Title: [94888] trunk
Revision: 94888
Author: commit-qu...@webkit.org
Date: 2011-09-09 16:24:25 -0700 (Fri, 09 Sep 2011)

Log Message

Source/WebCore: AX: Images within anchors causes crash
https://bugs.webkit.org/show_bug.cgi?id=44149

Patch by Dominic Mazzoni <dmazz...@google.com> on 2011-09-09
Reviewed by Chris Fleizach.

Fixes the way parent RenderObject of an AccessibilityRenderObject
is computed in the presence of adjacent continuations.

Test: accessibility/div-within-anchors-causes-crash.html

* accessibility/AccessibilityRenderObject.cpp:
(WebCore::AccessibilityRenderObject::renderParentObject):

LayoutTests: Add a test to catch a case where an assertion failure or
crash is triggered in AccessibilityRenderObject when deleting
a node that includes a continuation.
https://bugs.webkit.org/show_bug.cgi?id=44149

Patch by Dominic Mazzoni <dmazz...@google.com> on 2011-09-09
Reviewed by Chris Fleizach.

* accessibility/div-within-anchors-causes-crash.html: Added.
* platform/mac/accessibility/div-within-anchors-causes-crash-expected.txt: Added.

Diff

Modified: trunk/LayoutTests/ChangeLog (94887 => 94888)


--- trunk/LayoutTests/ChangeLog	2011-09-09 23:22:49 UTC (rev 94887)
+++ trunk/LayoutTests/ChangeLog	2011-09-09 23:24:25 UTC (rev 94888)
@@ -1,3 +1,15 @@
+2011-09-09  Dominic Mazzoni  <dmazz...@google.com>
+
+        Add a test to catch a case where an assertion failure or
+        crash is triggered in AccessibilityRenderObject when deleting
+        a node that includes a continuation.
+        https://bugs.webkit.org/show_bug.cgi?id=44149
+
+        Reviewed by Chris Fleizach.
+
+        * accessibility/div-within-anchors-causes-crash.html: Added.
+        * platform/mac/accessibility/div-within-anchors-causes-crash-expected.txt: Added.
+
 2011-09-09  Kulanthaivel Palanichamy  <kulanthai...@codeaurora.org>
 
         CSS rules not being applied when a hidden field is inserted between an input[type=checkbox] and a label

Added: trunk/LayoutTests/accessibility/div-within-anchors-causes-crash.html (0 => 94888)


--- trunk/LayoutTests/accessibility/div-within-anchors-causes-crash.html	                        (rev 0)
+++ trunk/LayoutTests/accessibility/div-within-anchors-causes-crash.html	2011-09-09 23:24:25 UTC (rev 94888)
@@ -0,0 +1,69 @@
+<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML//EN"> 
+<html> 
+<head> 
+<link rel="stylesheet" href="" 
+<script> 
+    var successfullyParsed = false;
+
+    function buildAccessibilityTree(accessibilityObject, indent) {
+        var str = "";
+        for (var i = 0; i < indent; i++)
+            str += "    ";
+        str += accessibilityObject.role;
+        str += " " + accessibilityObject.stringValue;
+        str += "\n";
+        document.getElementById("tree").innerText += str;
+
+        if (accessibilityObject.stringValue.indexOf('End of test') >= 0)
+            return false;
+
+        var count = accessibilityObject.childrenCount;
+        for (var i = 0; i < count; ++i) {
+            if (!buildAccessibilityTree(accessibilityObject.childAtIndex(i), indent + 1))
+                return false;
+        }
+
+        return true;
+    }
+</script> 
+<script src="" 
+</head> 
+<body> 
+ 
+<a><div></div></a>
+
+<a><div></div></a>
+
+<a href="" 
+
+<div>End of test</div>
+
+<pre id="tree"></pre>
+ 
+<p id="description"></p> 
+<div id="console"></div> 
+ 
+<script> 
+    description("This can cause a crash.");
+ 
+    if (window.accessibilityController) {
+        // First build up full accessibility tree.
+        document.getElementById("tree").innerText += "Before:\n";
+        document.body.focus();
+        buildAccessibilityTree(accessibilityController.focusedElement, 0);
+        
+        // Remove anchor that causes debug assert in AccessibilityRenderObject::addChildren
+        document.body.removeChild(document.body.children[2])
+        
+        // Build up full accessibility tree again.
+        document.getElementById("tree").innerText += "After:\n";
+        document.body.focus();
+        buildAccessibilityTree(accessibilityController.focusedElement, 0);
+    }
+ 
+    successfullyParsed = true;
+</script> 
+ 
+<script src="" 
+</body> 
+</html> 
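Review bot: the removal step `document.body.removeChild(document.body.children[2])` selects the anchor by position, so adding or reordering any element above it in the body silently changes which node is removed and the test stops exercising the continuation case. Give the third anchor an id and remove it via getElementById, and add the missing semicolon on that line. The whole exercise also sits inside `if (window.accessibilityController)`, so without the controller the test still sets successfullyParsed to true having checked nothing; a debug line for that branch would make the skipped case visible.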

Added: trunk/LayoutTests/platform/mac/accessibility/div-within-anchors-causes-crash-expected.txt (0 => 94888)


--- trunk/LayoutTests/platform/mac/accessibility/div-within-anchors-causes-crash-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/platform/mac/accessibility/div-within-anchors-causes-crash-expected.txt	2011-09-09 23:24:25 UTC (rev 94888)
@@ -0,0 +1,19 @@
+End of test
+Before:
+AXRole: AXWebArea AXValue: 
+    AXRole: AXLink AXValue: 
+    AXRole: AXGroup AXValue: 
+        AXRole: AXStaticText AXValue: End of test
+After:
+AXRole: AXWebArea AXValue: 
+    AXRole: AXGroup AXValue: 
+        AXRole: AXStaticText AXValue: End of test
+This can cause a crash.
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+PASS successfullyParsed is true
+
+TEST COMPLETE
+
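Review bot: this baseline is added only under platform/mac, and its lines are the raw role and stringValue strings the test concatenates (AXRole: AXWebArea, AXRole: AXLink, AXRole: AXGroup), so other ports that run accessibility tests get no expectation from this change. Either state that in the ChangeLog or have the test print port-independent results, for example whether the link is present before the removal and absent after it, so that one shared baseline can be used.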

Modified: trunk/Source/WebCore/ChangeLog (94887 => 94888)


--- trunk/Source/WebCore/ChangeLog	2011-09-09 23:22:49 UTC (rev 94887)
+++ trunk/Source/WebCore/ChangeLog	2011-09-09 23:24:25 UTC (rev 94888)
@@ -1,3 +1,18 @@
+2011-09-09  Dominic Mazzoni  <dmazz...@google.com>
+
+        AX: Images within anchors causes crash
+        https://bugs.webkit.org/show_bug.cgi?id=44149
+
+        Reviewed by Chris Fleizach.
+
+        Fixes the way parent RenderObject of an AccessibilityRenderObject
+        is computed in the presence of adjacent continuations.
+
+        Test: accessibility/div-within-anchors-causes-crash.html
+
+        * accessibility/AccessibilityRenderObject.cpp:
+        (WebCore::AccessibilityRenderObject::renderParentObject):
+
 2011-09-09  Kulanthaivel Palanichamy  <kulanthai...@codeaurora.org>
 
         CSS rules not being applied when a hidden field is inserted between an input[type=checkbox] and a label
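Review bot: the entry title "AX: Images within anchors causes crash" does not match what the change tests, which is a div within anchors (accessibility/div-within-anchors-causes-crash.html), and the description "Fixes the way parent RenderObject ... is computed" does not say what was wrong. One sentence stating that the continuation lookup in renderParentObject ran once and now repeats until the parent's first child stops changing would let a reader connect the entry to the code.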

Modified: trunk/Source/WebCore/accessibility/AccessibilityRenderObject.cpp (94887 => 94888)


--- trunk/Source/WebCore/accessibility/AccessibilityRenderObject.cpp	2011-09-09 23:22:49 UTC (rev 94887)
+++ trunk/Source/WebCore/accessibility/AccessibilityRenderObject.cpp	2011-09-09 23:24:25 UTC (rev 94888)
@@ -414,13 +414,17 @@
     else if (parent && (firstChild = parent->firstChild()) && firstChild->node()) {
         // Get the node's renderer and follow that continuation chain until the first child is found
         RenderObject* nodeRenderFirstChild = firstChild->node()->renderer();
-        if (nodeRenderFirstChild != firstChild) {
+        while (nodeRenderFirstChild != firstChild) {
             for (RenderObject* contsTest = nodeRenderFirstChild; contsTest; contsTest = nextContinuation(contsTest)) {
                 if (contsTest == firstChild) {
                     parent = nodeRenderFirstChild->parent();
                     break;
                 }
             }
+            if (firstChild == parent->firstChild())
+                break;
+            firstChild = parent->firstChild();
+            nodeRenderFirstChild = firstChild->node()->renderer();
         }
     }
         
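Review bot: the lines added at the bottom of the while body dereference pointers that the enclosing `else if` checked only once, on entry. After `parent = nodeRenderFirstChild->parent();` nothing re-checks parent before `parent->firstChild()`, and `firstChild->node()->renderer()` is called on the new firstChild without checking that firstChild->node() is non-null, so a null parent or a first child without a node would crash here. Suggest breaking out of the loop when any of these is null. A short comment noting that the inner `break` leaves only the for loop, and that `if (firstChild == parent->firstChild()) break;` is what ends the while when no continuation matched, would also help the next reader.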
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
http://lists.webkit.org/mailman/listinfo.cgi/webkit-changes
