RESOLVED FIXED 45572
WebAccessibilityCacheImpl needs to handle invalid accessibility object ids 
https://bugs.webkit.org/show_bug.cgi?id=45572
Summary WebAccessibilityCacheImpl needs to handle invalid accessibility object ids
Chris Guillory
Reported 2010-09-10 16:18:31 PDT
The Chromium renderer crashes when it accesses objects that have been removed from the webkit accessibility tree. http://code.google.com/p/chromium/issues/detail?id=54973 WebAccessibilityCacheImpl::addOrGetId should know that AccessibilityObject's with an id of 0 are invalid - they've been removed from the webkit accessibility tree.
Attachments
Return invalidObjectID in WebAccessibilityCacheImpl when an AccessibilityObject's id is 0 (1.15 KB, patch)
2010-09-10 16:24 PDT, Chris Guillory 		no flags
DetailsFormatted DiffDiff
Need to ensure updateBackingStore is called (2.48 KB, patch)
2010-09-10 18:31 PDT, Chris Guillory 		no flags
DetailsFormatted DiffDiff
Compiles now (2.49 KB, patch)
2010-09-10 18:33 PDT, Chris Guillory 		no flags
DetailsFormatted DiffDiff
Logic is correct now (2.49 KB, patch)
2010-09-10 18:52 PDT, Chris Guillory 		no flags
DetailsFormatted DiffDiff
Passes style check now (2.49 KB, patch)
2010-09-10 19:07 PDT, Chris Guillory 		cfleizach: review-
cfleizach: commit-queue-
DetailsFormatted DiffDiff
Naming new method isValid (2.88 KB, patch)
2010-09-12 23:06 PDT, Chris Guillory 		no flags
DetailsFormatted DiffDiff
Show Obsolete (5) View All Add attachment proposed patch, testcase, etc.
Chris Guillory
Comment 1 2010-09-10 16:24:25 PDT
Created attachment 67258 [details] Return invalidObjectID in WebAccessibilityCacheImpl when an AccessibilityObject's id is 0
Chris Guillory
Comment 2 2010-09-10 18:31:19 PDT
Created attachment 67280 [details] Need to ensure updateBackingStore is called Looks like updateBackingStore is where the accessibility object can become invalid.
Chris Guillory
Comment 3 2010-09-10 18:33:03 PDT
Created attachment 67281 [details] Compiles now
Chris Guillory
Comment 4 2010-09-10 18:52:06 PDT
Created attachment 67283 [details] Logic is correct now
WebKit Review Bot
Comment 5 2010-09-10 18:58:09 PDT
Attachment 67283 [details] did not pass style-queue: Failed to run "['WebKitTools/Scripts/check-webkit-style']" exit_code: 1 WebKit/chromium/src/WebAccessibilityObject.cpp:110: Tests for true/false, null/non-null, and zero/non-zero should all be done without equality comparisons. [readability/comparison_to_zero] [5] Total errors found: 1 in 4 files If any of these errors are false positives, please file a bug against check-webkit-style.
Chris Guillory
Comment 6 2010-09-10 19:07:17 PDT
Created attachment 67285 [details] Passes style check now
chris fleizach
Comment 7 2010-09-12 20:03:13 PDT
Comment on attachment 67285 [details] Passes style check now > Index: WebKit/chromium/ChangeLog > =================================================================== > --- WebKit/chromium/ChangeLog (revision 67263) > +++ WebKit/chromium/ChangeLog (working copy) > @@ -1,3 +1,16 @@ > +2010-09-10 Chris Guillory <chris.guillory@google.com> > + > + Reviewed by NOBODY (OOPS!). > + > + WebAccessibilityCacheImpl needs to handle invalid accessibility object ids period at end of sentence > + WEBKIT_API bool isAxObjectIdValid() const; since this is inside of an ax object, the method name should probably just be "isIdValid()" > > WEBKIT_API unsigned childCount() const; > > +bool WebAccessibilityObject::isAxObjectIdValid() const > +{ > + if (!m_private) > + return false; > + > + m_private->updateBackingStore(); after calling updateBackingStore() it's possible that m_private will be invalidated (on the WebCore side at least, where it's called m_object). you should probably confirm that the object is still valid after calling this method > + return m_private->axObjectID(); > +} > +
Chris Guillory
Comment 8 2010-09-12 23:02:25 PDT
> after calling updateBackingStore() it's possible that m_private will be invalidated (on the WebCore side at least, where it's called m_object). > you should probably confirm that the object is still valid after calling this method I'm adding this method to determine if the WebAccessibilityObject is valid. Perhaps I should just name this method isValid(). An invalid WebCore::AccessibilityObject has an ID of 0.
chris fleizach
Comment 9 2010-09-12 23:03:48 PDT
(In reply to comment #8) > > after calling updateBackingStore() it's possible that m_private will be invalidated (on the WebCore side at least, where it's called m_object). > > you should probably confirm that the object is still valid after calling this method > I'm adding this method to determine if the WebAccessibilityObject is valid. Perhaps I should just name this method isValid(). An invalid WebCore::AccessibilityObject has an ID of 0. yea, if updateBackingStore is just checking validity, it should be renamed.
Chris Guillory
Comment 10 2010-09-12 23:06:38 PDT
Created attachment 67360 [details] Naming new method isValid
chris fleizach
Comment 11 2010-09-13 12:15:52 PDT
Comment on attachment 67360 [details] Naming new method isValid r=me
WebKit Commit Bot
Comment 12 2010-09-13 16:00:40 PDT
Comment on attachment 67360 [details] Naming new method isValid Clearing flags on attachment: 67360 Committed r67418: <http://trac.webkit.org/changeset/67418>
WebKit Commit Bot
Comment 13 2010-09-13 16:00:45 PDT
All reviewed patches have been landed. Closing bug.
Note You need to log in before you can comment on or make changes to this bug.