Title: [151519] trunk
Revision: 151519
Author: [email protected]
Date: 2013-06-12 12:52:04 -0700 (Wed, 12 Jun 2013)

Log Message

Accessibility code assumes an area element's parent is a map element
https://bugs.webkit.org/show_bug.cgi?id=117496

Reviewed by Chris Fleizach.

Source/WebCore: 

We can't make such an assumption. Scripts can insert any element between area and map elements.

Merge https://chromium.googlesource.com/chromium/blink/+/b6f486284f08c52904701c93e1ec0b7d6e76af9f.

Test: accessibility/image-map-with-indirect-area-crash.html

* accessibility/AccessibilityRenderObject.cpp:
(WebCore::AccessibilityRenderObject::accessibilityImageMapHitTest):

LayoutTests: 

Add a regression test from https://chromium.googlesource.com/chromium/blink/+/b6f486284f08c52904701c93e1ec0b7d6e76af9f.

* accessibility/image-map-with-indirect-area-crash-expected.txt: Added.
* accessibility/image-map-with-indirect-area-crash.html: Added.

Diff

Modified: trunk/LayoutTests/ChangeLog (151518 => 151519)


--- trunk/LayoutTests/ChangeLog	2013-06-12 19:20:33 UTC (rev 151518)
+++ trunk/LayoutTests/ChangeLog	2013-06-12 19:52:04 UTC (rev 151519)
@@ -1,3 +1,15 @@
+2013-06-12  Ryosuke Niwa  <[email protected]>
+
+        Accessibility code assumes an area element's parent is a map element
+        https://bugs.webkit.org/show_bug.cgi?id=117496
+
+        Reviewed by Chris Fleizach.
+
+        Add a regression test from https://chromium.googlesource.com/chromium/blink/+/b6f486284f08c52904701c93e1ec0b7d6e76af9f.
+
+        * accessibility/image-map-with-indirect-area-crash-expected.txt: Added.
+        * accessibility/image-map-with-indirect-area-crash.html: Added.
+
 2013-06-12  Robert Hogan  <[email protected]>
 
         Whitespace between inlines with nowrap and a shrink-to-fit parent line-break incorrectly

Added: trunk/LayoutTests/accessibility/image-map-with-indirect-area-crash-expected.txt (0 => 151519)


--- trunk/LayoutTests/accessibility/image-map-with-indirect-area-crash-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/accessibility/image-map-with-indirect-area-crash-expected.txt	2013-06-12 19:52:04 UTC (rev 151519)
@@ -0,0 +1 @@
+Test passes if it does not crash. 

Added: trunk/LayoutTests/accessibility/image-map-with-indirect-area-crash.html (0 => 151519)


--- trunk/LayoutTests/accessibility/image-map-with-indirect-area-crash.html	                        (rev 0)
+++ trunk/LayoutTests/accessibility/image-map-with-indirect-area-crash.html	2013-06-12 19:52:04 UTC (rev 151519)
@@ -0,0 +1,19 @@
+<!DOCTYPE html>
+<html>
+Test passes if it does not crash.
+<body id=body>
+<img usemap="" height=500 width=613>
+<map name=img>
+<time>
+<area shape=default>
+<script>
+if (window.testRunner)
+    testRunner.dumpAsText();
+
+if (window.accessibilityController) {
+    body.focus();
+    accessibilityController.focusedElement.elementAtPoint(100, 100);
+}
+</script>
+</body>
+</html>
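
Review bot: nothing in the test says which part of the markup is the regression trigger, namely the `<time>` element sitting between `<map name=img>` and `<area shape=default>`. A one-line description, in the visible text or in an HTML comment, stating that the area is deliberately not a direct child of the map would keep a later cleanup from correcting the nesting and silently neutering the test. It would also help to say why `usemap=""` is left empty rather than pointing at the map named `img`, since a reader cannot tell from the file whether that mismatch is needed to reach the hit-test path or is incidental. The pass condition is only "does not crash", and the `elementAtPoint(100, 100)` call runs only when `window.accessibilityController` exists, so outside the test harness the page exercises nothing.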

Modified: trunk/Source/WebCore/ChangeLog (151518 => 151519)


--- trunk/Source/WebCore/ChangeLog	2013-06-12 19:20:33 UTC (rev 151518)
+++ trunk/Source/WebCore/ChangeLog	2013-06-12 19:52:04 UTC (rev 151519)
@@ -1,3 +1,19 @@
+2013-06-12  Ryosuke Niwa  <[email protected]>
+
+        Accessibility code assumes an area element's parent is a map element
+        https://bugs.webkit.org/show_bug.cgi?id=117496
+
+        Reviewed by Chris Fleizach.
+
+        We can't make such an assumption. Scripts can insert any element between area and map elements.
+
+        Merge https://chromium.googlesource.com/chromium/blink/+/b6f486284f08c52904701c93e1ec0b7d6e76af9f.
+
+        Test: accessibility/image-map-with-indirect-area-crash.html
+
+        * accessibility/AccessibilityRenderObject.cpp:
+        (WebCore::AccessibilityRenderObject::accessibilityImageMapHitTest):
+
 2013-06-12  Robert Hogan  <[email protected]>
 
         Whitespace between inlines with nowrap and a shrink-to-fit parent gets a line-break when it shouldn't

Modified: trunk/Source/WebCore/accessibility/AccessibilityRenderObject.cpp (151518 => 151519)


--- trunk/Source/WebCore/accessibility/AccessibilityRenderObject.cpp	2013-06-12 19:20:33 UTC (rev 151518)
+++ trunk/Source/WebCore/accessibility/AccessibilityRenderObject.cpp	2013-06-12 19:52:04 UTC (rev 151519)
@@ -2151,9 +2151,14 @@
 {
     if (!area)
         return 0;
-    
-    HTMLMapElement* map = static_cast<HTMLMapElement*>(area->parentNode());
-    AccessibilityObject* parent = accessibilityParentForImageMap(map);
+
+    AccessibilityObject* parent = 0;
+    for (Element* mapParent = area->parentElement(); mapParent; mapParent = mapParent->parentElement()) {
+        if (mapParent->hasTagName(mapTag)) {
+            parent = accessibilityParentForImageMap(static_cast<HTMLMapElement*>(mapParent));
+            break;
+        }
+    }
     if (!parent)
         return 0;
     
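
Review bot: the `break` inside the `hasTagName(mapTag)` branch stops at the nearest map ancestor even when `accessibilityParentForImageMap` returns null for it, so the function falls through to `if (!parent) return 0;` without looking further up the tree. If that is the intent, a short comment above the loop saying so, and saying that an area is not guaranteed to be a direct child of a map, would document why the walk exists. The `static_cast<HTMLMapElement*>` is now guarded by the tag check, which removes the unchecked downcast of `area->parentNode()`; consider moving the ancestor lookup into a small named helper so that any other code needing an area's map does not reintroduce the unguarded cast.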