Changeset 163586 in webkit
- Timestamp:
- Feb 6, 2014 5:29:33 PM (10 years ago)
- Location:
- trunk/Source/WebCore
- Files:
-
- 5 edited
trunk/Source/WebCore/ChangeLog
r163585 r163586 1 2014-02-06 Chris Fleizach <cfleizach@apple.com> 2 3 AX: Crash in WebCore::AXObjectCache::computedObjectAttributeCache 4 https://bugs.webkit.org/show_bug.cgi?id=128310 5 6 Reviewed by Alexey Proskuryakov. 7 8 Be more careful about using axObjectCache() directly since it can return null. 9 I audited the usage cases of this method and ensured the ptr was not null in cases 10 where I thought we might get hit by this. 11 12 * accessibility/AccessibilityNodeObject.cpp: 13 (WebCore::AccessibilityNodeObject::parentObject): 14 (WebCore::AccessibilityNodeObject::menuForMenuButton): 15 (WebCore::AccessibilityNodeObject::menuButtonForMenu): 16 * accessibility/AccessibilityObject.cpp: 17 (WebCore::AccessibilityObject::firstAccessibleObjectFromNode): 18 (WebCore::AccessibilityObject::findMatchingObjects): 19 (WebCore::AccessibilityObject::elementAccessibilityHitTest): 20 (WebCore::AccessibilityObject::axObjectCache): 21 (WebCore::AccessibilityObject::notifyIfIgnoredValueChanged): 22 (WebCore::AccessibilityObject::accessibilityIsIgnored): 23 * accessibility/AccessibilityRenderObject.cpp: 24 (WebCore::AccessibilityRenderObject::parentObjectIfExists): 25 (WebCore::AccessibilityRenderObject::parentObject): 26 (WebCore::AccessibilityRenderObject::anchorElement): 27 (WebCore::AccessibilityRenderObject::isTabItemSelected): 28 (WebCore::AccessibilityRenderObject::accessibilityParentForImageMap): 29 (WebCore::AccessibilityRenderObject::nodeIsTextControl): 30 (WebCore::AccessibilityRenderObject::activeDescendant): 31 (WebCore::AccessibilityRenderObject::handleAriaExpandedChanged): 32 (WebCore::AccessibilityRenderObject::observableObject): 33 (WebCore::AccessibilityRenderObject::textChanged): 34 * accessibility/AccessibilityScrollView.cpp: 35 (WebCore::AccessibilityScrollView::addChildScrollbar): 36 (WebCore::AccessibilityScrollView::webAreaObject): 37 (WebCore::AccessibilityScrollView::parentObject): 38 (WebCore::AccessibilityScrollView::parentObjectIfExists): 39 1 40 
2014-02-06 Zoltan Horvath <zoltan@webkit.org> 2 41 -
trunk/Source/WebCore/accessibility/AccessibilityNodeObject.cpp
r163440 r163586 229 229 230 230 Node* parentObj = node()->parentNode(); 231 if (parentObj) 232 return axObjectCache()->getOrCreate(parentObj); 231 if (!parentObj) 232 return nullptr; 233 234 if (AXObjectCache* cache = axObjectCache()) 235 return cache->getOrCreate(parentObj); 233 236 234 237 return 0; … … 1205 1208 AccessibilityObject* AccessibilityNodeObject::menuForMenuButton() const 1206 1209 { 1207 return axObjectCache()->getOrCreate(menuElementForMenuButton()); 1210 if (AXObjectCache* cache = axObjectCache()) 1211 return cache->getOrCreate(menuElementForMenuButton()); 1212 return nullptr; 1208 1213 } 1209 1214 … … 1218 1223 AccessibilityObject* AccessibilityNodeObject::menuButtonForMenu() const 1219 1224 { 1225 AXObjectCache* cache = axObjectCache(); 1226 if (!cache) 1227 return nullptr; 1228 1220 1229 Element* menuItem = menuItemElementForMenu(); 1221 1230 1222 1231 if (menuItem) { 1223 1232 // ARIA just has generic menu items. AppKit needs to know if this is a top level items like MenuBarButton or MenuBarItem 1224 AccessibilityObject* menuItemAX = axObjectCache()->getOrCreate(menuItem);1233 AccessibilityObject* menuItemAX = cache->getOrCreate(menuItem); 1225 1234 if (menuItemAX && menuItemAX->isMenuButton()) 1226 1235 return menuItemAX; -
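Review bot: In `AccessibilityNodeObject::parentObject` the new early exit is `return nullptr;` while the fall-through at the end of the function is still `return 0;`, so one function now spells a null result two ways. Changing the final statement to `return nullptr;` would match the rest of this changeset, which makes the same conversion in `AccessibilityObject::axObjectCache`. The same mix is left behind in `AccessibilityRenderObject::parentObject` and in the `AccessibilityScrollView` hunks that add a cache guard above an existing `return 0;`. The start of `parentObject` lies outside this hunk.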
trunk/Source/WebCore/accessibility/AccessibilityObject.cpp
r163014 r163586 378 378 379 379 AXObjectCache* cache = node->document().axObjectCache(); 380 380 if (!cache) 381 return nullptr; 382 381 383 AccessibilityObject* accessibleObject = cache->getOrCreate(node->renderer()); 382 384 while (accessibleObject && accessibleObject->accessibilityIsIgnored()) { … … 464 466 return; 465 467 466 axObjectCache()->startCachingComputedObjectAttributesUntilTreeMutates(); 468 if (AXObjectCache* cache = axObjectCache()) 469 cache->startCachingComputedObjectAttributesUntilTreeMutates(); 467 470 468 471 // This search mechanism only searches the elements before/after the starting object. … … 1661 1664 Widget* widget = widgetForAttachmentView(); 1662 1665 // Normalize the point for the widget's bounds. 1663 if (widget && widget->isFrameView()) 1664 return axObjectCache()->getOrCreate(widget)->accessibilityHitTest(IntPoint(point - widget->frameRect().location())); 1666 if (widget && widget->isFrameView()) { 1667 if (AXObjectCache* cache = axObjectCache()) 1668 return cache->getOrCreate(widget)->accessibilityHitTest(IntPoint(point - widget->frameRect().location())); 1669 } 1665 1670 } 1666 1671 … … 1679 1684 if (doc) 1680 1685 return doc->axObjectCache(); 1681 return 0;1686 return nullptr; 1682 1687 } 1683 1688 … … 2018 2023 bool isIgnored = accessibilityIsIgnored(); 2019 2024 if (lastKnownIsIgnoredValue() != isIgnored) { 2020 axObjectCache()->childrenChanged(parentObject()); 2025 if (AXObjectCache* cache = axObjectCache()) 2026 cache->childrenChanged(parentObject()); 2021 2027 setLastKnownIsIgnoredValue(isIgnored); 2022 2028 } … … 2103 2109 bool AccessibilityObject::accessibilityIsIgnored() const 2104 2110 { 2105 AXComputedObjectAttributeCache* attributeCache = axObjectCache()->computedObjectAttributeCache(); 2111 AXComputedObjectAttributeCache* attributeCache = nullptr; 2112 if (AXObjectCache* cache = axObjectCache()) 2113 attributeCache = cache->computedObjectAttributeCache(); 2114 2106 2115 if (attributeCache) { 2107 2116 
AccessibilityObjectInclusion ignored = attributeCache->getIgnored(axObjectID()); -
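Review bot: In `elementAccessibilityHitTest` the result of `cache->getOrCreate(widget)` is still dereferenced directly, so the new guard covers a null cache but not a null object. The hunk does not show whether `getOrCreate` can return null for a widget, but other call sites in this changeset (`menuButtonForMenu`, `nodeIsTextControl`, `activeDescendant`) test its result before use. Binding the result first would close the gap: `if (AccessibilityObject* widgetObject = cache->getOrCreate(widget))` followed by `return widgetObject->accessibilityHitTest(IntPoint(point - widget->frameRect().location()));`. `AccessibilityScrollView::addChildScrollbar` has the same shape, where `scrollBarObject->setParent(this)` runs on the unchecked `getOrCreate(scrollbar)` result. The function body extends outside the hunk.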
trunk/Source/WebCore/accessibility/AccessibilityRenderObject.cpp
r163440 r163586 477 477 AccessibilityObject* AccessibilityRenderObject::parentObjectIfExists() const 478 478 { 479 AXObjectCache* cache = axObjectCache(); 480 if (!cache) 481 return nullptr; 482 479 483 // WebArea's parent should be the scroll view containing it. 480 484 if (isWebArea()) 481 return axObjectCache()->get(&m_renderer->view().frameView());482 483 return axObjectCache()->get(renderParentObject());485 return cache->get(&m_renderer->view().frameView()); 486 487 return cache->get(renderParentObject()); 484 488 } 485 489 … … 499 503 } 500 504 505 AXObjectCache* cache = axObjectCache(); 506 if (!cache) 507 return nullptr; 508 501 509 RenderObject* parentObj = renderParentObject(); 502 510 if (parentObj) 503 return axObjectCache()->getOrCreate(parentObj);511 return cache->getOrCreate(parentObj); 504 512 505 513 // WebArea's parent should be the scroll view containing it. 506 514 if (isWebArea()) 507 return axObjectCache()->getOrCreate(&m_renderer->view().frameView());515 return cache->getOrCreate(&m_renderer->view().frameView()); 508 516 509 517 return 0; … … 563 571 564 572 AXObjectCache* cache = axObjectCache(); 573 if (!cache) 574 return nullptr; 575 565 576 RenderObject* currRenderer; 566 577 … … 1588 1599 elementsFromAttribute(elements, aria_controlsAttr); 1589 1600 1601 AXObjectCache* cache = axObjectCache(); 1602 if (!cache) 1603 return false; 1604 1590 1605 for (const auto& element : elements) { 1591 AccessibilityObject* tabPanel = axObjectCache()->getOrCreate(element);1606 AccessibilityObject* tabPanel = cache->getOrCreate(element); 1592 1607 1593 1608 // A tab item should only control tab panels. 
… … 1732 1747 return 0; 1733 1748 1734 return axObjectCache()->getOrCreate(imageElement); 1749 if (AXObjectCache* cache = axObjectCache()) 1750 return cache->getOrCreate(imageElement); 1751 1752 return nullptr; 1735 1753 } 1736 1754 … … 1903 1921 return false; 1904 1922 1905 const AccessibilityObject* axObjectForNode = axObjectCache()->getOrCreate(const_cast<Node*>(node)); 1906 if (!axObjectForNode) 1907 return false; 1908 1909 return axObjectForNode->isTextControl(); 1923 if (AXObjectCache* cache = axObjectCache()) { 1924 if (AccessibilityObject* axObjectForNode = cache->getOrCreate(const_cast<Node*>(node))) 1925 return axObjectForNode->isTextControl(); 1926 } 1927 1928 return false; 1910 1929 } 1911 1930 … … 2277 2296 return 0; 2278 2297 2279 AccessibilityObject* obj = axObjectCache()->getOrCreate(target); 2280 if (obj && obj->isAccessibilityRenderObject()) 2281 // an activedescendant is only useful if it has a renderer, because that's what's needed to post the notification 2282 return obj; 2298 if (AXObjectCache* cache = axObjectCache()) { 2299 AccessibilityObject* obj = cache->getOrCreate(target); 2300 if (obj && obj->isAccessibilityRenderObject()) 2301 // an activedescendant is only useful if it has a renderer, because that's what's needed to post the notification 2302 return obj; 2303 } 2304 2283 2305 return 0; 2284 2306 } … … 2310 2332 2311 2333 // Post that the row count changed. 2334 AXObjectCache* cache = axObjectCache(); 2335 if (!cache) 2336 return; 2337 2312 2338 if (containerParent) 2313 axObjectCache()->postNotification(containerParent, document(), AXObjectCache::AXRowCountChanged);2339 cache->postNotification(containerParent, document(), AXObjectCache::AXRowCountChanged); 2314 2340 2315 2341 // Post that the specific row either collapsed or expanded. 2316 2342 if (roleValue() == RowRole || roleValue() == TreeItemRole) 2317 axObjectCache()->postNotification(this, document(), isExpanded() ? 
AXObjectCache::AXRowExpanded : AXObjectCache::AXRowCollapsed);2343 cache->postNotification(this, document(), isExpanded() ? AXObjectCache::AXRowExpanded : AXObjectCache::AXRowCollapsed); 2318 2344 } 2319 2345 … … 2389 2415 // Find the object going up the parent chain that is used in accessibility to monitor certain notifications. 2390 2416 for (RenderObject* renderer = m_renderer; renderer && renderer->node(); renderer = renderer->parent()) { 2391 if (renderObjectIsObservable(renderer)) 2392 return axObjectCache()->getOrCreate(renderer); 2417 if (renderObjectIsObservable(renderer)) { 2418 if (AXObjectCache* cache = axObjectCache()) 2419 return cache->getOrCreate(renderer); 2420 } 2393 2421 } 2394 2422 … … 2715 2743 // then notify the AT of changes. 2716 2744 AXObjectCache* cache = axObjectCache(); 2745 if (!cache) 2746 return; 2747 2717 2748 for (RenderObject* renderParent = m_renderer; renderParent; renderParent = renderParent->parent()) { 2718 2749 AccessibilityObject* parent = cache->get(renderParent); -
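Review bot: In `nodeIsTextControl` the rewritten lookup drops the `const` that the old local carried: `const AccessibilityObject* axObjectForNode` became `AccessibilityObject* axObjectForNode`. Only `isTextControl()` is called on it, and the old code called that through a const pointer, so `if (const AccessibilityObject* axObjectForNode = cache->getOrCreate(const_cast<Node*>(node)))` keeps the read-only intent. The function begins outside the hunk.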
trunk/Source/WebCore/accessibility/AccessibilityScrollView.cpp
r160778 r163586 150 150 return 0; 151 151 152 AccessibilityScrollbar* scrollBarObject = toAccessibilityScrollbar(axObjectCache()->getOrCreate(scrollbar)); 152 AXObjectCache* cache = axObjectCache(); 153 if (!cache) 154 return nullptr; 155 156 AccessibilityScrollbar* scrollBarObject = toAccessibilityScrollbar(cache->getOrCreate(scrollbar)); 153 157 scrollBarObject->setParent(this); 154 158 m_children.append(scrollBarObject); … … 193 197 return 0; 194 198 195 return axObjectCache()->getOrCreate(doc); 199 if (AXObjectCache* cache = axObjectCache()) 200 return cache->getOrCreate(doc); 201 202 return nullptr; 196 203 } 197 204 … … 230 237 if (!m_scrollView || !m_scrollView->isFrameView()) 231 238 return 0; 232 239 240 AXObjectCache* cache = axObjectCache(); 241 if (!cache) 242 return nullptr; 243 233 244 HTMLFrameOwnerElement* owner = toFrameView(m_scrollView)->frame().ownerElement(); 234 245 if (owner && owner->renderer()) 235 return axObjectCache()->getOrCreate(owner);246 return cache->getOrCreate(owner); 236 247 237 248 return 0; … … 243 254 return 0; 244 255 256 AXObjectCache* cache = axObjectCache(); 257 if (!cache) 258 return nullptr; 259 245 260 HTMLFrameOwnerElement* owner = toFrameView(m_scrollView)->frame().ownerElement(); 246 261 if (owner && owner->renderer()) 247 return axObjectCache()->get(owner);262 return cache->get(owner); 248 263 249 264 return 0;