AX: Crash at WebCore::AccessibilityMenuList::addChildren()
author cfleizach@apple.com <cfleizach@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Mon, 11 May 2015 15:08:00 +0000 (15:08 +0000)
committer cfleizach@apple.com <cfleizach@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Mon, 11 May 2015 15:08:00 +0000 (15:08 +0000)
https://bugs.webkit.org/show_bug.cgi?id=144860

Reviewed by Mario Sanchez Prada.

Source/WebCore:

There were some unsafe pointer accesses in AccessibilityMenuList code that needed to be cleaned up.

Test: accessibility/menu-list-crash2.html

* accessibility/AccessibilityMenuList.cpp:
(WebCore::AccessibilityMenuList::addChildren):

LayoutTests:

* accessibility/menu-list-crash2-expected.txt: Added.
* accessibility/menu-list-crash2.html: Added.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@184097 268f45cc-cd09-0410-ab3c-d52691b4dbfc

LayoutTests/ChangeLog
LayoutTests/accessibility/menu-list-crash2-expected.txt [new file with mode: 0644]
LayoutTests/accessibility/menu-list-crash2.html [new file with mode: 0644]
Source/WebCore/ChangeLog
Source/WebCore/accessibility/AccessibilityMenuList.cpp

index 6adc772fb2c7e9fa4201df905e7f441ca214a1dc..c1075fd4df3f67f0d65439ba85a7ab49315bb371 100644 (file)
@@ -1,3 +1,13 @@
+2015-05-11  Chris Fleizach  <cfleizach@apple.com>
+
+        AX: Crash at WebCore::AccessibilityMenuList::addChildren()
+        https://bugs.webkit.org/show_bug.cgi?id=144860
+
+        Reviewed by Mario Sanchez Prada.
+
+        * accessibility/menu-list-crash2-expected.txt: Added.
+        * accessibility/menu-list-crash2.html: Added.
+
 2015-05-11  Marcos Chavarría Teijeiro  <chavarria1991@gmail.com>
 
         [GTK] Gardening 7th May.
diff --git a/LayoutTests/accessibility/menu-list-crash2-expected.txt b/LayoutTests/accessibility/menu-list-crash2-expected.txt
new file mode 100644 (file)
index 0000000..4a4fc44
--- /dev/null
@@ -0,0 +1,13 @@
+TEST
+TEST
+This tests that there's no crash if we hide menu list and then try to access accessibility information.
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+Role before removal: AXRole: AXPopUpButton
+Role after removal: AXRole: 
+PASS successfullyParsed is true
+
+TEST COMPLETE
+
diff --git a/LayoutTests/accessibility/menu-list-crash2.html b/LayoutTests/accessibility/menu-list-crash2.html
new file mode 100644 (file)
index 0000000..0a4cb0f
--- /dev/null
@@ -0,0 +1,48 @@
+<html>
+<head>
+<script src="../resources/js-test-pre.js"></script>
+</head>
+<body>
+
+TEST
+<div id="content">
+
+<select id="menulist">
+  <option selected>One</option>
+  <option>Two</option>
+  <option>Three</option>
+</select>
+
+</div>
+TEST
+
+<p id="description"></p>
+<div id="console"></div>
+
+<script>
+
+function runTest() {
+    description("This tests that there's no crash if we hide menu list and then try to access accessibility information.");
+
+    if (window.accessibilityController) {
+        var menulist = document.getElementById("menulist");
+        menulist.focus();
+        menulist.selectedIndex = 1;
+
+        var accessibleMenulist = accessibilityController.focusedElement;
+        debug("Role before removal: " + accessibleMenulist.role);
+
+        menulist.style.display = "none";
+        gc();
+
+        // Don't crash!
+        debug("Role after removal: " + accessibleMenulist.role);
+    }
+}
+
+runTest();
+</script>
+
+</body>
+<script src="../resources/js-test-post.js"></script>
+</html>
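Review bot: the only accessibility call made after `menulist.style.display = "none"` is the `accessibleMenulist.role` read under the "Don't crash!" comment, and nothing in the test shows that this read reaches addChildren(), which is the function being fixed. Consider also querying the element's children after the hide and gc() so the test exercises the patched path directly and does not depend on the role getter building children as a side effect. Minor: the js-test-post.js script tag sits after `</body>`; move it inside the body.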
index 5a6f900b23be1fe9ead676b426e4d474b3e54f7a..cbe965669d6d91b24023e283bfcd911f273b2d19 100644 (file)
@@ -1,3 +1,17 @@
+2015-05-11  Chris Fleizach  <cfleizach@apple.com>
+
+        AX: Crash at WebCore::AccessibilityMenuList::addChildren()
+        https://bugs.webkit.org/show_bug.cgi?id=144860
+
+        Reviewed by Mario Sanchez Prada.
+
+        There were some unsafe pointer accesses in AccessibilityMenuList code that needed to be cleaned up.
+
+        Test: accessibility/menu-list-crash2.html
+
+        * accessibility/AccessibilityMenuList.cpp:
+        (WebCore::AccessibilityMenuList::addChildren):
+
 2015-05-11  Przemyslaw Szymanski  <p.szymanski3@samsung.com>
 
         [WebGL] Unnecessary condition check in the while loop
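Review bot: the description "some unsafe pointer accesses" in this ChangeLog entry does not say which accesses were unsafe or what changed in behaviour. Name the two guards added in addChildren() (the m_renderer check and the null check on the AXObjectCache pointer) and mention that `m_haveChildren = true` now happens only once the popup list is about to be appended, since that move is a behaviour change a later reader would not guess from the summary.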
index 147acf135ded4000c8adb9aed7bb6b92ac8db599..c0e5cf00ed5839da0b076c30899f138b6a7ddd56 100644 (file)
@@ -58,10 +58,13 @@ bool AccessibilityMenuList::press()
 
 void AccessibilityMenuList::addChildren()
 {
-    m_haveChildren = true;
-
-    AXObjectCache* cache = m_renderer->document().axObjectCache();
-
+    if (!m_renderer)
+        return;
+    
+    AXObjectCache* cache = axObjectCache();
+    if (!cache)
+        return;
+    
     AccessibilityObject* list = cache->getOrCreate(MenuListPopupRole);
     if (!list)
         return;
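Review bot: the new `if (!m_renderer) return;` guard at the top of addChildren() carries no comment, and the line that used to dereference m_renderer is gone because the cache now comes from axObjectCache(). A one-line comment saying the check means "the object is detached, so build no children" would make clear why it is still needed. Style: the two blank lines added after the early returns contain four trailing spaces each; strip them.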
@@ -72,6 +75,7 @@ void AccessibilityMenuList::addChildren()
         return;
     }
 
+    m_haveChildren = true;
     m_children.append(list);
 
     list->addChildren();
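Review bot: with `m_haveChildren = true;` moved down to just before `m_children.append(list);`, every early return above it (no renderer, no cache, no list, and the `return; }` branch shown in the context) now leaves the flag false, so any caller that gates on the flag will call addChildren() again each time. If retrying on a detached object is intended, say so in a comment here; if not, set the flag before the early returns as the old code did.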