Title: [164249] trunk
- Revision
- 164249
- Author
- [email protected]
- Date
- 2014-02-17 14:26:54 -0800 (Mon, 17 Feb 2014)
Log Message
AX: Invalid cast in WebCore::AccessibilityTable::isDataTable (CRBug 280352)
<https://webkit.org/b/128925>
<rdar://problem/16087351>
Merged from Blink (patch by Dominic Mazzoni):
https://src.chromium.org/viewvc/blink?revision=159711&view=revision
Reviewed by Oliver Hunt.
Source/WebCore:
Don't cast to a table cell element unless we are sure it is one.
Test: accessibility/display-table-cell-causes-crash.html
* accessibility/AccessibilityTable.cpp:
(WebCore::AccessibilityTable::isDataTable):
LayoutTests:
* accessibility/display-table-cell-causes-crash-expected.txt: Added.
* accessibility/display-table-cell-causes-crash.html: Added.
Modified Paths
Added Paths
Diff
Modified: trunk/LayoutTests/ChangeLog (164248 => 164249)
--- trunk/LayoutTests/ChangeLog 2014-02-17 22:12:30 UTC (rev 164248)
+++ trunk/LayoutTests/ChangeLog 2014-02-17 22:26:54 UTC (rev 164249)
@@ -1,3 +1,17 @@
+2014-02-17 Chris Fleizach <[email protected]>
+
+ AX: Invalid cast in WebCore::AccessibilityTable::isDataTable (CRBug 280352)
+ <https://webkit.org/b/128925>
+ <rdar://problem/16087351>
+
+ Merged from Blink (patch by Dominic Mazzoni):
+ https://src.chromium.org/viewvc/blink?revision=159711&view=revision
+
+ Reviewed by Oliver Hunt.
+
+ * accessibility/display-table-cell-causes-crash-expected.txt: Added.
+ * accessibility/display-table-cell-causes-crash.html: Added.
+
2014-02-17 Simon Fraser <[email protected]>
Fix layout test added in r164232 to avoid bug 128929
Added: trunk/LayoutTests/accessibility/display-table-cell-causes-crash-expected.txt (0 => 164249)
--- trunk/LayoutTests/accessibility/display-table-cell-causes-crash-expected.txt (rev 0)
+++ trunk/LayoutTests/accessibility/display-table-cell-causes-crash-expected.txt 2014-02-17 22:26:54 UTC (rev 164249)
@@ -0,0 +1,6 @@
+This test makes sure that an element with a display of table-cell doesn't cause a crash when accessibility code assumes it must be a TD or TH element.
+
+PASS successfullyParsed is true
+
+TEST COMPLETE
+
Added: trunk/LayoutTests/accessibility/display-table-cell-causes-crash.html (0 => 164249)
--- trunk/LayoutTests/accessibility/display-table-cell-causes-crash.html (rev 0)
+++ trunk/LayoutTests/accessibility/display-table-cell-causes-crash.html 2014-02-17 22:26:54 UTC (rev 164249)
@@ -0,0 +1,35 @@
+<html>
+<head>
+<script src=""
+</head>
+<body>
+
+<p id="description">This test makes sure that an element with a display of table-cell doesn't cause a crash when accessibility code assumes it must be a TD or TH element.</p>
+
+<div id="console"></div>
+
+<table></table>
+
+<script>
+ if (window.testRunner)
+ testRunner.dumpAsText();
+
+ // Ensure AX is loaded.
+ if (window.accessibilityController) {
+ accessibilityController.accessibleElementById("description");
+ }
+ var table = document.querySelector('table');
+ var span = document.createElement('span');
+ table.appendChild(span);
+ var div = document.createElement('div');
+ div.style.display = 'table-cell';
+ table.appendChild(div);
+ var input = document.createElement('input');
+ input.setAttribute('autofocus', 'autofocus');
+ div.appendChild(input);
+</script>
+
+<script src=""
+
+</body>
+</html>
Modified: trunk/Source/WebCore/ChangeLog (164248 => 164249)
--- trunk/Source/WebCore/ChangeLog 2014-02-17 22:12:30 UTC (rev 164248)
+++ trunk/Source/WebCore/ChangeLog 2014-02-17 22:26:54 UTC (rev 164249)
@@ -1,3 +1,21 @@
+2014-02-17 Chris Fleizach <[email protected]>
+
+ AX: Invalid cast in WebCore::AccessibilityTable::isDataTable (CRBug 280352)
+ <https://webkit.org/b/128925>
+ <rdar://problem/16087351>
+
+ Merged from Blink (patch by Dominic Mazzoni):
+ https://src.chromium.org/viewvc/blink?revision=159711&view=revision
+
+ Reviewed by Oliver Hunt.
+
+ Don't cast to a table cell element unless we are sure it is one.
+
+ Test: accessibility/display-table-cell-causes-crash.html
+
+ * accessibility/AccessibilityTable.cpp:
+ (WebCore::AccessibilityTable::isDataTable):
+
2014-02-17 Antti Koivisto <[email protected]>
Node constructor should take Document reference
Modified: trunk/Source/WebCore/accessibility/AccessibilityTable.cpp (164248 => 164249)
--- trunk/Source/WebCore/accessibility/AccessibilityTable.cpp 2014-02-17 22:12:30 UTC (rev 164248)
+++ trunk/Source/WebCore/accessibility/AccessibilityTable.cpp 2014-02-17 22:26:54 UTC (rev 164249)
@@ -175,7 +175,9 @@
RenderTableCell* cell = firstBody->primaryCellAt(row, col);
if (!cell)
continue;
- if (!cell->element())
+
+ Element* cellElement = cell->element();
+ if (!cellElement)
continue;
if (cell->width() < 1 || cell->height() < 1)
@@ -183,8 +185,6 @@
validCellCount++;
- HTMLTableCellElement* cellElement = toHTMLTableCellElement(cell->element());
-
bool isTHCell = cellElement->hasTagName(thTag);
// If the first row is comprised of all <th> tags, assume it is a data table.
if (!row && isTHCell)
@@ -194,11 +194,13 @@
if (!col && isTHCell)
headersInFirstColumnCount++;
- // in this case, the developer explicitly assigned a "data" table attribute
- if (!cellElement->headers().isEmpty() || !cellElement->abbr().isEmpty()
- || !cellElement->axis().isEmpty() || !cellElement->scope().isEmpty())
- return true;
-
+ // In this case, the developer explicitly assigned a "data" table attribute.
+ if (cellElement->hasTagName(tdTag) || cellElement->hasTagName(thTag)) {
+ HTMLTableCellElement* tableCellElement = toHTMLTableCellElement(cellElement);
+ if (!tableCellElement->headers().isEmpty() || !tableCellElement->abbr().isEmpty()
+ || !tableCellElement->axis().isEmpty() || !tableCellElement->scope().isEmpty())
+ return true;
+ }
const RenderStyle& renderStyle = cell->style();
// If the empty-cells style is set, we'll call it a data table.
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes
