Diff
Modified: trunk/LayoutTests/ChangeLog (140657 => 140658)
--- trunk/LayoutTests/ChangeLog 2013-01-24 07:42:07 UTC (rev 140657)
+++ trunk/LayoutTests/ChangeLog 2013-01-24 08:16:00 UTC (rev 140658)
@@ -1,3 +1,17 @@
+2013-01-24 Dominic Mazzoni <[email protected]>
+
+ AX: should init an AXObject only after AXObjectCache has added it
+ https://bugs.webkit.org/show_bug.cgi?id=107533
+
+ Reviewed by Chris Fleizach.
+
+ Adds a new test that demonstrates a crash if an AXObject
+ initializes itself before the AXObjectCache has added it to
+ the cache.
+
+ * accessibility/duplicate-axrenderobject-crash-expected.txt: Added.
+ * accessibility/duplicate-axrenderobject-crash.html: Added.
+
2013-01-23 Kentaro Hara <[email protected]>
Implement MouseEvent constructor
Added: trunk/LayoutTests/accessibility/duplicate-axrenderobject-crash-expected.txt (0 => 140658)
--- trunk/LayoutTests/accessibility/duplicate-axrenderobject-crash-expected.txt (rev 0)
+++ trunk/LayoutTests/accessibility/duplicate-axrenderobject-crash-expected.txt 2013-01-24 08:16:00 UTC (rev 140658)
@@ -0,0 +1,7 @@
+PASS successfullyParsed is true
+
+TEST COMPLETE
+
+Ensures that it's not possible to have two AXRenderObjects that point to the same renderer, if the initialization of an AXRenderObject results in another object with the same renderer being created before AXObjectCache has added that mapping to its hash.
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
Added: trunk/LayoutTests/accessibility/duplicate-axrenderobject-crash.html (0 => 140658)
--- trunk/LayoutTests/accessibility/duplicate-axrenderobject-crash.html (rev 0)
+++ trunk/LayoutTests/accessibility/duplicate-axrenderobject-crash.html 2013-01-24 08:16:00 UTC (rev 140658)
@@ -0,0 +1,28 @@
+<!doctype html>
+<html>
+<head>
+<link rel="stylesheet" href=""
+<script src=""
+</head>
+<body>
+
+<label>
+ <summary>
+ <ul style="display: table-header-group">
+ <keygen></keygen>
+ </ul>
+ </summary>
+</label>
+
+<p id="description"></p>
+
+<script>
+ description("Ensures that it's not possible to have two AXRenderObjects that point to the same renderer, if the initialization of an AXRenderObject results in another object with the same renderer being created before AXObjectCache has added that mapping to its hash.");
+ if (window.accessibilityController)
+ accessibilityController.accessibleElementById("dummy");
+</script>
+
+<script src=""
+
+</body>
+</html>
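Review bot: The call `accessibilityController.accessibleElementById("dummy")` looks up an id that no element in this document carries, and nothing in the file explains why. The lookup appears to exist only to force the accessibility tree to be built over the label/summary/ul/keygen structure, with the test passing simply by not crashing. A short comment above the call would keep a later cleanup from "fixing" the id, for example `// No element has id "dummy"; the lookup only forces the accessibility tree to be created.`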
Modified: trunk/Source/WebCore/ChangeLog (140657 => 140658)
--- trunk/Source/WebCore/ChangeLog 2013-01-24 07:42:07 UTC (rev 140657)
+++ trunk/Source/WebCore/ChangeLog 2013-01-24 08:16:00 UTC (rev 140658)
@@ -1,3 +1,59 @@
+2013-01-24 Dominic Mazzoni <[email protected]>
+
+ AX: should init an AXObject only after AXObjectCache has added it
+ https://bugs.webkit.org/show_bug.cgi?id=107533
+
+ Reviewed by Chris Fleizach.
+
+ Initialize each AXObject after the AXObjectCache has
+ finished adding it to its hash maps, so that it's
+ impossible for initialization of an AXObject to result in
+ exploring the tree and creating another AXObject instance
+ that points to the same renderer / node.
+
+ Test: accessibility/duplicate-axrenderobject-crash.html
+
+ * accessibility/AXObjectCache.cpp:
+ (WebCore::AXObjectCache::getOrCreate):
+ * accessibility/AccessibilityARIAGrid.cpp:
+ (WebCore::AccessibilityARIAGrid::create):
+ * accessibility/AccessibilityARIAGridCell.cpp:
+ (WebCore::AccessibilityARIAGridCell::create):
+ * accessibility/AccessibilityARIAGridRow.cpp:
+ (WebCore::AccessibilityARIAGridRow::create):
+ * accessibility/AccessibilityList.cpp:
+ (WebCore::AccessibilityList::create):
+ * accessibility/AccessibilityListBox.cpp:
+ (WebCore::AccessibilityListBox::create):
+ * accessibility/AccessibilityMediaControls.cpp:
+ (WebCore::AccessibilityMediaControl::create):
+ (WebCore::AccessibilityMediaControlsContainer::create):
+ (WebCore::AccessibilityMediaTimeline::create):
+ (WebCore::AccessibilityMediaTimeDisplay::create):
+ * accessibility/AccessibilityMenuList.cpp:
+ (WebCore::AccessibilityMenuList::create):
+ * accessibility/AccessibilityNodeObject.cpp:
+ (WebCore::AccessibilityNodeObject::create):
+ * accessibility/AccessibilityObject.h:
+ (WebCore::AccessibilityObject::init):
+ (AccessibilityObject):
+ * accessibility/AccessibilityProgressIndicator.cpp:
+ (WebCore::AccessibilityProgressIndicator::create):
+ * accessibility/AccessibilityRenderObject.cpp:
+ (WebCore::AccessibilityRenderObject::create):
+ (WebCore::AccessibilityRenderObject::accessibilityIsIgnored):
+ assert that the object has been initialized
+ * accessibility/AccessibilitySVGRoot.cpp:
+ (WebCore::AccessibilitySVGRoot::create):
+ * accessibility/AccessibilitySlider.cpp:
+ (WebCore::AccessibilitySlider::create):
+ * accessibility/AccessibilityTable.cpp:
+ (WebCore::AccessibilityTable::create):
+ * accessibility/AccessibilityTableCell.cpp:
+ (WebCore::AccessibilityTableCell::create):
+ * accessibility/AccessibilityTableRow.cpp:
+ (WebCore::AccessibilityTableRow::create):
+
2013-01-23 Kentaro Hara <[email protected]>
Implement MouseEvent constructor
Modified: trunk/Source/WebCore/accessibility/AXObjectCache.cpp (140657 => 140658)
--- trunk/Source/WebCore/accessibility/AXObjectCache.cpp 2013-01-24 07:42:07 UTC (rev 140657)
+++ trunk/Source/WebCore/accessibility/AXObjectCache.cpp 2013-01-24 08:16:00 UTC (rev 140658)
@@ -314,6 +314,7 @@
m_widgetObjectMapping.set(widget, newObj->axObjectID());
m_objects.set(newObj->axObjectID(), newObj);
attachWrapper(newObj.get());
+ newObj->init();
return newObj.get();
}
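Review bot: `attachWrapper(newObj.get())` now runs before `newObj->init()`, so the platform wrapper is attached to an object that has not been initialized. Before this change every `create()` factory called `init()` itself, so the wrapper always saw an initialized object. The same order appears in the hunks at lines 349, 373 and 440. Only the cache insertion has to precede `init()`, so unless every port's `attachWrapper` is known not to query the object (its implementations are not visible here), consider `m_objects.set(newObj->axObjectID(), newObj); newObj->init(); attachWrapper(newObj.get());`. The enclosing functions start outside these hunks.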
@@ -349,6 +350,7 @@
m_objects.set(newObj->axObjectID(), newObj);
attachWrapper(newObj.get());
+ newObj->init();
newObj->setCachedIsIgnoredValue(newObj->accessibilityIsIgnored());
return newObj.get();
@@ -373,6 +375,7 @@
m_objects.set(newObj->axObjectID(), newObj);
attachWrapper(newObj.get());
+ newObj->init();
newObj->setCachedIsIgnoredValue(newObj->accessibilityIsIgnored());
return newObj.get();
@@ -440,6 +443,7 @@
m_objects.set(obj->axObjectID(), obj);
attachWrapper(obj.get());
+ obj->init();
return obj.get();
}
Modified: trunk/Source/WebCore/accessibility/AccessibilityARIAGrid.cpp (140657 => 140658)
--- trunk/Source/WebCore/accessibility/AccessibilityARIAGrid.cpp 2013-01-24 07:42:07 UTC (rev 140657)
+++ trunk/Source/WebCore/accessibility/AccessibilityARIAGrid.cpp 2013-01-24 08:16:00 UTC (rev 140658)
@@ -61,9 +61,7 @@
PassRefPtr<AccessibilityARIAGrid> AccessibilityARIAGrid::create(RenderObject* renderer)
{
- AccessibilityARIAGrid* obj = new AccessibilityARIAGrid(renderer);
- obj->init();
- return adoptRef(obj);
+ return adoptRef(new AccessibilityARIAGrid(renderer));
}
bool AccessibilityARIAGrid::addTableCellChild(AccessibilityObject* child, HashSet<AccessibilityObject*>& appendedRows, unsigned& columnCount)
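Review bot: `create()` now returns an object on which `init()` has not run, and nothing at the factory says so. The ordering contract is written down only in AccessibilityObject.h, and the new asserts are compiled in only under `#ifndef NDEBUG`, so a caller that uses a factory directly instead of going through AXObjectCache gets an uninitialized object without any release-build check. A comment above the factory would make this visible, such as `// The caller must add the object to AXObjectCache and then call init().` The same applies to every other `create()` changed in this commit (ARIAGridCell, ARIAGridRow, List, ListBox, the media controls, MenuList, NodeObject, ProgressIndicator, RenderObject, SVGRoot, Slider, Table, TableCell, TableRow).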
Modified: trunk/Source/WebCore/accessibility/AccessibilityARIAGridCell.cpp (140657 => 140658)
--- trunk/Source/WebCore/accessibility/AccessibilityARIAGridCell.cpp 2013-01-24 07:42:07 UTC (rev 140657)
+++ trunk/Source/WebCore/accessibility/AccessibilityARIAGridCell.cpp 2013-01-24 08:16:00 UTC (rev 140658)
@@ -48,9 +48,7 @@
PassRefPtr<AccessibilityARIAGridCell> AccessibilityARIAGridCell::create(RenderObject* renderer)
{
- AccessibilityARIAGridCell* obj = new AccessibilityARIAGridCell(renderer);
- obj->init();
- return adoptRef(obj);
+ return adoptRef(new AccessibilityARIAGridCell(renderer));
}
AccessibilityObject* AccessibilityARIAGridCell::parentTable() const
Modified: trunk/Source/WebCore/accessibility/AccessibilityARIAGridRow.cpp (140657 => 140658)
--- trunk/Source/WebCore/accessibility/AccessibilityARIAGridRow.cpp 2013-01-24 07:42:07 UTC (rev 140657)
+++ trunk/Source/WebCore/accessibility/AccessibilityARIAGridRow.cpp 2013-01-24 08:16:00 UTC (rev 140658)
@@ -48,9 +48,7 @@
PassRefPtr<AccessibilityARIAGridRow> AccessibilityARIAGridRow::create(RenderObject* renderer)
{
- AccessibilityARIAGridRow* obj = new AccessibilityARIAGridRow(renderer);
- obj->init();
- return adoptRef(obj);
+ return adoptRef(new AccessibilityARIAGridRow(renderer));
}
bool AccessibilityARIAGridRow::isARIATreeGridRow() const
Modified: trunk/Source/WebCore/accessibility/AccessibilityList.cpp (140657 => 140658)
--- trunk/Source/WebCore/accessibility/AccessibilityList.cpp 2013-01-24 07:42:07 UTC (rev 140657)
+++ trunk/Source/WebCore/accessibility/AccessibilityList.cpp 2013-01-24 08:16:00 UTC (rev 140658)
@@ -50,9 +50,7 @@
PassRefPtr<AccessibilityList> AccessibilityList::create(RenderObject* renderer)
{
- AccessibilityList* obj = new AccessibilityList(renderer);
- obj->init();
- return adoptRef(obj);
+ return adoptRef(new AccessibilityList(renderer));
}
bool AccessibilityList::accessibilityIsIgnored() const
Modified: trunk/Source/WebCore/accessibility/AccessibilityListBox.cpp (140657 => 140658)
--- trunk/Source/WebCore/accessibility/AccessibilityListBox.cpp 2013-01-24 07:42:07 UTC (rev 140657)
+++ trunk/Source/WebCore/accessibility/AccessibilityListBox.cpp 2013-01-24 08:16:00 UTC (rev 140658)
@@ -54,9 +54,7 @@
PassRefPtr<AccessibilityListBox> AccessibilityListBox::create(RenderObject* renderer)
{
- AccessibilityListBox* obj = new AccessibilityListBox(renderer);
- obj->init();
- return adoptRef(obj);
+ return adoptRef(new AccessibilityListBox(renderer));
}
bool AccessibilityListBox::canSetSelectedChildrenAttribute() const
Modified: trunk/Source/WebCore/accessibility/AccessibilityMediaControls.cpp (140657 => 140658)
--- trunk/Source/WebCore/accessibility/AccessibilityMediaControls.cpp 2013-01-24 07:42:07 UTC (rev 140657)
+++ trunk/Source/WebCore/accessibility/AccessibilityMediaControls.cpp 2013-01-24 08:16:00 UTC (rev 140658)
@@ -67,11 +67,8 @@
case MediaControlsPanel:
return AccessibilityMediaControlsContainer::create(renderer);
- default: {
- AccessibilityMediaControl* obj = new AccessibilityMediaControl(renderer);
- obj->init();
- return adoptRef(obj);
- }
+ default:
+ return adoptRef(new AccessibilityMediaControl(renderer));
}
}
@@ -226,9 +223,7 @@
PassRefPtr<AccessibilityObject> AccessibilityMediaControlsContainer::create(RenderObject* renderer)
{
- AccessibilityMediaControlsContainer* obj = new AccessibilityMediaControlsContainer(renderer);
- obj->init();
- return adoptRef(obj);
+ return adoptRef(new AccessibilityMediaControlsContainer(renderer));
}
String AccessibilityMediaControlsContainer::accessibilityDescription() const
@@ -272,9 +267,7 @@
PassRefPtr<AccessibilityObject> AccessibilityMediaTimeline::create(RenderObject* renderer)
{
- AccessibilityMediaTimeline* obj = new AccessibilityMediaTimeline(renderer);
- obj->init();
- return adoptRef(obj);
+ return adoptRef(new AccessibilityMediaTimeline(renderer));
}
String AccessibilityMediaTimeline::valueDescription() const
@@ -304,9 +297,7 @@
PassRefPtr<AccessibilityObject> AccessibilityMediaTimeDisplay::create(RenderObject* renderer)
{
- AccessibilityMediaTimeDisplay* obj = new AccessibilityMediaTimeDisplay(renderer);
- obj->init();
- return adoptRef(obj);
+ return adoptRef(new AccessibilityMediaTimeDisplay(renderer));
}
bool AccessibilityMediaTimeDisplay::accessibilityIsIgnored() const
Modified: trunk/Source/WebCore/accessibility/AccessibilityMenuList.cpp (140657 => 140658)
--- trunk/Source/WebCore/accessibility/AccessibilityMenuList.cpp 2013-01-24 07:42:07 UTC (rev 140657)
+++ trunk/Source/WebCore/accessibility/AccessibilityMenuList.cpp 2013-01-24 08:16:00 UTC (rev 140658)
@@ -39,9 +39,7 @@
PassRefPtr<AccessibilityMenuList> AccessibilityMenuList::create(RenderMenuList* renderer)
{
- AccessibilityMenuList* obj = new AccessibilityMenuList(renderer);
- obj->init();
- return adoptRef(obj);
+ return adoptRef(new AccessibilityMenuList(renderer));
}
bool AccessibilityMenuList::press() const
Modified: trunk/Source/WebCore/accessibility/AccessibilityNodeObject.cpp (140657 => 140658)
--- trunk/Source/WebCore/accessibility/AccessibilityNodeObject.cpp 2013-01-24 07:42:07 UTC (rev 140657)
+++ trunk/Source/WebCore/accessibility/AccessibilityNodeObject.cpp 2013-01-24 08:16:00 UTC (rev 140658)
@@ -89,6 +89,9 @@
, m_childrenDirty(false)
, m_roleForMSAA(UnknownRole)
, m_node(node)
+#ifndef NDEBUG
+ , m_initialized(false)
+#endif
{
}
@@ -99,14 +102,16 @@
void AccessibilityNodeObject::init()
{
+#ifndef NDEBUG
+ ASSERT(!m_initialized);
+ m_initialized = true;
+#endif
m_role = determineAccessibilityRole();
}
PassRefPtr<AccessibilityNodeObject> AccessibilityNodeObject::create(Node* node)
{
- AccessibilityNodeObject* obj = new AccessibilityNodeObject(node);
- obj->init();
- return adoptRef(obj);
+ return adoptRef(new AccessibilityNodeObject(node));
}
void AccessibilityNodeObject::detach()
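Review bot: `m_initialized = true` is set at the top of `init()`, before `m_role = determineAccessibilityRole()` has run, so the flag reads "initialized" while the role is still unset. The ChangeLog says initialization can explore the tree; if that walk reaches this same object through the cache, `ASSERT(m_initialized)` in `accessibilityIsIgnored()` passes on a half-initialized object. If that re-entrant access is intended, a comment saying so would help; otherwise set the flag last, `m_role = determineAccessibilityRole(); m_initialized = true;`, keeping `ASSERT(!m_initialized)` at the top. Subclass overrides of `init()` are not visible here, so check whether they do further work after the base call.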
@@ -386,6 +391,12 @@
bool AccessibilityNodeObject::accessibilityIsIgnored() const
{
+#ifndef NDEBUG
+ // Double-check that an AccessibilityObject is never accessed before
+ // it's been initialized.
+ ASSERT(m_initialized);
+#endif
+
// If this element is within a parent that cannot have children, it should not be exposed.
if (isDescendantOfBarrenParent())
return true;
Modified: trunk/Source/WebCore/accessibility/AccessibilityNodeObject.h (140657 => 140658)
--- trunk/Source/WebCore/accessibility/AccessibilityNodeObject.h 2013-01-24 07:42:07 UTC (rev 140657)
+++ trunk/Source/WebCore/accessibility/AccessibilityNodeObject.h 2013-01-24 08:16:00 UTC (rev 140658)
@@ -153,6 +153,9 @@
AccessibilityRole m_ariaRole;
bool m_childrenDirty;
mutable AccessibilityRole m_roleForMSAA;
+#ifndef NDEBUG
+ bool m_initialized;
+#endif
virtual bool isDetached() const { return !m_node; }
Modified: trunk/Source/WebCore/accessibility/AccessibilityObject.h (140657 => 140658)
--- trunk/Source/WebCore/accessibility/AccessibilityObject.h 2013-01-24 07:42:07 UTC (rev 140657)
+++ trunk/Source/WebCore/accessibility/AccessibilityObject.h 2013-01-24 08:16:00 UTC (rev 140658)
@@ -355,6 +355,15 @@
public:
virtual ~AccessibilityObject();
+
+ // After constructing an AccessibilityObject, it must be given a
+ // unique ID, then added to AXObjectCache, and finally init() must
+ // be called last.
+ void setAXObjectID(AXID axObjectID) { m_id = axObjectID; }
+ virtual void init() { }
+
+ // When the corresponding WebCore object that this AccessibilityObject
+ // wraps is deleted, it must be detached.
virtual void detach();
virtual bool isDetached() const;
@@ -569,7 +578,6 @@
virtual AXObjectCache* axObjectCache() const;
AXID axObjectID() const { return m_id; }
- void setAXObjectID(AXID axObjectID) { m_id = axObjectID; }
static AccessibilityObject* anchorElementForNode(Node*);
virtual Element* anchorElement() const { return 0; }
Modified: trunk/Source/WebCore/accessibility/AccessibilityProgressIndicator.cpp (140657 => 140658)
--- trunk/Source/WebCore/accessibility/AccessibilityProgressIndicator.cpp 2013-01-24 07:42:07 UTC (rev 140657)
+++ trunk/Source/WebCore/accessibility/AccessibilityProgressIndicator.cpp 2013-01-24 08:16:00 UTC (rev 140658)
@@ -39,9 +39,7 @@
PassRefPtr<AccessibilityProgressIndicator> AccessibilityProgressIndicator::create(RenderProgress* renderer)
{
- AccessibilityProgressIndicator* obj = new AccessibilityProgressIndicator(renderer);
- obj->init();
- return adoptRef(obj);
+ return adoptRef(new AccessibilityProgressIndicator(renderer));
}
bool AccessibilityProgressIndicator::accessibilityIsIgnored() const
Modified: trunk/Source/WebCore/accessibility/AccessibilityRenderObject.cpp (140657 => 140658)
--- trunk/Source/WebCore/accessibility/AccessibilityRenderObject.cpp 2013-01-24 07:42:07 UTC (rev 140657)
+++ trunk/Source/WebCore/accessibility/AccessibilityRenderObject.cpp 2013-01-24 08:16:00 UTC (rev 140658)
@@ -123,9 +123,7 @@
PassRefPtr<AccessibilityRenderObject> AccessibilityRenderObject::create(RenderObject* renderer)
{
- AccessibilityRenderObject* obj = new AccessibilityRenderObject(renderer);
- obj->init();
- return adoptRef(obj);
+ return adoptRef(new AccessibilityRenderObject(renderer));
}
void AccessibilityRenderObject::detach()
@@ -1126,6 +1124,10 @@
bool AccessibilityRenderObject::accessibilityIsIgnored() const
{
+#ifndef NDEBUG
+ ASSERT(m_initialized);
+#endif
+
// Check first if any of the common reasons cause this element to be ignored.
// Then process other use cases that need to be applied to all the various roles
// that AccessibilityRenderObjects take on.
Modified: trunk/Source/WebCore/accessibility/AccessibilitySVGRoot.cpp (140657 => 140658)
--- trunk/Source/WebCore/accessibility/AccessibilitySVGRoot.cpp 2013-01-24 07:42:07 UTC (rev 140657)
+++ trunk/Source/WebCore/accessibility/AccessibilitySVGRoot.cpp 2013-01-24 08:16:00 UTC (rev 140658)
@@ -45,9 +45,7 @@
PassRefPtr<AccessibilitySVGRoot> AccessibilitySVGRoot::create(RenderObject* renderer)
{
- AccessibilitySVGRoot* obj = new AccessibilitySVGRoot(renderer);
- obj->init();
- return adoptRef(obj);
+ return adoptRef(new AccessibilitySVGRoot(renderer));
}
AccessibilityObject* AccessibilitySVGRoot::parentObject() const
Modified: trunk/Source/WebCore/accessibility/AccessibilitySlider.cpp (140657 => 140658)
--- trunk/Source/WebCore/accessibility/AccessibilitySlider.cpp 2013-01-24 07:42:07 UTC (rev 140657)
+++ trunk/Source/WebCore/accessibility/AccessibilitySlider.cpp 2013-01-24 08:16:00 UTC (rev 140658)
@@ -47,9 +47,7 @@
PassRefPtr<AccessibilitySlider> AccessibilitySlider::create(RenderObject* renderer)
{
- AccessibilitySlider* obj = new AccessibilitySlider(renderer);
- obj->init();
- return adoptRef(obj);
+ return adoptRef(new AccessibilitySlider(renderer));
}
AccessibilityOrientation AccessibilitySlider::orientation() const
Modified: trunk/Source/WebCore/accessibility/AccessibilityTable.cpp (140657 => 140658)
--- trunk/Source/WebCore/accessibility/AccessibilityTable.cpp 2013-01-24 07:42:07 UTC (rev 140657)
+++ trunk/Source/WebCore/accessibility/AccessibilityTable.cpp 2013-01-24 08:16:00 UTC (rev 140658)
@@ -69,9 +69,7 @@
PassRefPtr<AccessibilityTable> AccessibilityTable::create(RenderObject* renderer)
{
- AccessibilityTable* obj = new AccessibilityTable(renderer);
- obj->init();
- return adoptRef(obj);
+ return adoptRef(new AccessibilityTable(renderer));
}
bool AccessibilityTable::hasARIARole() const
Modified: trunk/Source/WebCore/accessibility/AccessibilityTableCell.cpp (140657 => 140658)
--- trunk/Source/WebCore/accessibility/AccessibilityTableCell.cpp 2013-01-24 07:42:07 UTC (rev 140657)
+++ trunk/Source/WebCore/accessibility/AccessibilityTableCell.cpp 2013-01-24 08:16:00 UTC (rev 140658)
@@ -51,9 +51,7 @@
PassRefPtr<AccessibilityTableCell> AccessibilityTableCell::create(RenderObject* renderer)
{
- AccessibilityTableCell* obj = new AccessibilityTableCell(renderer);
- obj->init();
- return adoptRef(obj);
+ return adoptRef(new AccessibilityTableCell(renderer));
}
bool AccessibilityTableCell::accessibilityIsIgnored() const
Modified: trunk/Source/WebCore/accessibility/AccessibilityTableRow.cpp (140657 => 140658)
--- trunk/Source/WebCore/accessibility/AccessibilityTableRow.cpp 2013-01-24 07:42:07 UTC (rev 140657)
+++ trunk/Source/WebCore/accessibility/AccessibilityTableRow.cpp 2013-01-24 08:16:00 UTC (rev 140658)
@@ -54,9 +54,7 @@
PassRefPtr<AccessibilityTableRow> AccessibilityTableRow::create(RenderObject* renderer)
{
- AccessibilityTableRow* obj = new AccessibilityTableRow(renderer);
- obj->init();
- return adoptRef(obj);
+ return adoptRef(new AccessibilityTableRow(renderer));
}
AccessibilityRole AccessibilityTableRow::determineAccessibilityRole()