Title: [165219] branches/safari-537.75-branch
Diff
Modified: branches/safari-537.75-branch/LayoutTests/ChangeLog (165218 => 165219)
--- branches/safari-537.75-branch/LayoutTests/ChangeLog 2014-03-06 22:43:27 UTC (rev 165218)
+++ branches/safari-537.75-branch/LayoutTests/ChangeLog 2014-03-06 23:06:50 UTC (rev 165219)
@@ -1,5 +1,23 @@
2014-03-06 Matthew Hanson <[email protected]>
+ Merge r164249.
+
+ 2014-02-17 Chris Fleizach <[email protected]>
+
+ AX: Invalid cast in WebCore::AccessibilityTable::isDataTable (CRBug 280352)
+ <https://webkit.org/b/128925>
+ <rdar://problem/16087351>
+
+ Merged from Blink (patch by Dominic Mazzoni):
+ https://src.chromium.org/viewvc/blink?revision=159711&view=revision
+
+ Reviewed by Oliver Hunt.
+
+ * accessibility/display-table-cell-causes-crash-expected.txt: Added.
+ * accessibility/display-table-cell-causes-crash.html: Added.
+
+2014-03-06 Matthew Hanson <[email protected]>
+
Merge r156716.
2013-10-01 Myles C. Maxfield <[email protected]>
Copied: branches/safari-537.75-branch/LayoutTests/accessibility/display-table-cell-causes-crash-expected.txt (from rev 164249, trunk/LayoutTests/accessibility/display-table-cell-causes-crash-expected.txt) (0 => 165219)
--- branches/safari-537.75-branch/LayoutTests/accessibility/display-table-cell-causes-crash-expected.txt (rev 0)
+++ branches/safari-537.75-branch/LayoutTests/accessibility/display-table-cell-causes-crash-expected.txt 2014-03-06 23:06:50 UTC (rev 165219)
@@ -0,0 +1,6 @@
+This test makes sure that an element with a display of table-cell doesn't cause a crash when accessibility code assumes it must be a TD or TH element.
+
+PASS successfullyParsed is true
+
+TEST COMPLETE
+
Copied: branches/safari-537.75-branch/LayoutTests/accessibility/display-table-cell-causes-crash.html (from rev 164249, trunk/LayoutTests/accessibility/display-table-cell-causes-crash.html) (0 => 165219)
--- branches/safari-537.75-branch/LayoutTests/accessibility/display-table-cell-causes-crash.html (rev 0)
+++ branches/safari-537.75-branch/LayoutTests/accessibility/display-table-cell-causes-crash.html 2014-03-06 23:06:50 UTC (rev 165219)
@@ -0,0 +1,35 @@
+<html>
+<head>
+<script src=""
+</head>
+<body>
+
+<p id="description">This test makes sure that an element with a display of table-cell doesn't cause a crash when accessibility code assumes it must be a TD or TH element.</p>
+
+<div id="console"></div>
+
+<table></table>
+
+<script>
+ if (window.testRunner)
+ testRunner.dumpAsText();
+
+ // Ensure AX is loaded.
+ if (window.accessibilityController) {
+ accessibilityController.accessibleElementById("description");
+ }
+ var table = document.querySelector('table');
+ var span = document.createElement('span');
+ table.appendChild(span);
+ var div = document.createElement('div');
+ div.style.display = 'table-cell';
+ table.appendChild(div);
+ var input = document.createElement('input');
+ input.setAttribute('autofocus', 'autofocus');
+ div.appendChild(input);
+</script>
+
+<script src=""
+
+</body>
+</html>
Modified: branches/safari-537.75-branch/Source/WebCore/ChangeLog (165218 => 165219)
--- branches/safari-537.75-branch/Source/WebCore/ChangeLog 2014-03-06 22:43:27 UTC (rev 165218)
+++ branches/safari-537.75-branch/Source/WebCore/ChangeLog 2014-03-06 23:06:50 UTC (rev 165219)
@@ -1,5 +1,27 @@
2014-03-06 Matthew Hanson <[email protected]>
+ Merge r164249.
+
+ 2014-02-17 Chris Fleizach <[email protected]>
+
+ AX: Invalid cast in WebCore::AccessibilityTable::isDataTable (CRBug 280352)
+ <https://webkit.org/b/128925>
+ <rdar://problem/16087351>
+
+ Merged from Blink (patch by Dominic Mazzoni):
+ https://src.chromium.org/viewvc/blink?revision=159711&view=revision
+
+ Reviewed by Oliver Hunt.
+
+ Don't cast to a table cell element unless we are sure it is one.
+
+ Test: accessibility/display-table-cell-causes-crash.html
+
+ * accessibility/AccessibilityTable.cpp:
+ (WebCore::AccessibilityTable::isDataTable):
+
+2014-03-06 Matthew Hanson <[email protected]>
+
Merge r165145.
2014-03-05 Daniel Bates <[email protected]>
Modified: branches/safari-537.75-branch/Source/WebCore/accessibility/AccessibilityTable.cpp (165218 => 165219)
--- branches/safari-537.75-branch/Source/WebCore/accessibility/AccessibilityTable.cpp 2014-03-06 22:43:27 UTC (rev 165218)
+++ branches/safari-537.75-branch/Source/WebCore/accessibility/AccessibilityTable.cpp 2014-03-06 23:06:50 UTC (rev 165219)
@@ -178,7 +178,7 @@
if (!cell)
continue;
Node* cellNode = cell->node();
- if (!cellNode)
+ if (!cellNode || !cellNode->isElementNode())
continue;
if (cell->width() < 1 || cell->height() < 1)
@@ -186,7 +186,7 @@
validCellCount++;
- HTMLTableCellElement* cellElement = static_cast<HTMLTableCellElement*>(cellNode);
+ Element* cellElement = toElement(cellNode);
bool isTHCell = cellElement->hasTagName(thTag);
// If the first row is comprised of all <th> tags, assume it is a data table.
@@ -198,9 +198,13 @@
headersInFirstColumnCount++;
// in this case, the developer explicitly assigned a "data" table attribute
- if (!cellElement->headers().isEmpty() || !cellElement->abbr().isEmpty()
- || !cellElement->axis().isEmpty() || !cellElement->scope().isEmpty())
- return true;
+ if (cellElement->hasTagName(tdTag) || cellElement->hasTagName(thTag)) {
+ HTMLTableCellElement* tableCellElement = static_cast<HTMLTableCellElement*>(cellNode);
+
+ if (!tableCellElement->headers().isEmpty() || !tableCellElement->abbr().isEmpty()
+ || !tableCellElement->axis().isEmpty() || !tableCellElement->scope().isEmpty())
+ return true;
+ }
RenderStyle* renderStyle = cell->style();
if (!renderStyle)
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes
