- Revision
- 163586
- Author
- [email protected]
- Date
- 2014-02-06 17:29:33 -0800 (Thu, 06 Feb 2014)
Log Message
AX: Crash in WebCore::AXObjectCache::computedObjectAttributeCache
https://bugs.webkit.org/show_bug.cgi?id=128310
Reviewed by Alexey Proskuryakov.
Be more careful about using axObjectCache() directly since it can return null.
I audited the usage cases of this method and ensured the ptr was not null in cases
where I thought we might get hit by this.
* accessibility/AccessibilityNodeObject.cpp:
(WebCore::AccessibilityNodeObject::parentObject):
(WebCore::AccessibilityNodeObject::menuForMenuButton):
(WebCore::AccessibilityNodeObject::menuButtonForMenu):
* accessibility/AccessibilityObject.cpp:
(WebCore::AccessibilityObject::firstAccessibleObjectFromNode):
(WebCore::AccessibilityObject::findMatchingObjects):
(WebCore::AccessibilityObject::elementAccessibilityHitTest):
(WebCore::AccessibilityObject::axObjectCache):
(WebCore::AccessibilityObject::notifyIfIgnoredValueChanged):
(WebCore::AccessibilityObject::accessibilityIsIgnored):
* accessibility/AccessibilityRenderObject.cpp:
(WebCore::AccessibilityRenderObject::parentObjectIfExists):
(WebCore::AccessibilityRenderObject::parentObject):
(WebCore::AccessibilityRenderObject::anchorElement):
(WebCore::AccessibilityRenderObject::isTabItemSelected):
(WebCore::AccessibilityRenderObject::accessibilityParentForImageMap):
(WebCore::AccessibilityRenderObject::nodeIsTextControl):
(WebCore::AccessibilityRenderObject::activeDescendant):
(WebCore::AccessibilityRenderObject::handleAriaExpandedChanged):
(WebCore::AccessibilityRenderObject::observableObject):
(WebCore::AccessibilityRenderObject::textChanged):
* accessibility/AccessibilityScrollView.cpp:
(WebCore::AccessibilityScrollView::addChildScrollbar):
(WebCore::AccessibilityScrollView::webAreaObject):
(WebCore::AccessibilityScrollView::parentObject):
(WebCore::AccessibilityScrollView::parentObjectIfExists):
Modified Paths
Diff
Modified: trunk/Source/WebCore/ChangeLog (163585 => 163586)
--- trunk/Source/WebCore/ChangeLog 2014-02-07 01:21:07 UTC (rev 163585)
+++ trunk/Source/WebCore/ChangeLog 2014-02-07 01:29:33 UTC (rev 163586)
@@ -1,3 +1,42 @@
+2014-02-06 Chris Fleizach <[email protected]>
+
+ AX: Crash in WebCore::AXObjectCache::computedObjectAttributeCache
+ https://bugs.webkit.org/show_bug.cgi?id=128310
+
+ Reviewed by Alexey Proskuryakov.
+
+ Be more careful about using axObjectCache() directly since it can return null.
+ I audited the usage cases of this method and ensured the ptr was not null in cases
+ where I thought we might get hit by this.
+
+ * accessibility/AccessibilityNodeObject.cpp:
+ (WebCore::AccessibilityNodeObject::parentObject):
+ (WebCore::AccessibilityNodeObject::menuForMenuButton):
+ (WebCore::AccessibilityNodeObject::menuButtonForMenu):
+ * accessibility/AccessibilityObject.cpp:
+ (WebCore::AccessibilityObject::firstAccessibleObjectFromNode):
+ (WebCore::AccessibilityObject::findMatchingObjects):
+ (WebCore::AccessibilityObject::elementAccessibilityHitTest):
+ (WebCore::AccessibilityObject::axObjectCache):
+ (WebCore::AccessibilityObject::notifyIfIgnoredValueChanged):
+ (WebCore::AccessibilityObject::accessibilityIsIgnored):
+ * accessibility/AccessibilityRenderObject.cpp:
+ (WebCore::AccessibilityRenderObject::parentObjectIfExists):
+ (WebCore::AccessibilityRenderObject::parentObject):
+ (WebCore::AccessibilityRenderObject::anchorElement):
+ (WebCore::AccessibilityRenderObject::isTabItemSelected):
+ (WebCore::AccessibilityRenderObject::accessibilityParentForImageMap):
+ (WebCore::AccessibilityRenderObject::nodeIsTextControl):
+ (WebCore::AccessibilityRenderObject::activeDescendant):
+ (WebCore::AccessibilityRenderObject::handleAriaExpandedChanged):
+ (WebCore::AccessibilityRenderObject::observableObject):
+ (WebCore::AccessibilityRenderObject::textChanged):
+ * accessibility/AccessibilityScrollView.cpp:
+ (WebCore::AccessibilityScrollView::addChildScrollbar):
+ (WebCore::AccessibilityScrollView::webAreaObject):
+ (WebCore::AccessibilityScrollView::parentObject):
+ (WebCore::AccessibilityScrollView::parentObjectIfExists):
+
2014-02-06 Zoltan Horvath <[email protected]>
[CSS Shapes] Rounded Insets Let Content Overlap Shape
Modified: trunk/Source/WebCore/accessibility/AccessibilityNodeObject.cpp (163585 => 163586)
--- trunk/Source/WebCore/accessibility/AccessibilityNodeObject.cpp 2014-02-07 01:21:07 UTC (rev 163585)
+++ trunk/Source/WebCore/accessibility/AccessibilityNodeObject.cpp 2014-02-07 01:29:33 UTC (rev 163586)
@@ -228,9 +228,12 @@
return 0;
Node* parentObj = node()->parentNode();
- if (parentObj)
- return axObjectCache()->getOrCreate(parentObj);
+ if (!parentObj)
+ return nullptr;
+ if (AXObjectCache* cache = axObjectCache())
+ return cache->getOrCreate(parentObj);
+
return 0;
}
@@ -1204,7 +1207,9 @@
AccessibilityObject* AccessibilityNodeObject::menuForMenuButton() const
{
- return axObjectCache()->getOrCreate(menuElementForMenuButton());
+ if (AXObjectCache* cache = axObjectCache())
+ return cache->getOrCreate(menuElementForMenuButton());
+ return nullptr;
}
Element* AccessibilityNodeObject::menuItemElementForMenu() const
@@ -1217,11 +1222,15 @@
AccessibilityObject* AccessibilityNodeObject::menuButtonForMenu() const
{
+ AXObjectCache* cache = axObjectCache();
+ if (!cache)
+ return nullptr;
+
Element* menuItem = menuItemElementForMenu();
if (menuItem) {
// ARIA just has generic menu items. AppKit needs to know if this is a top level items like MenuBarButton or MenuBarItem
- AccessibilityObject* menuItemAX = axObjectCache()->getOrCreate(menuItem);
+ AccessibilityObject* menuItemAX = cache->getOrCreate(menuItem);
if (menuItemAX && menuItemAX->isMenuButton())
return menuItemAX;
}
Modified: trunk/Source/WebCore/accessibility/AccessibilityObject.cpp (163585 => 163586)
--- trunk/Source/WebCore/accessibility/AccessibilityObject.cpp 2014-02-07 01:21:07 UTC (rev 163585)
+++ trunk/Source/WebCore/accessibility/AccessibilityObject.cpp 2014-02-07 01:29:33 UTC (rev 163586)
@@ -377,7 +377,9 @@
return 0;
AXObjectCache* cache = node->document().axObjectCache();
-
+ if (!cache)
+ return nullptr;
+
AccessibilityObject* accessibleObject = cache->getOrCreate(node->renderer());
while (accessibleObject && accessibleObject->accessibilityIsIgnored()) {
node = NodeTraversal::next(node);
@@ -463,7 +465,8 @@
if (!criteria)
return;
- axObjectCache()->startCachingComputedObjectAttributesUntilTreeMutates();
+ if (AXObjectCache* cache = axObjectCache())
+ cache->startCachingComputedObjectAttributesUntilTreeMutates();
// This search mechanism only searches the elements before/after the starting object.
// It does this by stepping up the parent chain and at each level doing a DFS.
@@ -1660,8 +1663,10 @@
if (isAttachment()) {
Widget* widget = widgetForAttachmentView();
// Normalize the point for the widget's bounds.
- if (widget && widget->isFrameView())
- return axObjectCache()->getOrCreate(widget)->accessibilityHitTest(IntPoint(point - widget->frameRect().location()));
+ if (widget && widget->isFrameView()) {
+ if (AXObjectCache* cache = axObjectCache())
+ return cache->getOrCreate(widget)->accessibilityHitTest(IntPoint(point - widget->frameRect().location()));
+ }
}
// Check if there are any mock elements that need to be handled.
@@ -1678,7 +1683,7 @@
Document* doc = document();
if (doc)
return doc->axObjectCache();
- return 0;
+ return nullptr;
}
AccessibilityObject* AccessibilityObject::focusedUIElement() const
@@ -2017,7 +2022,8 @@
{
bool isIgnored = accessibilityIsIgnored();
if (lastKnownIsIgnoredValue() != isIgnored) {
- axObjectCache()->childrenChanged(parentObject());
+ if (AXObjectCache* cache = axObjectCache())
+ cache->childrenChanged(parentObject());
setLastKnownIsIgnoredValue(isIgnored);
}
}
@@ -2102,7 +2108,10 @@
bool AccessibilityObject::accessibilityIsIgnored() const
{
- AXComputedObjectAttributeCache* attributeCache = axObjectCache()->computedObjectAttributeCache();
+ AXComputedObjectAttributeCache* attributeCache = nullptr;
+ if (AXObjectCache* cache = axObjectCache())
+ attributeCache = cache->computedObjectAttributeCache();
+
if (attributeCache) {
AccessibilityObjectInclusion ignored = attributeCache->getIgnored(axObjectID());
switch (ignored) {
Modified: trunk/Source/WebCore/accessibility/AccessibilityRenderObject.cpp (163585 => 163586)
--- trunk/Source/WebCore/accessibility/AccessibilityRenderObject.cpp 2014-02-07 01:21:07 UTC (rev 163585)
+++ trunk/Source/WebCore/accessibility/AccessibilityRenderObject.cpp 2014-02-07 01:29:33 UTC (rev 163586)
@@ -476,11 +476,15 @@
AccessibilityObject* AccessibilityRenderObject::parentObjectIfExists() const
{
+ AXObjectCache* cache = axObjectCache();
+ if (!cache)
+ return nullptr;
+
// WebArea's parent should be the scroll view containing it.
if (isWebArea())
- return axObjectCache()->get(&m_renderer->view().frameView());
+ return cache->get(&m_renderer->view().frameView());
- return axObjectCache()->get(renderParentObject());
+ return cache->get(renderParentObject());
}
AccessibilityObject* AccessibilityRenderObject::parentObject() const
@@ -498,13 +502,17 @@
return parent;
}
+ AXObjectCache* cache = axObjectCache();
+ if (!cache)
+ return nullptr;
+
RenderObject* parentObj = renderParentObject();
if (parentObj)
- return axObjectCache()->getOrCreate(parentObj);
+ return cache->getOrCreate(parentObj);
// WebArea's parent should be the scroll view containing it.
if (isWebArea())
- return axObjectCache()->getOrCreate(&m_renderer->view().frameView());
+ return cache->getOrCreate(&m_renderer->view().frameView());
return 0;
}
@@ -562,6 +570,9 @@
return 0;
AXObjectCache* cache = axObjectCache();
+ if (!cache)
+ return nullptr;
+
RenderObject* currRenderer;
// Search up the render tree for a RenderObject with a DOM node. Defer to an earlier continuation, though.
@@ -1587,8 +1598,12 @@
Vector<Element*> elements;
elementsFromAttribute(elements, aria_controlsAttr);
+ AXObjectCache* cache = axObjectCache();
+ if (!cache)
+ return false;
+
for (const auto& element : elements) {
- AccessibilityObject* tabPanel = axObjectCache()->getOrCreate(element);
+ AccessibilityObject* tabPanel = cache->getOrCreate(element);
// A tab item should only control tab panels.
if (!tabPanel || tabPanel->roleValue() != TabPanelRole)
@@ -1731,7 +1746,10 @@
if (!imageElement)
return 0;
- return axObjectCache()->getOrCreate(imageElement);
+ if (AXObjectCache* cache = axObjectCache())
+ return cache->getOrCreate(imageElement);
+
+ return nullptr;
}
void AccessibilityRenderObject::getDocumentLinks(AccessibilityChildrenVector& result)
@@ -1902,11 +1920,12 @@
if (!node)
return false;
- const AccessibilityObject* axObjectForNode = axObjectCache()->getOrCreate(const_cast<Node*>(node));
- if (!axObjectForNode)
- return false;
+ if (AXObjectCache* cache = axObjectCache()) {
+ if (AccessibilityObject* axObjectForNode = cache->getOrCreate(const_cast<Node*>(node)))
+ return axObjectForNode->isTextControl();
+ }
- return axObjectForNode->isTextControl();
+ return false;
}
IntRect AccessibilityRenderObject::boundsForVisiblePositionRange(const VisiblePositionRange& visiblePositionRange) const
@@ -2276,10 +2295,13 @@
if (!target)
return 0;
- AccessibilityObject* obj = axObjectCache()->getOrCreate(target);
- if (obj && obj->isAccessibilityRenderObject())
- // an activedescendant is only useful if it has a renderer, because that's what's needed to post the notification
- return obj;
+ if (AXObjectCache* cache = axObjectCache()) {
+ AccessibilityObject* obj = cache->getOrCreate(target);
+ if (obj && obj->isAccessibilityRenderObject())
+ // an activedescendant is only useful if it has a renderer, because that's what's needed to post the notification
+ return obj;
+ }
+
return 0;
}
@@ -2309,12 +2331,16 @@
}
// Post that the row count changed.
+ AXObjectCache* cache = axObjectCache();
+ if (!cache)
+ return;
+
if (containerParent)
- axObjectCache()->postNotification(containerParent, document(), AXObjectCache::AXRowCountChanged);
+ cache->postNotification(containerParent, document(), AXObjectCache::AXRowCountChanged);
// Post that the specific row either collapsed or expanded.
if (roleValue() == RowRole || roleValue() == TreeItemRole)
- axObjectCache()->postNotification(this, document(), isExpanded() ? AXObjectCache::AXRowExpanded : AXObjectCache::AXRowCollapsed);
+ cache->postNotification(this, document(), isExpanded() ? AXObjectCache::AXRowExpanded : AXObjectCache::AXRowCollapsed);
}
void AccessibilityRenderObject::handleActiveDescendantChanged()
@@ -2388,8 +2414,10 @@
{
// Find the object going up the parent chain that is used in accessibility to monitor certain notifications.
for (RenderObject* renderer = m_renderer; renderer && renderer->node(); renderer = renderer->parent()) {
- if (renderObjectIsObservable(renderer))
- return axObjectCache()->getOrCreate(renderer);
+ if (renderObjectIsObservable(renderer)) {
+ if (AXObjectCache* cache = axObjectCache())
+ return cache->getOrCreate(renderer);
+ }
}
return 0;
@@ -2714,6 +2742,9 @@
// If this element supports ARIA live regions, or is part of a region with an ARIA editable role,
// then notify the AT of changes.
AXObjectCache* cache = axObjectCache();
+ if (!cache)
+ return;
+
for (RenderObject* renderParent = m_renderer; renderParent; renderParent = renderParent->parent()) {
AccessibilityObject* parent = cache->get(renderParent);
if (!parent)
Modified: trunk/Source/WebCore/accessibility/AccessibilityScrollView.cpp (163585 => 163586)
--- trunk/Source/WebCore/accessibility/AccessibilityScrollView.cpp 2014-02-07 01:21:07 UTC (rev 163585)
+++ trunk/Source/WebCore/accessibility/AccessibilityScrollView.cpp 2014-02-07 01:29:33 UTC (rev 163586)
@@ -149,7 +149,11 @@
if (!scrollbar)
return 0;
- AccessibilityScrollbar* scrollBarObject = toAccessibilityScrollbar(axObjectCache()->getOrCreate(scrollbar));
+ AXObjectCache* cache = axObjectCache();
+ if (!cache)
+ return nullptr;
+
+ AccessibilityScrollbar* scrollBarObject = toAccessibilityScrollbar(cache->getOrCreate(scrollbar));
scrollBarObject->setParent(this);
m_children.append(scrollBarObject);
return scrollBarObject;
@@ -192,7 +196,10 @@
if (!doc || !doc->hasLivingRenderTree())
return 0;
- return axObjectCache()->getOrCreate(doc);
+ if (AXObjectCache* cache = axObjectCache())
+ return cache->getOrCreate(doc);
+
+ return nullptr;
}
AccessibilityObject* AccessibilityScrollView::accessibilityHitTest(const IntPoint& point) const
@@ -229,10 +236,14 @@
{
if (!m_scrollView || !m_scrollView->isFrameView())
return 0;
-
+
+ AXObjectCache* cache = axObjectCache();
+ if (!cache)
+ return nullptr;
+
HTMLFrameOwnerElement* owner = toFrameView(m_scrollView)->frame().ownerElement();
if (owner && owner->renderer())
- return axObjectCache()->getOrCreate(owner);
+ return cache->getOrCreate(owner);
return 0;
}
@@ -242,9 +253,13 @@
if (!m_scrollView || !m_scrollView->isFrameView())
return 0;
+ AXObjectCache* cache = axObjectCache();
+ if (!cache)
+ return nullptr;
+
HTMLFrameOwnerElement* owner = toFrameView(m_scrollView)->frame().ownerElement();
if (owner && owner->renderer())
- return axObjectCache()->get(owner);
+ return cache->get(owner);
return 0;
}
