Title: [199494] releases/WebKitGTK/webkit-2.12
- Revision
- 199494
- Author
- [email protected]
- Date
- 2016-04-13 08:53:03 -0700 (Wed, 13 Apr 2016)
Log Message
Merge r199229 - AX: [ATK] Crash getting text under element in CSS table
https://bugs.webkit.org/show_bug.cgi?id=156328
Reviewed by Chris Fleizach.
Source/WebCore:
AccessibilityRenderObject::textUnderElement() assumes (and asserts) that
the first and last child of an anonymous block will each have nodes with
which to define positions. This is not the case for CSS Tables and their
anonymous descendants. AccessibilityNodeObject:textUnderElement() is our
fallback for the instances where a text range cannot be created based on
positions, so let it handle anonymous RenderTable parts.
Test: accessibility/generated-content-with-display-table-crash.html
* accessibility/AccessibilityRenderObject.cpp:
(WebCore::AccessibilityRenderObject::textUnderElement):
(WebCore::AccessibilityRenderObject::shouldGetTextFromNode):
* accessibility/AccessibilityRenderObject.h:
LayoutTests:
While this crash is currently seen only for ATK, there is nothing to
prevent another port from attempting to get all the text under a CSS
RenderTable. Hence the shared test.
* accessibility/generated-content-with-display-table-crash.html: Added.
* platform/gtk/accessibility/generated-content-with-display-table-crash-expected.txt: Added.
* platform/mac/accessibility/generated-content-with-display-table-crash-expected.txt: Added.
Modified Paths
Added Paths
Diff
Modified: releases/WebKitGTK/webkit-2.12/LayoutTests/ChangeLog (199493 => 199494)
--- releases/WebKitGTK/webkit-2.12/LayoutTests/ChangeLog 2016-04-13 15:51:43 UTC (rev 199493)
+++ releases/WebKitGTK/webkit-2.12/LayoutTests/ChangeLog 2016-04-13 15:53:03 UTC (rev 199494)
@@ -1,3 +1,18 @@
+2016-04-08 Joanmarie Diggs <[email protected]>
+
+ AX: [ATK] Crash getting text under element in CSS table
+ https://bugs.webkit.org/show_bug.cgi?id=156328
+
+ Reviewed by Chris Fleizach.
+
+ While this crash is currently seen only for ATK, there is nothing to
+ prevent another port from attempting to get all the text under a CSS
+ RenderTable. Hence the shared test.
+
+ * accessibility/generated-content-with-display-table-crash.html: Added.
+ * platform/gtk/accessibility/generated-content-with-display-table-crash-expected.txt: Added.
+ * platform/mac/accessibility/generated-content-with-display-table-crash-expected.txt: Added.
+
2016-04-05 Chris Dumez <[email protected]>
MessageEvent.source window is incorrect once window has been reified
Added: releases/WebKitGTK/webkit-2.12/LayoutTests/accessibility/generated-content-with-display-table-crash.html (0 => 199494)
--- releases/WebKitGTK/webkit-2.12/LayoutTests/accessibility/generated-content-with-display-table-crash.html (rev 0)
+++ releases/WebKitGTK/webkit-2.12/LayoutTests/accessibility/generated-content-with-display-table-crash.html 2016-04-13 15:53:03 UTC (rev 199494)
@@ -0,0 +1,32 @@
+<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML//EN">
+<html>
+<head>
+<script src=""
+<script src=""
+<style>
+[class*="foo"]:after { content: "!"; }
+[class*="bar"]:after { content: "!"; display: table; }
+[class*="baz"]:after { display: table; }
+</style>
+</head>
+<body id="body">
+<div id="div1" class="foo">foo</div>
+<div id="div2" class="bar">bar</div>
+<div id="div3" class="baz">baz</div>
+<div id="stopElement">End of test</div>
+
+<pre id="tree"></pre>
+
+<p id="description"></p>
+<div id="console"></div>
+<script>
+ description("This verifies that getting content of an element with generated content in CSS table doesn't cause a crash.");
+ if (window.accessibilityController) {
+ document.body.focus();
+ var stopElement = accessibilityController.accessibleElementById("stopElement");
+ dumpAccessibilityTree(accessibilityController.focusedElement, stopElement, 0);
+ }
+</script>
+<script src=""
+</body>
+</html>
Added: releases/WebKitGTK/webkit-2.12/LayoutTests/platform/gtk/accessibility/generated-content-with-display-table-crash-expected.txt (0 => 199494)
--- releases/WebKitGTK/webkit-2.12/LayoutTests/platform/gtk/accessibility/generated-content-with-display-table-crash-expected.txt (rev 0)
+++ releases/WebKitGTK/webkit-2.12/LayoutTests/platform/gtk/accessibility/generated-content-with-display-table-crash-expected.txt 2016-04-13 15:53:03 UTC (rev 199494)
@@ -0,0 +1,18 @@
+foo
+bar
+baz
+End of test
+AXRole: AXWebArea
+ AXRole: AXSection AXValue: foo !
+ AXRole: AXSection AXValue: bar !
+ AXRole: AXSection AXValue: baz
+ AXRole: AXSection AXValue: End of test
+This verifies that getting content of an element with generated content in CSS table doesn't cause a crash.
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+PASS successfullyParsed is true
+
+TEST COMPLETE
+
Added: releases/WebKitGTK/webkit-2.12/LayoutTests/platform/mac/accessibility/generated-content-with-display-table-crash-expected.txt (0 => 199494)
--- releases/WebKitGTK/webkit-2.12/LayoutTests/platform/mac/accessibility/generated-content-with-display-table-crash-expected.txt (rev 0)
+++ releases/WebKitGTK/webkit-2.12/LayoutTests/platform/mac/accessibility/generated-content-with-display-table-crash-expected.txt 2016-04-13 15:53:03 UTC (rev 199494)
@@ -0,0 +1,23 @@
+foo
+bar
+baz
+End of test
+AXRole: AXWebArea AXValue:
+ AXRole: AXGroup AXValue:
+ AXRole: AXStaticText AXValue: foo
+ AXRole: AXStaticText AXValue: !
+ AXRole: AXGroup AXValue:
+ AXRole: AXStaticText AXValue: bar
+ AXRole: AXStaticText AXValue: !
+ AXRole: AXGroup AXValue:
+ AXRole: AXStaticText AXValue: baz
+ AXRole: AXGroup AXValue:
+This verifies that getting content of an element with generated content in CSS table doesn't cause a crash.
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+PASS successfullyParsed is true
+
+TEST COMPLETE
+
Modified: releases/WebKitGTK/webkit-2.12/Source/WebCore/ChangeLog (199493 => 199494)
--- releases/WebKitGTK/webkit-2.12/Source/WebCore/ChangeLog 2016-04-13 15:51:43 UTC (rev 199493)
+++ releases/WebKitGTK/webkit-2.12/Source/WebCore/ChangeLog 2016-04-13 15:53:03 UTC (rev 199494)
@@ -1,3 +1,24 @@
+2016-04-08 Joanmarie Diggs <[email protected]>
+
+ AX: [ATK] Crash getting text under element in CSS table
+ https://bugs.webkit.org/show_bug.cgi?id=156328
+
+ Reviewed by Chris Fleizach.
+
+ AccessibilityRenderObject::textUnderElement() assumes (and asserts) that
+ the first and last child of an anonymous block will each have nodes with
+ which to define positions. This is not the case for CSS Tables and their
+ anonymous descendants. AccessibilityNodeObject:textUnderElement() is our
+ fallback for the instances where a text range cannot be created based on
+ positions, so let it handle anonymous RenderTable parts.
+
+ Test: accessibility/generated-content-with-display-table-crash.html
+
+ * accessibility/AccessibilityRenderObject.cpp:
+ (WebCore::AccessibilityRenderObject::textUnderElement):
+ (WebCore::AccessibilityRenderObject::shouldGetTextFromNode):
+ * accessibility/AccessibilityRenderObject.h:
+
2016-04-05 Chris Dumez <[email protected]>
MessageEvent.source window is incorrect once window has been reified
Modified: releases/WebKitGTK/webkit-2.12/Source/WebCore/accessibility/AccessibilityRenderObject.cpp (199493 => 199494)
--- releases/WebKitGTK/webkit-2.12/Source/WebCore/accessibility/AccessibilityRenderObject.cpp 2016-04-13 15:51:43 UTC (rev 199493)
+++ releases/WebKitGTK/webkit-2.12/Source/WebCore/accessibility/AccessibilityRenderObject.cpp 2016-04-13 15:53:03 UTC (rev 199494)
@@ -643,8 +643,7 @@
return downcast<RenderMathMLOperator>(*m_renderer).element().textContent();
#endif
- // rangeOfContents does not include CSS-generated content.
- if (m_renderer->isBeforeOrAfterContent())
+ if (shouldGetTextFromNode(mode))
return AccessibilityNodeObject::textUnderElement(mode);
// We use a text iterator for text objects AND for those cases where we are
@@ -656,12 +655,6 @@
Document* nodeDocument = nullptr;
RefPtr<Range> textRange;
if (Node* node = m_renderer->node()) {
- // rangeOfContents does not include CSS-generated content.
- Node* firstChild = node->pseudoAwareFirstChild();
- Node* lastChild = node->pseudoAwareLastChild();
- if ((firstChild && firstChild->isPseudoElement()) || (lastChild && lastChild->isPseudoElement()))
- return AccessibilityNodeObject::textUnderElement(mode);
-
nodeDocument = &node->document();
textRange = rangeOfContents(*node);
} else {
@@ -719,6 +712,31 @@
return AccessibilityNodeObject::textUnderElement(mode);
}
+bool AccessibilityRenderObject::shouldGetTextFromNode(AccessibilityTextUnderElementMode mode) const
+{
+ if (!m_renderer)
+ return false;
+
+ // AccessibilityRenderObject::textUnderElement() gets the text of anonymous blocks by using
+ // the child nodes to define positions. CSS tables and their anonymous descendants lack
+ // children with nodes.
+ if (m_renderer->isAnonymous() && m_renderer->isTablePart())
+ return mode.childrenInclusion == AccessibilityTextUnderElementMode::TextUnderElementModeIncludeAllChildren;
+
+ // AccessibilityRenderObject::textUnderElement() calls rangeOfContents() to create the text
+ // range. rangeOfContents() does not include CSS-generated content.
+ if (m_renderer->isBeforeOrAfterContent())
+ return true;
+ if (Node* node = m_renderer->node()) {
+ Node* firstChild = node->pseudoAwareFirstChild();
+ Node* lastChild = node->pseudoAwareLastChild();
+ if ((firstChild && firstChild->isPseudoElement()) || (lastChild && lastChild->isPseudoElement()))
+ return true;
+ }
+
+ return false;
+}
+
Node* AccessibilityRenderObject::node() const
{
if (!m_renderer)
Modified: releases/WebKitGTK/webkit-2.12/Source/WebCore/accessibility/AccessibilityRenderObject.h (199493 => 199494)
--- releases/WebKitGTK/webkit-2.12/Source/WebCore/accessibility/AccessibilityRenderObject.h 2016-04-13 15:51:43 UTC (rev 199493)
+++ releases/WebKitGTK/webkit-2.12/Source/WebCore/accessibility/AccessibilityRenderObject.h 2016-04-13 15:53:03 UTC (rev 199494)
@@ -283,6 +283,8 @@
virtual bool inheritsPresentationalRole() const override;
+ bool shouldGetTextFromNode(AccessibilityTextUnderElementMode) const;
+
#if ENABLE(MATHML)
// All math elements return true for isMathElement().
virtual bool isMathElement() const override;
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes
