Title: [159932] trunk
Revision
159932
Author
[email protected]
Date
2013-12-02 06:19:10 -0800 (Mon, 02 Dec 2013)

Log Message

AX: Crash at WebCore::commonTreeScope
https://bugs.webkit.org/show_bug.cgi?id=125042

Reviewed by Mario Sanchez Prada.

Source/WebCore:

When an AX text marker that references a node in a detached document is used to create a text marker range, a crash occurs
because the method to determine commonTreeScopes does not account for when there are no common tree scopes.

Test: platform/mac/accessibility/ordered-textmarker-crash.html

* accessibility/AccessibilityObject.cpp:
(WebCore::AccessibilityObject::visiblePositionRangeForUnorderedPositions):
* dom/TreeScope.cpp:
(WebCore::commonTreeScope):

LayoutTests:

* platform/mac/accessibility/ordered-textmarker-crash-expected.txt: Added.
* platform/mac/accessibility/ordered-textmarker-crash.html: Added.

Diff

Modified: trunk/LayoutTests/ChangeLog (159931 => 159932)


--- trunk/LayoutTests/ChangeLog	2013-12-02 13:58:39 UTC (rev 159931)
+++ trunk/LayoutTests/ChangeLog	2013-12-02 14:19:10 UTC (rev 159932)
@@ -1,3 +1,13 @@
+2013-12-02  Chris Fleizach  <[email protected]>
+
+        AX: Crash at WebCore::commonTreeScope
+        https://bugs.webkit.org/show_bug.cgi?id=125042
+
+        Reviewed by Mario Sanchez Prada.
+
+        * platform/mac/accessibility/ordered-textmarker-crash-expected.txt: Added.
+        * platform/mac/accessibility/ordered-textmarker-crash.html: Added.
+
 2013-12-02  Zan Dobersek  <[email protected]>
 
         Unreviewed GTK gardening.

Added: trunk/LayoutTests/platform/mac/accessibility/ordered-textmarker-crash-expected.txt (0 => 159932)


--- trunk/LayoutTests/platform/mac/accessibility/ordered-textmarker-crash-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/platform/mac/accessibility/ordered-textmarker-crash-expected.txt	2013-12-02 14:19:10 UTC (rev 159932)
@@ -0,0 +1,7 @@
+
+This tests that comparing text markers that have no common tree scope won't crash
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+

Added: trunk/LayoutTests/platform/mac/accessibility/ordered-textmarker-crash.html (0 => 159932)


--- trunk/LayoutTests/platform/mac/accessibility/ordered-textmarker-crash.html	                        (rev 0)
+++ trunk/LayoutTests/platform/mac/accessibility/ordered-textmarker-crash.html	2013-12-02 14:19:10 UTC (rev 159932)
@@ -0,0 +1,50 @@
+<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML//EN">
+<html>
+<head>
+<script src=""
+</head>
+<body id="body" _onload_="setTimeout('runTest();', 1)">
+
+<div id="content1">
+<iframe src=""
+</div>
+
+<div role="group" id="console"></div>
+
+<script>
+
+    description("This tests that comparing text markers that have no common tree scope won't crash");
+
+    if (window.accessibilityController && window.testRunner) {
+        window.testRunner.waitUntilDone();
+        window.jsTestIsAsync = true;
+    }
+
+    function runTest() {
+
+        // Get a text marker inside the frame we will remove.
+        var text1 = accessibilityController.accessibleElementById("content1").childAtIndex(0).childAtIndex(0).childAtIndex(0).childAtIndex(0);
+        var range1 = text1.textMarkerRangeForElement(text1);
+        marker1 = text1.startTextMarkerForTextMarkerRange(range1);
+
+        // Get a marker for the main frame.
+        var text2 = accessibilityController.rootElement.childAtIndex(0).childAtIndex(0);
+        var range2 = text2.textMarkerRangeForElement(text2);
+        marker2 = text2.startTextMarkerForTextMarkerRange(range2);
+
+        // Remove the child frame that we have a reference to the text marker from.
+        var content1 = document.getElementById("content1").childNodes[0];
+        content1.parentNode.removeChild(content1);
+
+        // Ask for the text marker range with the markers in a different tree.
+        // This should NOT crash!
+        var range = accessibilityController.rootElement.childAtIndex(0).textMarkerRangeForMarkers(marker1, marker2);
+        window.testRunner.notifyDone();
+        finishJSTest();
+    }
+
+</script>
+
+<script src=""
+</body>
+</html>
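Review bot: `window.testRunner.notifyDone()` is called before `finishJSTest()` in `runTest()`, which is the wrong order for an async test that set `window.jsTestIsAsync = true`: the dump is triggered by `notifyDone()`, so the `TEST COMPLETE` line that `finishJSTest()` emits never lands in the output, and the expected file above accordingly ends in blank lines rather than the `TEST COMPLETE` the description promises. Drop the explicit `notifyDone()` call and let `finishJSTest()` handle completion, then regenerate `ordered-textmarker-crash-expected.txt`. Two smaller points in the same hunk: `marker1` and `marker2` are assigned without `var` and become implicit globals, and `range` is assigned but never read; declaring the markers and dropping the unused `range` (or asserting on it) would make the test's intent clearer.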

Modified: trunk/Source/WebCore/ChangeLog (159931 => 159932)


--- trunk/Source/WebCore/ChangeLog	2013-12-02 13:58:39 UTC (rev 159931)
+++ trunk/Source/WebCore/ChangeLog	2013-12-02 14:19:10 UTC (rev 159932)
@@ -1,3 +1,20 @@
+2013-12-02  Chris Fleizach  <[email protected]>
+
+        AX: Crash at WebCore::commonTreeScope
+        https://bugs.webkit.org/show_bug.cgi?id=125042
+
+        Reviewed by Mario Sanchez Prada.
+
+        When an AX text marker that references a node in a detached document is used to create a text marker range, a crash occurs
+        because the method to determine commonTreeScopes does not account for when there are no common tree scopes.
+
+        Test: platform/mac/accessibility/ordered-textmarker-crash.html
+
+        * accessibility/AccessibilityObject.cpp:
+        (WebCore::AccessibilityObject::visiblePositionRangeForUnorderedPositions):
+        * dom/TreeScope.cpp:
+        (WebCore::commonTreeScope):
+
 2013-12-02  Nick Diego Yamane  <[email protected]>
 
         Fix a crash in the webaudio source provider when the audio track is going away.

Modified: trunk/Source/WebCore/accessibility/AccessibilityObject.cpp (159931 => 159932)


--- trunk/Source/WebCore/accessibility/AccessibilityObject.cpp	2013-12-02 13:58:39 UTC (rev 159931)
+++ trunk/Source/WebCore/accessibility/AccessibilityObject.cpp	2013-12-02 14:19:10 UTC (rev 159932)
@@ -649,6 +649,10 @@
     if (visiblePos1.isNull() || visiblePos2.isNull())
         return VisiblePositionRange();
 
+    // If there's no common tree scope between positions, return early.
+    if (!commonTreeScope(visiblePos1.deepEquivalent().deprecatedNode(), visiblePos2.deepEquivalent().deprecatedNode()))
+        return VisiblePositionRange();
+    
     VisiblePosition startPos;
     VisiblePosition endPos;
     bool alreadyInOrder;
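Review bot: the blank line added after the early return carries trailing whitespace (`+    `), which the style checker will flag; please strip it. On the logic, this guard is defence in depth on top of the `commonTreeScope` change below: once `commonTreeScope` can no longer index past the end of `treeScopesA`, the call here returning `nullptr` is what turns the detached-document case into an empty `VisiblePositionRange` instead of a crash, so it is worth keeping, but a comment saying why an empty range is the right answer for positions in unrelated tree scopes would help the next reader.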

Modified: trunk/Source/WebCore/dom/TreeScope.cpp (159931 => 159932)


--- trunk/Source/WebCore/dom/TreeScope.cpp	2013-12-02 13:58:39 UTC (rev 159931)
+++ trunk/Source/WebCore/dom/TreeScope.cpp	2013-12-02 14:19:10 UTC (rev 159932)
@@ -425,6 +425,10 @@
 
     for (; indexA > 0 && indexB > 0 && treeScopesA[indexA - 1] == treeScopesB[indexB - 1]; --indexA, --indexB) { }
 
+    // If the nodes had no common tree scope, return immediately.
+    if (indexA == treeScopesA.size())
+        return nullptr;
+    
     return treeScopesA[indexA] == treeScopesB[indexB] ? treeScopesA[indexA] : nullptr;
 }
 
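Review bot: the new `indexA == treeScopesA.size()` check correctly catches the case where the loop never ran, which is exactly when the old `return` line indexed one past the end of both vectors; since the loop decrements `indexA` and `indexB` together, checking `indexB == treeScopesB.size()` would be equivalent. With that guard in place the remaining ternary is redundant: whenever the loop ran at least once, `treeScopesA[indexA] == treeScopesB[indexB]` holds by construction (the last matched pair), so the function can simply `return treeScopesA[indexA];`, optionally with an `ASSERT(treeScopesA[indexA] == treeScopesB[indexB])` to document the invariant. The added blank line also has trailing whitespace (`+    `).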
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes
