Title: [215971] trunk
- Revision
- 215971
- Author
- pvol...@apple.com
- Date
- 2017-04-28 23:17:10 -0700 (Fri, 28 Apr 2017)
Log Message
Crash under WebCore::AccessibilityRenderObject::handleAriaExpandedChanged().
https://bugs.webkit.org/show_bug.cgi?id=171427
Source/WebCore:
rdar://problem/31863417
Reviewed by Brent Fulgham.
The AccessibilityRenderObject object might delete itself in handleAriaExpandedChanged() under the call
to the parentObject() method. This will cause a crash when accessing the object later in this method.
Protect the current object while executing arbitrary event code.
Test: accessibility/accessibility-crash-setattribute.html
* accessibility/AccessibilityRenderObject.cpp:
(WebCore::AccessibilityRenderObject::handleAriaExpandedChanged):
LayoutTests:
Reviewed by Brent Fulgham.
* accessibility/accessibility-crash-setattribute-expected.txt: Added.
* accessibility/accessibility-crash-setattribute.html: Added.
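The bug class behind this commit (an object dropping its own last reference while one of its member functions is still on the stack) and the protector idiom used to fix it, as an added stand-alone C++ example. This is not WebKit code: the `AXNode`, `Ref` and `AXCache` types are a deliberately small stand-in for WTF::RefCounted, `makeRef(*this)` and AXObjectCache, and the `onParentLookup` callback stands in for the "arbitrary event code" the ChangeLog refers to.

```cpp
// Added example (not WebKit code): minimal model of the bug class fixed in
// r215971. A cache owns ref-counted objects; looking up the parent can run
// arbitrary script that removes the current object from the cache, dropping
// the last reference while a member function on that object is executing.
#include <cstdio>
#include <functional>
#include <map>

static int g_destroyed = 0;                 // counts destructor runs (test hook)

// Intrusive reference count in the style of WTF::RefCounted (our own, simplified).
struct AXNode {
    int refCount = 1;                        // the cache holds the initial reference
    int id;
    bool detached = false;                   // set when removed from the cache
    std::function<void()> onParentLookup;   // stands in for "arbitrary event code"

    explicit AXNode(int i) : id(i) {}
    ~AXNode() { ++g_destroyed; }
    void ref() { ++refCount; }
    void deref() { if (--refCount == 0) delete this; }
    bool isDetached() const { return detached; }
};

// RAII holder playing the role of the Ref<> returned by makeRef(*this).
struct Ref {
    AXNode* p;
    explicit Ref(AXNode& n) : p(&n) { p->ref(); }
    ~Ref() { p->deref(); }
    Ref(const Ref&) = delete;
    Ref& operator=(const Ref&) = delete;
};

// Owns one reference to each node, like AXObjectCache.
struct AXCache {
    std::map<int, AXNode*> nodes;
    AXNode* add(int id) { auto* n = new AXNode(id); nodes[id] = n; return n; }
    void remove(int id) {
        auto it = nodes.find(id);
        if (it == nodes.end()) return;
        AXNode* n = it->second;
        nodes.erase(it);
        n->detached = true;
        n->deref();                          // may be the last reference
    }
    ~AXCache() { for (auto& kv : nodes) kv.second->deref(); }
};

// Models parentObject(): the lookup can run script that mutates the cache.
static AXNode* parentObject(AXNode& self) {
    if (self.onParentLookup) self.onParentLookup();
    return nullptr;                          // no parent in this toy tree
}

// Unsafe: if the callback removed `self` from the cache, `self` was freed
// inside parentObject() and the next access is a use-after-free.
// Not called by the test; run it under ASan to see the report.
int handleAriaExpandedChangedUnsafe(AXNode& self) {
    parentObject(self);
    return self.id;                          // UAF when the cache held the last ref
}

// Hardened: hold a reference across the call (the r215971 fix) and, in
// addition, bail out if the object was detached meanwhile, so stale state
// is not used either. Memory being valid does not make the object valid.
static bool handleAriaExpandedChangedSafe(AXNode& self) {
    Ref protectedThis(self);                 // keeps the allocation alive
    parentObject(self);                      // may run arbitrary code
    if (self.isDetached())
        return false;
    // ... continue with the aria-expanded handling ...
    return true;
}

// Scenario 1: script removes the node from the cache during the parent lookup.
// Expected: the handler bails out and the node is destroyed exactly once, when
// protectedThis goes out of scope, not in the middle of the callback.
static bool runDetachScenario() {
    g_destroyed = 0;
    AXCache cache;
    AXNode* n = cache.add(1);
    n->onParentLookup = [&cache] { cache.remove(1); };
    bool handled = handleAriaExpandedChangedSafe(*n);
    return !handled && g_destroyed == 1;
}

// Scenario 2: nothing happens during the lookup; the node survives the call.
static bool runBenignScenario() {
    g_destroyed = 0;
    AXCache cache;
    AXNode* n = cache.add(2);
    bool handled = handleAriaExpandedChangedSafe(*n);
    return handled && g_destroyed == 0;
}

int main() {
    bool ok = runDetachScenario() && runBenignScenario();
    std::printf("%s\n", ok ? "PASS if no crash." : "FAIL");
    return ok ? 0 : 1;
}
```

The point of the two scenarios is the ordering of the last `deref()`: with the protector it happens at the end of the member function, after the last access to `this`; without it, it happens inside the callback while the member function (and here, the `std::function` being executed) is still live.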
Diff
Modified: trunk/LayoutTests/ChangeLog (215970 => 215971)
--- trunk/LayoutTests/ChangeLog 2017-04-29 04:57:06 UTC (rev 215970)
+++ trunk/LayoutTests/ChangeLog 2017-04-29 06:17:10 UTC (rev 215971)
@@ -1,3 +1,13 @@
+2017-04-28 Per Arne Vollan <pvol...@apple.com>
+
+ Crash under WebCore::AccessibilityRenderObject::handleAriaExpandedChanged().
+ https://bugs.webkit.org/show_bug.cgi?id=171427
+
+ Reviewed by Brent Fulgham.
+
+ * accessibility/accessibility-crash-setattribute-expected.txt: Added.
+ * accessibility/accessibility-crash-setattribute.html: Added.
+
2017-04-28 Wenson Hsieh <wenson_hs...@apple.com>
Unreviewed test gardening (Mac WK1)
Added: trunk/LayoutTests/accessibility/accessibility-crash-setattribute-expected.txt (0 => 215971)
--- trunk/LayoutTests/accessibility/accessibility-crash-setattribute-expected.txt (rev 0)
+++ trunk/LayoutTests/accessibility/accessibility-crash-setattribute-expected.txt 2017-04-29 06:17:10 UTC (rev 215971)
@@ -0,0 +1,2 @@
+PASS if no crash.
+
Added: trunk/LayoutTests/accessibility/accessibility-crash-setattribute.html (0 => 215971)
--- trunk/LayoutTests/accessibility/accessibility-crash-setattribute.html (rev 0)
+++ trunk/LayoutTests/accessibility/accessibility-crash-setattribute.html 2017-04-29 06:17:10 UTC (rev 215971)
@@ -0,0 +1,28 @@
+<!DOCTYPE HTML>
+<html>
+<style>
+ #div { visibility: collapse }
+</style>
+<body>
+PASS if no crash.
+<script>
+ if (window.accessibilityController) {
+ var largeRange = accessibilityController.accessibleElementById("largeRange");
+ }
+ if (window.testRunner) {
+ testRunner.dumpAsText();
+ }
+ function eventhandler() {
+ document.execCommand("bold", false);
+ img.style.removeProperty("-webkit-appearance");
+ img.setAttribute("aria-expanded", "false");
+ }
+</script>
+<input id="largeRange" max="100" min="0" type="range" value="50">
+<div id="div">
+ <dl>
+ <canvas>aaa</canvas>
+ <img id="img" src="" style="-webkit-appearance: relevancy-level-indicator;" _onerror_="eventhandler()"></img>
+ </dl>
+</div>
+</body>
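Review bot: the event handler attribute on the img element reads `_onerror_` rather than `onerror`; if that is how the file is committed (and not an artifact of the mail archive), the handler never fires and the test passes vacuously, so please verify the committed source uses `onerror="eventhandler()"`. Two smaller points in the same hunk: `img` is a void element, so the `</img>` end tag is not valid HTML and can be dropped; and `largeRange` is assigned but never used, so a one-line comment saying that the `accessibleElementById` call exists only to force the accessibility tree to be built would save the next reader from removing it.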
Modified: trunk/Source/WebCore/ChangeLog (215970 => 215971)
--- trunk/Source/WebCore/ChangeLog 2017-04-29 04:57:06 UTC (rev 215970)
+++ trunk/Source/WebCore/ChangeLog 2017-04-29 06:17:10 UTC (rev 215971)
@@ -1,3 +1,20 @@
+2017-04-28 Per Arne Vollan <pvol...@apple.com>
+
+ Crash under WebCore::AccessibilityRenderObject::handleAriaExpandedChanged().
+ https://bugs.webkit.org/show_bug.cgi?id=171427
+ rdar://problem/31863417
+
+ Reviewed by Brent Fulgham.
+
+ The AccessibilityRenderObject object might delete itself in handleAriaExpandedChanged() under the call
+ to the parentObject() method. This will cause a crash when accessing the object later in this method.
+ Protect the current object while executing arbitrary event code.
+
+ Test: accessibility/accessibility-crash-setattribute.html
+
+ * accessibility/AccessibilityRenderObject.cpp:
+ (WebCore::AccessibilityRenderObject::handleAriaExpandedChanged):
+
2017-04-28 Chris Dumez <cdu...@apple.com>
Diagnostic logging of navigations is too verbose
Modified: trunk/Source/WebCore/accessibility/AccessibilityRenderObject.cpp (215970 => 215971)
--- trunk/Source/WebCore/accessibility/AccessibilityRenderObject.cpp 2017-04-29 04:57:06 UTC (rev 215970)
+++ trunk/Source/WebCore/accessibility/AccessibilityRenderObject.cpp 2017-04-29 06:17:10 UTC (rev 215971)
@@ -2439,6 +2439,9 @@
void AccessibilityRenderObject::handleAriaExpandedChanged()
{
+ // This object might be deleted under the call to the parentObject() method.
+ auto protectedThis = makeRef(*this);
+
// Find if a parent of this object should handle aria-expanded changes.
AccessibilityObject* containerParent = this->parentObject();
while (containerParent) {
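Review bot: `makeRef(*this)` keeps the allocation alive across `parentObject()`, but it does not keep the object valid: if the event code detaches this object from the accessibility cache, the remainder of the function now runs against a detached object instead of a freed one. Consider an early return when the object is detached after the call (e.g. `if (isDetached()) return;`), and extend the comment to say that the protection is needed because the call can run arbitrary event code, since the loop over `containerParent` that follows calls into other objects under the same conditions, not only the single `parentObject()` call the comment names.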
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes