Bug 65174

Summary: Accessibility stack exhaustion using role attribute
Product: WebKit Reporter: Berend-Jan Wever <skylined>
Component: AccessibilityAssignee: chris fleizach <cfleizach>
Status: RESOLVED FIXED    
Severity: Normal CC: bdakin, cfleizach, eric, webkit.review.bot
Priority: P1 Keywords: InRadar
Version: 528+ (Nightly build)   
Hardware: PC   
OS: Windows Vista   
Attachments:
Description Flags
Repro
none
patch darin: review+

Berend-Jan Wever
Reported 2011-07-26 04:50:35 PDT
Created attachment 101987 [details] Repro Repro: <label><q role=x><input> This causes a loop where AccessibilityRenderObjects create more AccessibilityRenderObjects until all stack space has been used and the thread is terminated. This requires you to enable accessibility to reproduce.
Attachments
Repro (25 bytes, text/html)
2011-07-26 04:50 PDT, Berend-Jan Wever 		no flags
Details
patch (7.88 KB, patch)
2011-08-09 11:56 PDT, chris fleizach 		darin: review+
DetailsFormatted DiffDiff
View All Add attachment proposed patch, testcase, etc.
Berend-Jan Wever
Comment 1 2011-07-26 04:50:59 PDT
Chromium: https://code.google.com/p/chromium/issues/detail?id=90497
chris fleizach
Comment 2 2011-08-09 09:37:04 PDT
#16568 0x00000001028226ef in WebCore::AXObjectCache::getOrCreate (this=0x130276230, renderer=0x12a494dc8) at AXObjectCache.cpp:285 #16569 0x0000000102835d22 in WebCore::AccessibilityRenderObject::parentObject (this=0x1001cbe80) at AccessibilityRenderObject.cpp:443 #16570 0x000000010283bf26 in WebCore::AccessibilityRenderObject::ariaIsHidden (this=0x1001cbe80) at AccessibilityRenderObject.cpp:1702 #16571 0x0000000102828d97 in WebCore::AccessibilityRenderObject::accessibilityIsIgnoredBase (this=0x1001cbe80) at AccessibilityRenderObject.cpp:1753 #16572 0x000000010283c12f in WebCore::AccessibilityRenderObject::accessibilityIsIgnored (this=0x1001cbe80) at AccessibilityRenderObject.cpp:1775 #16573 0x000000010283bcde in WebCore::AccessibilityRenderObject::exposesTitleUIElement (this=0x1001cbe80) at AccessibilityRenderObject.cpp:1663 #16574 0x000000010283c2f9 in WebCore::AccessibilityRenderObject::accessibilityIsIgnored (this=0x1001cbb40) at AccessibilityRenderObject.cpp:1808 #16575 0x000000010282da10 in WebCore::AccessibilityObject::parentObjectUnignored (this=0x13391aab0) at AccessibilityObject.cpp:316 #16576 0x0000000102842cd6 in WebCore::AccessibilityRenderObject::determineAriaRoleAttribute (this=0x13391aab0) at AccessibilityRenderObject.cpp:3005 #16577 0x0000000102834517 in WebCore::AccessibilityRenderObject::determineAccessibilityRole (this=0x13391aab0) at AccessibilityRenderObject.cpp:3049 #16578 0x0000000102828a6d in WebCore::AccessibilityRenderObject::AccessibilityRenderObject (this=0x13391aab0, renderer=0x12a494dc8) at AccessibilityRenderObject.cpp:98 #16579 0x00000001028344cd in WebCore::AccessibilityRenderObject::AccessibilityRenderObject (this=0x13391aab0, renderer=0x12a494dc8) at AccessibilityRenderObject.cpp:97 #16580 0x0000000102834bce in WebCore::AccessibilityRenderObject::create (renderer=0x12a494dc8) at AccessibilityRenderObject.cpp:112 #16581 0x0000000102823ffd in createFromRenderer (renderer=0x12a494dc8) at AXObjectCache.cpp:250 #16582 0x00000001028226ef in WebCore::AXObjectCache::getOrCreate (this=0x130276230, renderer=0x12a494dc8) at AXObjectCache.cpp:285
chris fleizach
Comment 3 2011-08-09 11:54:33 PDT
rdar://9923054
chris fleizach
Comment 4 2011-08-09 11:56:42 PDT
Created attachment 103381 [details] patch
WebKit Review Bot
Comment 5 2011-08-09 12:03:19 PDT
Attachment 103381 [details] did not pass style-queue: Failed to run "['Tools/Scripts/check-webkit-style', '--diff-files', u'LayoutTests/ChangeLog', u'LayoutTests/acce..." exit_code: 1 Source/WebCore/accessibility/AccessibilityRenderObject.cpp:3003: An else if statement should be written as an if statement when the prior "if" concludes with a return, break, continue or goto statement. [readability/control_flow] [4] Total errors found: 1 in 7 files If any of these errors are false positives, please file a bug against check-webkit-style.
chris fleizach
Comment 6 2011-08-09 14:55:08 PDT
FYI i will fix the style error on commit
Darin Adler
Comment 7 2011-08-17 10:34:41 PDT
Comment on attachment 103381 [details] patch View in context: https://bugs.webkit.org/attachment.cgi?id=103381&action=review > Source/WebCore/accessibility/AccessibilityRenderObject.cpp:2999 > + AccessibilityObject* parent; > + for (parent = parentObject(); parent && !parent->accessibilityIsIgnored(); parent = parent->parentObject()) { I’d suggest defining this inside the for statement. > Source/WebCore/accessibility/AccessibilityRenderObject.cpp:3006 > + if (role == ListBoxOptionRole && parentAriaRole == MenuRole) > + return MenuItemRole; > + // An aria "menuitem" may map to MenuButton or MenuItem depending on its parent. > + else if (role == MenuItemRole && parentAriaRole == GroupRole) Yes, no need for else.
chris fleizach
Comment 8 2011-08-17 14:26:53 PDT
http://trac.webkit.org/changeset/93243
chris fleizach
Comment 9 2011-08-17 14:35:08 PDT
http://trac.webkit.org/changeset/93246
Note You need to log in before you can comment on or make changes to this bug.