From 3c0b8b9b58ee50a5b7853543fd358ecd541a168b Mon Sep 17 00:00:00 2001
From: "cfleizach@apple.com"
 <cfleizach@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Date: Mon, 11 May 2015 15:08:00 +0000
Subject: [PATCH 1/1] AX: Crash at
 WebCore::AccessibilityMenuList::addChildren()
 https://bugs.webkit.org/show_bug.cgi?id=144860

Reviewed by Mario Sanchez Prada.

Source/WebCore:

There were some unsafe pointer accesses in AccessibilityMenuList code that needed to be cleaned up.

Test: accessibility/menu-list-crash2.html

* accessibility/AccessibilityMenuList.cpp:
(WebCore::AccessibilityMenuList::addChildren):

LayoutTests:

* accessibility/menu-list-crash2-expected.txt: Added.
* accessibility/menu-list-crash2.html: Added.


git-svn-id: https://svn.webkit.org/repository/webkit/trunk@184097 268f45cc-cd09-0410-ab3c-d52691b4dbfc
---
 LayoutTests/ChangeLog                         | 10 ++++
 .../menu-list-crash2-expected.txt             | 13 +++++
 .../accessibility/menu-list-crash2.html       | 48 +++++++++++++++++++
 Source/WebCore/ChangeLog                      | 14 ++++++
 .../accessibility/AccessibilityMenuList.cpp   | 12 +++--
 5 files changed, 93 insertions(+), 4 deletions(-)
 create mode 100644 LayoutTests/accessibility/menu-list-crash2-expected.txt
 create mode 100644 LayoutTests/accessibility/menu-list-crash2.html

diff --git a/LayoutTests/ChangeLog b/LayoutTests/ChangeLog
index 6adc772fb2c7..c1075fd4df3f 100644
--- a/LayoutTests/ChangeLog
+++ b/LayoutTests/ChangeLog
@@ -1,3 +1,13 @@
+2015-05-11  Chris Fleizach  <cfleizach@apple.com>
+
+        AX: Crash at WebCore::AccessibilityMenuList::addChildren()
+        https://bugs.webkit.org/show_bug.cgi?id=144860
+
+        Reviewed by Mario Sanchez Prada.
+
+        * accessibility/menu-list-crash2-expected.txt: Added.
+        * accessibility/menu-list-crash2.html: Added.
+
 2015-05-11  Marcos Chavarría Teijeiro  <chavarria1991@gmail.com>
 
         [GTK] Gardening 7th May.
diff --git a/LayoutTests/accessibility/menu-list-crash2-expected.txt b/LayoutTests/accessibility/menu-list-crash2-expected.txt
new file mode 100644
index 000000000000..4a4fc4404677
--- /dev/null
+++ b/LayoutTests/accessibility/menu-list-crash2-expected.txt
@@ -0,0 +1,13 @@
+TEST
+TEST
+This tests that there's no crash if we hide menu list and then try to access accessibility information.
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+Role before removal: AXRole: AXPopUpButton
+Role after removal: AXRole: 
+PASS successfullyParsed is true
+
+TEST COMPLETE
+
diff --git a/LayoutTests/accessibility/menu-list-crash2.html b/LayoutTests/accessibility/menu-list-crash2.html
new file mode 100644
index 000000000000..0a4cb0f216fc
--- /dev/null
+++ b/LayoutTests/accessibility/menu-list-crash2.html
@@ -0,0 +1,48 @@
+<html>
+<head>
+<script src="../resources/js-test-pre.js"></script>
+</head>
+<body>
+
+TEST
+<div id="content">
+
+<select id="menulist">
+  <option selected>One</option>
+  <option>Two</option>
+  <option>Three</option>
+</select>
+
+</div>
+TEST
+
+<p id="description"></p>
+<div id="console"></div>
+
+<script>
+
+function runTest() {
+    description("This tests that there's no crash if we hide menu list and then try to access accessibility information.");
+
+    if (window.accessibilityController) {
+        var menulist = document.getElementById("menulist");
+        menulist.focus();
+        menulist.selectedIndex = 1;
+
+        var accessibleMenulist = accessibilityController.focusedElement;
+        debug("Role before removal: " + accessibleMenulist.role);
+
+        menulist.style.display = "none";
+        gc();
+
+        // Don't crash!
+        debug("Role after removal: " + accessibleMenulist.role);
+    }
+}
+
+runTest();
+</script>
+
+</body>
+<script src="../resources/js-test-post.js"></script>
+</html>
diff --git a/Source/WebCore/ChangeLog b/Source/WebCore/ChangeLog
index 5a6f900b23be..cbe965669d6d 100644
--- a/Source/WebCore/ChangeLog
+++ b/Source/WebCore/ChangeLog
@@ -1,3 +1,17 @@
+2015-05-11  Chris Fleizach  <cfleizach@apple.com>
+
+        AX: Crash at WebCore::AccessibilityMenuList::addChildren()
+        https://bugs.webkit.org/show_bug.cgi?id=144860
+
+        Reviewed by Mario Sanchez Prada.
+
+        There were some unsafe pointer accesses in AccessibilityMenuList code that needed to be cleaned up.
+
+        Test: accessibility/menu-list-crash2.html
+
+        * accessibility/AccessibilityMenuList.cpp:
+        (WebCore::AccessibilityMenuList::addChildren):
+
 2015-05-11  Przemyslaw Szymanski  <p.szymanski3@samsung.com>
 
         [WebGL] Unnecessary condition check in the while loop
diff --git a/Source/WebCore/accessibility/AccessibilityMenuList.cpp b/Source/WebCore/accessibility/AccessibilityMenuList.cpp
index 147acf135ded..c0e5cf00ed58 100644
--- a/Source/WebCore/accessibility/AccessibilityMenuList.cpp
+++ b/Source/WebCore/accessibility/AccessibilityMenuList.cpp
@@ -58,10 +58,13 @@ bool AccessibilityMenuList::press()
 
 void AccessibilityMenuList::addChildren()
 {
-    m_haveChildren = true;
-
-    AXObjectCache* cache = m_renderer->document().axObjectCache();
-
+    if (!m_renderer)
+        return;
+    
+    AXObjectCache* cache = axObjectCache();
+    if (!cache)
+        return;
+    
     AccessibilityObject* list = cache->getOrCreate(MenuListPopupRole);
     if (!list)
         return;
@@ -72,6 +75,7 @@ void AccessibilityMenuList::addChildren()
         return;
     }
 
+    m_haveChildren = true;
     m_children.append(list);
 
     list->addChildren();
-- 
2.36.0