Title: [207564] trunk
Revision
207564
Author
n_w...@apple.com
Date
2016-10-19 13:33:23 -0700 (Wed, 19 Oct 2016)

Log Message

AX: crash: com.apple.WebCore: WebCore::AccessibilityObject::findMatchingObjects + 600
https://bugs.webkit.org/show_bug.cgi?id=163682

Reviewed by Chris Fleizach.

Source/WebCore:

There's a null pointer crash when we ask for startObject->parentObjectUnignored() in
AccessibilityObject::findMatchingObject. Added a null check for the startObject to fix that.

Test: accessibility/mac/search-predicate-crash.html

* accessibility/AccessibilityObject.cpp:
(WebCore::AccessibilityObject::findMatchingObjects):

LayoutTests:

* accessibility/mac/search-predicate-crash-expected.txt: Added.
* accessibility/mac/search-predicate-crash.html: Added.

Diff

Modified: trunk/LayoutTests/ChangeLog (207563 => 207564)


--- trunk/LayoutTests/ChangeLog	2016-10-19 20:30:27 UTC (rev 207563)
+++ trunk/LayoutTests/ChangeLog	2016-10-19 20:33:23 UTC (rev 207564)
@@ -1,3 +1,13 @@
+2016-10-19  Nan Wang  <n_w...@apple.com>
+
+        AX: crash: com.apple.WebCore: WebCore::AccessibilityObject::findMatchingObjects + 600
+        https://bugs.webkit.org/show_bug.cgi?id=163682
+
+        Reviewed by Chris Fleizach.
+
+        * accessibility/mac/search-predicate-crash-expected.txt: Added.
+        * accessibility/mac/search-predicate-crash.html: Added.
+
 2016-10-19  Myles C. Maxfield  <mmaxfi...@apple.com>
 
         [macOS] [iOS] Disable variation fonts on macOS El Capitan and iOS 9

Added: trunk/LayoutTests/accessibility/mac/search-predicate-crash-expected.txt (0 => 207564)


--- trunk/LayoutTests/accessibility/mac/search-predicate-crash-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/accessibility/mac/search-predicate-crash-expected.txt	2016-10-19 20:33:23 UTC (rev 207564)
@@ -0,0 +1,10 @@
+
+This tests that we don't crash in search predicate function if startObject has null parent.
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+PASS successfullyParsed is true
+
+TEST COMPLETE
+
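Review bot: The expected output carries only the boilerplate `PASS successfullyParsed is true` line, so this test passes as long as the page finishes loading; nothing here records the result of the search-predicate call itself. If the HTML test is changed to assert on the returned count, this file needs a matching PASS line, otherwise the test is purely a no-crash check and the expectation file should be read that way.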

Added: trunk/LayoutTests/accessibility/mac/search-predicate-crash.html (0 => 207564)


--- trunk/LayoutTests/accessibility/mac/search-predicate-crash.html	                        (rev 0)
+++ trunk/LayoutTests/accessibility/mac/search-predicate-crash.html	2016-10-19 20:33:23 UTC (rev 207564)
@@ -0,0 +1,30 @@
+<!DOCTYPE html>
+<html>
+<head>
+<script src=""
+</head>
+<body>
+
+<div id="container">
+<input type="submit" value="Submit">
+</div>
+
+<p id="description"></p>
+<div id="console"></div>
+
+<script>
+    description("This tests that we don't crash in search predicate function if startObject has null parent.");
+    
+    if (window.accessibilityController) {
+        document.getElementById("container").focus();
+        var containerElement = accessibilityController.focusedElement;
+        var startElement = accessibilityController.rootElement;
+        
+        // Make sure we don't crash
+        var linkCount = containerElement.uiElementCountForSearchPredicate(startElement, false, "AXLinkSearchKey", "", false);
+    }
+</script>
+
+<script src=""
+</body>
+</html>
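Review bot: Both `<script src=""` lines (top of `<head>` and just before `</body>`) are empty and unterminated as shown in the hunk, yet the test calls `description()` and the expected file looks for `successfullyParsed`, which the js-test-pre.js / js-test-post.js resources provide; confirm the committed file actually references those resources, since as rendered the page would not run. Two smaller points: `div#container` has no `tabindex`, so `focus()` on it is a no-op and `accessibilityController.focusedElement` may not be the container (giving it `tabindex="-1"`, or focusing the submit input, makes the setup deterministic); and `linkCount` is computed but never checked, so a `shouldBe("linkCount", ...)` would turn the no-crash test into one that also guards the return value.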

Modified: trunk/Source/WebCore/ChangeLog (207563 => 207564)


--- trunk/Source/WebCore/ChangeLog	2016-10-19 20:30:27 UTC (rev 207563)
+++ trunk/Source/WebCore/ChangeLog	2016-10-19 20:33:23 UTC (rev 207564)
@@ -1,3 +1,18 @@
+2016-10-19  Nan Wang  <n_w...@apple.com>
+
+        AX: crash: com.apple.WebCore: WebCore::AccessibilityObject::findMatchingObjects + 600
+        https://bugs.webkit.org/show_bug.cgi?id=163682
+
+        Reviewed by Chris Fleizach.
+
+        There's a null pointer crash when we ask for startObject->parentObjectUnignored() in
+        AccessibilityObject::findMatchingObject. Added a null check for the startObject to fix that.
+
+        Test: accessibility/mac/search-predicate-crash.html
+
+        * accessibility/AccessibilityObject.cpp:
+        (WebCore::AccessibilityObject::findMatchingObjects):
+
 2016-10-19  David Kilzer  <ddkil...@apple.com>
 
         Bug 163670: Refine assertions in WebCore::ImageData constructors
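Review bot: The description names `AccessibilityObject::findMatchingObject` while the function tag two lines below and the bug title both say `findMatchingObjects`; use the latter consistently so the ChangeLog entry greps to the function that was actually changed.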

Modified: trunk/Source/WebCore/accessibility/AccessibilityObject.cpp (207563 => 207564)


--- trunk/Source/WebCore/accessibility/AccessibilityObject.cpp	2016-10-19 20:30:27 UTC (rev 207563)
+++ trunk/Source/WebCore/accessibility/AccessibilityObject.cpp	2016-10-19 20:33:23 UTC (rev 207564)
@@ -603,7 +603,7 @@
     }
     
     // The outer loop steps up the parent chain each time (unignored is important here because otherwise elements would be searched twice)
-    for (AccessibilityObject* stopSearchElement = parentObjectUnignored(); startObject != stopSearchElement; startObject = startObject->parentObjectUnignored()) {
+    for (AccessibilityObject* stopSearchElement = parentObjectUnignored(); startObject && startObject != stopSearchElement; startObject = startObject->parentObjectUnignored()) {
 
         // Only append the children after/before the previous element, so that the search does not check elements that are 
         // already behind/ahead of start element.
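Review bot: Adding `startObject &&` to the loop condition is the right place for the guard, since the update expression `startObject = startObject->parentObjectUnignored()` walks off the end of the parent chain when the search starts at, or climbs past, an object whose unignored parent is null, and the `!= stopSearchElement` comparison alone never terminates that case before the next dereference. A one-line comment stating why `startObject` can become null would help the next reader, and it is worth confirming that the code above this hunk does not dereference `startObject` before the loop, since the test passes the root element as the start object.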