Bug 376924. Traversing the accessible tree after changes to CSS display property can crash Firefox. r=mats.palmgren
authoraaronleventhal@moonset.net
Thu, 12 Apr 2007 08:04:24 -0700
changeset 490 447aec98009ef3bee05cbe7e003a79fd40b3eae9
parent 489 aa08dd83d94463310a585555f91a3e97be71c9b4
child 491 8a8b2b060529548be7b16e9b2924089594eabba8
push idunknown
push userunknown
push dateunknown
reviewersmats.palmgren
bugs376924
milestone1.9a4pre
Bug 376924. Traversing the accessible tree after changes to CSS display property can crash Firefox. r=mats.palmgren
accessible/src/html/nsHTMLLinkAccessible.cpp
accessible/src/html/nsHTMLLinkAccessible.h
accessible/src/html/nsHTMLTextAccessible.cpp
accessible/src/html/nsHTMLTextAccessible.h
--- a/accessible/src/html/nsHTMLLinkAccessible.cpp
+++ b/accessible/src/html/nsHTMLLinkAccessible.cpp
@@ -39,17 +39,17 @@
 #include "nsHTMLLinkAccessible.h"
 #include "nsAccessibilityAtoms.h"
 #include "nsIAccessibleEvent.h"
 #include "nsINameSpaceManager.h"
 
 NS_IMPL_ISUPPORTS_INHERITED0(nsHTMLLinkAccessible, nsLinkableAccessible)
 
 nsHTMLLinkAccessible::nsHTMLLinkAccessible(nsIDOMNode* aDomNode, nsIWeakReference* aShell, nsIFrame *aFrame):
-nsLinkableAccessible(aDomNode, aShell), mFrame(aFrame)
+nsLinkableAccessible(aDomNode, aShell)
 { 
 }
 
 /* wstring getName (); */
 NS_IMETHODIMP nsHTMLLinkAccessible::GetName(nsAString& aName)
 { 
   if (!mActionContent)
     return NS_ERROR_FAILURE;
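Review bot: The constructor still takes `nsIFrame *aFrame`, but with the `mFrame(aFrame)` initializer gone the argument is unused, and the signature still suggests the accessible keeps the frame it was given. Judging by the commit title, the cached pointer could outlive its frame after a display change, so state the new contract at the definition, e.g. `// aFrame is intentionally unused: the frame is looked up on demand and never cached, since style changes can destroy it`, or drop the parameter in a follow-up. The same applies to the nsHTMLTextAccessible constructor in nsHTMLTextAccessible.cpp and to both declarations in the headers. GetName's body continues outside this hunk.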
@@ -79,29 +79,8 @@ nsHTMLLinkAccessible::GetState(PRUint32 
     // This is how we indicate it is a named anchor
     // In other words, this anchor can be selected as a location :)
     // There is no other better state to use to indicate this.
     *aState |= nsIAccessibleStates::STATE_SELECTABLE;
   }
 
   return NS_OK;
 }
-
-nsIFrame* nsHTMLLinkAccessible::GetFrame()
-{
-  if (mWeakShell) {
-    if (!mFrame) {
-      mFrame = nsLinkableAccessible::GetFrame();
-    }
-    return mFrame;
-  }
-  return nsnull;
-}
-
-NS_IMETHODIMP nsHTMLLinkAccessible::FireToolkitEvent(PRUint32 aEvent,
-                                                     nsIAccessible *aTarget,
-                                                     void *aData)
-{
-  if (aEvent == nsIAccessibleEvent::EVENT_HIDE) {
-    mFrame = nsnull;  // Invalidate cached frame
-  }
-  return nsLinkableAccessible::FireToolkitEvent(aEvent, aTarget, aData);
-}
--- a/accessible/src/html/nsHTMLLinkAccessible.h
+++ b/accessible/src/html/nsHTMLLinkAccessible.h
@@ -47,22 +47,11 @@ class nsHTMLLinkAccessible : public nsLi
 
 public:
   nsHTMLLinkAccessible(nsIDOMNode* aDomNode, nsIWeakReference* aShell, nsIFrame *aFrame);
   
   // nsIAccessible
   NS_IMETHOD GetName(nsAString& _retval); 
   NS_IMETHOD GetRole(PRUint32 *_retval); 
   NS_IMETHOD GetState(PRUint32 *aState, PRUint32 *aExtraState);
-  NS_IMETHOD Shutdown() { mFrame = nsnull; return nsLinkableAccessible::Shutdown(); }
-  
-  // nsPIAccessNode
-  NS_IMETHOD_(nsIFrame *) GetFrame(void);
-
-  // nsPIAccessible
-  NS_IMETHOD FireToolkitEvent(PRUint32 aEvent, nsIAccessible *aTarget,
-                              void *aData);
-
-private:
-  nsIFrame *mFrame;  // XXX What's special about links that we cache frames for them?
 };
 
 #endif  
--- a/accessible/src/html/nsHTMLTextAccessible.cpp
+++ b/accessible/src/html/nsHTMLTextAccessible.cpp
@@ -45,17 +45,17 @@
 #include "nsIFrame.h"
 #include "nsPresContext.h"
 #include "nsIPresShell.h"
 #include "nsISelection.h"
 #include "nsISelectionController.h"
 #include "nsComponentManagerUtils.h"
 
 nsHTMLTextAccessible::nsHTMLTextAccessible(nsIDOMNode* aDomNode, nsIWeakReference* aShell, nsIFrame *aFrame):
-nsTextAccessibleWrap(aDomNode, aShell), mFrame(aFrame)
+nsTextAccessibleWrap(aDomNode, aShell)
 { 
 }
 
 NS_IMETHODIMP nsHTMLTextAccessible::GetName(nsAString& aName)
 {
   aName.Truncate();
   if (!mDOMNode) {
     return NS_ERROR_FAILURE;
@@ -72,37 +72,16 @@ NS_IMETHODIMP nsHTMLTextAccessible::GetN
     // Replace \r\n\t in markup with space unless in this is preformatted text
     // where those characters are significant
     name.ReplaceChar("\r\n\t", ' ');
   }
   aName = name;
   return rv;
 }
 
-nsIFrame* nsHTMLTextAccessible::GetFrame()
-{
-  if (!mWeakShell) {
-    return nsnull;
-  }
-  if (!mFrame) {
-    mFrame = nsTextAccessible::GetFrame();
-  }
-  return mFrame;
-}
-
-NS_IMETHODIMP nsHTMLTextAccessible::FireToolkitEvent(PRUint32 aEvent,
-                                                     nsIAccessible *aTarget,
-                                                     void *aData)
-{
-  if (aEvent == nsIAccessibleEvent::EVENT_HIDE) {
-    mFrame = nsnull;  // Invalidate cached frame
-  }
-  return nsTextAccessibleWrap::FireToolkitEvent(aEvent, aTarget, aData);
-}
-
 NS_IMETHODIMP nsHTMLTextAccessible::GetRole(PRUint32 *aRole)
 {
   nsIFrame *frame = GetFrame();
   NS_ENSURE_TRUE(frame, NS_ERROR_NULL_POINTER);
 
   if (frame->IsGeneratedContentFrame()) {
     *aRole = nsIAccessibleRole::ROLE_STATICTEXT;
     return NS_OK;
@@ -310,17 +289,17 @@ void nsHTMLLIAccessible::CacheChildren()
   }
 }
 
 
 // nsHTMLListBulletAccessible
 nsHTMLListBulletAccessible::
   nsHTMLListBulletAccessible(nsIDOMNode* aDomNode, nsIWeakReference* aShell,
                              nsIFrame *aFrame, const nsAString& aBulletText) :
-    nsLeafAccessible(aDomNode, aShell), mFrame(aFrame), mWeakParent(nsnull),
+    nsLeafAccessible(aDomNode, aShell), mWeakParent(nsnull),
     mBulletText(aBulletText)
 {
   mBulletText += ' '; // Otherwise bullets are jammed up against list text
 }
 
 NS_IMETHODIMP
 nsHTMLListBulletAccessible::GetUniqueID(void **aUniqueID)
 {
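Review bot: With `mFrame(aFrame)` dropped here and the GetFrame() override removed in the next hunk, the bullet accessible no longer holds any reference to the bullet frame it was created for. The header comment on this class says the bullet shares its DOM node with the LI accessible, so the inherited nsLeafAccessible::GetFrame() presumably resolves to the list item's frame, not the bullet's. Any caller that derives bounds or state from GetFrame() may then report the list item's values for the bullet; this needs confirming against the base-class lookup, which is not visible here. If that is the intended trade-off for removing the stale pointer, record it at the constructor, e.g. `// aFrame unused: the bullet frame is not cached; GetFrame() returns the frame for the shared LI node`. GetUniqueID's body continues outside this hunk.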
@@ -329,32 +308,20 @@ nsHTMLListBulletAccessible::GetUniqueID(
   return NS_OK;
 }
 
 NS_IMETHODIMP
 nsHTMLListBulletAccessible::Shutdown()
 {
   mBulletText.Truncate();
   mWeakParent = nsnull;
-  mFrame = nsnull;
 
   return nsLeafAccessible::Shutdown();
 }
 
-nsIFrame*
-nsHTMLListBulletAccessible::GetFrame()
-{
-  if (!mWeakShell)
-    return nsnull;
-
-  if (!mFrame)
-    mFrame = nsLeafAccessible::GetFrame();
-  return mFrame;
-}
-
 NS_IMETHODIMP
 nsHTMLListBulletAccessible::GetName(nsAString &aName)
 {
   aName = mBulletText;
   return NS_OK;
 }
 
 NS_IMETHODIMP
@@ -386,33 +353,22 @@ nsHTMLListBulletAccessible::SetParent(ns
 NS_IMETHODIMP
 nsHTMLListBulletAccessible::GetParent(nsIAccessible **aParentAccessible)
 {
   NS_IF_ADDREF(*aParentAccessible = mWeakParent);
   return NS_OK;
 }
 
 NS_IMETHODIMP
-nsHTMLListBulletAccessible::FireToolkitEvent(PRUint32 aEvent,
-                                             nsIAccessible *aTarget,
-                                             void *aData)
-{
-  if (aEvent == nsIAccessibleEvent::EVENT_HIDE)
-    mFrame = nsnull;  // Invalidate cached frame
-  return nsLeafAccessible::FireToolkitEvent(aEvent, aTarget, aData);
-}
-
-NS_IMETHODIMP
 nsHTMLListBulletAccessible::GetContentText(nsAString& aText)
 {
   aText = mBulletText;
   return NS_OK;
 }
 
-
 // nsHTMLListAccessible
 
 NS_IMETHODIMP
 nsHTMLListAccessible::GetState(PRUint32 *aState, PRUint32 *aExtraState)
 {
   nsresult rv = nsHyperTextAccessible::GetState(aState, aExtraState);
   NS_ENSURE_SUCCESS(rv, rv);
 
--- a/accessible/src/html/nsHTMLTextAccessible.h
+++ b/accessible/src/html/nsHTMLTextAccessible.h
@@ -50,30 +50,16 @@ class nsHTMLTextAccessible : public nsTe
 public:
   nsHTMLTextAccessible(nsIDOMNode* aDomNode, nsIWeakReference* aShell, nsIFrame *aFrame);
   
   // nsIAccessible
   NS_IMETHOD GetName(nsAString& _retval);
   NS_IMETHOD GetState(PRUint32 *aState, PRUint32 *aExtraState);
   NS_IMETHOD GetRole(PRUint32 *aRole);
   virtual nsresult GetAttributesInternal(nsIPersistentProperties *aAttributes);
-  NS_IMETHOD Shutdown() { mFrame = nsnull; return nsTextAccessibleWrap::Shutdown(); }
-  
-  // nsPIAccessNode
-  NS_IMETHOD_(nsIFrame *) GetFrame(void);
-
-  // nsPIAccessible
-  NS_IMETHOD FireToolkitEvent(PRUint32 aEvent, nsIAccessible *aTarget,
-                              void *aData);
-
-private:
-  // We cache frames for text accessibles so that the primary frame map isn't
-  // increased in size just due to accessibility. Normally the primary frame map,
-  // which is used by nsIPresShell::GetPrimaryFrameFor(), does not include text frames
-  nsIFrame *mFrame; // Only valid if node is not shut down (mWeakShell != null)
 };
 
 class nsHTMLHRAccessible : public nsLeafAccessible
 {
 public:
   nsHTMLHRAccessible(nsIDOMNode* aDomNode, nsIWeakReference* aShell);
   NS_IMETHOD GetRole(PRUint32 *aRole); 
   NS_IMETHOD GetState(PRUint32 *aState, PRUint32 *aExtraState);
@@ -106,43 +92,39 @@ public:
   nsHTMLListBulletAccessible(nsIDOMNode *aDOMNode, nsIWeakReference* aShell,
                              nsIFrame *aFrame, const nsAString& aBulletText);
 
   // nsIAccessNode
   NS_IMETHOD GetUniqueID(void **aUniqueID);
 
   // nsPIAccessNode
   NS_IMETHOD Shutdown();
-  NS_IMETHOD_(nsIFrame *) GetFrame(void);
 
   // nsIAccessible
   NS_IMETHOD GetName(nsAString& aName);
   NS_IMETHOD GetRole(PRUint32 *aRole);
   NS_IMETHOD GetState(PRUint32 *aState, PRUint32 *aExtraState);
 
   // Don't cache via unique ID -- bullet accessible shares the same dom node as
   // this LI accessible. Also, don't cache via mParent/SetParent(), prevent
   // circular reference since li holds onto us.
   NS_IMETHOD SetParent(nsIAccessible *aParentAccessible);
   NS_IMETHOD GetParent(nsIAccessible **aParentAccessible);
 
   // nsPIAccessible
-  NS_IMETHOD FireToolkitEvent(PRUint32 aEvent, nsIAccessible *aTarget,
-                              void *aData);
   NS_IMETHOD GetContentText(nsAString& aText);
 
 protected:
   // XXX: Ideally we'd get the bullet text directly from the bullet frame via
   // nsBulletFrame::GetListItemText(), but we'd need an interface for getting
   // text from contentless anonymous frames. Perhaps something like
   // nsIAnonymousFrame::GetText() ? However, in practice storing the bullet text
   // here should not be a problem if we invalidate the right parts of
   // the accessibility cache when mutation events occur.
   nsIAccessible *mWeakParent;
-  nsIFrame *mFrame;
   nsString mBulletText;
 };
 
 class nsHTMLListAccessible : public nsHyperTextAccessible
 {
 public:
   nsHTMLListAccessible(nsIDOMNode *aDOMNode, nsIWeakReference* aShell):
     nsHyperTextAccessible(aDOMNode, aShell) { }