Commit a09b3cd4 authored by dmazzoni@google.com

AX: Heap-use-after-free when deleting a ContainerNode with an AX object

https://bugs.webkit.org/show_bug.cgi?id=98073

Reviewed by Hajime Morita.

Source/WebCore:

Calls axObjectCache()->remove(this) in ~ContainerNode so that the AX tree
doesn't try to access the container node while walking up the parent chain
from one of the container node's children.

Test: accessibility/container-node-delete-causes-crash.html

* dom/ContainerNode.cpp:
(WebCore::ContainerNode::~ContainerNode):
* dom/Node.cpp:
(WebCore::Node::~Node):
* dom/Node.h:
(WebCore::Node::document):
(WebCore::Node::documentInternal):

LayoutTests:

Adds test for heap-use-after-free when container node with AX object is deleted.

* accessibility/container-node-delete-causes-crash-expected.txt: Added.
* accessibility/container-node-delete-causes-crash.html: Added.


git-svn-id: http://svn.webkit.org/repository/webkit/trunk@130266 268f45cc-cd09-0410-ab3c-d52691b4dbfc
parent 1c0d37d7
2012-10-03 Dominic Mazzoni <dmazzoni@google.com>
AX: Heap-use-after-free when deleting a ContainerNode with an AX object
https://bugs.webkit.org/show_bug.cgi?id=98073
Reviewed by Hajime Morita.
Adds test for heap-use-after-free when container node with AX object is deleted.
* accessibility/container-node-delete-causes-crash-expected.txt: Added.
* accessibility/container-node-delete-causes-crash.html: Added.
2012-10-03 Vsevolod Vlasov <vsevik@chromium.org>
Web Inspector: SourceURL should be taken from debugger agent when possible.
......
Checks to make sure a heap-use-after-free crash doesn't occur when a container node with an associated accessibility object is deleted from the tree. The heap-use-after free was occuring when the AccessibilityObject corresponding to the child of the text node walked up its parent chain in AccessibilityObject::supportsARIALiveRegion but its parent was already deleted.
On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
PASS successfullyParsed is true
TEST COMPLETE
Text
<!DOCTYPE HTML>
<html>
<body>
<script src="../fast/js/resources/js-test-pre.js"></script>
<div id="console"></div>
<svg xmlns:xlink="http://www.w3.org/1999/xlink">
<text id="a">Text</text>
<use xlink:href="#a"></use>
</svg>
<script>
description("Checks to make sure a heap-use-after-free crash doesn't occur when a container node with an associated accessibility object is deleted from the tree. The heap-use-after free was occuring when the AccessibilityObject corresponding to the child of the text node walked up its parent chain in AccessibilityObject::supportsARIALiveRegion but its parent was already deleted.");
// This creates an accessibility object for every node in the tree.
if (window.accessibilityController)
accessibilityController.accessibleElementById("foo");
// An SVG "use" element is like a clone, so the "use" element contains a
// clone of the "text" element. This statement clears the reference, which
// causes the cloned "text" element to be destroyed.
document.getElementsByTagName('use')[0].setAttribute('xlink:href', '');
</script>
<script src="../fast/js/resources/js-test-post.js"></script>
</body>
</html>
2012-10-03 Dominic Mazzoni <dmazzoni@google.com>
AX: Heap-use-after-free when deleting a ContainerNode with an AX object
https://bugs.webkit.org/show_bug.cgi?id=98073
Reviewed by Hajime Morita.
Calls axObjectCache()->remove(this) in ~ContainerNode so that the AX tree
doesn't try to access the container node while walking up the parent chain
from one of the container node's children.
Test: accessibility/container-node-delete-causes-crash.html
* dom/ContainerNode.cpp:
(WebCore::ContainerNode::~ContainerNode):
* dom/Node.cpp:
(WebCore::Node::~Node):
* dom/Node.h:
(WebCore::Node::document):
(WebCore::Node::documentInternal):
2012-10-03 Vsevolod Vlasov <vsevik@chromium.org>
Web Inspector: SourceURL should be taken from debugger agent when possible.
......
......@@ -23,6 +23,7 @@
#include "config.h"
#include "ContainerNode.h"
#include "AXObjectCache.h"
#include "ChildListMutationScope.h"
#include "ContainerNodeAlgorithms.h"
#include "DeleteButtonController.h"
......@@ -119,6 +120,9 @@ void ContainerNode::takeAllChildrenFrom(ContainerNode* oldParent)
ContainerNode::~ContainerNode()
{
if (AXObjectCache::accessibilityEnabled() && documentInternal() && documentInternal()->axObjectCacheExists())
documentInternal()->axObjectCache()->remove(this);
removeAllChildren();
}
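Review bot: the guard added to ~ContainerNode repeats the expression already in Node::~Node (`AXObjectCache::accessibilityEnabled() && documentInternal() && documentInternal()->axObjectCacheExists()`), and the two copies now have to stay in step with the `!isContainerNode()` exclusion in Node.cpp; a small helper on Node (say `removeFromAXObjectCache()`, name only a suggestion) called from both destructors would keep the condition in one place. Since the ordering is the whole fix, a comment stating that the remove must run before `removeAllChildren()`, because a child's AX object may walk its parent chain while the children are torn down, would also help the next reader.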
......
......@@ -417,7 +417,7 @@ Node::~Node()
detach();
Document* doc = m_document;
if (AXObjectCache::accessibilityEnabled() && doc && doc->axObjectCacheExists())
if (AXObjectCache::accessibilityEnabled() && doc && doc->axObjectCacheExists() && !isContainerNode())
doc->axObjectCache()->remove(this);
if (m_previous)
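Review bot: the new `!isContainerNode()` exclusion is only correct if `isContainerNode()` is a plain flag test and not a virtual call; by the time `Node::~Node` runs the dynamic type is already Node, so a virtual implementation would report false here and container nodes would be removed from the cache a second time after ~ContainerNode already did so. Whichever it is, the dependency deserves a comment on this line, together with a pointer to ContainerNode::~ContainerNode so a reader sees where container nodes are handled.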
......
......@@ -429,8 +429,8 @@ public:
ASSERT(this);
// FIXME: below ASSERT is useful, but prevents the use of document() in the constructor or destructor
// due to the virtual function call to nodeType().
ASSERT(m_document || (nodeType() == DOCUMENT_TYPE_NODE && !inDocument()));
return m_document;
ASSERT(documentInternal() || (nodeType() == DOCUMENT_TYPE_NODE && !inDocument()));
return documentInternal();
}
TreeScope* treeScope() const;
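Review bot: the FIXME comment kept in this hunk is now slightly stale: it explains that the ASSERT prevents calling document() from constructors and destructors, but does not say that documentInternal() is the sanctioned alternative, which is the reason for this change. Suggest extending it with something like `// Use documentInternal() from constructors and destructors instead.` Note also that swapping `m_document` for `documentInternal()` in the ASSERT and return does not change behaviour; the virtual nodeType() call in the ASSERT is still there.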
......@@ -755,6 +755,8 @@ protected:
void setHasCustomCallbacks() { setFlag(true, HasCustomCallbacksFlag); }
Document* documentInternal() const { return m_document; }
private:
friend class TreeShared<Node, ContainerNode>;
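Review bot: `documentInternal()` is declared with no comment even though its sole purpose is to bypass the ASSERT in document() during construction and destruction, and unlike document() it may legitimately return 0 (the callers in ~ContainerNode and ~Node both null-check it). A one-line comment such as `// Unlike document(), safe to call from constructors and destructors; may return 0.` would stop it from becoming a general-purpose shortcut around the assertion.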
......