Bug 1279984 - avoid invalid proxy OuterDocAccessibles. r=davidb, a=al
author: Trevor Saunders <tbsaunde@tbsaunde.org>
date: Tue, 21 Jun 2016 09:30:08 -0400
changeset: 340010 2a0945d032b12dd57f8e599b35a4d76f3557350e
parent: 340009 b7a11b31c1988b40ccbda9c97a23f0104a339f92
child: 340011 f4dec7fdae867d02e5ae92a70bca4804e3ca6636
push id: 6249
push user: jlund@mozilla.com
push date: Mon, 01 Aug 2016 13:59:36 +0000
treeherder: mozilla-beta@bad9d4f5bf7e
reviewers: davidb, al
bugs: 1279984
milestone: 49.0a2
Bug 1279984 - avoid invalid proxy OuterDocAccessibles. r=davidb, a=al

Before binding a child document to an outer doc proxy we need to make sure its Outer doc proxies are only allowed to have one child which is the document they own. So before we bind a proxied document to a proxied outer doc we need to make sure the outer doc either doesn't have children or has a document we can unbind.
accessible/ipc/DocAccessibleParent.cpp
--- a/accessible/ipc/DocAccessibleParent.cpp
+++ b/accessible/ipc/DocAccessibleParent.cpp
@@ -353,16 +353,24 @@ DocAccessibleParent::AddChildDoc(DocAcce
   // document it self.
   ProxyEntry* e = mAccessibles.GetEntry(aParentID);
   if (!e)
     return false;
 
   ProxyAccessible* outerDoc = e->mProxy;
   MOZ_ASSERT(outerDoc);
 
+  // OuterDocAccessibles are expected to only have a document as a child.
+  // However for compatibility we tolerate replacing one document with another
+  // here.
+  if (outerDoc->ChildrenCount() > 1 ||
+      (outerDoc->ChildrenCount() == 1 && !outerDoc->ChildAt(0)->IsDoc())) {
+    return false;
+  }
+
   aChildDoc->mParent = outerDoc;
   outerDoc->SetChildDoc(aChildDoc);
   mChildDocs.AppendElement(aChildDoc);
   aChildDoc->mParentDoc = this;
 
   if (aCreating) {
     ProxyCreated(aChildDoc, Interfaces::DOCUMENT | Interfaces::HYPERTEXT);
   }
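Review bot: In the tolerated case of the new check (exactly one child and `ChildAt(0)->IsDoc()` is true), control falls through to `outerDoc->SetChildDoc(aChildDoc)` and `mChildDocs.AppendElement(aChildDoc)` with nothing in the visible lines unbinding the document that is already there. The commit message speaks of "a document we can unbind", so the unbind presumably happens inside `SetChildDoc`, but that is not visible here. Please confirm that the old child document has its `mParent` and `mParentDoc` cleared and is removed from its owner's `mChildDocs`, or do it explicitly before the rebind, so that no stale pointer to a replaced document is left for a later message from the content process to reach. The new comment would also be clearer if it said who performs the unbind. Separately, the added `return false` rejects a parent ID supplied over IPC in release builds, while the `MOZ_ASSERT(outerDoc)` just above only checks in debug builds; that is fine as long as `e->mProxy` can never be null for a live entry, which is worth stating in a comment.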