Changeset 140658 in webkit

Timestamp:

Jan 24, 2013 12:16:00 AM (11 years ago)

Author:

dmazzoni@google.com

Message:

AX: should init an AXObject only after AXObjectCache has added it
​https://bugs.webkit.org/show_bug.cgi?id=107533

Reviewed by Chris Fleizach.

Source/WebCore:

Initialize each AXObject after the AXObjectCache has
finished adding it to its hash maps, so that it's
impossible for initialization of an AXObject to result in
exploring the tree and creating another AXObject instance
that points to the same renderer / node.

Test: accessibility/duplicate-axrenderobject-crash.html

• accessibility/AXObjectCache.cpp:

(WebCore::AXObjectCache::getOrCreate):

• accessibility/AccessibilityARIAGrid.cpp:

(WebCore::AccessibilityARIAGrid::create):

• accessibility/AccessibilityARIAGridCell.cpp:

(WebCore::AccessibilityARIAGridCell::create):

• accessibility/AccessibilityARIAGridRow.cpp:

(WebCore::AccessibilityARIAGridRow::create):

• accessibility/AccessibilityList.cpp:

(WebCore::AccessibilityList::create):

• accessibility/AccessibilityListBox.cpp:

(WebCore::AccessibilityListBox::create):

• accessibility/AccessibilityMediaControls.cpp:

(WebCore::AccessibilityMediaControl::create):
(WebCore::AccessibilityMediaControlsContainer::create):
(WebCore::AccessibilityMediaTimeline::create):
(WebCore::AccessibilityMediaTimeDisplay::create):

• accessibility/AccessibilityMenuList.cpp:

(WebCore::AccessibilityMenuList::create):

• accessibility/AccessibilityNodeObject.cpp:

(WebCore::AccessibilityNodeObject::create):

• accessibility/AccessibilityObject.h:

(WebCore::AccessibilityObject::init):
(AccessibilityObject):

• accessibility/AccessibilityProgressIndicator.cpp:

(WebCore::AccessibilityProgressIndicator::create):

• accessibility/AccessibilityRenderObject.cpp:

(WebCore::AccessibilityRenderObject::create):
(WebCore::AccessibilityRenderObject::accessibilityIsIgnored):

assert that the object has been initialized

• accessibility/AccessibilitySVGRoot.cpp:

(WebCore::AccessibilitySVGRoot::create):

• accessibility/AccessibilitySlider.cpp:

(WebCore::AccessibilitySlider::create):

• accessibility/AccessibilityTable.cpp:

(WebCore::AccessibilityTable::create):

• accessibility/AccessibilityTableCell.cpp:

(WebCore::AccessibilityTableCell::create):

• accessibility/AccessibilityTableRow.cpp:

(WebCore::AccessibilityTableRow::create):

LayoutTests:

Adds a new test that demonstrates a crash if an AXObject
initializes itself before the AXObjectCache has added it to
the cache.

• accessibility/duplicate-axrenderobject-crash-expected.txt: Added.
• accessibility/duplicate-axrenderobject-crash.html: Added.

Location:

trunk

Files:

• LayoutTests/ChangeLog (modified) (1 diff)
• LayoutTests/accessibility/duplicate-axrenderobject-crash-expected.txt (added)
• LayoutTests/accessibility/duplicate-axrenderobject-crash.html (added)
• Source/WebCore/ChangeLog (modified) (1 diff)
• Source/WebCore/accessibility/AXObjectCache.cpp (modified) (4 diffs)
• Source/WebCore/accessibility/AccessibilityARIAGrid.cpp (modified) (1 diff)
• Source/WebCore/accessibility/AccessibilityARIAGridCell.cpp (modified) (1 diff)
• Source/WebCore/accessibility/AccessibilityARIAGridRow.cpp (modified) (1 diff)
• Source/WebCore/accessibility/AccessibilityList.cpp (modified) (1 diff)
• Source/WebCore/accessibility/AccessibilityListBox.cpp (modified) (1 diff)
• Source/WebCore/accessibility/AccessibilityMediaControls.cpp (modified) (4 diffs)
• Source/WebCore/accessibility/AccessibilityMenuList.cpp (modified) (1 diff)
• Source/WebCore/accessibility/AccessibilityNodeObject.cpp (modified) (4 diffs)
• Source/WebCore/accessibility/AccessibilityNodeObject.h (modified) (1 diff)
• Source/WebCore/accessibility/AccessibilityObject.h (modified) (2 diffs)
• Source/WebCore/accessibility/AccessibilityProgressIndicator.cpp (modified) (1 diff)
• Source/WebCore/accessibility/AccessibilityRenderObject.cpp (modified) (2 diffs)
• Source/WebCore/accessibility/AccessibilitySVGRoot.cpp (modified) (1 diff)
• Source/WebCore/accessibility/AccessibilitySlider.cpp (modified) (1 diff)
• Source/WebCore/accessibility/AccessibilityTable.cpp (modified) (1 diff)
• Source/WebCore/accessibility/AccessibilityTableCell.cpp (modified) (1 diff)
• Source/WebCore/accessibility/AccessibilityTableRow.cpp (modified) (1 diff)

trunk/LayoutTests/ChangeLog

@@ +1 @@
+2013-01-24  Dominic Mazzoni  <dmazzoni@google.com>
+
+        AX: should init an AXObject only after AXObjectCache has added it
+        https://bugs.webkit.org/show_bug.cgi?id=107533
+
+        Reviewed by Chris Fleizach.
+
+        Adds a new test that demonstrates a crash if an AXObject
+        initializes itself before the AXObjectCache has added it to
+        the cache.
+
+        * accessibility/duplicate-axrenderobject-crash-expected.txt: Added.
+        * accessibility/duplicate-axrenderobject-crash.html: Added.
+
 2013-01-23  Kentaro Hara  <haraken@chromium.org>
 

trunk/Source/WebCore/ChangeLog

@@ +1 @@
+2013-01-24  Dominic Mazzoni  <dmazzoni@google.com>
+
+        AX: should init an AXObject only after AXObjectCache has added it
+        https://bugs.webkit.org/show_bug.cgi?id=107533
+
+        Reviewed by Chris Fleizach.
+
+        Initialize each AXObject after the AXObjectCache has
+        finished adding it to its hash maps, so that it's
+        impossible for initialization of an AXObject to result in
+        exploring the tree and creating another AXObject instance
+        that points to the same renderer / node.
+
+        Test: accessibility/duplicate-axrenderobject-crash.html
+
+        * accessibility/AXObjectCache.cpp:
+        (WebCore::AXObjectCache::getOrCreate):
+        * accessibility/AccessibilityARIAGrid.cpp:
+        (WebCore::AccessibilityARIAGrid::create):
+        * accessibility/AccessibilityARIAGridCell.cpp:
+        (WebCore::AccessibilityARIAGridCell::create):
+        * accessibility/AccessibilityARIAGridRow.cpp:
+        (WebCore::AccessibilityARIAGridRow::create):
+        * accessibility/AccessibilityList.cpp:
+        (WebCore::AccessibilityList::create):
+        * accessibility/AccessibilityListBox.cpp:
+        (WebCore::AccessibilityListBox::create):
+        * accessibility/AccessibilityMediaControls.cpp:
+        (WebCore::AccessibilityMediaControl::create):
+        (WebCore::AccessibilityMediaControlsContainer::create):
+        (WebCore::AccessibilityMediaTimeline::create):
+        (WebCore::AccessibilityMediaTimeDisplay::create):
+        * accessibility/AccessibilityMenuList.cpp:
+        (WebCore::AccessibilityMenuList::create):
+        * accessibility/AccessibilityNodeObject.cpp:
+        (WebCore::AccessibilityNodeObject::create):
+        * accessibility/AccessibilityObject.h:
+        (WebCore::AccessibilityObject::init):
+        (AccessibilityObject):
+        * accessibility/AccessibilityProgressIndicator.cpp:
+        (WebCore::AccessibilityProgressIndicator::create):
+        * accessibility/AccessibilityRenderObject.cpp:
+        (WebCore::AccessibilityRenderObject::create):
+        (WebCore::AccessibilityRenderObject::accessibilityIsIgnored):
+            assert that the object has been initialized
+        * accessibility/AccessibilitySVGRoot.cpp:
+        (WebCore::AccessibilitySVGRoot::create):
+        * accessibility/AccessibilitySlider.cpp:
+        (WebCore::AccessibilitySlider::create):
+        * accessibility/AccessibilityTable.cpp:
+        (WebCore::AccessibilityTable::create):
+        * accessibility/AccessibilityTableCell.cpp:
+        (WebCore::AccessibilityTableCell::create):
+        * accessibility/AccessibilityTableRow.cpp:
+        (WebCore::AccessibilityTableRow::create):
+
 2013-01-23  Kentaro Hara  <haraken@chromium.org>
 

trunk/Source/WebCore/accessibility/AXObjectCache.cpp

@@ -315 +315 @@
     m_objects.set(newObj->axObjectID(), newObj);    
     attachWrapper(newObj.get());
+    newObj->init();
     return newObj.get();
 }
@@ -350 +351 @@
     attachWrapper(newObj.get());
 
+    newObj->init();
     newObj->setCachedIsIgnoredValue(newObj->accessibilityIsIgnored());
 
@@ -374 +376 @@
     attachWrapper(newObj.get());
 
+    newObj->init();
     newObj->setCachedIsIgnoredValue(newObj->accessibilityIsIgnored());
 
@@ -441 +444 @@
     m_objects.set(obj->axObjectID(), obj);    
     attachWrapper(obj.get());
+    obj->init();
     return obj.get();
 }

trunk/Source/WebCore/accessibility/AccessibilityARIAGrid.cpp

@@ -62 +62 @@
 PassRefPtr<AccessibilityARIAGrid> AccessibilityARIAGrid::create(RenderObject* renderer)
 {
-    AccessibilityARIAGrid* obj = new AccessibilityARIAGrid(renderer);
-    obj->init();
-    return adoptRef(obj);
+    return adoptRef(new AccessibilityARIAGrid(renderer));
 }
 

trunk/Source/WebCore/accessibility/AccessibilityARIAGridCell.cpp

@@ -49 +49 @@
 PassRefPtr<AccessibilityARIAGridCell> AccessibilityARIAGridCell::create(RenderObject* renderer)
 {
-    AccessibilityARIAGridCell* obj = new AccessibilityARIAGridCell(renderer);
-    obj->init();
-    return adoptRef(obj);
+    return adoptRef(new AccessibilityARIAGridCell(renderer));
 }
 

trunk/Source/WebCore/accessibility/AccessibilityARIAGridRow.cpp

@@ -49 +49 @@
 PassRefPtr<AccessibilityARIAGridRow> AccessibilityARIAGridRow::create(RenderObject* renderer)
 {
-    AccessibilityARIAGridRow* obj = new AccessibilityARIAGridRow(renderer);
-    obj->init();
-    return adoptRef(obj);
+    return adoptRef(new AccessibilityARIAGridRow(renderer));
 }
 

trunk/Source/WebCore/accessibility/AccessibilityList.cpp

@@ -51 +51 @@
 PassRefPtr<AccessibilityList> AccessibilityList::create(RenderObject* renderer)
 {
-    AccessibilityList* obj = new AccessibilityList(renderer);
-    obj->init();
-    return adoptRef(obj);
+    return adoptRef(new AccessibilityList(renderer));
 }
 

trunk/Source/WebCore/accessibility/AccessibilityListBox.cpp

@@ -55 +55 @@
 PassRefPtr<AccessibilityListBox> AccessibilityListBox::create(RenderObject* renderer)
 {
-    AccessibilityListBox* obj = new AccessibilityListBox(renderer);
-    obj->init();
-    return adoptRef(obj);
+    return adoptRef(new AccessibilityListBox(renderer));
 }
     

trunk/Source/WebCore/accessibility/AccessibilityMediaControls.cpp

@@ -68 +68 @@
         return AccessibilityMediaControlsContainer::create(renderer);
 
-    default: {
-        AccessibilityMediaControl* obj = new AccessibilityMediaControl(renderer);
-        obj->init();
-        return adoptRef(obj);
-        }
+    default:
+        return adoptRef(new AccessibilityMediaControl(renderer));
     }
 }
@@ -227 +224 @@
 PassRefPtr<AccessibilityObject> AccessibilityMediaControlsContainer::create(RenderObject* renderer)
 {
-    AccessibilityMediaControlsContainer* obj = new AccessibilityMediaControlsContainer(renderer);
-    obj->init();
-    return adoptRef(obj);
+    return adoptRef(new AccessibilityMediaControlsContainer(renderer));
 }
 
@@ -273 +268 @@
 PassRefPtr<AccessibilityObject> AccessibilityMediaTimeline::create(RenderObject* renderer)
 {
-    AccessibilityMediaTimeline* obj = new AccessibilityMediaTimeline(renderer);
-    obj->init();
-    return adoptRef(obj);
+    return adoptRef(new AccessibilityMediaTimeline(renderer));
 }
 
@@ -305 +298 @@
 PassRefPtr<AccessibilityObject> AccessibilityMediaTimeDisplay::create(RenderObject* renderer)
 {
-    AccessibilityMediaTimeDisplay* obj = new AccessibilityMediaTimeDisplay(renderer);
-    obj->init();
-    return adoptRef(obj);
+    return adoptRef(new AccessibilityMediaTimeDisplay(renderer));
 }
 

trunk/Source/WebCore/accessibility/AccessibilityMenuList.cpp

@@ -40 +40 @@
 PassRefPtr<AccessibilityMenuList> AccessibilityMenuList::create(RenderMenuList* renderer)
 {
-    AccessibilityMenuList* obj = new AccessibilityMenuList(renderer);
-    obj->init();
-    return adoptRef(obj);
+    return adoptRef(new AccessibilityMenuList(renderer));
 }
 

trunk/Source/WebCore/accessibility/AccessibilityNodeObject.cpp

@@ -90 +90 @@
     , m_roleForMSAA(UnknownRole)
     , m_node(node)
+#ifndef NDEBUG
+    , m_initialized(false)
+#endif
 {
 }
@@ -100 +103 @@
 void AccessibilityNodeObject::init()
 {
+#ifndef NDEBUG
+    ASSERT(!m_initialized);
+    m_initialized = true;
+#endif
     m_role = determineAccessibilityRole();
 }
@@ -105 +112 @@
 PassRefPtr<AccessibilityNodeObject> AccessibilityNodeObject::create(Node* node)
 {
-    AccessibilityNodeObject* obj = new AccessibilityNodeObject(node);
-    obj->init();
-    return adoptRef(obj);
+    return adoptRef(new AccessibilityNodeObject(node));
 }
 
@@ -387 +392 @@
 bool AccessibilityNodeObject::accessibilityIsIgnored() const
 {
+#ifndef NDEBUG
+    // Double-check that an AccessibilityObject is never accessed before
+    // it's been initialized.
+    ASSERT(m_initialized);
+#endif
+
     // If this element is within a parent that cannot have children, it should not be exposed.
     if (isDescendantOfBarrenParent())

trunk/Source/WebCore/accessibility/AccessibilityNodeObject.h

@@ -154 +154 @@
     bool m_childrenDirty;
     mutable AccessibilityRole m_roleForMSAA;
+#ifndef NDEBUG
+    bool m_initialized;
+#endif
 
     virtual bool isDetached() const { return !m_node; }

trunk/Source/WebCore/accessibility/AccessibilityObject.h

@@ -356 +356 @@
 public:
     virtual ~AccessibilityObject();
+
+    // After constructing an AccessibilityObject, it must be given a
+    // unique ID, then added to AXObjectCache, and finally init() must
+    // be called last.
+    void setAXObjectID(AXID axObjectID) { m_id = axObjectID; }
+    virtual void init() { }
+
+    // When the corresponding WebCore object that this AccessibilityObject
+    // wraps is deleted, it must be detached.
     virtual void detach();
     virtual bool isDetached() const;
@@ -570 +579 @@
     virtual AXObjectCache* axObjectCache() const;
     AXID axObjectID() const { return m_id; }
-    void setAXObjectID(AXID axObjectID) { m_id = axObjectID; }
     
     static AccessibilityObject* anchorElementForNode(Node*);

trunk/Source/WebCore/accessibility/AccessibilityProgressIndicator.cpp

@@ -40 +40 @@
 PassRefPtr<AccessibilityProgressIndicator> AccessibilityProgressIndicator::create(RenderProgress* renderer)
 {
-    AccessibilityProgressIndicator* obj = new AccessibilityProgressIndicator(renderer);
-    obj->init();
-    return adoptRef(obj);
+    return adoptRef(new AccessibilityProgressIndicator(renderer));
 }
 

trunk/Source/WebCore/accessibility/AccessibilityRenderObject.cpp

@@ -124 +124 @@
 PassRefPtr<AccessibilityRenderObject> AccessibilityRenderObject::create(RenderObject* renderer)
 {
-    AccessibilityRenderObject* obj = new AccessibilityRenderObject(renderer);
-    obj->init();
-    return adoptRef(obj);
+    return adoptRef(new AccessibilityRenderObject(renderer));
 }
 
@@ -1127 +1125 @@
 bool AccessibilityRenderObject::accessibilityIsIgnored() const
 {
+#ifndef NDEBUG
+    ASSERT(m_initialized);
+#endif
+
     // Check first if any of the common reasons cause this element to be ignored.
     // Then process other use cases that need to be applied to all the various roles

trunk/Source/WebCore/accessibility/AccessibilitySVGRoot.cpp

@@ -46 +46 @@
 PassRefPtr<AccessibilitySVGRoot> AccessibilitySVGRoot::create(RenderObject* renderer)
 {
-    AccessibilitySVGRoot* obj = new AccessibilitySVGRoot(renderer);
-    obj->init();
-    return adoptRef(obj);
+    return adoptRef(new AccessibilitySVGRoot(renderer));
 }
     

trunk/Source/WebCore/accessibility/AccessibilitySlider.cpp

@@ -48 +48 @@
 PassRefPtr<AccessibilitySlider> AccessibilitySlider::create(RenderObject* renderer)
 {
-    AccessibilitySlider* obj = new AccessibilitySlider(renderer);
-    obj->init();
-    return adoptRef(obj);
+    return adoptRef(new AccessibilitySlider(renderer));
 }
 

trunk/Source/WebCore/accessibility/AccessibilityTable.cpp

@@ -70 +70 @@
 PassRefPtr<AccessibilityTable> AccessibilityTable::create(RenderObject* renderer)
 {
-    AccessibilityTable* obj = new AccessibilityTable(renderer);
-    obj->init();
-    return adoptRef(obj);
+    return adoptRef(new AccessibilityTable(renderer));
 }
 

trunk/Source/WebCore/accessibility/AccessibilityTableCell.cpp

@@ -52 +52 @@
 PassRefPtr<AccessibilityTableCell> AccessibilityTableCell::create(RenderObject* renderer)
 {
-    AccessibilityTableCell* obj = new AccessibilityTableCell(renderer);
-    obj->init();
-    return adoptRef(obj);
+    return adoptRef(new AccessibilityTableCell(renderer));
 }
 

trunk/Source/WebCore/accessibility/AccessibilityTableRow.cpp

@@ -55 +55 @@
 PassRefPtr<AccessibilityTableRow> AccessibilityTableRow::create(RenderObject* renderer)
 {
-    AccessibilityTableRow* obj = new AccessibilityTableRow(renderer);
-    obj->init();
-    return adoptRef(obj);
+    return adoptRef(new AccessibilityTableRow(renderer));
 }