is<RenderImage>(m_renderer))
         return nullptr;
@@ -3009,11 +3009,11 @@
     AXObjectCache* cache = frame.document()->axObjectCache();
     if (!cache)
         return nullptr;
-    AccessibilityObject* rootSVGObject = cache->getOrCreate(rendererRoot);
+    AccessibilityObject* rootSVGObject = createIfNecessary == Create ? cache->getOrCreate(rendererRoot) : cache->get(rendererRoot);
 
     // In order to connect the AX hierarchy from the SVG root element from the loaded resource
     // the parent must be set, because there's no other way to get back to who created the image.
-    ASSERT(rootSVGObject);
+    ASSERT(!createIfNecessary || rootSVGObject);
     if (!is<AccessibilitySVGRoot>(*rootSVGObject))
         return nullptr;
     
@@ -3022,7 +3022,7 @@
     
 void AccessibilityRenderObject::addRemoteSVGChildren()
 {
-    AccessibilitySVGRoot* root = remoteSVGRootElement();
+    AccessibilitySVGRoot* root = remoteSVGRootElement(Create);
     if (!root)
         return;

Modified: trunk/Source/WebCore/accessibility/AccessibilityRenderObject.h (201416 => 201417)


--- trunk/Source/WebCore/accessibility/AccessibilityRenderObject.h	2016-05-26 06:50:26 UTC (rev 201416)
+++ trunk/Source/WebCore/accessibility/AccessibilityRenderObject.h	2016-05-26 07:54:41 UTC (rev 201417)
@@ -245,7 +245,8 @@
     
     bool isSVGImage() const;
     void detachRemoteSVGRoot();
-    AccessibilitySVGRoot* remoteSVGRootElement() const;
+    enum CreationChoice { Create, Retrieve };
+    AccessibilitySVGRoot* remoteSVGRootElement(CreationChoice createIfNecessary) const;
     AccessibilityObject* remoteSVGElementHitTest(const IntPoint&) const;
     void offsetBoundingBoxForRemoteSVGElement(LayoutRect&) const;
     bool supportsPath() const override;

_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes

Reply via email to