Title: [191461] branches/safari-601.1.46-branch/Source/WebCore
- Revision: 191461
- Author: matthew_han...@apple.com
- Date: 2015-10-22 11:36:09 -0700 (Thu, 22 Oct 2015)
Log Message
Merge r191357. rdar://problem/23103005
Modified Paths
Diff
Modified: branches/safari-601.1.46-branch/Source/WebCore/ChangeLog (191460 => 191461)
--- branches/safari-601.1.46-branch/Source/WebCore/ChangeLog 2015-10-22 18:36:01 UTC (rev 191460)
+++ branches/safari-601.1.46-branch/Source/WebCore/ChangeLog 2015-10-22 18:36:09 UTC (rev 191461)
@@ -1,5 +1,24 @@
2015-10-20 Matthew Hanson <matthew_han...@apple.com>
+ Merge r191357. rdar://problem/23103005
+
+ 2015-10-20 Chris Fleizach <cfleiz...@apple.com>
+
+ AX: CrashTracer: com.apple.WebKit.WebContent at com.apple.WebCore: WebCore::AccessibilityTable::tableElement const + 116
+ https://bugs.webkit.org/show_bug.cgi?id=150349
+
+ Reviewed by Brent Fulgham.
+
+ The crash point for this bug says that the parentElement of the firstBody is garbage when it's accessed.
+ Unfortunately, I could not reproduce this in-situ or with a test.
+ So my speculative solution is to recalculate those body elements to ensure that they're valid before we access.
+
+ * accessibility/AccessibilityTable.cpp:
+ (WebCore::AccessibilityTable::tableElement):
+ (WebCore::AccessibilityTable::isDataTable):
+
+2015-10-20 Matthew Hanson <matthew_han...@apple.com>
+
Merge r191223. rdar://problem/22900764
2015-10-16 Alex Christensen <achristen...@webkit.org>
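Review bot: The ChangeLog entry lists (WebCore::AccessibilityTable::isDataTable) as a modified function, but the AccessibilityTable.cpp diff shown here only changes tableElement; isDataTable appears only as trailing context. Either describe what changed in isDataTable or drop it from the function list, so the entry matches the code that was actually merged.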
Modified: branches/safari-601.1.46-branch/Source/WebCore/accessibility/AccessibilityTable.cpp (191460 => 191461)
--- branches/safari-601.1.46-branch/Source/WebCore/accessibility/AccessibilityTable.cpp 2015-10-22 18:36:01 UTC (rev 191460)
+++ branches/safari-601.1.46-branch/Source/WebCore/accessibility/AccessibilityTable.cpp 2015-10-22 18:36:09 UTC (rev 191461)
@@ -99,17 +99,15 @@
if (is<HTMLTableElement>(table.element()))
return downcast<HTMLTableElement>(table.element());
+ table.forceSectionsRecalc();
+
// If the table has a display:table-row-group, then the RenderTable does not have a pointer to it's HTMLTableElement.
// We can instead find it by asking the firstSection for its parent.
RenderTableSection* firstBody = table.firstBody();
if (!firstBody || !firstBody->element())
return nullptr;
- Element* actualTable = firstBody->element()->parentElement();
- if (!is<HTMLTableElement>(actualTable))
- return nullptr;
-
- return downcast<HTMLTableElement>(actualTable);
+ return ancestorsOfType<HTMLTableElement>(*(firstBody->element())).first();
}
bool AccessibilityTable::isDataTable() const
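Review bot: The new return ancestorsOfType<HTMLTableElement>(*(firstBody->element())).first() at the end of tableElement() widens the lookup from the section's direct parent to any ancestor. The removed code returned nullptr when parentElement() was not an HTMLTableElement; the new line can instead return an enclosing table further up the tree (nested tables, for instance), which may not be the element this render table belongs to. If the widening is intended, update the comment above firstBody, which still reads "asking the firstSection for its parent"; otherwise keep the check on the direct parent. It is also worth confirming that first() yields null when no ancestor matches, since the explicit nullptr return is gone. Separately, table.forceSectionsRecalc() is added with no comment: a line stating that it guards against stale section pointers before firstBody() is read would explain why an accessor triggers a recalculation. The call runs on every invocation that misses the is<HTMLTableElement>(table.element()) fast path, so its cost deserves a look.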
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes