Title: [139806] trunk
Revision
139806
Author
dmazz...@google.com
Date
2013-01-15 16:13:15 -0800 (Tue, 15 Jan 2013)

Log Message

Use-after-free in AXObjectCache::notificationPostTimerFired
https://bugs.webkit.org/show_bug.cgi?id=106106

Reviewed by Ryosuke Niwa.

Source/WebCore:

Fixes a crash that occurs when a Node is adopted by another document,
in particular one that isn't part of the page, and then deleted,
which wasn't triggering the code that removed the Node from
AXObjectCache. Now, a Node is removed from the AXObjectCache whenever
its Document changes.

Test: accessibility/crash-adopt-node-from-new-document.html

* dom/Node.cpp:
(WebCore::Node::didMoveToNewDocument):

LayoutTests:

Test that demonstrates the crash when a Node with an
AccessibilityObject changes its document and then isn't removed from
the AXObjectCache when it's deleted.

* accessibility/crash-adopt-node-from-new-document-expected.txt: Added.
* accessibility/crash-adopt-node-from-new-document.html: Added.
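A toy model of the lifetime bug the log message describes, added here as an illustration and not WebKit's own code: Node, Document and AXObjectCache are stand-ins that keep only the piece that matters (a cache keyed by raw Node* that is erased only through the node's current document), and staleEntryAfterAdopt() reports whether the page document's cache still holds a key for a deleted node with and without the didMoveToNewDocument fix.

```cpp
// Toy stand-ins for WebKit's Node, Document and AXObjectCache (added illustration, not WebKit code).
// The cache is keyed by raw Node*, so an entry that outlives its Node is a dangling pointer.
#include <map>
#include <memory>
#include <string>

struct Node;

struct AXObjectCache {
    std::map<Node*, std::string> entries;  // raw keys: must be erased before the Node is freed
    void getOrCreate(Node* n, const std::string& label) { entries[n] = label; }
    void remove(Node* n) { entries.erase(n); }
    bool has(Node* n) const { return entries.count(n) != 0; }
};

struct Document {
    std::unique_ptr<AXObjectCache> cache;  // created lazily, like the real axObjectCache()
    bool axObjectCacheExists() const { return cache != nullptr; }
    AXObjectCache* axObjectCache() { if (!cache) cache.reset(new AXObjectCache); return cache.get(); }
};

struct Node {
    Document* document;
    explicit Node(Document* d) : document(d) {}
    // Mirrors the patched Node::didMoveToNewDocument: leave the old document's cache on adoption.
    void didMoveToNewDocument(Document* oldDocument, bool withFix) {
        if (withFix && oldDocument && oldDocument->axObjectCacheExists())
            oldDocument->axObjectCache()->remove(this);
    }
    // Deletion only consults the *current* document's cache, so an entry left behind in the
    // old document's cache survives the Node (the situation the ChangeLog describes).
    ~Node() {
        if (document && document->axObjectCacheExists())
            document->axObjectCache()->remove(this);
    }
};

// Returns true if the page document's cache still holds a key for the freed Node.
bool staleEntryAfterAdopt(bool withFix) {
    Document page, detached;  // detached: created via createDocument(), not part of the page
    Node* n = new Node(&page);
    page.axObjectCache()->getOrCreate(n, "Label");  // aria-label produced an AccessibilityObject
    Document* oldDocument = n->document;
    n->document = &detached;  // adoptNode()
    n->didMoveToNewDocument(oldDocument, withFix);
    Node* freedKey = n;  // pointer value kept only for the lookup below, never dereferenced
    delete n;  // gc() frees the Node
    return page.axObjectCacheExists() && page.axObjectCache()->has(freedKey);
}
```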

Diff

Modified: trunk/LayoutTests/ChangeLog (139805 => 139806)


--- trunk/LayoutTests/ChangeLog	2013-01-16 00:02:22 UTC (rev 139805)
+++ trunk/LayoutTests/ChangeLog	2013-01-16 00:13:15 UTC (rev 139806)
@@ -1,3 +1,17 @@
+2013-01-15  Dominic Mazzoni  <dmazz...@google.com>
+
+        Use-after-free in AXObjectCache::notificationPostTimerFired
+        https://bugs.webkit.org/show_bug.cgi?id=106106
+
+        Reviewed by Ryosuke Niwa.
+
+        Test that demonstrates the crash when a Node with an
+        AccessibilityObject changes its document and then isn't removed from
+        the AXObjectCache when it's deleted.
+
+        * accessibility/crash-adopt-node-from-new-document-expected.txt: Added.
+        * accessibility/crash-adopt-node-from-new-document.html: Added.
+
 2013-01-15  Arnaud Renevier  <a.renev...@sisa.samsung.com>
 
         Add Canvas blend modes to Cairo

Added: trunk/LayoutTests/accessibility/crash-adopt-node-from-new-document-expected.txt (0 => 139806)


--- trunk/LayoutTests/accessibility/crash-adopt-node-from-new-document-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/accessibility/crash-adopt-node-from-new-document-expected.txt	2013-01-16 00:13:15 UTC (rev 139806)
@@ -0,0 +1,2 @@
+ALERT: This test makes sure that adopting a node with an AccessibilityObject into a new document doesn't crash. Test passed.
+

Added: trunk/LayoutTests/accessibility/crash-adopt-node-from-new-document.html (0 => 139806)


--- trunk/LayoutTests/accessibility/crash-adopt-node-from-new-document.html	                        (rev 0)
+++ trunk/LayoutTests/accessibility/crash-adopt-node-from-new-document.html	2013-01-16 00:13:15 UTC (rev 139806)
@@ -0,0 +1,24 @@
+<!DOCTYPE html>
+<html>
+<head>
+<script src=""
+</head>
+<body>
+
+<canvas>
+<div id="node1">
+<div id="node2">
+</canvas>
+
+<script>
+document.getElementById("node2").setAttribute("aria-label", "Label");
+document.implementation.createDocument("", "", null).adoptNode(node1);
+
+gc();
+
+alert("This test makes sure that adopting a node with an AccessibilityObject into a new document doesn't crash. Test passed.");
+
+</script>
+<script src=""
+</body>
+</html>
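Review bot: both `<script src=""` lines (the one in `<head>` and the one just before `</body>`) appear with an empty src and no closing `</script>`, so as shown the page loads no harness and the call to `gc();` would raise a ReferenceError rather than exercise the adoptNode-then-collect path the test is meant to cover; please confirm the include paths survived in the committed file. A smaller point: `node1` is reached through the implicit window property for its id while `node2` goes through `document.getElementById("node2")`; using the same lookup for both reads more consistently.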

Modified: trunk/Source/WebCore/ChangeLog (139805 => 139806)


--- trunk/Source/WebCore/ChangeLog	2013-01-16 00:02:22 UTC (rev 139805)
+++ trunk/Source/WebCore/ChangeLog	2013-01-16 00:13:15 UTC (rev 139806)
@@ -1,3 +1,21 @@
+2013-01-15  Dominic Mazzoni  <dmazz...@google.com>
+
+        Use-after-free in AXObjectCache::notificationPostTimerFired
+        https://bugs.webkit.org/show_bug.cgi?id=106106
+
+        Reviewed by Ryosuke Niwa.
+
+        Fixes a crash that occurs when a Node is adopted by another document,
+        in particular one that isn't part of the page, and then deleted,
+        which wasn't triggering the code that removed the Node from
+        AXObjectCache. Now, a Node is removed from the AXObjectCache whenever
+        its Document changes.
+
+        Test: accessibility/crash-adopt-node-from-new-document.html
+
+        * dom/Node.cpp:
+        (WebCore::Node::didMoveToNewDocument):
+
 2013-01-15  Arnaud Renevier  <a.renev...@sisa.samsung.com>
 
         Add Canvas blend modes to Cairo

Modified: trunk/Source/WebCore/dom/Node.cpp (139805 => 139806)


--- trunk/Source/WebCore/dom/Node.cpp	2013-01-16 00:02:22 UTC (rev 139805)
+++ trunk/Source/WebCore/dom/Node.cpp	2013-01-16 00:13:15 UTC (rev 139806)
@@ -2079,6 +2079,9 @@
 {
     TreeScopeAdopter::ensureDidMoveToNewDocumentWasCalled(oldDocument);
 
+    if (AXObjectCache::accessibilityEnabled() && oldDocument && oldDocument->axObjectCacheExists())
+        oldDocument->axObjectCache()->remove(this);
+
     // FIXME: Event listener types for this node should be set on the new owner document here.
 
     const EventListenerVector& wheelListeners = getEventListeners(eventNames().mousewheelEvent);
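Review bot: the inserted `if` block carries no comment saying why the node must be evicted from the old document's cache at this point; the ChangeLog explains that once the node lives in a document that isn't part of the page, deletion no longer reaches the old cache and the entry dangles until notificationPostTimerFired touches it, and a one-line comment above the `if` would keep that reasoning next to the code. Guarding on `oldDocument->axObjectCacheExists()` before calling `oldDocument->axObjectCache()->remove(this)` is the right shape, since the unguarded accessor would otherwise create a cache only to remove from it.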
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
http://lists.webkit.org/mailman/listinfo/webkit-changes