[webkit-changes] [191475] branches/safari-601-branch/Source/WebCore

[matthew_hanson]

Title: [191475] branches/safari-601-branch/Source/WebCore

Revision

191475

Author

matthew_han...@apple.com

Date

2015-10-22 14:33:18 -0700 (Thu, 22 Oct 2015)

Log Message

Merge r191357. rdar://problem/23103279

Modified Paths

branches/safari-601-branch/Source/WebCore/ChangeLog
branches/safari-601-branch/Source/WebCore/accessibility/AccessibilityTable.cpp

Diff

Modified: branches/safari-601-branch/Source/WebCore/ChangeLog (191474 => 191475)

--- branches/safari-601-branch/Source/WebCore/ChangeLog	2015-10-22 21:29:54 UTC (rev 191474)
+++ branches/safari-601-branch/Source/WebCore/ChangeLog	2015-10-22 21:33:18 UTC (rev 191475)
@@ -1,3 +1,22 @@
+2015-10-22  Matthew Hanson  <matthew_han...@apple.com>
+
+        Merge r191357. rdar://problem/23103279
+
+    2015-10-20  Chris Fleizach  <cfleiz...@apple.com>
+
+            AX: CrashTracer: com.apple.WebKit.WebContent at com.apple.WebCore: WebCore::AccessibilityTable::tableElement const + 116
+            https://bugs.webkit.org/show_bug.cgi?id=150349
+
+            Reviewed by Brent Fulgham.
+
+            The crash point for this bug says that the parentElement of the firstBody is garbage when it's accessed.
+            Unfortunately, I could not reproduce this in-situ or with a test.
+            So my speculative solution is to recalculate those body elements to ensure that they're valid before we access.
+
+            * accessibility/AccessibilityTable.cpp:
+            (WebCore::AccessibilityTable::tableElement):
+            (WebCore::AccessibilityTable::isDataTable):
+
 2015-10-14  Matthew Hanson  <matthew_han...@apple.com>
 
         Merge r191077. rdar://problem/22993325

Modified: branches/safari-601-branch/Source/WebCore/accessibility/AccessibilityTable.cpp (191474 => 191475)

--- branches/safari-601-branch/Source/WebCore/accessibility/AccessibilityTable.cpp	2015-10-22 21:29:54 UTC (rev 191474)
+++ branches/safari-601-branch/Source/WebCore/accessibility/AccessibilityTable.cpp	2015-10-22 21:33:18 UTC (rev 191475)
@@ -101,17 +101,15 @@
     if (is<HTMLTableElement>(table.element()))
         return downcast<HTMLTableElement>(table.element());
     
+    table.forceSectionsRecalc();
+
     // If the table has a display:table-row-group, then the RenderTable does not have a pointer to it's HTMLTableElement.
     // We can instead find it by asking the firstSection for its parent.
     RenderTableSection* firstBody = table.firstBody();
     if (!firstBody || !firstBody->element())
         return nullptr;
     
-    Element* actualTable = firstBody->element()->parentElement();
-    if (!is<HTMLTableElement>(actualTable))
-        return nullptr;
-    
-    return downcast<HTMLTableElement>(actualTable);
+    return ancestorsOfType<HTMLTableElement>(*(firstBody->element())).first();
 }
     
 bool AccessibilityTable::isDataTable() const

_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes