Title: [177627] trunk
Revision: 177627
Author: rga...@webkit.org
Date: 2014-12-21 15:56:55 -0800 (Sun, 21 Dec 2014)

Log Message

AX: Hidden aria table crash
https://bugs.webkit.org/show_bug.cgi?id=139856

Reviewed by Chris Fleizach.

Source/WebCore:

Change axCaption to pointer and check its value because
AXObjectCache::getOrCreate() can return with nullptr.

Test: accessibility/aria-hidden-crash.html

* accessibility/AccessibilityTable.cpp:
(WebCore::AccessibilityTable::addChildren):

LayoutTests:

Add layout test to cover this crash.

* accessibility/aria-hidden-crash-expected.txt: Added.
* accessibility/aria-hidden-crash.html: Added.

Diff

Modified: trunk/LayoutTests/ChangeLog (177626 => 177627)


--- trunk/LayoutTests/ChangeLog	2014-12-21 22:11:53 UTC (rev 177626)
+++ trunk/LayoutTests/ChangeLog	2014-12-21 23:56:55 UTC (rev 177627)
@@ -1,3 +1,15 @@
+2014-12-21  Gabor Rapcsanyi  <rga...@webkit.org>
+
+        AX: Hidden aria table crash
+        https://bugs.webkit.org/show_bug.cgi?id=139856
+
+        Reviewed by Chris Fleizach.
+
+        Add layout test to cover this crash.
+
+        * accessibility/aria-hidden-crash-expected.txt: Added.
+        * accessibility/aria-hidden-crash.html: Added.
+
 2014-12-21  Alexey Proskuryakov  <a...@apple.com>
 
         Update expectations for two WebGL tests to match what bots see.

Added: trunk/LayoutTests/accessibility/aria-hidden-crash-expected.txt (0 => 177627)


--- trunk/LayoutTests/accessibility/aria-hidden-crash-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/accessibility/aria-hidden-crash-expected.txt	2014-12-21 23:56:55 UTC (rev 177627)
@@ -0,0 +1,5 @@
+Bug 139856: Hidden aria table crash.
+
+This test PASSES if it does not CRASH.
+
+

Added: trunk/LayoutTests/accessibility/aria-hidden-crash.html (0 => 177627)


--- trunk/LayoutTests/accessibility/aria-hidden-crash.html	                        (rev 0)
+++ trunk/LayoutTests/accessibility/aria-hidden-crash.html	2014-12-21 23:56:55 UTC (rev 177627)
@@ -0,0 +1,27 @@
+<html>
+    <head>
+        <script>
+            function test()
+            {
+                if (window.testRunner)
+                    testRunner.dumpAsText();
+            }
+        </script>
+    </head>
+    <body _onload_="test()">
+        <p>Bug <a href="" Hidden aria table crash.</p>
+        <p>This test PASSES if it does not CRASH.</p>
+
+        <ul aria-hidden="true">
+            <table>
+                <theader>
+                    <td>
+                        <span aria-live="assertive"></span>
+                    </td>
+                </theader>
+                <caption></caption>
+            </table>
+        </ul>
+        <svg _onerror_="logPass()"></svg>
+    </body>
+</html>
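
Review bot: the onerror handler on the trailing <svg> element calls logPass(), but the only function the test's script block defines is test(), so that handler would raise a ReferenceError if it ever fired. Either drop the <svg> element if it is not needed to reproduce the crash, or define the function. It would also help to add a short comment saying that the malformed markup (a <table> inside a <ul aria-hidden="true">, the non-standard <theader> element, the empty <caption>) is a deliberate reduction, and which part of it makes the accessibility code reach AccessibilityTable::addChildren, since the script itself only calls testRunner.dumpAsText() and never queries the accessibility tree.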

Modified: trunk/Source/WebCore/ChangeLog (177626 => 177627)


--- trunk/Source/WebCore/ChangeLog	2014-12-21 22:11:53 UTC (rev 177626)
+++ trunk/Source/WebCore/ChangeLog	2014-12-21 23:56:55 UTC (rev 177627)
@@ -1,3 +1,18 @@
+2014-12-21  Gabor Rapcsanyi  <rga...@webkit.org>
+
+        AX: Hidden aria table crash
+        https://bugs.webkit.org/show_bug.cgi?id=139856
+
+        Reviewed by Chris Fleizach.
+
+        Change axCaption to pointer and check it's value because
+        AXObjectCache::getOrCreate() can return with nullptr.
+
+        Test: accessibility/aria-hidden-crash.html
+
+        * accessibility/AccessibilityTable.cpp:
+        (WebCore::AccessibilityTable::addChildren):
+
 2014-12-20  Chris Dumez  <cdu...@apple.com>
 
         Get rid of error-prone ReleaseParsedCalcValueCondition argument in CSSParser
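
Review bot: the entry says AXObjectCache::getOrCreate() "can return with nullptr" without saying under what condition it does so for a caption element; one more sentence naming the case the new test exercises (the caption sits under an aria-hidden ancestor) would make the null check easier to audit later. Minor: "it's value" should be "its value".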

Modified: trunk/Source/WebCore/accessibility/AccessibilityTable.cpp (177626 => 177627)


--- trunk/Source/WebCore/accessibility/AccessibilityTable.cpp	2014-12-21 22:11:53 UTC (rev 177626)
+++ trunk/Source/WebCore/accessibility/AccessibilityTable.cpp	2014-12-21 23:56:55 UTC (rev 177627)
@@ -364,9 +364,9 @@
     
     if (HTMLTableElement* tableElement = this->tableElement()) {
         if (HTMLTableCaptionElement* caption = tableElement->caption()) {
-            AccessibilityObject& axCaption = *axObjectCache()->getOrCreate(caption);
-            if (!axCaption.accessibilityIsIgnored())
-                m_children.append(&axCaption);
+            AccessibilityObject* axCaption = axObjectCache()->getOrCreate(caption);
+            if (axCaption && !axCaption->accessibilityIsIgnored())
+                m_children.append(axCaption);
         }
     }
 
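
Review bot: the new line still dereferences the result of axObjectCache() without a check in `axObjectCache()->getOrCreate(caption)`, so if that accessor can return null on this path the same class of crash remains one call earlier. Please confirm it cannot, or hoist it into a local and test it alongside axCaption. The null test on axCaption itself is the right fix: the removed line bound a reference through a possibly null pointer, which is undefined behaviour before accessibilityIsIgnored() is even called. A brief comment above the check noting that getOrCreate() may return nullptr would keep a later cleanup from turning the pointer back into a reference.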