Title: [191357] trunk/Source/WebCore
Revision
191357
Author
[email protected]
Date
2015-10-20 14:34:23 -0700 (Tue, 20 Oct 2015)

Log Message

AX: CrashTracer: com.apple.WebKit.WebContent at com.apple.WebCore: WebCore::AccessibilityTable::tableElement const + 116
https://bugs.webkit.org/show_bug.cgi?id=150349

Reviewed by Brent Fulgham.

The crash point for this bug says that the parentElement of the firstBody is garbage when it's accessed.
Unfortunately, I could not reproduce this in-situ or with a test.
So my speculative solution is to recalculate those body elements to ensure that they're valid before we access.

* accessibility/AccessibilityTable.cpp:
(WebCore::AccessibilityTable::tableElement):
(WebCore::AccessibilityTable::isDataTable):

Modified Paths

Diff

Modified: trunk/Source/WebCore/ChangeLog (191356 => 191357)


--- trunk/Source/WebCore/ChangeLog	2015-10-20 20:54:28 UTC (rev 191356)
+++ trunk/Source/WebCore/ChangeLog	2015-10-20 21:34:23 UTC (rev 191357)
@@ -1,3 +1,18 @@
+2015-10-20  Chris Fleizach  <[email protected]>
+
+        AX: CrashTracer: com.apple.WebKit.WebContent at com.apple.WebCore: WebCore::AccessibilityTable::tableElement const + 116
+        https://bugs.webkit.org/show_bug.cgi?id=150349
+
+        Reviewed by Brent Fulgham.
+
+        The crash point for this bug says that the parentElement of the firstBody is garbage when it's accessed. 
+        Unfortunately, I could not reproduce this in-situ or with a test. 
+        So my speculative solution is to recalculate those body elements to ensure that they're valid before we access.
+
+        * accessibility/AccessibilityTable.cpp:
+        (WebCore::AccessibilityTable::tableElement):
+        (WebCore::AccessibilityTable::isDataTable):
+
 2015-10-20  Chris Dumez  <[email protected]>
 
         Unreviewed, GTK build fix after r191351.
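
Review bot: The function list at the end of the new entry names (WebCore::AccessibilityTable::isDataTable), but the AccessibilityTable.cpp hunk in this revision only changes lines inside tableElement; isDataTable shows up there only as trailing context. Drop that line so the log matches the change. Since the message says the crash could not be reproduced with a test, the entry should also state explicitly that no new test is included, and the trailing spaces after "accessed." and "test." can be trimmed.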

Modified: trunk/Source/WebCore/accessibility/AccessibilityTable.cpp (191356 => 191357)


--- trunk/Source/WebCore/accessibility/AccessibilityTable.cpp	2015-10-20 20:54:28 UTC (rev 191356)
+++ trunk/Source/WebCore/accessibility/AccessibilityTable.cpp	2015-10-20 21:34:23 UTC (rev 191357)
@@ -101,17 +101,15 @@
     if (is<HTMLTableElement>(table.element()))
         return downcast<HTMLTableElement>(table.element());
     
+    table.forceSectionsRecalc();
+
     // If the table has a display:table-row-group, then the RenderTable does not have a pointer to it's HTMLTableElement.
     // We can instead find it by asking the firstSection for its parent.
     RenderTableSection* firstBody = table.firstBody();
     if (!firstBody || !firstBody->element())
         return nullptr;
     
-    Element* actualTable = firstBody->element()->parentElement();
-    if (!is<HTMLTableElement>(actualTable))
-        return nullptr;
-    
-    return downcast<HTMLTableElement>(actualTable);
+    return ancestorsOfType<HTMLTableElement>(*(firstBody->element())).first();
 }
     
 bool AccessibilityTable::isDataTable() const
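
Review bot: The new return statement, ancestorsOfType<HTMLTableElement>(*(firstBody->element())).first(), accepts an HTMLTableElement at any depth above the first body's element, whereas the removed lines accepted only the direct parentElement() and returned nullptr otherwise. If the section's element is wrapped in another element that itself sits inside an outer table, this now returns that outer table; if the broader match is intended, say so in the comment above firstBody, otherwise keep the direct-parent check. The added table.forceSectionsRecalc() call also needs a short comment saying it is a speculative guard against a stale firstBody, as the log message describes, because nothing in the code explains why a recalculation is forced on every call that gets past the first early return.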