Title: [111030] trunk
Revision
111030
Author
[email protected]
Date
2012-03-16 11:23:25 -0700 (Fri, 16 Mar 2012)

Log Message

File input control accessibility can cause a crash
https://bugs.webkit.org/show_bug.cgi?id=80896

Reviewed by Chris Fleizach.

Source/WebCore:

Test: accessibility/input-file-causes-crash.html

* accessibility/AccessibilityRenderObject.cpp:
(WebCore::AccessibilityRenderObject::textUnderElement):

LayoutTests:

* accessibility/input-file-causes-crash-expected.txt: Added.
* accessibility/input-file-causes-crash.html: Added.

Diff

Modified: trunk/LayoutTests/ChangeLog (111029 => 111030)


--- trunk/LayoutTests/ChangeLog	2012-03-16 18:21:16 UTC (rev 111029)
+++ trunk/LayoutTests/ChangeLog	2012-03-16 18:23:25 UTC (rev 111030)
@@ -1,3 +1,13 @@
+2012-03-16  Dominic Mazzoni  <[email protected]>
+
+        File input control accessibility can cause a crash
+        https://bugs.webkit.org/show_bug.cgi?id=80896
+
+        Reviewed by Chris Fleizach.
+
+        * accessibility/input-file-causes-crash-expected.txt: Added.
+        * accessibility/input-file-causes-crash.html: Added.
+
 2012-03-16  Aaron Colwell  <[email protected]>
 
         [chromium] compositing tests with videos fail in chromium DumpRenderTree, seeking doesn't appear to work

Added: trunk/LayoutTests/accessibility/input-file-causes-crash-expected.txt (0 => 111030)


--- trunk/LayoutTests/accessibility/input-file-causes-crash-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/accessibility/input-file-causes-crash-expected.txt	2012-03-16 18:23:25 UTC (rev 111030)
@@ -0,0 +1,11 @@
+
+This can cause a crash if AccessibilityRenderObject assumes that a file input element's renderer must be type RenderFileUploadControl, but in corner cases (display:run-in) this may not be true.
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+PASS title is non-null.
+PASS successfullyParsed is true
+
+TEST COMPLETE
+

Added: trunk/LayoutTests/accessibility/input-file-causes-crash.html (0 => 111030)


--- trunk/LayoutTests/accessibility/input-file-causes-crash.html	                        (rev 0)
+++ trunk/LayoutTests/accessibility/input-file-causes-crash.html	2012-03-16 18:23:25 UTC (rev 111030)
@@ -0,0 +1,27 @@
+<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML//EN"> 
+<html>
+<head>
+<script src=""
+</head>
+<body>
+ 
+<input id="file-input" style="display:run-in;" type="file"/>
+<dl>
+ 
+<p id="description"></p>
+<div id="console"></div>
+ 
+<script>
+    description("This can cause a crash if AccessibilityRenderObject assumes that a file input element's renderer must be type RenderFileUploadControl, but in corner cases (display:run-in) this may not be true.");
+
+    if (window.accessibilityController) {
+        document.getElementById("file-input").focus();
+        var element = accessibilityController.focusedElement;
+        var title = element.title;
+        shouldBeNonNull("title");
+    }
+</script>
+
+<script src=""
+</body>
+</html>
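Review bot: the only assertion in the script is shouldBeNonNull("title"), so nothing in this test reads the focused element's value, while the change to AccessibilityRenderObject.cpp also touches a second call site that returns fileTextValue(). Consider reading the value on the same element too, so that both changed checks are exercised by the display:run-in input. The `<dl>` after the input is never closed and has no comment; if it is there to give the run-in box a following block, say so in the description, otherwise drop it.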

Modified: trunk/Source/WebCore/ChangeLog (111029 => 111030)


--- trunk/Source/WebCore/ChangeLog	2012-03-16 18:21:16 UTC (rev 111029)
+++ trunk/Source/WebCore/ChangeLog	2012-03-16 18:23:25 UTC (rev 111030)
@@ -1,3 +1,15 @@
+2012-03-16  Dominic Mazzoni  <[email protected]>
+
+        File input control accessibility can cause a crash
+        https://bugs.webkit.org/show_bug.cgi?id=80896
+
+        Reviewed by Chris Fleizach.
+
+        Test: accessibility/input-file-causes-crash.html
+
+        * accessibility/AccessibilityRenderObject.cpp:
+        (WebCore::AccessibilityRenderObject::textUnderElement):
+
 2012-03-08  Jer Noble  <[email protected]>
 
         Support W3C Full Screen API proposal
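Review bot: the entry lists only (WebCore::AccessibilityRenderObject::textUnderElement), but the diff to AccessibilityRenderObject.cpp changes two sites, at @@ -1075 and @@ -1198, more than a hundred lines apart. If the second site is in a different function, name it in the entry, and add a line saying what was changed (renderer type check instead of isFileUploadButton()) since the entry currently gives no description per function.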

Modified: trunk/Source/WebCore/accessibility/AccessibilityRenderObject.cpp (111029 => 111030)


--- trunk/Source/WebCore/accessibility/AccessibilityRenderObject.cpp	2012-03-16 18:21:16 UTC (rev 111029)
+++ trunk/Source/WebCore/accessibility/AccessibilityRenderObject.cpp	2012-03-16 18:23:25 UTC (rev 111030)
@@ -1075,7 +1075,7 @@
     if (!m_renderer)
         return String();
     
-    if (isFileUploadButton())
+    if (m_renderer->isFileUploadControl())
         return toRenderFileUploadControl(m_renderer)->buttonValue();
     
     Node* node = m_renderer->node();
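Review bot: the new guard in front of toRenderFileUploadControl(m_renderer) has no comment saying why isFileUploadButton() was not sufficient. A one-line note that a file input's renderer is not always a RenderFileUploadControl (the display:run-in case from the new test) would keep a later cleanup from restoring the old check. The same check-then-cast pair is repeated in the next hunk, so a small shared helper would keep the two sites in sync.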
@@ -1198,7 +1198,7 @@
     if (isTextControl())
         return text();
     
-    if (isFileUploadButton())
+    if (m_renderer->isFileUploadControl())
         return toRenderFileUploadControl(m_renderer)->fileTextValue();
     
     // FIXME: We might need to implement a value here for more types
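Review bot: with `if (m_renderer->isFileUploadControl())`, a file input whose renderer is not a RenderFileUploadControl now falls through to the code below the FIXME instead of returning fileTextValue(). Please state in a comment what value is expected for that case, so the fall-through reads as a deliberate choice, and cover it in the layout test, which currently asserts only on the title.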
_______________________________________________
webkit-changes mailing list
[email protected]
http://lists.webkit.org/mailman/listinfo.cgi/webkit-changes
