Bug 65174 - Accessibility stack exhaustion using role attribute
Summary: Accessibility stack exhaustion using role attribute
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: Accessibility
Version: 528+ (Nightly build)
Hardware: PC Windows Vista
Importance: P1 Normal
Assignee: chris fleizach
Keywords: InRadar
Reported: 2011-07-26 04:50 PDT by Berend-Jan Wever
Modified: 2011-08-17 14:35 PDT

Attachments
Repro (25 bytes, text/html)
2011-07-26 04:50 PDT, Berend-Jan Wever
patch (7.88 KB, patch)
2011-08-09 11:56 PDT, chris fleizach
darin: review+

Description Berend-Jan Wever 2011-07-26 04:50:35 PDT
Created attachment 101987 [details]
Repro

Repro:
<label><q role=x><input>

This causes a loop where AccessibilityRenderObjects create more AccessibilityRenderObjects until all stack space has been used and the thread is terminated.

This requires you to enable accessibility to reproduce.
Comment 1 Berend-Jan Wever 2011-07-26 04:50:59 PDT
Chromium: https://code.google.com/p/chromium/issues/detail?id=90497
Comment 2 chris fleizach 2011-08-09 09:37:04 PDT
#16568 0x00000001028226ef in WebCore::AXObjectCache::getOrCreate (this=0x130276230, renderer=0x12a494dc8) at AXObjectCache.cpp:285
#16569 0x0000000102835d22 in WebCore::AccessibilityRenderObject::parentObject (this=0x1001cbe80) at AccessibilityRenderObject.cpp:443
#16570 0x000000010283bf26 in WebCore::AccessibilityRenderObject::ariaIsHidden (this=0x1001cbe80) at AccessibilityRenderObject.cpp:1702
#16571 0x0000000102828d97 in WebCore::AccessibilityRenderObject::accessibilityIsIgnoredBase (this=0x1001cbe80) at AccessibilityRenderObject.cpp:1753
#16572 0x000000010283c12f in WebCore::AccessibilityRenderObject::accessibilityIsIgnored (this=0x1001cbe80) at AccessibilityRenderObject.cpp:1775
#16573 0x000000010283bcde in WebCore::AccessibilityRenderObject::exposesTitleUIElement (this=0x1001cbe80) at AccessibilityRenderObject.cpp:1663
#16574 0x000000010283c2f9 in WebCore::AccessibilityRenderObject::accessibilityIsIgnored (this=0x1001cbb40) at AccessibilityRenderObject.cpp:1808
#16575 0x000000010282da10 in WebCore::AccessibilityObject::parentObjectUnignored (this=0x13391aab0) at AccessibilityObject.cpp:316
#16576 0x0000000102842cd6 in WebCore::AccessibilityRenderObject::determineAriaRoleAttribute (this=0x13391aab0) at AccessibilityRenderObject.cpp:3005
#16577 0x0000000102834517 in WebCore::AccessibilityRenderObject::determineAccessibilityRole (this=0x13391aab0) at AccessibilityRenderObject.cpp:3049
#16578 0x0000000102828a6d in WebCore::AccessibilityRenderObject::AccessibilityRenderObject (this=0x13391aab0, renderer=0x12a494dc8) at AccessibilityRenderObject.cpp:98
#16579 0x00000001028344cd in WebCore::AccessibilityRenderObject::AccessibilityRenderObject (this=0x13391aab0, renderer=0x12a494dc8) at AccessibilityRenderObject.cpp:97
#16580 0x0000000102834bce in WebCore::AccessibilityRenderObject::create (renderer=0x12a494dc8) at AccessibilityRenderObject.cpp:112
#16581 0x0000000102823ffd in createFromRenderer (renderer=0x12a494dc8) at AXObjectCache.cpp:250
#16582 0x00000001028226ef in WebCore::AXObjectCache::getOrCreate (this=0x130276230, renderer=0x12a494dc8) at AXObjectCache.cpp:285
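The re-entry the description and the trace above describe (frames #16568 and #16582 are both AXObjectCache::getOrCreate for the same renderer 0x12a494dc8, with the object's own constructor in between), as an added example that is not WebKit's code: a constructed cache whose object constructor walks parents and can ask the cache for the very renderer it is building. The `Renderer` tree, the `inConstruction` guard and the `reentries` counter are assumptions of this example; WebKit's actual fix changed the role lookup in AccessibilityRenderObject.cpp, not the cache.

```cpp
#include <map>
#include <memory>
#include <set>

// Constructed model, not WebKit's code: renderer tree for the repro <label><q role=x><input>.
struct Renderer { bool hasAriaRole; Renderer* parent; Renderer* control; };  // control: what a <label> labels
struct AXCache;
struct AXObject {
    AXObject(AXCache&, Renderer*);
    AXObject* parentObject();
    bool accessibilityIsIgnored();
    AXCache& cache;
    Renderer* renderer;
};
struct AXCache {
    int reentries = 0;  // hypothetical counter: lookups refused because the object was still being built
    std::map<Renderer*, std::unique_ptr<AXObject>> objects;
    std::set<Renderer*> inConstruction;  // hypothetical guard, not present in WebKit's AXObjectCache
    AXObject* getOrCreate(Renderer* r) {
        auto it = objects.find(r);
        if (it != objects.end()) return it->second.get();
        if (!inConstruction.insert(r).second) { ++reentries; return nullptr; }  // re-entered mid-construction
        std::unique_ptr<AXObject> obj(new AXObject(*this, r));  // the constructor may call back into the cache
        inConstruction.erase(r);
        AXObject* raw = obj.get();
        objects[r] = std::move(obj);
        return raw;
    }
};

// Role resolution in the constructor walks to the first unignored parent (frames #16578..#16575).
AXObject::AXObject(AXCache& c, Renderer* r) : cache(c), renderer(r) {
    if (renderer->hasAriaRole)
        for (AXObject* p = parentObject(); p && p->accessibilityIsIgnored(); p = p->parentObject()) {}
}
AXObject* AXObject::parentObject() { return renderer->parent ? cache.getOrCreate(renderer->parent) : nullptr; }
// A <label> defers to its control (frame #16573); the control's aria-hidden check walks its ancestors
// (frames #16570..#16568) and so asks the cache for the <q> that is still under construction.
bool AXObject::accessibilityIsIgnored() {
    if (renderer->control) { AXObject* ctl = cache.getOrCreate(renderer->control); return ctl && ctl->accessibilityIsIgnored(); }
    for (AXObject* p = parentObject(); p; p = p->parentObject()) {}  // the aria-hidden test would go here
    return false;
}

// Builds the repro tree and asks for the <q> object; returns the refused re-entrant lookups, or -1 on failure.
int reproReentries() {
    Renderer label{false, nullptr, nullptr}, q{true, &label, nullptr}, input{false, &q, nullptr};
    label.control = &input;
    AXCache cache;
    return cache.getOrCreate(&q) ? cache.reentries : -1;
}
```

Without the guard the same call chain recurses until the stack is gone; with it the walk from `<input>` simply stops at the half-built `<q>` and construction completes once.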
Comment 3 chris fleizach 2011-08-09 11:54:33 PDT
rdar://9923054
Comment 4 chris fleizach 2011-08-09 11:56:42 PDT
Created attachment 103381 [details]
patch
Comment 5 WebKit Review Bot 2011-08-09 12:03:19 PDT
Attachment 103381 [details] did not pass style-queue:

Failed to run "['Tools/Scripts/check-webkit-style', '--diff-files', u'LayoutTests/ChangeLog', u'LayoutTests/acce..." exit_code: 1

Source/WebCore/accessibility/AccessibilityRenderObject.cpp:3003:  An else if statement should be written as an if statement when the prior "if" concludes with a return, break, continue or goto statement.  [readability/control_flow] [4]
Total errors found: 1 in 7 files


If any of these errors are false positives, please file a bug against check-webkit-style.
Comment 6 chris fleizach 2011-08-09 14:55:08 PDT
FYI I will fix the style error on commit
Comment 7 Darin Adler 2011-08-17 10:34:41 PDT
Comment on attachment 103381 [details]
patch

View in context: https://bugs.webkit.org/attachment.cgi?id=103381&action=review

> Source/WebCore/accessibility/AccessibilityRenderObject.cpp:2999
> +    AccessibilityObject* parent;
> +    for (parent = parentObject(); parent && !parent->accessibilityIsIgnored(); parent = parent->parentObject()) {
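Review bot: `parent` is used only by this loop, so declare it in the for statement's init clause, `for (AccessibilityObject* parent = parentObject(); parent && !parent->accessibilityIsIgnored(); parent = parent->parentObject())`, instead of on its own line above it. A one-line comment explaining why walking parentObject() here avoids the getOrCreate re-entry in comment 2 (parentObjectUnignored -> accessibilityIsIgnored -> exposesTitleUIElement -> ... -> getOrCreate on the renderer still being constructed) would also save the next reader a trip through that trace.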

I'd suggest defining this inside the for statement.

> Source/WebCore/accessibility/AccessibilityRenderObject.cpp:3006
> +        if (role == ListBoxOptionRole && parentAriaRole == MenuRole)
> +            return MenuItemRole;
> +        // An aria "menuitem" may map to MenuButton or MenuItem depending on its parent.
> +        else if (role == MenuItemRole && parentAriaRole == GroupRole)
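Review bot: the `else` on `else if (role == MenuItemRole && parentAriaRole == GroupRole)` is dead after the preceding `return MenuItemRole;`, so write it as a plain `if` (this is also what check-webkit-style flagged at line 3003). Dropping the `else` lets the `// An aria "menuitem" may map to MenuButton or MenuItem ...` comment sit directly above the statement it describes rather than wedged between an `if` body and its `else`.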

Yes, no need for else.
Comment 8 chris fleizach 2011-08-17 14:26:53 PDT
http://trac.webkit.org/changeset/93243
Comment 9 chris fleizach 2011-08-17 14:35:08 PDT
http://trac.webkit.org/changeset/93246