Title: [178359] releases/WebKitGTK/webkit-2.6
- Revision
- 178359
- Author
- [email protected]
- Date
- 2015-01-13 04:09:53 -0800 (Tue, 13 Jan 2015)
Log Message
Merge r177537 - AX: Recursive crash at WebCore::accessibleNameForNode
https://bugs.webkit.org/show_bug.cgi?id=139616
Reviewed by Mario Sanchez Prada.
Source/WebCore:
An image that uses aria-labelledby to reference its own parent can lead to a recursion crash.
There needs to be some information we can pass through these methods to ensure we don't hit this case.
Test: accessibility/accessibility-description-crash.html
* accessibility/AccessibilityNodeObject.cpp:
(WebCore::AccessibilityNodeObject::alternativeText):
(WebCore::AccessibilityNodeObject::textUnderElement):
(WebCore::accessibleNameForNode):
(WebCore::AccessibilityNodeObject::accessibilityDescriptionForElements):
* accessibility/AccessibilityObject.h:
(WebCore::AccessibilityTextUnderElementMode::AccessibilityTextUnderElementMode):
LayoutTests:
* accessibility/accessibility-description-crash-expected.txt: Added.
* accessibility/accessibility-description-crash.html: Added.
Modified Paths
Diff
Modified: releases/WebKitGTK/webkit-2.6/LayoutTests/ChangeLog (178358 => 178359)
--- releases/WebKitGTK/webkit-2.6/LayoutTests/ChangeLog 2015-01-13 12:05:42 UTC (rev 178358)
+++ releases/WebKitGTK/webkit-2.6/LayoutTests/ChangeLog 2015-01-13 12:09:53 UTC (rev 178359)
@@ -1,3 +1,13 @@
+2014-12-18 Chris Fleizach <[email protected]>
+
+ AX: Recursive crash at WebCore::accessibleNameForNode
+ https://bugs.webkit.org/show_bug.cgi?id=139616
+
+ Reviewed by Mario Sanchez Prada.
+
+ * accessibility/accessibility-description-crash-expected.txt: Added.
+ * accessibility/accessibility-description-crash.html: Added.
+
2014-12-16 Chris Dumez <[email protected]>
REGRESSION (r163928): Animated GIFs are not resumed when translated into view using -webkit-transform
Modified: releases/WebKitGTK/webkit-2.6/Source/WebCore/ChangeLog (178358 => 178359)
--- releases/WebKitGTK/webkit-2.6/Source/WebCore/ChangeLog 2015-01-13 12:05:42 UTC (rev 178358)
+++ releases/WebKitGTK/webkit-2.6/Source/WebCore/ChangeLog 2015-01-13 12:09:53 UTC (rev 178359)
@@ -1,3 +1,23 @@
+2014-12-18 Chris Fleizach <[email protected]>
+
+ AX: Recursive crash at WebCore::accessibleNameForNode
+ https://bugs.webkit.org/show_bug.cgi?id=139616
+
+ Reviewed by Mario Sanchez Prada.
+
+ An image that uses aria-labelledby to reference its own parent can lead to a recursion crash.
+ There needs to be some information we can pass through these methods to ensure we don't hit this case.
+
+ Test: accessibility/accessibility-description-crash.html
+
+ * accessibility/AccessibilityNodeObject.cpp:
+ (WebCore::AccessibilityNodeObject::alternativeText):
+ (WebCore::AccessibilityNodeObject::textUnderElement):
+ (WebCore::accessibleNameForNode):
+ (WebCore::AccessibilityNodeObject::accessibilityDescriptionForElements):
+ * accessibility/AccessibilityObject.h:
+ (WebCore::AccessibilityTextUnderElementMode::AccessibilityTextUnderElementMode):
+
2014-12-18 Joseph Pecoraro <[email protected]>
Web Inspector: ASSERT seen closing/opening multiple inspectors
Modified: releases/WebKitGTK/webkit-2.6/Source/WebCore/accessibility/AccessibilityNodeObject.cpp (178358 => 178359)
--- releases/WebKitGTK/webkit-2.6/Source/WebCore/accessibility/AccessibilityNodeObject.cpp 2015-01-13 12:05:42 UTC (rev 178358)
+++ releases/WebKitGTK/webkit-2.6/Source/WebCore/accessibility/AccessibilityNodeObject.cpp 2015-01-13 12:09:53 UTC (rev 178359)
@@ -86,7 +86,7 @@
using namespace HTMLNames;
-static String accessibleNameForNode(Node*);
+static String accessibleNameForNode(Node* node, Node* labelledbyNode = nullptr);
AccessibilityNodeObject::AccessibilityNodeObject(Node* node)
: AccessibilityObject()
@@ -1661,6 +1661,8 @@
StringBuilder builder;
for (AccessibilityObject* child = firstChild(); child; child = child->nextSibling()) {
+ if (mode.ignoredChildNode && child->node() == mode.ignoredChildNode)
+ continue;
bool shouldDeriveNameFromAuthor = (mode.childrenInclusion == AccessibilityTextUnderElementMode::TextUnderElementModeIncludeNameFromContentsChildren && !child->accessibleNameDerivesFromContent());
if (shouldDeriveNameFromAuthor) {
@@ -1837,7 +1839,7 @@
// This function implements the ARIA accessible name as described by the Mozilla
// ARIA Implementer's Guide.
-static String accessibleNameForNode(Node* node)
+static String accessibleNameForNode(Node* node, Node* labelledbyNode)
{
ASSERT(node);
if (!node || !node->isElementNode())
@@ -1867,7 +1869,7 @@
String text;
if (axObject) {
if (axObject->accessibleNameDerivesFromContent())
- text = axObject->textUnderElement(AccessibilityTextUnderElementMode(AccessibilityTextUnderElementMode::TextUnderElementModeIncludeNameFromContentsChildren, true));
+ text = axObject->textUnderElement(AccessibilityTextUnderElementMode(AccessibilityTextUnderElementMode::TextUnderElementModeIncludeNameFromContentsChildren, true, labelledbyNode));
} else
text = element->innerText();
@@ -1886,7 +1888,7 @@
StringBuilder builder;
unsigned size = elements.size();
for (unsigned i = 0; i < size; ++i)
- appendNameToStringBuilder(builder, accessibleNameForNode(elements[i]));
+ appendNameToStringBuilder(builder, accessibleNameForNode(elements[i], node()));
return builder.toString();
}
Modified: releases/WebKitGTK/webkit-2.6/Source/WebCore/accessibility/AccessibilityObject.h (178358 => 178359)
--- releases/WebKitGTK/webkit-2.6/Source/WebCore/accessibility/AccessibilityObject.h 2015-01-13 12:05:42 UTC (rev 178358)
+++ releases/WebKitGTK/webkit-2.6/Source/WebCore/accessibility/AccessibilityObject.h 2015-01-13 12:09:53 UTC (rev 178359)
@@ -253,11 +253,13 @@
ChildrenInclusion childrenInclusion;
bool includeFocusableContent;
+ Node* ignoredChildNode;
- AccessibilityTextUnderElementMode(ChildrenInclusion c = TextUnderElementModeSkipIgnoredChildren, bool i = false)
- : childrenInclusion(c)
- , includeFocusableContent(i)
- { }
+ AccessibilityTextUnderElementMode(ChildrenInclusion c = TextUnderElementModeSkipIgnoredChildren, bool i = false, Node* ignored = nullptr)
+ : childrenInclusion(c)
+ , includeFocusableContent(i)
+ , ignoredChildNode(ignored)
+ { }
};
enum AccessibilityOrientation {
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes
