Title: [129246] trunk
- Revision
- 129246
- Author
- [email protected]
- Date
- 2012-09-21 12:40:19 -0700 (Fri, 21 Sep 2012)
Log Message
[GTK] [Stable] Infinite recursion in WebCore::AXObjectCache::getOrCreate
https://bugs.webkit.org/show_bug.cgi?id=96932
Patch by Joanmarie Diggs <[email protected]> on 2012-09-21
Reviewed by Martin Robinson.
Source/WebCore:
Make the decision based on RenderObjects rather than AccessibilityObjects
to avoid the infinite recursion which occurs when remapAriaRoleDueToParent
gets called.
Test: platform/gtk/accessibility/remapped-aria-crash.html
* accessibility/gtk/AccessibilityObjectAtk.cpp:
(WebCore::AccessibilityObject::accessibilityPlatformIncludesObject):
LayoutTests:
Added a new test which replicates the recursion and crash.
* platform/gtk/accessibility/remapped-aria-crash-expected.txt: Added.
* platform/gtk/accessibility/remapped-aria-crash.html: Added.
Modified Paths
Added Paths
Diff
Modified: trunk/LayoutTests/ChangeLog (129245 => 129246)
--- trunk/LayoutTests/ChangeLog 2012-09-21 19:35:06 UTC (rev 129245)
+++ trunk/LayoutTests/ChangeLog 2012-09-21 19:40:19 UTC (rev 129246)
@@ -1,3 +1,15 @@
+2012-09-21 Joanmarie Diggs <[email protected]>
+
+ [GTK] [Stable] Infinite recursion in WebCore::AXObjectCache::getOrCreate
+ https://bugs.webkit.org/show_bug.cgi?id=96932
+
+ Reviewed by Martin Robinson.
+
+ Added a new test which replicates the recursion and crash.
+
+ * platform/gtk/accessibility/remapped-aria-crash-expected.txt: Added.
+ * platform/gtk/accessibility/remapped-aria-crash.html: Added.
+
2012-09-21 Gavin Barraclough <[email protected]>
Global Math object should be configurable but isn't
Added: trunk/LayoutTests/platform/gtk/accessibility/remapped-aria-crash-expected.txt (0 => 129246)
--- trunk/LayoutTests/platform/gtk/accessibility/remapped-aria-crash-expected.txt (rev 0)
+++ trunk/LayoutTests/platform/gtk/accessibility/remapped-aria-crash-expected.txt 2012-09-21 19:40:19 UTC (rev 129246)
@@ -0,0 +1,9 @@
+Test to ensure a remapped ARIA role does not produce a crash.
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+PASS successfullyParsed is true
+
+TEST COMPLETE
+
Added: trunk/LayoutTests/platform/gtk/accessibility/remapped-aria-crash.html (0 => 129246)
--- trunk/LayoutTests/platform/gtk/accessibility/remapped-aria-crash.html (rev 0)
+++ trunk/LayoutTests/platform/gtk/accessibility/remapped-aria-crash.html 2012-09-21 19:40:19 UTC (rev 129246)
@@ -0,0 +1,31 @@
+<html>
+<head>
+<script src=""
+</head>
+<body>
+<div>
+ <a role="option"></a>
+</div>
+<p id="description"></p>
+<div id="console"></div>
+<script>
+ description("Test to ensure a remapped ARIA role does not produce a crash.");
+
+ if (window.testRunner) {
+ testRunner.dumpAsText();
+ }
+
+ document.body.focus();
+
+ if (window.accessibilityController) {
+ function touchTheEntireAccessibilityTree(accessibilityObject) {
+ for (var i = 0; i < accessibilityObject.childrenCount; ++i)
+ touchTheEntireAccessibilityTree(accessibilityObject.childAtIndex(i));
+ }
+ touchTheEntireAccessibilityTree(accessibilityController.focusedElement);
+ }
+</script>
+<script src=""
+</body>
+</html>
+
Modified: trunk/Source/WebCore/ChangeLog (129245 => 129246)
--- trunk/Source/WebCore/ChangeLog 2012-09-21 19:35:06 UTC (rev 129245)
+++ trunk/Source/WebCore/ChangeLog 2012-09-21 19:40:19 UTC (rev 129246)
@@ -1,3 +1,19 @@
+2012-09-21 Joanmarie Diggs <[email protected]>
+
+ [GTK] [Stable] Infinite recursion in WebCore::AXObjectCache::getOrCreate
+ https://bugs.webkit.org/show_bug.cgi?id=96932
+
+ Reviewed by Martin Robinson.
+
+ Make the decision based on RenderObjects rather than AccessibilityObjects
+ to avoid the infinite recursion which occurs when remapAriaRoleDueToParent
+ gets called.
+
+ Test: platform/gtk/accessibility/remapped-aria-crash.html
+
+ * accessibility/gtk/AccessibilityObjectAtk.cpp:
+ (WebCore::AccessibilityObject::accessibilityPlatformIncludesObject):
+
2012-09-21 Jonathan Dong <[email protected]>
[BlackBerry] HTML5 media does not handle SSL certificate failures
Modified: trunk/Source/WebCore/accessibility/gtk/AccessibilityObjectAtk.cpp (129245 => 129246)
--- trunk/Source/WebCore/accessibility/gtk/AccessibilityObjectAtk.cpp 2012-09-21 19:35:06 UTC (rev 129245)
+++ trunk/Source/WebCore/accessibility/gtk/AccessibilityObjectAtk.cpp 2012-09-21 19:40:19 UTC (rev 129246)
@@ -84,13 +84,16 @@
// usually have no need for the anonymous block. And when the wrong objects
// get included or ignored, needed accessibility signals do not get emitted.
if (role == ParagraphRole || role == DivRole) {
- AccessibilityObject* child = firstAnonymousBlockChild();
- if (!child)
+ if (textUnderElement().isEmpty())
return DefaultBehavior;
- child = child->firstChild();
- if (child && (child->isLink() || !child->firstAnonymousBlockChild()))
- return IncludeObject;
+ if (!parent->renderer() || parent->renderer()->isAnonymousBlock())
+ return DefaultBehavior;
+
+ for (RenderObject* r = renderer()->firstChild(); r; r = r->nextSibling()) {
+ if (r->isAnonymousBlock())
+ return IncludeObject;
+ }
}
// Block spans result in objects of ATK_ROLE_PANEL which are almost always unwanted.
_______________________________________________
webkit-changes mailing list
[email protected]
http://lists.webkit.org/mailman/listinfo/webkit-changes
