Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(421)

Side by Side Diff: Source/WebCore/dom/ContainerNode.cpp

Issue 11196044: Merge 130266 - AX: Heap-use-after-free when deleting a ContainerNode with an AX object (Closed) Base URL: http://svn.webkit.org/repository/webkit/branches/chromium/1271/
Patch Set: Created 8 years, 2 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View unified diff | Download patch
OLDNEW
1 /* 1 /*
2 * Copyright (C) 1999 Lars Knoll (knoll@kde.org) 2 * Copyright (C) 1999 Lars Knoll (knoll@kde.org)
3 * (C) 1999 Antti Koivisto (koivisto@kde.org) 3 * (C) 1999 Antti Koivisto (koivisto@kde.org)
4 * (C) 2001 Dirk Mueller (mueller@kde.org) 4 * (C) 2001 Dirk Mueller (mueller@kde.org)
5 * Copyright (C) 2004, 2005, 2006, 2007, 2008, 2009 Apple Inc. All rights reserv ed. 5 * Copyright (C) 2004, 2005, 2006, 2007, 2008, 2009 Apple Inc. All rights reserv ed.
6 * 6 *
7 * This library is free software; you can redistribute it and/or 7 * This library is free software; you can redistribute it and/or
8 * modify it under the terms of the GNU Library General Public 8 * modify it under the terms of the GNU Library General Public
9 * License as published by the Free Software Foundation; either 9 * License as published by the Free Software Foundation; either
10 * version 2 of the License, or (at your option) any later version. 10 * version 2 of the License, or (at your option) any later version.
11 * 11 *
12 * This library is distributed in the hope that it will be useful, 12 * This library is distributed in the hope that it will be useful,
13 * but WITHOUT ANY WARRANTY; without even the implied warranty of 13 * but WITHOUT ANY WARRANTY; without even the implied warranty of
14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU 14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
15 * Library General Public License for more details. 15 * Library General Public License for more details.
16 * 16 *
17 * You should have received a copy of the GNU Library General Public License 17 * You should have received a copy of the GNU Library General Public License
18 * along with this library; see the file COPYING.LIB. If not, write to 18 * along with this library; see the file COPYING.LIB. If not, write to
19 * the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, 19 * the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
20 * Boston, MA 02110-1301, USA. 20 * Boston, MA 02110-1301, USA.
21 */ 21 */
22 22
23 #include "config.h" 23 #include "config.h"
24 #include "ContainerNode.h" 24 #include "ContainerNode.h"
25 25
26 #include "AXObjectCache.h"
26 #include "ChildListMutationScope.h" 27 #include "ChildListMutationScope.h"
27 #include "ContainerNodeAlgorithms.h" 28 #include "ContainerNodeAlgorithms.h"
28 #include "DeleteButtonController.h" 29 #include "DeleteButtonController.h"
29 #include "EventNames.h" 30 #include "EventNames.h"
30 #include "ExceptionCode.h" 31 #include "ExceptionCode.h"
31 #include "FloatRect.h" 32 #include "FloatRect.h"
32 #include "Frame.h" 33 #include "Frame.h"
33 #include "FrameView.h" 34 #include "FrameView.h"
34 #include "InlineTextBox.h" 35 #include "InlineTextBox.h"
35 #include "InspectorInstrumentation.h" 36 #include "InspectorInstrumentation.h"
(...skipping 72 matching lines...) Expand 10 before | Expand all | Expand 10 after
108 // (if the document changed or oldParent was in a shadow tree, AND *this is in a shadow tree). 109 // (if the document changed or oldParent was in a shadow tree, AND *this is in a shadow tree).
109 // Can we do better? 110 // Can we do better?
110 treeScope()->adoptIfNeeded(child.get()); 111 treeScope()->adoptIfNeeded(child.get());
111 if (attached() && !child->attached()) 112 if (attached() && !child->attached())
112 child->attach(); 113 child->attach();
113 } 114 }
114 } 115 }
115 116
116 ContainerNode::~ContainerNode() 117 ContainerNode::~ContainerNode()
117 { 118 {
119 if (AXObjectCache::accessibilityEnabled() && documentInternal() && documentI nternal()->axObjectCacheExists())
120 documentInternal()->axObjectCache()->remove(this);
121
118 removeAllChildren(); 122 removeAllChildren();
119 } 123 }
120 124
121 bool ContainerNode::insertBefore(PassRefPtr<Node> newChild, Node* refChild, Exce ptionCode& ec, bool shouldLazyAttach) 125 bool ContainerNode::insertBefore(PassRefPtr<Node> newChild, Node* refChild, Exce ptionCode& ec, bool shouldLazyAttach)
122 { 126 {
123 // Check that this node is not "floating". 127 // Check that this node is not "floating".
124 // If it is, it can be deleted as a side effect of sending mutation events. 128 // If it is, it can be deleted as a side effect of sending mutation events.
125 ASSERT(refCount() || parentOrHostNode()); 129 ASSERT(refCount() || parentOrHostNode());
126 130
127 RefPtr<Node> protect(this); 131 RefPtr<Node> protect(this);
(...skipping 882 matching lines...) Expand 10 before | Expand all | Expand 10 after
1010 if (shouldLazyAttach) 1014 if (shouldLazyAttach)
1011 child->lazyAttach(); 1015 child->lazyAttach();
1012 else 1016 else
1013 child->attach(); 1017 child->attach();
1014 } 1018 }
1015 1019
1016 dispatchChildInsertionEvents(child); 1020 dispatchChildInsertionEvents(child);
1017 } 1021 }
1018 1022
1019 } // namespace WebCore 1023 } // namespace WebCore
OLDNEW
« no previous file with comments | « LayoutTests/accessibility/container-node-delete-causes-crash-expected.txt ('k') | Source/WebCore/dom/Node.h » ('j') | no next file with comments »

Powered by Google App Engine
This is Rietveld 408576698