From 036387cad530ca8b7f891aef25b5f73c295235aa Mon Sep 17 00:00:00 2001
From: Alexander Surkov
Date: Fri, 18 Sep 2015 08:52:46 -0400
Subject: [PATCH] Bug 1205476 - crash in mozilla::a11y::DocAccessible::ProcessInvalidationList(), r=smaug
---
 accessible/generic/DocAccessible.cpp | 12 ++++++++++++
 accessible/generic/DocAccessible.h | 4 ++--
 2 files changed, 14 insertions(+), 2 deletions(-)
diff --git a/accessible/generic/DocAccessible.cpp b/accessible/generic/DocAccessible.cpp
index 441fa963221..2aa8d0bfb9a 100644
--- a/accessible/generic/DocAccessible.cpp
+++ b/accessible/generic/DocAccessible.cpp
@@ -116,6 +116,10 @@ NS_IMPL_CYCLE_COLLECTION_TRAVERSE_BEGIN_INHERITED(DocAccessible, Accessible)
 tmp->mDependentIDsHash.EnumerateRead(CycleCollectorTraverseDepIDsEntry, &cb);
 NS_IMPL_CYCLE_COLLECTION_TRAVERSE(mAccessibleCache)
 NS_IMPL_CYCLE_COLLECTION_TRAVERSE(mAnchorJumpElm)
+ for (uint32_t i = 0; i < tmp->mARIAOwnsInvalidationList.Length(); ++i) {
+ NS_IMPL_CYCLE_COLLECTION_TRAVERSE(mARIAOwnsInvalidationList[i].mOwner)
+ NS_IMPL_CYCLE_COLLECTION_TRAVERSE(mARIAOwnsInvalidationList[i].mChild)
+ }
 NS_IMPL_CYCLE_COLLECTION_TRAVERSE_END
 NS_IMPL_CYCLE_COLLECTION_UNLINK_BEGIN_INHERITED(DocAccessible, Accessible)
@@ -126,6 +130,10 @@ NS_IMPL_CYCLE_COLLECTION_UNLINK_BEGIN_INHERITED(DocAccessible, Accessible)
 tmp->mNodeToAccessibleMap.Clear();
 NS_IMPL_CYCLE_COLLECTION_UNLINK(mAccessibleCache)
 NS_IMPL_CYCLE_COLLECTION_UNLINK(mAnchorJumpElm)
+ for (uint32_t i = 0; i < tmp->mARIAOwnsInvalidationList.Length(); ++i) {
+ NS_IMPL_CYCLE_COLLECTION_UNLINK(mARIAOwnsInvalidationList[i].mOwner)
+ NS_IMPL_CYCLE_COLLECTION_UNLINK(mARIAOwnsInvalidationList[i].mChild)
+ }
 NS_IMPL_CYCLE_COLLECTION_UNLINK_END
 NS_INTERFACE_MAP_BEGIN_CYCLE_COLLECTION_INHERITED(DocAccessible)
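Review bot: The unlink loop in the second DocAccessible.cpp hunk releases `mOwner` and `mChild` for each pair but leaves the pairs themselves in `mARIAOwnsInvalidationList`, so the array keeps its length with null members. The check added in the ProcessInvalidationList() hunk calls `owner->IsDefunct()` unconditionally, which would dereference null if the list were ever walked after unlink; whether that ordering can occur is not visible in this patch. Replacing the loop with `tmp->mARIAOwnsInvalidationList.Clear();`, as the same hunk already does for `mNodeToAccessibleMap`, drops the references and the stale entries together.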
@@ -1340,6 +1348,10 @@ DocAccessible::ProcessInvalidationList()
 // Alter the tree according to aria-owns (seize the trees).
 for (uint32_t idx = 0; idx < mARIAOwnsInvalidationList.Length(); idx++) {
 Accessible* owner = mARIAOwnsInvalidationList[idx].mOwner;
+ if (owner->IsDefunct()) { // eventually died until we've got here
+ continue;
+ }
+ Accessible* child = GetAccessible(mARIAOwnsInvalidationList[idx].mChild);
 if (!child) {
 continue;
diff --git a/accessible/generic/DocAccessible.h b/accessible/generic/DocAccessible.h
index 7b34e6670cd..37a2a12a240 100644
--- a/accessible/generic/DocAccessible.h
+++ b/accessible/generic/DocAccessible.h
@@ -681,8 +681,8 @@ protected:
 ARIAOwnsPair& operator =(const ARIAOwnsPair& aPair) { mOwner = aPair.mOwner; mChild = aPair.mChild; return *this; }
- Accessible* mOwner;
- nsIContent* mChild;
+ nsRefPtr mOwner;
+ nsCOMPtr mChild;
 };
 nsTArray mARIAOwnsInvalidationList;
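Review bot: The trailing comment on the `owner->IsDefunct()` check in DocAccessible::ProcessInvalidationList() does not say what the check protects against. With the pair now holding its owner by strong reference, a shut-down owner stays allocated, so as far as the hunk shows this check is what keeps the loop from altering the tree under a dead accessible. A comment on its own line, such as `// The owner was shut down after this pair was queued; the strong reference only keeps it allocated.`, would record that. The loop body continues past the end of the hunk.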
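Review bot: `ARIAOwnsPair` in DocAccessible.h now owns both members, but nothing at the declaration says so or ties it to the traverse and unlink code in DocAccessible.cpp. A short comment above the two members, such as `// Strong references; traversed and unlinked by DocAccessible's cycle collection.`, would keep the two files in step when a member is added later. With smart-pointer members, the hand-written `operator =` shown in the context lines appears to do the same as the compiler-generated one and could be dropped. The struct starts above the hunk.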