Title: [207564] trunk
- Revision
- 207564
- Author
- n_w...@apple.com
- Date
- 2016-10-19 13:33:23 -0700 (Wed, 19 Oct 2016)
Log Message
AX: crash: com.apple.WebCore: WebCore::AccessibilityObject::findMatchingObjects + 600
https://bugs.webkit.org/show_bug.cgi?id=163682
Reviewed by Chris Fleizach.
Source/WebCore:
There's a null pointer crash when we ask for startObject->parentObjectUnignored() in
AccessibilityObject::findMatchingObject. Added a null check for the startObject to fix that.
Test: accessibility/mac/search-predicate-crash.html
* accessibility/AccessibilityObject.cpp:
(WebCore::AccessibilityObject::findMatchingObjects):
LayoutTests:
* accessibility/mac/search-predicate-crash-expected.txt: Added.
* accessibility/mac/search-predicate-crash.html: Added.
Diff
Modified: trunk/LayoutTests/ChangeLog (207563 => 207564)
--- trunk/LayoutTests/ChangeLog 2016-10-19 20:30:27 UTC (rev 207563)
+++ trunk/LayoutTests/ChangeLog 2016-10-19 20:33:23 UTC (rev 207564)
@@ -1,3 +1,13 @@
+2016-10-19 Nan Wang <n_w...@apple.com>
+
+ AX: crash: com.apple.WebCore: WebCore::AccessibilityObject::findMatchingObjects + 600
+ https://bugs.webkit.org/show_bug.cgi?id=163682
+
+ Reviewed by Chris Fleizach.
+
+ * accessibility/mac/search-predicate-crash-expected.txt: Added.
+ * accessibility/mac/search-predicate-crash.html: Added.
+
2016-10-19 Myles C. Maxfield <mmaxfi...@apple.com>
[macOS] [iOS] Disable variation fonts on macOS El Capitan and iOS 9
Added: trunk/LayoutTests/accessibility/mac/search-predicate-crash-expected.txt (0 => 207564)
--- trunk/LayoutTests/accessibility/mac/search-predicate-crash-expected.txt (rev 0)
+++ trunk/LayoutTests/accessibility/mac/search-predicate-crash-expected.txt 2016-10-19 20:33:23 UTC (rev 207564)
@@ -0,0 +1,10 @@
+
+This tests that we don't crash in search predicate function if startObject has null parent.
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+PASS successfullyParsed is true
+
+TEST COMPLETE
+
Added: trunk/LayoutTests/accessibility/mac/search-predicate-crash.html (0 => 207564)
--- trunk/LayoutTests/accessibility/mac/search-predicate-crash.html (rev 0)
+++ trunk/LayoutTests/accessibility/mac/search-predicate-crash.html 2016-10-19 20:33:23 UTC (rev 207564)
@@ -0,0 +1,30 @@
+<!DOCTYPE html>
+<html>
+<head>
+<script src=""
+</head>
+<body>
+
+<div id="container">
+<input type="submit" value="Submit">
+</div>
+
+<p id="description"></p>
+<div id="console"></div>
+
+<script>
+ description("This tests that we don't crash in search predicate function if startObject has null parent.");
+
+ if (window.accessibilityController) {
+ document.getElementById("container").focus();
+ var containerElement = accessibilityController.focusedElement;
+ var startElement = accessibilityController.rootElement;
+
+ // Make sure we don't crash
+ var linkCount = containerElement.uiElementCountForSearchPredicate(startElement, false, "AXLinkSearchKey", "", false);
+ }
+</script>
+
+<script src=""
+</body>
+</html>
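Review bot: both `<script src=""` lines (the js-test include at the top of the head and the post-script include before `</body>`) carry an empty src attribute and have no closing `>`, so as written the page would neither define description() nor print "successfullyParsed"; fix the two includes before landing. A second point: the test's only recorded output is "PASS successfullyParsed is true", which appears whether or not the `window.accessibilityController` branch ran, and `linkCount` is assigned but never read. A `shouldBe()` or `debug()` on `linkCount` would make the expected file show that the search predicate actually executed rather than only that the script finished.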
Modified: trunk/Source/WebCore/ChangeLog (207563 => 207564)
--- trunk/Source/WebCore/ChangeLog 2016-10-19 20:30:27 UTC (rev 207563)
+++ trunk/Source/WebCore/ChangeLog 2016-10-19 20:33:23 UTC (rev 207564)
@@ -1,3 +1,18 @@
+2016-10-19 Nan Wang <n_w...@apple.com>
+
+ AX: crash: com.apple.WebCore: WebCore::AccessibilityObject::findMatchingObjects + 600
+ https://bugs.webkit.org/show_bug.cgi?id=163682
+
+ Reviewed by Chris Fleizach.
+
+ There's a null pointer crash when we ask for startObject->parentObjectUnignored() in
+ AccessibilityObject::findMatchingObject. Added a null check for the startObject to fix that.
+
+ Test: accessibility/mac/search-predicate-crash.html
+
+ * accessibility/AccessibilityObject.cpp:
+ (WebCore::AccessibilityObject::findMatchingObjects):
+
2016-10-19 David Kilzer <ddkil...@apple.com>
Bug 163670: Refine assertions in WebCore::ImageData constructors
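Review bot: the description names `AccessibilityObject::findMatchingObject`, but the function listed in the entry (and in the bug title) is `findMatchingObjects`; correct the name so the ChangeLog matches the symbol. It would also help to state why `startObject` can be null at that point: the new test runs the search on the container element with the root element as `startObject`, so climbing `parentObjectUnignored()` from the root reaches null before it can ever meet the container's parent.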
Modified: trunk/Source/WebCore/accessibility/AccessibilityObject.cpp (207563 => 207564)
--- trunk/Source/WebCore/accessibility/AccessibilityObject.cpp 2016-10-19 20:30:27 UTC (rev 207563)
+++ trunk/Source/WebCore/accessibility/AccessibilityObject.cpp 2016-10-19 20:33:23 UTC (rev 207564)
@@ -603,7 +603,7 @@
}
// The outer loop steps up the parent chain each time (unignored is important here because otherwise elements would be searched twice)
- for (AccessibilityObject* stopSearchElement = parentObjectUnignored(); startObject != stopSearchElement; startObject = startObject->parentObjectUnignored()) {
+ for (AccessibilityObject* stopSearchElement = parentObjectUnignored(); startObject && startObject != stopSearchElement; startObject = startObject->parentObjectUnignored()) {
// Only append the children after/before the previous element, so that the search does not check elements that are
// already behind/ahead of start element.
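Review bot: the added `startObject &&` guard stops the loop before the increment expression dereferences a null `startObject`, but it also makes the search end silently whenever `startObject` is not a descendant of `this` (the walk up `parentObjectUnignored()` hits the root's null parent before it reaches `stopSearchElement`), which is exactly the situation the new test constructs. A short comment on the loop, or an ASSERT in debug builds recording that callers are expected to pass a descendant, would make that intent explicit; as written a later reader may take the null as a never-happens case and drop the check. Note too that `stopSearchElement` is itself null when `this` is the root, and the new condition handles that case correctly since the walk then terminates on the same null.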
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes