[SCM] WebKit Debian packaging branch, debian/experimental, updated. upstream/1.3.3-10851-g50815da

inferno at chromium.org inferno at chromium.org
Wed Dec 22 17:49:23 UTC 2010 

The following commit has been merged in the debian/experimental branch:
commit 22417bfa11cad41b5d1381b0ec1cf45b9b795f2e
Author: inferno at chromium.org <inferno at chromium.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Date:   Tue Nov 30 23:21:15 2010 +0000

    2010-11-30  Chris Guillory  <chris.guillory at google.com>
    
            Reviewed by Chris Fleizach.
    
            Computing style on a stale node while sending pending accessibility notification.
            https://bugs.webkit.org/show_bug.cgi?id=50162
    
            Retain node pointer members of AccessibilityImageMapLink.
    
            Test: accessibility/image-map-title-causes-crash.html
    
            * accessibility/AccessibilityImageMapLink.cpp:
            (WebCore::AccessibilityImageMapLink::parentObject):
            (WebCore::AccessibilityImageMapLink::anchorElement):
            (WebCore::AccessibilityImageMapLink::url):
            (WebCore::AccessibilityImageMapLink::elementRect):
            * accessibility/AccessibilityImageMapLink.h:
            (WebCore::AccessibilityImageMapLink::areaElement):
            (WebCore::AccessibilityImageMapLink::mapElement):
            (WebCore::AccessibilityImageMapLink::node):
            * dom/Document.cpp:
            (WebCore::Document::clearAXObjectCache):
    2010-11-30  Chris Guillory  <chris.guillory at google.com>
    
            Reviewed by Chris Fleizach.
    
            Computing style on a stale node while sending pending accessibility notification.
            https://bugs.webkit.org/show_bug.cgi?id=50162
    
            * accessibility/image-map-title-causes-crash-expected.txt: Added.
            * accessibility/image-map-title-causes-crash.html: Added.
    
    
    git-svn-id: http://svn.webkit.org/repository/webkit/trunk@72969 268f45cc-cd09-0410-ab3c-d52691b4dbfc

diff --git a/LayoutTests/ChangeLog b/LayoutTests/ChangeLog
index b01459b..98363d3 100644
--- a/LayoutTests/ChangeLog
+++ b/LayoutTests/ChangeLog
@@ -1,3 +1,13 @@
+2010-11-30  Chris Guillory  <chris.guillory at google.com>
+
+        Reviewed by Chris Fleizach.
+
+        Computing style on a stale node while sending pending accessibility notification.
+        https://bugs.webkit.org/show_bug.cgi?id=50162
+
+        * accessibility/image-map-title-causes-crash-expected.txt: Added.
+        * accessibility/image-map-title-causes-crash.html: Added.
+
 2010-11-30  Ojan Vafai  <ojan at chromium.org>
 
         [chromium] Add new expected result after http://trac.webkit.org/changeset/72689
diff --git a/LayoutTests/accessibility/image-map-title-causes-crash-expected.txt b/LayoutTests/accessibility/image-map-title-causes-crash-expected.txt
new file mode 100644
index 0000000..b8255f9
--- /dev/null
+++ b/LayoutTests/accessibility/image-map-title-causes-crash-expected.txt
@@ -0,0 +1,10 @@
+ 1
+Requesting the title of an AccessibilityImageMapLink can cause a crash when the map's area element has been removed.
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+PASS successfullyParsed is true
+
+TEST COMPLETE
+
diff --git a/LayoutTests/accessibility/image-map-title-causes-crash.html b/LayoutTests/accessibility/image-map-title-causes-crash.html
new file mode 100644
index 0000000..610af26
--- /dev/null
+++ b/LayoutTests/accessibility/image-map-title-causes-crash.html
@@ -0,0 +1,50 @@
+<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML//EN">
+<html>
+<head>
+<link rel="stylesheet" href="../fast/js/resources/js-test-style.css">
+<script>
+    var successfullyParsed = false;
+
+    function removeAreaElement() {
+        document.getElementById("test").innerHTML=1
+    }
+
+    function queryTitleOnDecendants(accessibilityObject) {
+        accessibilityObject.title
+
+        var count = accessibilityObject.childrenCount;
+        for (var i = 0; i < count; ++i)
+            queryTitleOnDecendants(accessibilityObject.childAtIndex(i));
+    }
+</script>
+<script src="../fast/js/resources/js-test-pre.js"></script>
+</head>
+<body>
+
+<img usemap="#map">
+<map name="map" id="test"><area href="javascript:document.getElementById('result').innerHTML='area clicked'" /></map>
+
+<p id="description"></p>
+<div id="console"></div>
+
+<script>
+    description("Requesting the title of an AccessibilityImageMapLink can cause a crash when the map's area element has been removed.");
+
+    if (window.accessibilityController) {
+        // First build up full accessibility tree.
+        document.body.focus();
+        queryTitleOnDecendants(accessibilityController.focusedElement);
+        
+        removeAreaElement()
+        
+        // Now call request the title for each accessibility object.
+        document.body.focus();
+        queryTitleOnDecendants(accessibilityController.focusedElement);
+    }
+
+    successfullyParsed = true;
+</script>
+
+<script src="../fast/js/resources/js-test-post.js"></script>
+</body>
+</html>
diff --git a/WebCore/ChangeLog b/WebCore/ChangeLog
index 894910a..239da88 100644
--- a/WebCore/ChangeLog
+++ b/WebCore/ChangeLog
@@ -1,3 +1,26 @@
+2010-11-30  Chris Guillory  <chris.guillory at google.com>
+
+        Reviewed by Chris Fleizach.
+
+        Computing style on a stale node while sending pending accessibility notification.
+        https://bugs.webkit.org/show_bug.cgi?id=50162
+
+        Retain node pointer members of AccessibilityImageMapLink.
+
+        Test: accessibility/image-map-title-causes-crash.html
+
+        * accessibility/AccessibilityImageMapLink.cpp:
+        (WebCore::AccessibilityImageMapLink::parentObject):
+        (WebCore::AccessibilityImageMapLink::anchorElement):
+        (WebCore::AccessibilityImageMapLink::url):
+        (WebCore::AccessibilityImageMapLink::elementRect):
+        * accessibility/AccessibilityImageMapLink.h:
+        (WebCore::AccessibilityImageMapLink::areaElement):
+        (WebCore::AccessibilityImageMapLink::mapElement):
+        (WebCore::AccessibilityImageMapLink::node):
+        * dom/Document.cpp:
+        (WebCore::Document::clearAXObjectCache):
+
 2010-11-30  James Robinson  <jamesr at chromium.org>
 
         Reviewed by Tony Chang.
diff --git a/WebCore/accessibility/AccessibilityImageMapLink.cpp b/WebCore/accessibility/AccessibilityImageMapLink.cpp
index 9b77400..870efe3 100644
--- a/WebCore/accessibility/AccessibilityImageMapLink.cpp
+++ b/WebCore/accessibility/AccessibilityImageMapLink.cpp
@@ -59,7 +59,7 @@ AccessibilityObject* AccessibilityImageMapLink::parentObject() const
     if (m_parent)
         return m_parent;
     
-    if (!m_mapElement || !m_mapElement->renderer())
+    if (!m_mapElement.get() || !m_mapElement->renderer())
         return 0;
     
     return m_mapElement->document()->axObjectCache()->getOrCreate(m_mapElement->renderer());
@@ -84,12 +84,12 @@ Element* AccessibilityImageMapLink::actionElement() const
     
 Element* AccessibilityImageMapLink::anchorElement() const
 {
-    return m_areaElement;
+    return m_areaElement.get();
 }
 
 KURL AccessibilityImageMapLink::url() const
 {
-    if (!m_areaElement)
+    if (!m_areaElement.get())
         return KURL();
     
     return m_areaElement->href();
@@ -121,7 +121,7 @@ String AccessibilityImageMapLink::title() const
     
 IntRect AccessibilityImageMapLink::elementRect() const
 {
-    if (!m_mapElement || !m_areaElement)
+    if (!m_mapElement.get() || !m_areaElement.get())
         return IntRect();
 
     RenderObject* renderer;
diff --git a/WebCore/accessibility/AccessibilityImageMapLink.h b/WebCore/accessibility/AccessibilityImageMapLink.h
index e2e1544..011d5de 100644
--- a/WebCore/accessibility/AccessibilityImageMapLink.h
+++ b/WebCore/accessibility/AccessibilityImageMapLink.h
@@ -44,12 +44,12 @@ public:
     virtual ~AccessibilityImageMapLink();
     
     void setHTMLAreaElement(HTMLAreaElement* element) { m_areaElement = element; }
-    HTMLAreaElement* areaElement() const { return m_areaElement; }
+    HTMLAreaElement* areaElement() const { return m_areaElement.get(); }
     
     void setHTMLMapElement(HTMLMapElement* element) { m_mapElement = element; }    
-    HTMLMapElement* mapElement() const { return m_mapElement; }
+    HTMLMapElement* mapElement() const { return m_mapElement.get(); }
     
-    virtual Node* node() const { return m_areaElement; }
+    virtual Node* node() const { return m_areaElement.get(); }
     void setParent(AccessibilityObject* parent) { m_parent = parent; }
         
     virtual AccessibilityRole roleValue() const;
@@ -72,8 +72,8 @@ public:
     virtual IntRect elementRect() const;
 
 private:    
-    HTMLAreaElement* m_areaElement;
-    HTMLMapElement* m_mapElement;
+    RefPtr<HTMLAreaElement> m_areaElement;
+    RefPtr<HTMLMapElement> m_mapElement;
     AccessibilityObject* m_parent;
     
     virtual bool isImageMapLink() const { return true; }
diff --git a/WebCore/dom/Document.cpp b/WebCore/dom/Document.cpp
index 1694a37..c088e4e 100644
--- a/WebCore/dom/Document.cpp
+++ b/WebCore/dom/Document.cpp
@@ -1853,8 +1853,11 @@ void Document::clearAXObjectCache()
 {
     // clear cache in top document
     if (m_axObjectCache) {
-        delete m_axObjectCache;
+        // Clear the cache member variable before calling delete because attempts
+        // are made to access it during destruction.
+        AXObjectCache* axObjectCache = m_axObjectCache;
         m_axObjectCache = 0;
+        delete axObjectCache;
         return;
     }
     

-- 
WebKit Debian packaging

More information about the Pkg-webkit-commits mailing list