Title: [140340] trunk
Revision: 140340
Author: [email protected]
Date: 2013-01-21 08:57:38 -0800 (Mon, 21 Jan 2013)

Log Message

Crash in AccessibilityTableCell::parentTable()
https://bugs.webkit.org/show_bug.cgi?id=107261

Patch by Joanmarie Diggs <[email protected]> on 2013-01-21
Reviewed by Chris Fleizach.

Source/WebCore:

Test: accessibility/table-destroyed-crash.html

Getting the parent table in order to get the role value should not be
done when objects are being destroyed. Also, it does not seem safe to
assume we have an AXObjectCache.

Moving the logic from roleValue() to determineAccessibilityRole() has
the side effect of not being able to verify the cell is in an AXTable
when that AXTable has not yet been created. Therefore isTableCell()
should look to see if it is the descendant of an AXRow.

* accessibility/AccessibilityTableCell.cpp:
(WebCore::AccessibilityTableCell::parentTable):
(WebCore::AccessibilityTableCell::isTableCell):
(WebCore::AccessibilityTableCell::determineAccessibilityRole):
* accessibility/AccessibilityTableCell.h:
(AccessibilityTableCell):

LayoutTests:

Getting the parent table in order to get the role value should not be
done when objects are being destroyed. Also, it does not seem safe to
assume we have an AXObjectCache.

* accessibility/table-destroyed-crash-expected.txt: Added.
* accessibility/table-destroyed-crash.html: Added.

Diff

Modified: trunk/LayoutTests/ChangeLog (140339 => 140340)


--- trunk/LayoutTests/ChangeLog	2013-01-21 16:39:34 UTC (rev 140339)
+++ trunk/LayoutTests/ChangeLog	2013-01-21 16:57:38 UTC (rev 140340)
@@ -1,3 +1,17 @@
+2013-01-21  Joanmarie Diggs  <[email protected]>
+
+        Crash in AccessibilityTableCell::parentTable()
+        https://bugs.webkit.org/show_bug.cgi?id=107261
+
+        Reviewed by Chris Fleizach.
+
+        Getting the parent table in order to get the role value should not be
+        done when objects are being destroyed. Also, it does not seem safe to
+        assume we have an AXObjectCache.
+
+        * accessibility/table-destroyed-crash-expected.txt: Added.
+        * accessibility/table-destroyed-crash.html: Added.
+
 2013-01-21  Ádám Kallai  <[email protected]>
 
         [Qt] Unreviewed gardening. Skip failing test.

Added: trunk/LayoutTests/accessibility/table-destroyed-crash-expected.txt (0 => 140340)


--- trunk/LayoutTests/accessibility/table-destroyed-crash-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/accessibility/table-destroyed-crash-expected.txt	2013-01-21 16:57:38 UTC (rev 140340)
@@ -0,0 +1,9 @@
+This tests that we do not crash when a table is destroyed.
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+PASS successfullyParsed is true
+
+TEST COMPLETE
+

Added: trunk/LayoutTests/accessibility/table-destroyed-crash.html (0 => 140340)


--- trunk/LayoutTests/accessibility/table-destroyed-crash.html	                        (rev 0)
+++ trunk/LayoutTests/accessibility/table-destroyed-crash.html	2013-01-21 16:57:38 UTC (rev 140340)
@@ -0,0 +1,36 @@
+<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML//EN">
+<html>
+<head>
+<script>
+    function createAXObjects(accessibilityObject) {
+        var count = accessibilityObject.childrenCount;
+        for (var i = 0; i < count; ++i)
+            createAXObjects(accessibilityObject.childAtIndex(i));
+    }
+</script>
+<script src=""
+</head>
+<body id="body">
+<table id="table">
+  <tr id="row"><td id="cell">foo</td></tr>
+  <tr><td>bar</td></tr>
+</table>
+<script>
+
+    description("This tests that we do not crash when a table is destroyed.");
+
+    if (window.accessibilityController) {
+        document.body.focus();
+        var body = accessibilityController.focusedElement;
+        createAXObjects(body);
+    }
+
+    var element = document.getElementById("table");
+    element.parentNode.removeChild(element);
+
+</script>
+
+<script src=""
+</body>
+</html>
+
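Review bot: In the second inline script, when window.accessibilityController is undefined the createAXObjects(body) call is skipped, so the test only removes the table and still reports "PASS successfullyParsed is true" without ever building the accessibility objects whose destruction this change is about. Log that case explicitly, for example with a debug() line in an else branch, so a run without the controller is not read as coverage. The ids "row" and "cell" are never referenced; either drop them or use them to check the cell before the table is removed, so the test asserts something beyond successful parsing.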

Modified: trunk/Source/WebCore/ChangeLog (140339 => 140340)


--- trunk/Source/WebCore/ChangeLog	2013-01-21 16:39:34 UTC (rev 140339)
+++ trunk/Source/WebCore/ChangeLog	2013-01-21 16:57:38 UTC (rev 140340)
@@ -1,3 +1,28 @@
+2013-01-21  Joanmarie Diggs  <[email protected]>
+
+        Crash in AccessibilityTableCell::parentTable()
+        https://bugs.webkit.org/show_bug.cgi?id=107261
+
+        Reviewed by Chris Fleizach.
+
+        Test: accessibility/table-destroyed-crash.html
+
+        Getting the parent table in order to get the role value should not be
+        done when objects are being destroyed. Also, it does not seem safe to
+        assume we have an AXObjectCache.
+
+        Moving the logic from roleValue() to determineAccessibilityRole() has
+        the side effect of not being able to verify the cell is in an AXTable
+        when that AXTable has not yet been created. Therefore isTableCell()
+        should look to see if it is the descendant of an AXRow.
+
+        * accessibility/AccessibilityTableCell.cpp:
+        (WebCore::AccessibilityTableCell::parentTable):
+        (WebCore::AccessibilityTableCell::isTableCell):
+        (WebCore::AccessibilityTableCell::determineAccessibilityRole):
+        * accessibility/AccessibilityTableCell.h:
+        (AccessibilityTableCell):
+
 2013-01-21  Halton Huo  <[email protected]>
 
         [GTK] Volume button should not be shown for videos without audio

Modified: trunk/Source/WebCore/accessibility/AccessibilityTableCell.cpp (140339 => 140340)


--- trunk/Source/WebCore/accessibility/AccessibilityTableCell.cpp	2013-01-21 16:39:34 UTC (rev 140339)
+++ trunk/Source/WebCore/accessibility/AccessibilityTableCell.cpp	2013-01-21 16:57:38 UTC (rev 140340)
@@ -74,6 +74,10 @@
 {
     if (!m_renderer || !m_renderer->isTableCell())
         return 0;
+
+    // If the document no longer exists, we might not have an axObjectCache.
+    if (!axObjectCache())
+        return 0;
     
     // Do not use getOrCreate. parentTable() can be called while the render tree is being modified 
     // by _javascript_, and creating a table element may try to access the render tree while in a bad state.
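Review bot: The new guard calls axObjectCache() only to test it for null, and the "Do not use getOrCreate" comment that follows indicates a cache lookup comes next. If that lookup calls axObjectCache() again, fetch the pointer once into a local, null-check it, and reuse it, so the check and the use cannot disagree. The comment names only the "document no longer exists" case, while the log message describes the trigger as objects being destroyed; the comment should say that this path is reached during teardown.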
@@ -85,17 +89,17 @@
     
 bool AccessibilityTableCell::isTableCell() const
 {
-    AccessibilityObject* table = parentTable();
-    if (!table || !table->isAccessibilityTable())
+    AccessibilityObject* parent = parentObjectUnignored();
+    if (!parent || !parent->isTableRow())
         return false;
     
     return true;
 }
     
-AccessibilityRole AccessibilityTableCell::roleValue() const
+AccessibilityRole AccessibilityTableCell::determineAccessibilityRole()
 {
     if (!isTableCell())
-        return AccessibilityRenderObject::roleValue();
+        return AccessibilityRenderObject::determineAccessibilityRole();
     
     return CellRole;
 }
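Review bot: isTableCell() now depends on parentObjectUnignored() returning a row, which changes the answer in two cases that should be confirmed. A cell whose row is ignored will see the next unignored ancestor instead and return false. A cell inside a table that is not exposed as an accessibility table is no longer rejected by the removed "!table->isAccessibilityTable()" test, unless isTableRow() already accounts for that. Add layout-test coverage for both cases, since the only new test here checks for a crash and not for the resulting role. With the decision moved from roleValue() to determineAccessibilityRole(), also confirm the role is recomputed if the cell's ancestry changes after it was first determined. As a style point, the body reduces to "return parent && parent->isTableRow();".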

Modified: trunk/Source/WebCore/accessibility/AccessibilityTableCell.h (140339 => 140340)


--- trunk/Source/WebCore/accessibility/AccessibilityTableCell.h	2013-01-21 16:39:34 UTC (rev 140339)
+++ trunk/Source/WebCore/accessibility/AccessibilityTableCell.h	2013-01-21 16:57:38 UTC (rev 140340)
@@ -42,7 +42,6 @@
     virtual ~AccessibilityTableCell();
     
     virtual bool isTableCell() const;
-    virtual AccessibilityRole roleValue() const;
     
     virtual bool accessibilityIsIgnored() const;
 
@@ -54,6 +53,7 @@
 protected:
     virtual AccessibilityObject* parentTable() const;
     int m_rowIndex;
+    virtual AccessibilityRole determineAccessibilityRole();
 
 private:
     // If a table cell is not exposed as a table cell, a TH element can serve as its title UI element.
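Review bot: The determineAccessibilityRole() declaration is added after the data member m_rowIndex in the protected section, which splits the virtual methods from each other. Move it directly under "virtual AccessibilityObject* parentTable() const;" so methods stay grouped ahead of member data.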