[webkit-changes] [131771] branches/chromium/1271

Thu, 18 Oct 2012 10:18:54 -0700

Title: [131771] branches/chromium/1271
Revision
131771
Author
infe...@chromium.org
Date
2012-10-18 10:20:11 -0700 (Thu, 18 Oct 2012)

Log Message

Merge 130266 - AX: Heap-use-after-free when deleting a ContainerNode with an AX object
BUG=129158
Review URL: https://codereview.chromium.org/11196044


Modified Paths




Added Paths

Diff

Copied: branches/chromium/1271/LayoutTests/accessibility/container-node-delete-causes-crash-expected.txt (from rev 130266, trunk/LayoutTests/accessibility/container-node-delete-causes-crash-expected.txt) (0 => 131771)


--- branches/chromium/1271/LayoutTests/accessibility/container-node-delete-causes-crash-expected.txt	                        (rev 0)
+++ branches/chromium/1271/LayoutTests/accessibility/container-node-delete-causes-crash-expected.txt	2012-10-18 17:20:11 UTC (rev 131771)
@@ -0,0 +1,10 @@
+Checks to make sure a heap-use-after-free crash doesn't occur when a container node with an associated accessibility object is deleted from the tree. The heap-use-after free was occuring when the AccessibilityObject corresponding to the child of the text node walked up its parent chain in AccessibilityObject::supportsARIALiveRegion but its parent was already deleted.
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+PASS successfullyParsed is true
+
+TEST COMPLETE
+Text
+

Copied: branches/chromium/1271/LayoutTests/accessibility/container-node-delete-causes-crash.html (from rev 130266, trunk/LayoutTests/accessibility/container-node-delete-causes-crash.html) (0 => 131771)


--- branches/chromium/1271/LayoutTests/accessibility/container-node-delete-causes-crash.html	                        (rev 0)
+++ branches/chromium/1271/LayoutTests/accessibility/container-node-delete-causes-crash.html	2012-10-18 17:20:11 UTC (rev 131771)
@@ -0,0 +1,28 @@
+<!DOCTYPE HTML>
+<html>
+<body>
+<script src=""
+
+<div id="console"></div>
+
+<svg xmlns:xlink="http://www.w3.org/1999/xlink">
+  <text id="a">Text</text>
+  <use xlink:href=""
+</svg>
+
+<script>
+description("Checks to make sure a heap-use-after-free crash doesn't occur when a container node with an associated accessibility object is deleted from the tree. The heap-use-after free was occuring when the AccessibilityObject corresponding to the child of the text node walked up its parent chain in AccessibilityObject::supportsARIALiveRegion but its parent was already deleted.");
+
+// This creates an accessibility object for every node in the tree.
+if (window.accessibilityController)
+    accessibilityController.accessibleElementById("foo");
+
+// An SVG "use" element is like a clone, so the "use" element contains a
+// clone of the "text" element. This statement clears the reference, which
+// causes the cloned "text" element to be destroyed.
+document.getElementsByTagName('use')[0].setAttribute('xlink:href', '');
+</script>
+
+<script src=""
+</body>
+</html>

Modified: branches/chromium/1271/Source/WebCore/dom/ContainerNode.cpp (131770 => 131771)


--- branches/chromium/1271/Source/WebCore/dom/ContainerNode.cpp	2012-10-18 17:18:08 UTC (rev 131770)
+++ branches/chromium/1271/Source/WebCore/dom/ContainerNode.cpp	2012-10-18 17:20:11 UTC (rev 131771)
@@ -23,6 +23,7 @@
 #include "config.h"
 #include "ContainerNode.h"
 
+#include "AXObjectCache.h"
 #include "ChildListMutationScope.h"
 #include "ContainerNodeAlgorithms.h"
 #include "DeleteButtonController.h"
@@ -115,6 +116,9 @@
 
 ContainerNode::~ContainerNode()
 {
+    if (AXObjectCache::accessibilityEnabled() && documentInternal() && documentInternal()->axObjectCacheExists())
+        documentInternal()->axObjectCache()->remove(this);
+
     removeAllChildren();
 }

Modified: branches/chromium/1271/Source/WebCore/dom/Node.cpp (131770 => 131771)


--- branches/chromium/1271/Source/WebCore/dom/Node.cpp	2012-10-18 17:18:08 UTC (rev 131770)
+++ branches/chromium/1271/Source/WebCore/dom/Node.cpp	2012-10-18 17:20:11 UTC (rev 131771)
@@ -414,7 +414,7 @@
         detach();
 
     Document* doc = m_document;
-    if (AXObjectCache::accessibilityEnabled() && doc && doc->axObjectCacheExists())
+    if (AXObjectCache::accessibilityEnabled() && doc && doc->axObjectCacheExists() && !isContainerNode())
         doc->axObjectCache()->remove(this);
     
     if (m_previous)

Modified: branches/chromium/1271/Source/WebCore/dom/Node.h (131770 => 131771)


--- branches/chromium/1271/Source/WebCore/dom/Node.h	2012-10-18 17:18:08 UTC (rev 131770)
+++ branches/chromium/1271/Source/WebCore/dom/Node.h	2012-10-18 17:20:11 UTC (rev 131771)
@@ -426,8 +426,8 @@
         ASSERT(this);
         // FIXME: below ASSERT is useful, but prevents the use of document() in the constructor or destructor
         // due to the virtual function call to nodeType().
-        ASSERT(m_document || (nodeType() == DOCUMENT_TYPE_NODE && !inDocument()));
-        return m_document;
+        ASSERT(documentInternal() || (nodeType() == DOCUMENT_TYPE_NODE && !inDocument()));
+        return documentInternal();
     }
 
     TreeScope* treeScope() const;
@@ -749,6 +749,8 @@
 
     void setHasCustomCallbacks() { setFlag(true, HasCustomCallbacksFlag); }
 
+    Document* documentInternal() const { return m_document; }
+
 private:
     friend class TreeShared<Node, ContainerNode>;
 

_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
http://lists.webkit.org/mailman/listinfo/webkit-changes

Reply via email to