Google Git
Sign in
chromium / chromium / src / 00f72818eedab4ccdf83a1da185401545968b6cd
commit00f72818eedab4ccdf83a1da185401545968b6cd[log] [tgz]
authorDominic Mazzoni <dmazzoni@chromium.org>Wed Apr 24 05:51:25 2019
committerCommit Bot <commit-bot@chromium.org>Wed Apr 24 05:51:25 2019
treeea406bc71c55a71241cbf9b8c33949b0270e7ab1
parentf7775ebb7ce368333cb6350d16262bda6932f9af [diff]
Fix bug in LayoutTreeBuilder accessibility patch

This change changed the accessibility tree to be built
using LayoutTreeBuilder: crrev.com/c/1547617

This caused crbug.com/951503 - a crash in
blink::AXNodeObject::AddChildren, due to a node
being deleted while it was in the process of
iterating over its children.

I can reliably reproduce this crash by loading
https://www.komputerswiat.pl/gamezilla when
accessibility is enabled.

I discovered that the root cause was due to the
change in AXObjectCacheImpl::GetOrCreate(LayoutObject*) -
specifically code that identifies an old entry in the
node mapping that needs to be updated.

The problem with the code is that it assumes there's a
1:1 mapping between nodes and layout objects - but this
isn't always true. When there's a continuation, you
could have two layout objects that correspond to the
same Node.

The fix is easy - just check node->GetLayoutObject
and skip checking the node mapping if it's not the
same.

Bug: 951503, 835455
Tbr: nektar@chromium.org, aboxhall@chromium.org
Change-Id: Ie5bc4fa5766f00bc8fe882454a5d15a1467f198c
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1580140
Reviewed-by: Dominic Mazzoni <dmazzoni@chromium.org>
Commit-Queue: Dominic Mazzoni <dmazzoni@chromium.org>
Cr-Commit-Position: refs/heads/master@{#653498}
1 file changed
tree: ea406bc71c55a71241cbf9b8c33949b0270e7ab1
  1. android_webview/
  2. apps/
  3. ash/
  4. base/
  5. build/
  6. build_overrides/
  7. buildtools/
  8. cc/
  9. chrome/
  10. chrome_elf/
  11. chromecast/
  12. chromeos/
  13. cloud_print/
  14. components/
  15. content/
  16. courgette/
  17. crypto/
  18. dbus/
  19. device/
  20. docs/
  21. extensions/
  22. fuchsia/
  23. gin/
  24. google_apis/
  25. google_update/
  26. gpu/
  27. headless/
  28. infra/
  29. ios/
  30. ipc/
  31. jingle/
  32. media/
  33. mojo/
  34. native_client_sdk/
  35. net/
  36. pdf/
  37. ppapi/
  38. printing/
  39. remoting/
  40. rlz/
  41. sandbox/
  42. services/
  43. skia/
  44. sql/
  45. storage/
  46. styleguide/
  47. testing/
  48. third_party/
  49. tools/
  50. ui/
  51. url/
  52. .clang-format
  53. .eslintrc.js
  54. .git-blame-ignore-revs
  55. .gitattributes
  56. .gitignore
  57. .gn
  58. .vpython
  59. AUTHORS
  60. BUILD.gn
  61. CODE_OF_CONDUCT.md
  62. codereview.settings
  63. DEPS
  64. ENG_REVIEW_OWNERS
  65. LICENSE
  66. LICENSE.chromium_os
  67. OWNERS
  68. PRESUBMIT.py
  69. PRESUBMIT_test.py
  70. PRESUBMIT_test_mocks.py
  71. README.md
  72. WATCHLISTS
README.md

Logo Chromium

Chromium is an open-source browser project that aims to build a safer, faster, and more stable way for all users to experience the web.

The project's web site is https://www.chromium.org.

Documentation in the source is rooted in docs/README.md.

Learn how to Get Around the Chromium Source Code Directory Structure .