[webkitgtk3] Backport a fix for a crash in AccessibilityTableCell::parentTable()
Kalev Lember
kalev at fedoraproject.org
Fri Jan 25 09:59:59 UTC 2013
commit 2a30073f0f4832950d300ab3cc9eec34481061df
Author: Kalev Lember <kalevlember at gmail.com>
Date: Fri Jan 25 10:57:37 2013 +0100
Backport a fix for a crash in AccessibilityTableCell::parentTable()
Thanks to yaneti for pointing this out on IRC.
...itgtk-1.11.4-AccessibilityTableCell-crash.patch | 96 ++++++++++++++++++++
webkitgtk3.spec | 8 ++-
2 files changed, 103 insertions(+), 1 deletions(-)
---
diff --git a/webkitgtk-1.11.4-AccessibilityTableCell-crash.patch b/webkitgtk-1.11.4-AccessibilityTableCell-crash.patch
new file mode 100644
index 0000000..fd9f05c
--- /dev/null
+++ b/webkitgtk-1.11.4-AccessibilityTableCell-crash.patch
@@ -0,0 +1,96 @@
+From 57621d76f5d522fe9460f2fbdcfa041c59960524 Mon Sep 17 00:00:00 2001
+From: "commit-queue at webkit.org"
+ <commit-queue at webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
+Date: Mon, 21 Jan 2013 16:57:38 +0000
+Subject: [PATCH] Crash in AccessibilityTableCell::parentTable()
+ https://bugs.webkit.org/show_bug.cgi?id=107261
+
+Patch by Joanmarie Diggs <jdiggs at igalia.com> on 2013-01-21
+Reviewed by Chris Fleizach.
+
+Source/WebCore:
+
+Test: accessibility/table-destroyed-crash.html
+
+Getting the parent table in order to get the role value should not be
+done when objects are being destroyed. Also, it does not seem safe to
+assume we have an AXObjectCache.
+
+Moving the logic from roleValue() to determineAccessibilityRole() has
+the side effect of not being able to verify the cell is in an AXTable
+when that AXTable has not yet been created. Therefore isTableCell()
+should look to see if it is the descendant of an AXRow.
+
+* accessibility/AccessibilityTableCell.cpp:
+(WebCore::AccessibilityTableCell::parentTable):
+(WebCore::AccessibilityTableCell::isTableCell):
+(WebCore::AccessibilityTableCell::determineAccessibilityRole):
+* accessibility/AccessibilityTableCell.h:
+(AccessibilityTableCell):
+
+git-svn-id: http://svn.webkit.org/repository/webkit/trunk@140340 268f45cc-cd09-0410-ab3c-d52691b4dbfc
+---
+ .../accessibility/AccessibilityTableCell.cpp | 12 +++++---
+ .../WebCore/accessibility/AccessibilityTableCell.h | 2 +-
+ 6 files changed, 93 insertions(+), 5 deletions(-)
+
+diff --git a/Source/WebCore/accessibility/AccessibilityTableCell.cpp b/Source/WebCore/accessibility/AccessibilityTableCell.cpp
+index f2b1c95..b30409b 100644
+--- a/Source/WebCore/accessibility/AccessibilityTableCell.cpp
++++ b/Source/WebCore/accessibility/AccessibilityTableCell.cpp
+@@ -74,6 +74,10 @@ AccessibilityObject* AccessibilityTableCell::parentTable() const
+ {
+ if (!m_renderer || !m_renderer->isTableCell())
+ return 0;
++
++ // If the document no longer exists, we might not have an axObjectCache.
++ if (!axObjectCache())
++ return 0;
+
+ // Do not use getOrCreate. parentTable() can be called while the render tree is being modified
+ // by javascript, and creating a table element may try to access the render tree while in a bad state.
+@@ -85,17 +89,17 @@ AccessibilityObject* AccessibilityTableCell::parentTable() const
+
+ bool AccessibilityTableCell::isTableCell() const
+ {
+- AccessibilityObject* table = parentTable();
+- if (!table || !table->isAccessibilityTable())
++ AccessibilityObject* parent = parentObjectUnignored();
++ if (!parent || !parent->isTableRow())
+ return false;
+
+ return true;
+ }
+
+-AccessibilityRole AccessibilityTableCell::roleValue() const
++AccessibilityRole AccessibilityTableCell::determineAccessibilityRole()
+ {
+ if (!isTableCell())
+- return AccessibilityRenderObject::roleValue();
++ return AccessibilityRenderObject::determineAccessibilityRole();
+
+ return CellRole;
+ }
+diff --git a/Source/WebCore/accessibility/AccessibilityTableCell.h b/Source/WebCore/accessibility/AccessibilityTableCell.h
+index 0430715..9341634 100644
+--- a/Source/WebCore/accessibility/AccessibilityTableCell.h
++++ b/Source/WebCore/accessibility/AccessibilityTableCell.h
+@@ -42,7 +42,6 @@ public:
+ virtual ~AccessibilityTableCell();
+
+ virtual bool isTableCell() const;
+- virtual AccessibilityRole roleValue() const;
+
+ virtual bool accessibilityIsIgnored() const;
+
+@@ -54,6 +53,7 @@ public:
+ protected:
+ virtual AccessibilityObject* parentTable() const;
+ int m_rowIndex;
++ virtual AccessibilityRole determineAccessibilityRole();
+
+ private:
+ // If a table cell is not exposed as a table cell, a TH element can serve as its title UI element.
+--
+1.8.1
+
diff --git a/webkitgtk3.spec b/webkitgtk3.spec
index 258b304..37807e7 100644
--- a/webkitgtk3.spec
+++ b/webkitgtk3.spec
@@ -7,7 +7,7 @@
Name: webkitgtk3
Version: 1.11.4
-Release: 2%{?dist}
+Release: 3%{?dist}
Summary: GTK+ Web content engine library
Group: Development/Libraries
@@ -25,6 +25,8 @@ Patch4: webkit-1.11.2-yarr.patch
Patch5: webkit-1.11.2-includes.patch
# https://bugs.webkit.org/show_bug.cgi?id=103128
Patch6: webkit-1.11.2-Double2Ints.patch
+# https://bugs.webkit.org/show_bug.cgi?id=107261
+Patch7: webkitgtk-1.11.4-AccessibilityTableCell-crash.patch
BuildRequires: bison
BuildRequires: cairo-devel
@@ -91,6 +93,7 @@ This package contains developer documentation for %{name}.
%patch4 -p1 -b .yarr
%patch5 -p1 -b .includes
%patch6 -p1 -b .double2ints
+%patch7 -p1 -b .AccessibilityTableCell
%build
%ifarch s390 %{arm} ppc
@@ -208,6 +211,9 @@ glib-compile-schemas %{_datadir}/glib-2.0/schemas &>/dev/null || :
%changelog
+* Fri Jan 25 2013 Kalev Lember <kalevlember at gmail.com> - 1.11.4-3
+- Backport a fix for a crash in AccessibilityTableCell::parentTable()
+
* Mon Jan 21 2013 Adam Tkac <atkac redhat com> - 1.11.4-2
- rebuild due to "jpeg8-ABI" feature drop
More information about the scm-commits
mailing list