CrashTracer: [USER] 300 crashes in Safari at com.apple.WebCore: WebCore::Accessibilit...
author cfleizach@apple.com <cfleizach@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Tue, 20 Jul 2010 21:34:11 +0000 (21:34 +0000)
committer cfleizach@apple.com <cfleizach@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Tue, 20 Jul 2010 21:34:11 +0000 (21:34 +0000)
https://bugs.webkit.org/show_bug.cgi?id=42652

Reviewed by Beth Dakin.

WebCore:

When a table cell accesses its parent table, we should not use getOrCreate, because creating an AXTable inspects its render tree state
which may be out of date, leading to a crash.
Using only get() implies that the AXTable must be created before AXTableCells. This should
always be the case when AT clients access a table.

Test: accessibility/updating-attribute-in-table-causes-crash.html

* accessibility/AccessibilityTableCell.cpp:
(WebCore::AccessibilityTableCell::parentTable):

LayoutTests:

* accessibility/updating-attribute-in-table-causes-crash-expected.txt: Added.
* accessibility/updating-attribute-in-table-causes-crash.html: Added.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@63774 268f45cc-cd09-0410-ab3c-d52691b4dbfc
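The get() versus getOrCreate() distinction the commit message draws, as an added example that is not WebKit's code: a toy cache with hypothetical RenderTable, RenderTableCell, AXTable and AXObjectCache stand-ins. The "bad state" of the render tree is modelled as a detached row list, and an inspection of that detached state is counted instead of crashing, so the two versions of parentTable() can be compared on the layout test's sequence (optional AT walk of the table, then a row swap, then an attribute change on a cell mid-mutation). Every name and the shape of the simulated mutation are assumptions for illustration.

```cpp
// Added example, not WebKit code. Hypothetical stand-ins for WebCore types.
#include <cstddef>
#include <cstdio>
#include <map>
#include <memory>
#include <vector>

struct RenderTable {
    // Detached (nullptr) while JavaScript is replacing rows; inspecting it
    // then is the crash the patch avoids. Modelled, not WebCore's layout.
    const std::vector<int>* rows = nullptr;
};

struct RenderTableCell {
    RenderTable* table = nullptr;
};

struct AXTable {
    // In the real engine a bad-state inspection crashes; here it is counted
    // so the outcome can be observed.
    static int badStateInspections;
    bool exposable = false;

    explicit AXTable(const RenderTable& t) {
        // Constructing the AX object inspects render-tree state
        // (cf. isTableExposableThroughAccessibility in the crash signature).
        if (!t.rows) {
            ++badStateInspections;
            return;
        }
        exposable = !t.rows->empty();
    }
};
int AXTable::badStateInspections = 0;

class AXObjectCache {
public:
    // Lookup only: never constructs, so never reads render-tree state.
    AXTable* get(const RenderTable* t) const {
        auto it = m_tables.find(t);
        return it == m_tables.end() ? nullptr : it->second.get();
    }
    // Construct on miss: construction inspects the render tree.
    AXTable* getOrCreate(const RenderTable* t) {
        if (AXTable* existing = get(t))
            return existing;
        auto created = std::make_unique<AXTable>(*t);
        AXTable* raw = created.get();
        m_tables[t] = std::move(created);
        return raw;
    }
private:
    std::map<const RenderTable*, std::unique_ptr<AXTable>> m_tables;
};

// parentTable() as it was before the patch (getOrCreate) and after (get).
AXTable* parentTableBefore(AXObjectCache& cache, const RenderTableCell& cell) {
    if (!cell.table) return nullptr;
    return cache.getOrCreate(cell.table);
}
AXTable* parentTableAfter(AXObjectCache& cache, const RenderTableCell& cell) {
    if (!cell.table) return nullptr;
    return cache.get(cell.table);
}

struct Outcome {
    int badInspections;   // how many times detached render state was read
    bool parentFound;     // whether the cell got a non-null parent table
};

// Replays the layout test's sequence: optionally an AT client has already
// walked the table (so its AXTable exists), then a row swap detaches the
// render rows, and an attribute change on a cell asks for its parent table
// while the mutation is in flight.
Outcome attributeChangeDuringRowSwap(bool atClientWalkedTableFirst, bool useGetOnly) {
    AXTable::badStateInspections = 0;
    std::vector<int> rows{1, 2};      // constructed sample: one row, two cells
    RenderTable table{&rows};
    RenderTableCell cell{&table};
    AXObjectCache cache;

    if (atClientWalkedTableFirst)
        cache.getOrCreate(&table);    // AXTable created before any AXTableCell

    table.rows = nullptr;             // removeChild/appendChild in progress
    AXTable* parent = useGetOnly ? parentTableAfter(cache, cell)
                                 : parentTableBefore(cache, cell);
    table.rows = &rows;               // mutation complete

    return Outcome{AXTable::badStateInspections, parent != nullptr};
}

int main() {
    Outcome before = attributeChangeDuringRowSwap(false, false);
    Outcome after = attributeChangeDuringRowSwap(false, true);
    std::printf("getOrCreate: bad-state reads=%d parent=%d\n", before.badInspections, before.parentFound);
    std::printf("get:         bad-state reads=%d parent=%d\n", after.badInspections, after.parentFound);
    return 0;
}
```

The get() path answers "no AXTable yet" with a null pointer instead of building one from a half-updated tree, which is why the patched parentTable() can return 0 where the old one never did; an AT client that walked the table earlier still gets a cache hit either way.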

LayoutTests/ChangeLog
LayoutTests/accessibility/updating-attribute-in-table-causes-crash-expected.txt [new file with mode: 0644]
LayoutTests/accessibility/updating-attribute-in-table-causes-crash.html [new file with mode: 0644]
WebCore/ChangeLog
WebCore/accessibility/AccessibilityTableCell.cpp

index 7bdb89a..31e503a 100644 (file)
@@ -1,3 +1,13 @@
+2010-07-20  Chris Fleizach  <cfleizach@apple.com>
+
+        Reviewed by Beth Dakin.
+
+        CrashTracer: [USER] 300 crashes in Safari at com.apple.WebCore: WebCore::AccessibilityTable::isTableExposableThroughAccessibility + 573
+        https://bugs.webkit.org/show_bug.cgi?id=42652
+
+        * accessibility/updating-attribute-in-table-causes-crash-expected.txt: Added.
+        * accessibility/updating-attribute-in-table-causes-crash.html: Added.
+
 2010-07-20  Abhishek Arya  <inferno@chromium.org>
 
         Reviewed by David Hyatt.
diff --git a/LayoutTests/accessibility/updating-attribute-in-table-causes-crash-expected.txt b/LayoutTests/accessibility/updating-attribute-in-table-causes-crash-expected.txt
new file mode 100644 (file)
index 0000000..c80c8f8
--- /dev/null
@@ -0,0 +1,11 @@
+1      2
+asdf
+This tests for a crash that can occur while altering an attribute on a table cell because it accesses the table when its in a bad state.
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+PASS successfullyParsed is true
+
+TEST COMPLETE
+
diff --git a/LayoutTests/accessibility/updating-attribute-in-table-causes-crash.html b/LayoutTests/accessibility/updating-attribute-in-table-causes-crash.html
new file mode 100644 (file)
index 0000000..51f0fc7
--- /dev/null
@@ -0,0 +1,42 @@
+<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML//EN">
+<html>
+<head>
+<link rel="stylesheet" href="../fast/js/resources/js-test-style.css">
+<script>
+    var successfullyParsed = false;
+</script>
+<script src="../fast/js/resources/js-test-pre.js"></script>
+</head>
+<body id="body">
+
+<table id="table">
+<tr id="row"><td id="tablecell" tabindex=0>1</td><td>2</td></tr>
+<tr id="row2"><td id="tablecell2" tabindex=0>1</td><td>2</td></tr>
+</table>
+
+<p id="description"></p>
+<div id="console"></div>
+
+<script>
+    description("This tests for a crash that can occur while altering an attribute on a table cell because it accesses the table when its in a bad state.");
+
+    if (window.accessibilityController) {
+        document.getElementById("body").focus();
+        var body = accessibilityController.focusedElement;
+        var tr = document.createElement("tr");
+        var td = document.createElement("td");
+        td.appendChild(document.createTextNode("asdf"));
+        tr.appendChild(td);
+
+        // To reproduce, we need to remove a row and replace with another row, then set an attribute in the meantime.
+        document.getElementById("table").getElementsByTagName("TBODY")[0].removeChild(document.getElementById("row2"));
+        document.getElementById("table").getElementsByTagName("TBODY")[0].appendChild(tr);
+        document.getElementById("tablecell").setAttribute("title", "test");
+    }
+
+    successfullyParsed = true;
+</script>
+
+<script src="../fast/js/resources/js-test-post.js"></script>
+</body>
+</html>
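Review bot: `var body = accessibilityController.focusedElement;` is assigned but never read; if the call is there for its side effect (instantiating the AX objects before the row swap so the later `setAttribute` hits a live cell), say so in the comment, otherwise a later cleanup that drops the unused variable turns the test into a no-op without any failure. The description string also reads "when its in a bad state" (should be "it's"), and the same text is baked into the `-expected.txt` file, so both files need the fix together or the test starts failing on output mismatch.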
index 7471a48..0d56de0 100644 (file)
@@ -1,3 +1,20 @@
+2010-07-20  Chris Fleizach  <cfleizach@apple.com>
+
+        Reviewed by Beth Dakin.
+
+        CrashTracer: [USER] 300 crashes in Safari at com.apple.WebCore: WebCore::AccessibilityTable::isTableExposableThroughAccessibility + 573
+        https://bugs.webkit.org/show_bug.cgi?id=42652
+
+        When a table cell accesses its parent table, we should not use getOrCreate, because creating an AXTable inspects its render tree state
+        which may be out of date, leading to a crash.
+        By using only get(), it implies that the AXTable must be created before AXTableCells. This should
+        always be the case when AT clients access a table.
+
+        Test: accessibility/updating-attribute-in-table-causes-crash.html
+
+        * accessibility/AccessibilityTableCell.cpp:
+        (WebCore::AccessibilityTableCell::parentTable):
+
 2010-07-20  Abhishek Arya  <inferno@chromium.org>
 
         Reviewed by David Hyatt.
index 7fadb88..28e66ad 100644 (file)
@@ -73,7 +73,12 @@ AccessibilityObject* AccessibilityTableCell::parentTable() const
     if (!m_renderer || !m_renderer->isTableCell())
         return 0;
     
-    return axObjectCache()->getOrCreate(toRenderTableCell(m_renderer)->table());
+    // Do not use getOrCreate. parentTable() can be called while the render tree is being modified 
+    // by javascript, and creating a table element may try to access the render tree while in a bad state.
+    // By using only get() implies that the AXTable must be created before AXTableCells. This should
+    // always be the case when AT clients access a table.
+    // https://bugs.webkit.org/show_bug.cgi?id=42652    
+    return axObjectCache()->get(toRenderTableCell(m_renderer)->table());
 }
     
 bool AccessibilityTableCell::isTableCell() const
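Review bot: `get()` can return 0 for a live table renderer whose AXTable has not been created yet, which `getOrCreate()` never did, so every caller of `AccessibilityTableCell::parentTable()` now needs to tolerate a null return; the early return above already yields 0 for non-cell renderers, so the new behaviour is consistent with that path, but the callers are not in this diff and should be checked. On the comment itself, "By using only get() implies that" is a dangling construction; suggest "Using only get() implies that", and the lines ending in "modified " and "42652    " carry trailing whitespace.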