Title: [233390] trunk
Revision
233390
Author
[email protected]
Date
2018-06-29 22:40:44 -0700 (Fri, 29 Jun 2018)

Log Message

Crash under WebCore::AXObjectCache::handleMenuItemSelected
https://bugs.webkit.org/show_bug.cgi?id=186918
<rdar://problem/41365984>

Reviewed by Chris Fleizach.

Source/WebCore:

When a node is being destroyed, we deregister it from the AX cache through the Node's destructor.
But we did not remove the corresponding entry from the m_deferredFocusedNodeChange list. It would
then lead to a crash if we try to access the deleted node from m_deferredFocusedNodeChange.
Fixed it by removing the entry if the newly focused node is being destroyed.

Test: accessibility/accessibility-crash-focused-element-change.html

* accessibility/AXObjectCache.cpp:
(WebCore::AXObjectCache::remove):

LayoutTests:

* accessibility/accessibility-crash-focused-element-change-expected.txt: Added.
* accessibility/accessibility-crash-focused-element-change.html: Added.
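The defect described in the log, as an added model that is not WebKit code: a deferred (old, new) focus-change list of raw node pointers, and a node-removal path that either does or does not purge its entries. `Node`, `FocusCache`, `deferFocusChange` and `danglingAfterFocusedNodeDestroyed` are hypothetical names; only the `entry.second == &node` predicate mirrors the patch.

```cpp
#include <algorithm>
#include <utility>
#include <vector>

// Added illustration, not WebKit code: a cut-down model of the defect fixed in
// r233390. Raw node pointers sit in a deferred (old, new) focus-change list, so a
// node's teardown must purge its entries or a later pass over the list touches
// freed memory. Node, FocusCache and the helper names are hypothetical.
struct Node { int id; bool alive = true; };

struct FocusCache {
    std::vector<std::pair<Node*, Node*>> deferredFocusedNodeChange; // (old, new)
    bool purgeOnRemove; // false reproduces the pre-fix behaviour
    explicit FocusCache(bool purge) : purgeOnRemove(purge) {}
    void deferFocusChange(Node* oldNode, Node* newNode) {
        deferredFocusedNodeChange.emplace_back(oldNode, newNode);
    }

    // Mirrors AXObjectCache::remove(Node&), reached from the node's destructor:
    // same predicate as the patch's removeAllMatching, dropping entries whose
    // newly focused node is the one being destroyed.
    void remove(Node& node) {
        if (!purgeOnRemove)
            return;
        auto& list = deferredFocusedNodeChange;
        list.erase(std::remove_if(list.begin(), list.end(),
                       [&node](const auto& entry) { return entry.second == &node; }),
                   list.end());
    }

    // Entries still naming a destroyed node; each is a use-after-free in waiting.
    int danglingEntries() const {
        int n = 0;
        for (const auto& entry : deferredFocusedNodeChange)
            if (entry.second && !entry.second->alive) ++n;
        return n;
    }
};

// Focus moves select -> button, then the button is destroyed while the change
// is still deferred (the cache is notified, then the node is marked dead).
int danglingAfterFocusedNodeDestroyed(bool purge) {
    FocusCache cache(purge);
    Node select{7}, button{13};
    cache.deferFocusChange(&select, &button);
    cache.remove(button);
    button.alive = false;
    return cache.danglingEntries(); // 1 without the fix, 0 with it
}
```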

Diff

Modified: trunk/LayoutTests/ChangeLog (233389 => 233390)


--- trunk/LayoutTests/ChangeLog	2018-06-30 03:02:24 UTC (rev 233389)
+++ trunk/LayoutTests/ChangeLog	2018-06-30 05:40:44 UTC (rev 233390)
@@ -1,3 +1,14 @@
+2018-06-29  Nan Wang  <[email protected]>
+
+        Crash under WebCore::AXObjectCache::handleMenuItemSelected
+        https://bugs.webkit.org/show_bug.cgi?id=186918
+        <rdar://problem/41365984>
+
+        Reviewed by Chris Fleizach.
+
+        * accessibility/accessibility-crash-focused-element-change-expected.txt: Added.
+        * accessibility/accessibility-crash-focused-element-change.html: Added.
+
 2018-06-29  Antti Koivisto  <[email protected]>
 
         REGRESSION (r232806): Facebook login fields have blue fill background instead of white
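Review bot: the LayoutTests ChangeLog entry only lists the two added files; a one-line description of what the test exercises (focus moving off a select that removes itself on blur, followed by forced garbage collection) would help whoever later bisects or triages a failure of this test.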

Added: trunk/LayoutTests/accessibility/accessibility-crash-focused-element-change-expected.txt (0 => 233390)


--- trunk/LayoutTests/accessibility/accessibility-crash-focused-element-change-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/accessibility/accessibility-crash-focused-element-change-expected.txt	2018-06-30 05:40:44 UTC (rev 233390)
@@ -0,0 +1 @@
+PASS if no crash.  
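Review bot: the single expected line "PASS if no crash." carries trailing spaces; confirm that this matches the dumpAsText output byte for byte, otherwise the test fails on a whitespace mismatch rather than on the crash it is meant to catch.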

Added: trunk/LayoutTests/accessibility/accessibility-crash-focused-element-change.html (0 => 233390)


--- trunk/LayoutTests/accessibility/accessibility-crash-focused-element-change.html	                        (rev 0)
+++ trunk/LayoutTests/accessibility/accessibility-crash-focused-element-change.html	2018-06-30 05:40:44 UTC (rev 233390)
@@ -0,0 +1,32 @@
+<!DOCTYPE HTML>
+
+<body _onload_=jsfuzzer()>
+PASS if no crash.
+<script>
+
+if (window.accessibilityController) {
+    var button = accessibilityController.focusedElement;
+}
+
+if (window.testRunner) {
+    testRunner.dumpAsText();
+}
+
+function jsfuzzer() {
+    var a;
+     //trigger garbage collector
+    for(var i=0; i<100; i++) {
+        a = new Uint8Array(1024*1024);
+    }
+    document.implementation.createHTMLDocument("doc");
+}
+
+function eventhandler() {
+    try { htmlvar00007.remove(); } catch(e) { }
+}
+</script>
+
+<select id="htmlvar00007" _onblur_="eventhandler()" autofocus="autofocus" min="1" align="Right">
+</select>
+<button id="htmlvar00013" autofocus="autofocus" formmethod="post" formnovalidate="formnovalidate" formmethod="post" formtarget="htmlvar00004" inner="1" valign="middle"></button>
+</body>
\ No newline at end of file
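Review bot: the event attributes appear as `_onload_=jsfuzzer()` on the body and `_onblur_="eventhandler()"` on the select; if those underscores are really in the committed file (rather than an artefact of the mailing-list rendering), neither handler fires, the select is never removed during the deferred focus change, and the test cannot reproduce the crash. They should read `onload` and `onblur`. Also, the file has no trailing newline, and `button` assigned from `accessibilityController.focusedElement` is never used; a short comment that the read exists only to force creation of the AX object would make the intent clear.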

Modified: trunk/Source/WebCore/ChangeLog (233389 => 233390)


--- trunk/Source/WebCore/ChangeLog	2018-06-30 03:02:24 UTC (rev 233389)
+++ trunk/Source/WebCore/ChangeLog	2018-06-30 05:40:44 UTC (rev 233390)
@@ -1,3 +1,21 @@
+2018-06-29  Nan Wang  <[email protected]>
+
+        Crash under WebCore::AXObjectCache::handleMenuItemSelected
+        https://bugs.webkit.org/show_bug.cgi?id=186918
+        <rdar://problem/41365984>
+
+        Reviewed by Chris Fleizach.
+
+        When a node is being destroyed, we deregister it from the AX cache through the Node's destructor.
+        But we did not remove the corresponding entry from the m_deferredFocusedNodeChange list. It would
+        then lead to a crash if we try to access the deleted node from m_deferredFocusedNodeChange.
+        Fixed it by removing the entry if the newly focused node is being destroyed.
+
+        Test: accessibility/accessibility-crash-focused-element-change.html
+
+        * accessibility/AXObjectCache.cpp:
+        (WebCore::AXObjectCache::remove):
+
 2018-06-29  Antti Koivisto  <[email protected]>
 
         REGRESSION (r232806): Facebook login fields have blue fill background instead of white
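Review bot: the description says the entry is removed when the newly focused node is being destroyed; it should also state what happens when the previously focused node (the other half of the deferred pair) is destroyed instead, and why that case is safe, so a reader of the log does not assume both ends of the pair are covered by this change.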

Modified: trunk/Source/WebCore/accessibility/AXObjectCache.cpp (233389 => 233390)


--- trunk/Source/WebCore/accessibility/AXObjectCache.cpp	2018-06-30 03:02:24 UTC (rev 233389)
+++ trunk/Source/WebCore/accessibility/AXObjectCache.cpp	2018-06-30 05:40:44 UTC (rev 233390)
@@ -741,6 +741,10 @@
         m_deferredAttributeChange.remove(downcast<Element>(&node));
     }
     m_deferredTextChangedList.remove(&node);
+    // Remove the entry if the new focused node is being removed.
+    m_deferredFocusedNodeChange.removeAllMatching([&node](auto& entry) -> bool {
+        return entry.second == &node;
+    });
     removeNodeForUse(node);
 
     remove(m_nodeObjectMapping.take(&node));
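Review bot: the predicate only checks `entry.second == &node`; if the first element of each entry is also a raw Node pointer (the previously focused node), destroying that node leaves a dangling pointer in m_deferredFocusedNodeChange. Unless the first element is known never to be dereferenced during the deferred pass, match both ends: `return entry.first == &node || entry.second == &node;`. Minor: the comment's "the new focused node" reads better as "the newly focused node".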
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes