Changeset 171347 in webkit


Timestamp:
Jul 22, 2014 10:50:31 AM (10 years ago)
Author:
mmaxfield@apple.com
Message:

Source/WebCore: Clicking on links while accessibility is enabled sometimes crashes
https://bugs.webkit.org/show_bug.cgi?id=135074

Reviewed by Chris Fleizach.

When an accessibility request comes in from the system, we call updateBackingStore() on the
relevant AccessibilityObject, which triggers a relayout of the entire document. This relayout
might delete that accessibility node and its parent, which would cause the node to be deleted.
After the stack unwinds, we then call a member function on the node without checking for this
condition.

Test: accessibility/parent-delete.html

  • accessibility/AccessibilityObject.cpp:

(WebCore::AccessibilityObject::updateBackingStore): Retain the node for the duration of the
function.

LayoutTests: Clicking on links while accessibility is enabled does not render as expected
https://bugs.webkit.org/show_bug.cgi?id=135074

Reviewed by Chris Fleizach.

Delete a node and its parent, then call allAttributes() on the accessibility representation of
the deleted child and make sure there is no crash.

  • accessibility/parent-delete-expected.txt: Added
  • accessibility/parent-delete.html: Added
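The lifetime hazard the message describes, as an added example that is not part of this changeset: the toy `Node`, `RefPtr` and `Document` types below are constructed stand-ins for WebKit's RefCounted/RefPtr and document tree, and the two update functions show a relayout dropping the last reference to the object mid-call, once without and once with the stack protector the patch adds.

```cpp
#include <string>

// Constructed stand-ins for WebKit's RefCounted/RefPtr, just enough to show the hazard.
static int g_liveNodes = 0; // Nodes constructed but not yet destroyed

struct Node {
    int refCount = 0;
    std::string name;
    explicit Node(const std::string& n) : name(n) { ++g_liveNodes; }
    ~Node() { --g_liveNodes; }
    void ref() { ++refCount; }
    void deref() { if (--refCount == 0) delete this; }
};

struct RefPtr { // minimal intrusive smart pointer
    Node* p;
    explicit RefPtr(Node* n = nullptr) : p(n) { if (p) p->ref(); }
    RefPtr(const RefPtr& o) : p(o.p) { if (p) p->ref(); }
    RefPtr& operator=(const RefPtr&) = delete;
    ~RefPtr() { if (p) p->deref(); }
    void clear() { Node* old = p; p = nullptr; if (old) old->deref(); }
    Node* get() const { return p; }
};

// The document owns the node; a relayout rebuilds the tree and drops that reference.
struct Document {
    RefPtr root;
    explicit Document(Node* n) : root(n) {}
    void relayout() { root.clear(); }
};

// Before the fix: relayout frees the very object the method is running on. We only
// report the live count; dereferencing `self` here would be the use-after-free.
int updateBackingStoreUnprotected(Document& doc)
{
    Node* self = doc.root.get();
    doc.relayout();     // last reference dropped: `self` now dangles
    (void)self;
    return g_liveNodes; // 0
}

// After the fix: a stack RefPtr keeps `self` alive until the function returns.
std::size_t updateBackingStoreProtected(Document& doc)
{
    Node* self = doc.root.get();
    RefPtr protector(self);   // as in the patch: RefPtr<AccessibilityObject> protector(this);
    doc.relayout();           // the tree let go, but protector still holds one reference
    return self->name.size(); // safe; the Node is freed when protector goes out of scope
}
```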
Location:
trunk
Files:
2 added
3 edited

  • trunk/LayoutTests/ChangeLog

    r171344 r171347  
     12014-07-21  Myles C. Maxfield  <mmaxfield@apple.com>
     2
     3        Clicking on links while accessibility is enabled does not render as expected
     4        https://bugs.webkit.org/show_bug.cgi?id=135074
     5
     6        Reviewed by Chris Fleizach.
     7
     8        Delete a node and its parent, then call allAttributes() on the accessibility representation of
     9        the deleted child and make sure there is no crash.
     10
     11        * accessibility/parent-delete-expected.txt: Added
     12        * accessibility/parent-delete.html: Added
     13
    1142014-07-22  Alexey Proskuryakov  <ap@apple.com>
    215
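Review bot: the bug title in this LayoutTests ChangeLog entry reads "does not render as expected", while the description under it ("make sure there is no crash") and the Source/WebCore entry for the same bug ("sometimes crashes") describe a crash; align the title so both entries for https://bugs.webkit.org/show_bug.cgi?id=135074 agree.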
  • trunk/Source/WebCore/ChangeLog

    r171345 r171347  
     12014-07-21  Myles C. Maxfield  <mmaxfield@apple.com>
     2
     3        Clicking on links while accessibility is enabled sometimes crashes
     4        https://bugs.webkit.org/show_bug.cgi?id=135074
     5
     6        Reviewed by Chris Fleizach.
     7
     8        When an accessibility request comes in from the system, we call updateBackingStore() on the
     9        relevant AccessibilityObject, which triggers a relayout of the entire document. This relayout
     10        might delete that accessibility node and its parent, which would cause the node to be deleted.
     11        After the stack unwinds, we then call a member function on the node without checking for this
     12        condition.
     13
     14        Test: accessibility/parent-delete.html
     15
     16        * accessibility/AccessibilityObject.cpp:
     17        (WebCore::AccessibilityObject::updateBackingStore): Retain the node for the duration of the
     18        function.
     19
    1202014-07-22  Jeremy Jones  <jeremyj@apple.com>
    221
  • trunk/Source/WebCore/accessibility/AccessibilityObject.cpp

    r170661 r171347  
    14301430{
    14311431    // Updating the layout may delete this object.
     1432    RefPtr<AccessibilityObject> protector(this);
     1433
    14321434    if (Document* document = this->document()) {
    14331435        if (!document->view()->isInLayout())
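Review bot: the protector added at 1432 keeps `this` alive only until updateBackingStore() returns, but the commit message places the crash in a member function called on the node after the stack unwinds; confirm that the caller making that later call (the allAttributes() path exercised by accessibility/parent-delete.html) holds its own reference or re-validates the object, or extend the comment "Updating the layout may delete this object." to state that callers are expected to own a reference across this call. Note also that keeping the memory alive does not by itself make an object that layout removed from the tree valid to use afterwards.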