author | dtseng@chromium.org <dtseng@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2011-12-02 19:08:46 +0000 |
---|---|---|
committer | dtseng@chromium.org <dtseng@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2011-12-02 19:08:46 +0000 |
commit | eca9b5185b5f8d52aa18229c2729c6bb5591f8f2 (patch) | |
tree | b0910c0f973e8bd602c379a1e37244a2782c725f /content/renderer/renderer_accessibility.cc | |
parent | 51678ad73ad231bd77862f53e18e629420a26042 (diff) | |
Fix a possible renderer hang due to a WebAccessibilityObject becoming invalid.
BUG=106016
TEST=manual
Review URL: http://codereview.chromium.org/8772006
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@112749 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'content/renderer/renderer_accessibility.cc')
-rw-r--r-- | content/renderer/renderer_accessibility.cc | 27 |
1 files changed, 17 insertions, 10 deletions
diff --git a/content/renderer/renderer_accessibility.cc b/content/renderer/renderer_accessibility.cc
index 5f81af8..6b78d54 100644
--- a/content/renderer/renderer_accessibility.cc
+++ b/content/renderer/renderer_accessibility.cc
@@ -227,14 +227,6 @@ void RendererAccessibility::SendPendingAccessibilityNotifications() {
 WebAccessibilityObject obj = document.accessibilityObjectFromID(
 notification.id);
 
- if (!obj.isValid()) {
-#ifndef NDEBUG
- if (logging_)
- LOG(WARNING) << "Got notification on invalid object id " << obj.axID();
-#endif
- continue;
- }
-
 // The browser may not have this object yet, for example if we get a
 // notification on an object that was recently added, or if we get a
 // notification on a node before the page has loaded. Work our way
@@ -242,6 +234,7 @@ void RendererAccessibility::SendPendingAccessibilityNotifications() {
 // we reach the root.
 int root_id = document.accessibilityObject().axID();
 while (browser_id_map_.find(obj.axID()) == browser_id_map_.end() &&
+ obj.isValid() &&
 obj.axID() != root_id) {
 obj = obj.parentObject();
 includes_children = true;
@@ -251,6 +244,15 @@ void RendererAccessibility::SendPendingAccessibilityNotifications() {
 }
 }
 
+ if (!obj.isValid()) {
+#ifndef NDEBUG
+ if (logging_)
+ LOG(WARNING) << "Got notification on object that is invalid or has"
+ << " invalid ancestor. Id: " << obj.axID();
+#endif
+ continue;
+ }
+
 // Another potential problem is that this notification may be on an
 // object that is detached from the tree. Determine if this node is not a
 // child of its parent, and if so move the notification to the parent.
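Review bot: In the `while` condition of the `@@ -242,6 +234,7 @@` hunk the added `obj.isValid()` comes after `browser_id_map_.find(obj.axID())`, so `axID()` is still called on the object before its validity is known, and the earlier up-front `isValid()` check has been moved below the loop by this same commit. Putting the guard first, `while (obj.isValid() && browser_id_map_.find(obj.axID()) == browser_id_map_.end() &&`, keeps every use of the object behind the check. Whether `axID()` is safe on an invalid object is not visible in this diff, so treat this as defensive ordering rather than a confirmed fault. The loop body continues past the end of the hunk.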
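Review bot: The relocated warning in the `@@ -251,6 +244,15 @@` hunk prints `obj.axID()` for an object that has just failed `isValid()`, and after the ancestor walk `obj` may no longer be the object the notification named, so the logged id probably does not identify the node that triggered the notification. Logging the id the notification arrived with, `<< " invalid ancestor. Id: " << notification.id;`, would make the message useful when diagnosing reports like the one in BUG=106016; this assumes `notification.id` is streamable, which the visible lines do not confirm. The enclosing loop starts and ends outside the hunk.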
@@ -258,10 +260,15 @@ void RendererAccessibility::SendPendingAccessibilityNotifications() {
 // https://bugs.webkit.org/show_bug.cgi?id=68466 is fixed.
 if (obj.axID() != root_id) {
 WebAccessibilityObject parent = obj.parentObject();
- while (!parent.isNull() && parent.accessibilityIsIgnored())
+ while (!parent.isNull() &&
+ parent.isValid() &&
+ parent.accessibilityIsIgnored()) {
 parent = parent.parentObject();
- if (parent.isNull()) {
+ }
+
+ if (parent.isNull() || !parent.isValid()) {
 NOTREACHED();
+ continue;
 }
 bool is_child_of_parent = false;
 for (unsigned int i = 0; i < parent.childCount(); ++i) {
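Review bot: `NOTREACHED()` still guards the branch whose condition was widened to `parent.isNull() || !parent.isValid()`, although this commit exists because an ancestor can in fact become invalid. If `NOTREACHED()` asserts in debug builds, page content that invalidates an accessibility ancestor would still abort a debug renderer instead of skipping the notification. Consider keeping `NOTREACHED()` only for the `parent.isNull()` case and handling `!parent.isValid()` with a plain `continue;`, optionally with the same `LOG(WARNING)` used for `obj` earlier in the function. With `TEST=manual` in the description, a regression test that invalidates an ancestor while notifications are pending would also be worth adding. The enclosing loop and the `for` over `parent.childCount()` continue outside the hunk.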