Title: [206494] trunk
Revision: 206494
Author: n_w...@apple.com
Date: 2016-09-27 21:09:21 -0700 (Tue, 27 Sep 2016)

Log Message

AX: CrashTracer: com.apple.WebKit.WebContent at WebCore::AXObjectCache::localCaretRectForCharacterOffset(WebCore::RenderObject*&, WebCore::CharacterOffset const&) + 116
https://bugs.webkit.org/show_bug.cgi?id=162654

Reviewed by Chris Fleizach.

Source/WebCore:

rangeForUnorderedCharacterOffsets() can return a null Range but we failed to
do a null check in localCaretRectForCharacterOffset() before dereferencing it.

Test: accessibility/mac/bounds-for-range-crash.html

* accessibility/AXObjectCache.cpp:
(WebCore::AXObjectCache::localCaretRectForCharacterOffset):

LayoutTests:

* accessibility/mac/bounds-for-range-crash-expected.txt: Added.
* accessibility/mac/bounds-for-range-crash.html: Added.

Modified Paths

* trunk/LayoutTests/ChangeLog
* trunk/Source/WebCore/ChangeLog
* trunk/Source/WebCore/accessibility/AXObjectCache.cpp

Added Paths

* trunk/LayoutTests/accessibility/mac/bounds-for-range-crash-expected.txt
* trunk/LayoutTests/accessibility/mac/bounds-for-range-crash.html
Diff

Modified: trunk/LayoutTests/ChangeLog (206493 => 206494)


--- trunk/LayoutTests/ChangeLog	2016-09-28 03:03:40 UTC (rev 206493)
+++ trunk/LayoutTests/ChangeLog	2016-09-28 04:09:21 UTC (rev 206494)
@@ -1,3 +1,13 @@
+2016-09-27  Nan Wang  <n_w...@apple.com>
+
+        AX: CrashTracer: com.apple.WebKit.WebContent at WebCore::AXObjectCache::localCaretRectForCharacterOffset(WebCore::RenderObject*&, WebCore::CharacterOffset const&) + 116
+        https://bugs.webkit.org/show_bug.cgi?id=162654
+
+        Reviewed by Chris Fleizach.
+
+        * accessibility/mac/bounds-for-range-crash-expected.txt: Added.
+        * accessibility/mac/bounds-for-range-crash.html: Added.
+
 2016-09-27  Ryosuke Niwa  <rn...@webkit.org>
 
         Toggling display: none on a parent element of a slot which shares style with its parent doesn't update the slot's visibility

Added: trunk/LayoutTests/accessibility/mac/bounds-for-range-crash-expected.txt (0 => 206494)


--- trunk/LayoutTests/accessibility/mac/bounds-for-range-crash-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/accessibility/mac/bounds-for-range-crash-expected.txt	2016-09-28 04:09:21 UTC (rev 206494)
@@ -0,0 +1,10 @@
+Shop
+This tests that boundsForRange with invalid text marker is not causing crash.
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+PASS successfullyParsed is true
+
+TEST COMPLETE
+

Added: trunk/LayoutTests/accessibility/mac/bounds-for-range-crash.html (0 => 206494)


--- trunk/LayoutTests/accessibility/mac/bounds-for-range-crash.html	                        (rev 0)
+++ trunk/LayoutTests/accessibility/mac/bounds-for-range-crash.html	2016-09-28 04:09:21 UTC (rev 206494)
@@ -0,0 +1,28 @@
+<!DOCTYPE html>
+<html>
+<head>
+<script src=""
+</head>
+<body>
+
+<a id="link" href=""
+Shop<img alt="">
+</a>
+
+<p id="description"></p>
+<div id="console"></div>
+
+<script>
+    description("This tests that boundsForRange with invalid text marker is not causing crash.");
+    
+    if (window.accessibilityController) {
+        var textChild = accessibilityController.accessibleElementById("link").childAtIndex(0);
+        
+        // Make sure calling boundsForRange won't cause crash.
+        var bounds = textChild.boundsForRange(0, 5);
+    }
+</script>
+
+<script src=""
+</body>
+</html>
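Review bot: as rendered here the `<script src=""` tags (third line and second-to-last line of the file) and the `<a id="link" href=""` tag have empty attribute values and no closing `>` or `</script>`, so the file as shown is not well-formed HTML; if that reflects the committed file rather than lossy rendering, the test harness scripts (the `description()` call and the `successfullyParsed` line in the expected output imply the shared js-test pre/post scripts) would not load and the test would never reach `boundsForRange`. Please confirm the attribute values survived the commit. Separately, nothing is asserted about `bounds` itself: the test exercises only the crash path, which is acceptable for a regression test, but a shouldBe-style line recording that a value came back would let the expected output distinguish "ran and survived" from "accessibilityController was absent and the block was skipped".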

Modified: trunk/Source/WebCore/ChangeLog (206493 => 206494)


--- trunk/Source/WebCore/ChangeLog	2016-09-28 03:03:40 UTC (rev 206493)
+++ trunk/Source/WebCore/ChangeLog	2016-09-28 04:09:21 UTC (rev 206494)
@@ -1,3 +1,18 @@
+2016-09-27  Nan Wang  <n_w...@apple.com>
+
+        AX: CrashTracer: com.apple.WebKit.WebContent at WebCore::AXObjectCache::localCaretRectForCharacterOffset(WebCore::RenderObject*&, WebCore::CharacterOffset const&) + 116
+        https://bugs.webkit.org/show_bug.cgi?id=162654
+
+        Reviewed by Chris Fleizach.
+
+        rangeForUnorderedCharacterOffsets() can return a null Range but we failed to
+        do a null check in localCaretRectForCharacterOffset() before dereferencing it.
+
+        Test: accessibility/mac/bounds-for-range-crash.html
+
+        * accessibility/AXObjectCache.cpp:
+        (WebCore::AXObjectCache::localCaretRectForCharacterOffset):
+
 2016-09-27  Alex Christensen  <achristen...@webkit.org>
 
         Inline critical functions in URLParser

Modified: trunk/Source/WebCore/accessibility/AXObjectCache.cpp (206493 => 206494)


--- trunk/Source/WebCore/accessibility/AXObjectCache.cpp	2016-09-28 03:03:40 UTC (rev 206493)
+++ trunk/Source/WebCore/accessibility/AXObjectCache.cpp	2016-09-28 04:09:21 UTC (rev 206494)
@@ -2463,6 +2463,9 @@
     int caretOffset;
     // Use a collapsed range to get the position.
     RefPtr<Range> range = rangeForUnorderedCharacterOffsets(characterOffset, characterOffset);
+    if (!range)
+        return IntRect();
+    
     Position startPosition = range->startPosition();
     startPosition.getInlineBoxAndOffset(DOWNSTREAM, inlineBox, caretOffset);
     
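Review bot: the null check is the right fix for the dereference of a null `Range`, but the line added after `return IntRect();` is whitespace-only (four spaces), which the WebKit style checker reports as trailing whitespace; make it an empty line. Returning an empty `IntRect` silently is only safe if every caller of `localCaretRectForCharacterOffset` already treats an empty rect as "no caret position", so that is worth confirming at the call sites. Since `rangeForUnorderedCharacterOffsets()` can return null by contract, any other caller in AXObjectCache.cpp that dereferences its result without a check should get the same treatment in a follow-up rather than waiting for the next CrashTracer report.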
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes
