AX: Crash in WebCore::AXObjectCache::computedObjectAttributeCache
authorcfleizach@apple.com <cfleizach@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Fri, 7 Feb 2014 01:29:33 +0000 (01:29 +0000)
committercfleizach@apple.com <cfleizach@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Fri, 7 Feb 2014 01:29:33 +0000 (01:29 +0000)
https://bugs.webkit.org/show_bug.cgi?id=128310

Reviewed by Alexey Proskuryakov.

Be more careful about using axObjectCache() directly since it can return null.
I audited the usage cases of this method and ensured the ptr was not null in cases
where I thought we might get hit by this.

* accessibility/AccessibilityNodeObject.cpp:
(WebCore::AccessibilityNodeObject::parentObject):
(WebCore::AccessibilityNodeObject::menuForMenuButton):
(WebCore::AccessibilityNodeObject::menuButtonForMenu):
* accessibility/AccessibilityObject.cpp:
(WebCore::AccessibilityObject::firstAccessibleObjectFromNode):
(WebCore::AccessibilityObject::findMatchingObjects):
(WebCore::AccessibilityObject::elementAccessibilityHitTest):
(WebCore::AccessibilityObject::axObjectCache):
(WebCore::AccessibilityObject::notifyIfIgnoredValueChanged):
(WebCore::AccessibilityObject::accessibilityIsIgnored):
* accessibility/AccessibilityRenderObject.cpp:
(WebCore::AccessibilityRenderObject::parentObjectIfExists):
(WebCore::AccessibilityRenderObject::parentObject):
(WebCore::AccessibilityRenderObject::anchorElement):
(WebCore::AccessibilityRenderObject::isTabItemSelected):
(WebCore::AccessibilityRenderObject::accessibilityParentForImageMap):
(WebCore::AccessibilityRenderObject::nodeIsTextControl):
(WebCore::AccessibilityRenderObject::activeDescendant):
(WebCore::AccessibilityRenderObject::handleAriaExpandedChanged):
(WebCore::AccessibilityRenderObject::observableObject):
(WebCore::AccessibilityRenderObject::textChanged):
* accessibility/AccessibilityScrollView.cpp:
(WebCore::AccessibilityScrollView::addChildScrollbar):
(WebCore::AccessibilityScrollView::webAreaObject):
(WebCore::AccessibilityScrollView::parentObject):
(WebCore::AccessibilityScrollView::parentObjectIfExists):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@163586 268f45cc-cd09-0410-ab3c-d52691b4dbfc

Source/WebCore/ChangeLog
Source/WebCore/accessibility/AccessibilityNodeObject.cpp
Source/WebCore/accessibility/AccessibilityObject.cpp
Source/WebCore/accessibility/AccessibilityRenderObject.cpp
Source/WebCore/accessibility/AccessibilityScrollView.cpp

index 7f24c29..5dfffb0 100644 (file)
@@ -1,3 +1,42 @@
+2014-02-06  Chris Fleizach  <cfleizach@apple.com>
+
+        AX: Crash in WebCore::AXObjectCache::computedObjectAttributeCache
+        https://bugs.webkit.org/show_bug.cgi?id=128310
+
+        Reviewed by Alexey Proskuryakov.
+
+        Be more careful about using axObjectCache() directly since it can return null.
+        I audited the usage cases of this method and ensured the ptr was not null in cases
+        where I thought we might get hit by this.
+
+        * accessibility/AccessibilityNodeObject.cpp:
+        (WebCore::AccessibilityNodeObject::parentObject):
+        (WebCore::AccessibilityNodeObject::menuForMenuButton):
+        (WebCore::AccessibilityNodeObject::menuButtonForMenu):
+        * accessibility/AccessibilityObject.cpp:
+        (WebCore::AccessibilityObject::firstAccessibleObjectFromNode):
+        (WebCore::AccessibilityObject::findMatchingObjects):
+        (WebCore::AccessibilityObject::elementAccessibilityHitTest):
+        (WebCore::AccessibilityObject::axObjectCache):
+        (WebCore::AccessibilityObject::notifyIfIgnoredValueChanged):
+        (WebCore::AccessibilityObject::accessibilityIsIgnored):
+        * accessibility/AccessibilityRenderObject.cpp:
+        (WebCore::AccessibilityRenderObject::parentObjectIfExists):
+        (WebCore::AccessibilityRenderObject::parentObject):
+        (WebCore::AccessibilityRenderObject::anchorElement):
+        (WebCore::AccessibilityRenderObject::isTabItemSelected):
+        (WebCore::AccessibilityRenderObject::accessibilityParentForImageMap):
+        (WebCore::AccessibilityRenderObject::nodeIsTextControl):
+        (WebCore::AccessibilityRenderObject::activeDescendant):
+        (WebCore::AccessibilityRenderObject::handleAriaExpandedChanged):
+        (WebCore::AccessibilityRenderObject::observableObject):
+        (WebCore::AccessibilityRenderObject::textChanged):
+        * accessibility/AccessibilityScrollView.cpp:
+        (WebCore::AccessibilityScrollView::addChildScrollbar):
+        (WebCore::AccessibilityScrollView::webAreaObject):
+        (WebCore::AccessibilityScrollView::parentObject):
+        (WebCore::AccessibilityScrollView::parentObjectIfExists):
+
 2014-02-06  Zoltan Horvath  <zoltan@webkit.org>
 
         [CSS Shapes] Rounded Insets Let Content Overlap Shape
index 0751251..0cc9e65 100644 (file)
@@ -228,8 +228,11 @@ AccessibilityObject* AccessibilityNodeObject::parentObject() const
         return 0;
 
     Node* parentObj = node()->parentNode();
-    if (parentObj)
-        return axObjectCache()->getOrCreate(parentObj);
+    if (!parentObj)
+        return nullptr;
+    
+    if (AXObjectCache* cache = axObjectCache())
+        return cache->getOrCreate(parentObj);
     
     return 0;
 }
@@ -1204,7 +1207,9 @@ Element* AccessibilityNodeObject::menuElementForMenuButton() const
 
 AccessibilityObject* AccessibilityNodeObject::menuForMenuButton() const
 {
-    return axObjectCache()->getOrCreate(menuElementForMenuButton());
+    if (AXObjectCache* cache = axObjectCache())
+        return cache->getOrCreate(menuElementForMenuButton());
+    return nullptr;
 }
 
 Element* AccessibilityNodeObject::menuItemElementForMenu() const
@@ -1217,11 +1222,15 @@ Element* AccessibilityNodeObject::menuItemElementForMenu() const
 
 AccessibilityObject* AccessibilityNodeObject::menuButtonForMenu() const
 {
+    AXObjectCache* cache = axObjectCache();
+    if (!cache)
+        return nullptr;
+
     Element* menuItem = menuItemElementForMenu();
 
     if (menuItem) {
         // ARIA just has generic menu items. AppKit needs to know if this is a top level items like MenuBarButton or MenuBarItem
-        AccessibilityObject* menuItemAX = axObjectCache()->getOrCreate(menuItem);
+        AccessibilityObject* menuItemAX = cache->getOrCreate(menuItem);
         if (menuItemAX && menuItemAX->isMenuButton())
             return menuItemAX;
     }
index 2fdd417..4994fad 100644 (file)
@@ -377,7 +377,9 @@ AccessibilityObject* AccessibilityObject::firstAccessibleObjectFromNode(const No
         return 0;
 
     AXObjectCache* cache = node->document().axObjectCache();
-
+    if (!cache)
+        return nullptr;
+    
     AccessibilityObject* accessibleObject = cache->getOrCreate(node->renderer());
     while (accessibleObject && accessibleObject->accessibilityIsIgnored()) {
         node = NodeTraversal::next(node);
@@ -463,7 +465,8 @@ void AccessibilityObject::findMatchingObjects(AccessibilitySearchCriteria* crite
     if (!criteria)
         return;
 
-    axObjectCache()->startCachingComputedObjectAttributesUntilTreeMutates();
+    if (AXObjectCache* cache = axObjectCache())
+        cache->startCachingComputedObjectAttributesUntilTreeMutates();
 
     // This search mechanism only searches the elements before/after the starting object.
     // It does this by stepping up the parent chain and at each level doing a DFS.
@@ -1660,8 +1663,10 @@ AccessibilityObject* AccessibilityObject::elementAccessibilityHitTest(const IntP
     if (isAttachment()) {
         Widget* widget = widgetForAttachmentView();
         // Normalize the point for the widget's bounds.
-        if (widget && widget->isFrameView())
-            return axObjectCache()->getOrCreate(widget)->accessibilityHitTest(IntPoint(point - widget->frameRect().location()));
+        if (widget && widget->isFrameView()) {
+            if (AXObjectCache* cache = axObjectCache())
+                return cache->getOrCreate(widget)->accessibilityHitTest(IntPoint(point - widget->frameRect().location()));
+        }
     }
     
     // Check if there are any mock elements that need to be handled.
@@ -1678,7 +1683,7 @@ AXObjectCache* AccessibilityObject::axObjectCache() const
     Document* doc = document();
     if (doc)
         return doc->axObjectCache();
-    return 0;
+    return nullptr;
 }
     
 AccessibilityObject* AccessibilityObject::focusedUIElement() const
@@ -2017,7 +2022,8 @@ void AccessibilityObject::notifyIfIgnoredValueChanged()
 {
     bool isIgnored = accessibilityIsIgnored();
     if (lastKnownIsIgnoredValue() != isIgnored) {
-        axObjectCache()->childrenChanged(parentObject());
+        if (AXObjectCache* cache = axObjectCache())
+            cache->childrenChanged(parentObject());
         setLastKnownIsIgnoredValue(isIgnored);
     }
 }
@@ -2102,7 +2108,10 @@ AccessibilityObjectInclusion AccessibilityObject::defaultObjectInclusion() const
     
 bool AccessibilityObject::accessibilityIsIgnored() const
 {
-    AXComputedObjectAttributeCache* attributeCache = axObjectCache()->computedObjectAttributeCache();
+    AXComputedObjectAttributeCache* attributeCache = nullptr;
+    if (AXObjectCache* cache = axObjectCache())
+        attributeCache = cache->computedObjectAttributeCache();
+    
     if (attributeCache) {
         AccessibilityObjectInclusion ignored = attributeCache->getIgnored(axObjectID());
         switch (ignored) {
index 8895e5d..0ce1671 100644 (file)
@@ -476,11 +476,15 @@ RenderObject* AccessibilityRenderObject::renderParentObject() const
     
 AccessibilityObject* AccessibilityRenderObject::parentObjectIfExists() const
 {
+    AXObjectCache* cache = axObjectCache();
+    if (!cache)
+        return nullptr;
+    
     // WebArea's parent should be the scroll view containing it.
     if (isWebArea())
-        return axObjectCache()->get(&m_renderer->view().frameView());
+        return cache->get(&m_renderer->view().frameView());
 
-    return axObjectCache()->get(renderParentObject());
+    return cache->get(renderParentObject());
 }
     
 AccessibilityObject* AccessibilityRenderObject::parentObject() const
@@ -498,13 +502,17 @@ AccessibilityObject* AccessibilityRenderObject::parentObject() const
             return parent;
     }
     
+    AXObjectCache* cache = axObjectCache();
+    if (!cache)
+        return nullptr;
+    
     RenderObject* parentObj = renderParentObject();
     if (parentObj)
-        return axObjectCache()->getOrCreate(parentObj);
+        return cache->getOrCreate(parentObj);
     
     // WebArea's parent should be the scroll view containing it.
     if (isWebArea())
-        return axObjectCache()->getOrCreate(&m_renderer->view().frameView());
+        return cache->getOrCreate(&m_renderer->view().frameView());
     
     return 0;
 }
@@ -562,6 +570,9 @@ Element* AccessibilityRenderObject::anchorElement() const
         return 0;
     
     AXObjectCache* cache = axObjectCache();
+    if (!cache)
+        return nullptr;
+    
     RenderObject* currRenderer;
     
     // Search up the render tree for a RenderObject with a DOM node.  Defer to an earlier continuation, though.
@@ -1587,8 +1598,12 @@ bool AccessibilityRenderObject::isTabItemSelected() const
     Vector<Element*> elements;
     elementsFromAttribute(elements, aria_controlsAttr);
     
+    AXObjectCache* cache = axObjectCache();
+    if (!cache)
+        return false;
+    
     for (const auto& element : elements) {
-        AccessibilityObject* tabPanel = axObjectCache()->getOrCreate(element);
+        AccessibilityObject* tabPanel = cache->getOrCreate(element);
 
         // A tab item should only control tab panels.
         if (!tabPanel || tabPanel->roleValue() != TabPanelRole)
@@ -1731,7 +1746,10 @@ AccessibilityObject* AccessibilityRenderObject::accessibilityParentForImageMap(H
     if (!imageElement)
         return 0;
     
-    return axObjectCache()->getOrCreate(imageElement);
+    if (AXObjectCache* cache = axObjectCache())
+        return cache->getOrCreate(imageElement);
+    
+    return nullptr;
 }
     
 void AccessibilityRenderObject::getDocumentLinks(AccessibilityChildrenVector& result)
@@ -1902,11 +1920,12 @@ bool AccessibilityRenderObject::nodeIsTextControl(const Node* node) const
     if (!node)
         return false;
 
-    const AccessibilityObject* axObjectForNode = axObjectCache()->getOrCreate(const_cast<Node*>(node));
-    if (!axObjectForNode)
-        return false;
+    if (AXObjectCache* cache = axObjectCache()) {
+        if (AccessibilityObject* axObjectForNode = cache->getOrCreate(const_cast<Node*>(node)))
+            return axObjectForNode->isTextControl();
+    }
 
-    return axObjectForNode->isTextControl();
+    return false;
 }
 
 IntRect AccessibilityRenderObject::boundsForVisiblePositionRange(const VisiblePositionRange& visiblePositionRange) const
@@ -2276,10 +2295,13 @@ AccessibilityObject* AccessibilityRenderObject::activeDescendant() const
     if (!target)
         return 0;
     
-    AccessibilityObject* obj = axObjectCache()->getOrCreate(target);
-    if (obj && obj->isAccessibilityRenderObject())
-    // an activedescendant is only useful if it has a renderer, because that's what's needed to post the notification
-        return obj;
+    if (AXObjectCache* cache = axObjectCache()) {
+        AccessibilityObject* obj = cache->getOrCreate(target);
+        if (obj && obj->isAccessibilityRenderObject())
+            // an activedescendant is only useful if it has a renderer, because that's what's needed to post the notification
+            return obj;
+    }
+    
     return 0;
 }
 
@@ -2309,12 +2331,16 @@ void AccessibilityRenderObject::handleAriaExpandedChanged()
     }
     
     // Post that the row count changed.
+    AXObjectCache* cache = axObjectCache();
+    if (!cache)
+        return;
+    
     if (containerParent)
-        axObjectCache()->postNotification(containerParent, document(), AXObjectCache::AXRowCountChanged);
+        cache->postNotification(containerParent, document(), AXObjectCache::AXRowCountChanged);
 
     // Post that the specific row either collapsed or expanded.
     if (roleValue() == RowRole || roleValue() == TreeItemRole)
-        axObjectCache()->postNotification(this, document(), isExpanded() ? AXObjectCache::AXRowExpanded : AXObjectCache::AXRowCollapsed);
+        cache->postNotification(this, document(), isExpanded() ? AXObjectCache::AXRowExpanded : AXObjectCache::AXRowCollapsed);
 }
 
 void AccessibilityRenderObject::handleActiveDescendantChanged()
@@ -2388,8 +2414,10 @@ AccessibilityObject* AccessibilityRenderObject::observableObject() const
 {
     // Find the object going up the parent chain that is used in accessibility to monitor certain notifications.
     for (RenderObject* renderer = m_renderer; renderer && renderer->node(); renderer = renderer->parent()) {
-        if (renderObjectIsObservable(renderer))
-            return axObjectCache()->getOrCreate(renderer);
+        if (renderObjectIsObservable(renderer)) {
+            if (AXObjectCache* cache = axObjectCache())
+                return cache->getOrCreate(renderer);
+        }
     }
     
     return 0;
@@ -2714,6 +2742,9 @@ void AccessibilityRenderObject::textChanged()
     // If this element supports ARIA live regions, or is part of a region with an ARIA editable role,
     // then notify the AT of changes.
     AXObjectCache* cache = axObjectCache();
+    if (!cache)
+        return;
+    
     for (RenderObject* renderParent = m_renderer; renderParent; renderParent = renderParent->parent()) {
         AccessibilityObject* parent = cache->get(renderParent);
         if (!parent)
index f158506..03c9373 100644 (file)
@@ -149,7 +149,11 @@ AccessibilityScrollbar* AccessibilityScrollView::addChildScrollbar(Scrollbar* sc
     if (!scrollbar)
         return 0;
     
-    AccessibilityScrollbar* scrollBarObject = toAccessibilityScrollbar(axObjectCache()->getOrCreate(scrollbar));
+    AXObjectCache* cache = axObjectCache();
+    if (!cache)
+        return nullptr;
+
+    AccessibilityScrollbar* scrollBarObject = toAccessibilityScrollbar(cache->getOrCreate(scrollbar));
     scrollBarObject->setParent(this);
     m_children.append(scrollBarObject);
     return scrollBarObject;
@@ -192,7 +196,10 @@ AccessibilityObject* AccessibilityScrollView::webAreaObject() const
     if (!doc || !doc->hasLivingRenderTree())
         return 0;
 
-    return axObjectCache()->getOrCreate(doc);
+    if (AXObjectCache* cache = axObjectCache())
+        return cache->getOrCreate(doc);
+    
+    return nullptr;
 }
 
 AccessibilityObject* AccessibilityScrollView::accessibilityHitTest(const IntPoint& point) const
@@ -229,10 +236,14 @@ AccessibilityObject* AccessibilityScrollView::parentObject() const
 {
     if (!m_scrollView || !m_scrollView->isFrameView())
         return 0;
-    
+
+    AXObjectCache* cache = axObjectCache();
+    if (!cache)
+        return nullptr;
+
     HTMLFrameOwnerElement* owner = toFrameView(m_scrollView)->frame().ownerElement();
     if (owner && owner->renderer())
-        return axObjectCache()->getOrCreate(owner);
+        return cache->getOrCreate(owner);
 
     return 0;
 }
@@ -242,9 +253,13 @@ AccessibilityObject* AccessibilityScrollView::parentObjectIfExists() const
     if (!m_scrollView || !m_scrollView->isFrameView())
         return 0;
     
+    AXObjectCache* cache = axObjectCache();
+    if (!cache)
+        return nullptr;
+
     HTMLFrameOwnerElement* owner = toFrameView(m_scrollView)->frame().ownerElement();
     if (owner && owner->renderer())
-        return axObjectCache()->get(owner);
+        return cache->get(owner);
     
     return 0;
 }