Diff
Modified: branches/safari-536.26-branch/LayoutTests/ChangeLog (124105 => 124106)
--- branches/safari-536.26-branch/LayoutTests/ChangeLog 2012-07-30 22:37:54 UTC (rev 124105)
+++ branches/safari-536.26-branch/LayoutTests/ChangeLog 2012-07-30 22:42:55 UTC (rev 124106)
@@ -1,5 +1,19 @@
2012-07-30 Lucas Forschler <lforsch...@apple.com>
+ Merge 118478 (required 118143)
+
+ 2012-05-24 Dominic Mazzoni <dmazz...@google.com>
+
+ Crash in WebCore::AccessibilityTable::isDataTable
+ https://bugs.webkit.org/show_bug.cgi?id=87409
+
+ Reviewed by Abhishek Arya.
+
+ * accessibility/contenteditable-table-check-causes-crash-expected.txt: Added.
+ * accessibility/contenteditable-table-check-causes-crash.html: Added.
+
+2012-07-30 Lucas Forschler <lforsch...@apple.com>
+
Merge 118471
2012-05-24 Hayato Ito <hay...@chromium.org>
Added: branches/safari-536.26-branch/LayoutTests/accessibility/contenteditable-table-check-causes-crash-expected.txt (0 => 124106)
--- branches/safari-536.26-branch/LayoutTests/accessibility/contenteditable-table-check-causes-crash-expected.txt (rev 0)
+++ branches/safari-536.26-branch/LayoutTests/accessibility/contenteditable-table-check-causes-crash-expected.txt 2012-07-30 22:42:55 UTC (rev 124106)
@@ -0,0 +1,9 @@
+Ensures that this snippet does not lead to a crash in the code that detects if a table is contenteditable. Bug 87409.
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+PASS successfullyParsed is true
+
+TEST COMPLETE
+
Added: branches/safari-536.26-branch/LayoutTests/accessibility/contenteditable-table-check-causes-crash.html (0 => 124106)
--- branches/safari-536.26-branch/LayoutTests/accessibility/contenteditable-table-check-causes-crash.html (rev 0)
+++ branches/safari-536.26-branch/LayoutTests/accessibility/contenteditable-table-check-causes-crash.html 2012-07-30 22:42:55 UTC (rev 124106)
@@ -0,0 +1,29 @@
+<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML//EN">
+<html>
+<head>
+<script src=""
+</head>
+<body>
+
+<script>
+ description("Ensures that this snippet does not lead to a crash in the code that detects if a table is contenteditable. Bug 87409.");
+</script>
+
+<style>
+.tableStyle { display: inline-table; content: counter(section);</style>
+<script>
+function crash() {
+ var node = document.createElement('keygen');
+ node.setAttribute('autofocus', 'autofocus');
+ node.setAttribute('class', 'tableStyle');
+ document.documentElement.appendChild(node);
+}
+window._onload_ = crash;
+</script>
+
+<p id="description"></p>
+<div id="console"></div>
+
+<script src=""
+</body>
+</html>
Modified: branches/safari-536.26-branch/LayoutTests/accessibility/table-detection.html (124105 => 124106)
--- branches/safari-536.26-branch/LayoutTests/accessibility/table-detection.html 2012-07-30 22:37:54 UTC (rev 124105)
+++ branches/safari-536.26-branch/LayoutTests/accessibility/table-detection.html 2012-07-30 22:42:55 UTC (rev 124106)
@@ -98,6 +98,13 @@
</style>
<table class="nmTB" cellpadding="0" cellspacing="0"><tr><td class="nmIBD" id="nmb" name="nmb" nm_sn="3032552" nm_suf="" CM_sf="Ex" CM="NewsMenuL1" pn="newsmenu" ct="nm0" cn="Politics"><a class="nmLBD" href="" class="nmIB" id="nmb" name="nmb" nm_sn="18970411" nm_suf="" CM_sf="Ex" CM="NewsMenuL1" pn="newsmenu" ct="nxf" cn="Decision '08"><a class="nmLB" href="" '08</a></td></tr><tr><td class="nmIB" id="nmb" name="nmb" nm_sn="18296896" nm_suf="" CM_sf="Ex" CM="NewsMenuL1" pn="newsmenu" ct="nxf" cn="The debates"><a class="nmLB" href="" debates</a></td></tr><tr><td class="nmIB" id="nmb" name="nmb" nm_sn="21491043" nm_suf="" CM_sf="Ex" CM="NewsMenuL1" pn="newsmenu" ct="nxf" cn="The White House"><a class="nmLB" href="" White House</a></td></tr><tr><td class="nmIB" id="nmb" name="nmb" nm_sn="21491571" nm_suf="" CM_sf="Ex" CM="NewsMenuL1" pn="newsmenu" ct="nxf" cn="Capitol Hill"><a class="nmLB" href="" Hill</a></td></tr><tr><td class="nmIB" id="nmb" name="nmb" nm_sn="14016004" nm_suf="" CM_sf="Ex" CM="NewsMenuL1" pn="newsmenu" ct="nxf" cn="National Journal"><a class="nmLB" href="" Journal</a></td></tr><tr><td class="nmIB" id="nmb" name="nmb" nm_sn="19748467" nm_suf="" CM_sf="Ex" CM="NewsMenuL1" pn="newsmenu" ct="nxf" cn="New York Times"><a class="nmLB" href="" York Times</a></td></tr></table>
+ // this should be a table because it's editable
+ <div contenteditable>
+ <table style='border: 1px solid black'>
+ <tr><td >asdf</td><td>asdf</td></tr>
+ </table>
+ </div>
+
<div id="result"></div>
<script>
Modified: branches/safari-536.26-branch/LayoutTests/platform/mac/accessibility/table-detection-expected.txt (124105 => 124106)
--- branches/safari-536.26-branch/LayoutTests/platform/mac/accessibility/table-detection-expected.txt 2012-07-30 22:37:54 UTC (rev 124105)
+++ branches/safari-536.26-branch/LayoutTests/platform/mac/accessibility/table-detection-expected.txt 2012-07-30 22:42:55 UTC (rev 124106)
@@ -30,6 +30,8 @@
Capitol Hill
National Journal
New York Times
+// this should be a table because it's editable
+asdf asdf
--------------------------
AXRole: AXGroup
@@ -879,6 +881,61 @@
AXChildren: <array of size 1>
AXHelp:
AXParent: <AXGroup>
+AXSize: NSSize: {769, 18}
+AXTitle:
+AXDescription:
+AXValue:
+AXFocused: 0
+AXEnabled: 1
+AXWindow: <AXGroup>
+AXSelectedTextMarkerRange: (null)
+AXStartTextMarker: <AXGroup>
+AXEndTextMarker: <AXGroup>
+AXVisited: 0
+AXLinkedUIElements: (null)
+AXSelected: 0
+AXBlockQuoteLevel: 0
+AXTopLevelUIElement: <AXGroup>
+AXTitleUIElement: (null)
+
+------------
+AXRole: AXTable
+AXSubrole: (null)
+AXRoleDescription: table
+AXChildren: <array of size 4>
+AXHelp:
+AXParent: <AXTable>
+AXSize: NSSize: {64, 26}
+AXTitle:
+AXDescription:
+AXValue:
+AXFocused: 0
+AXEnabled: 1
+AXWindow: <AXTable>
+AXSelectedTextMarkerRange: (null)
+AXStartTextMarker: <AXTable>
+AXEndTextMarker: <AXTable>
+AXVisited: 0
+AXLinkedUIElements: (null)
+AXSelected: 0
+AXBlockQuoteLevel: 0
+AXTopLevelUIElement: <AXTable>
+AXRows: <array of size 1>
+AXVisibleRows: <array of size 1>
+AXColumns: <array of size 2>
+AXVisibleColumns: <array of size 2>
+AXVisibleCells: <array of size 2>
+AXColumnHeaderUIElements: <array of size 0>
+AXRowHeaderUIElements: <array of size 0>
+AXHeader: <AXTable>
+
+------------
+AXRole: AXGroup
+AXSubrole: (null)
+AXRoleDescription: group
+AXChildren: <array of size 1>
+AXHelp:
+AXParent: <AXGroup>
AXSize: NSSize: {769, 36}
AXTitle:
AXDescription:
Modified: branches/safari-536.26-branch/Source/WebCore/ChangeLog (124105 => 124106)
--- branches/safari-536.26-branch/Source/WebCore/ChangeLog 2012-07-30 22:37:54 UTC (rev 124105)
+++ branches/safari-536.26-branch/Source/WebCore/ChangeLog 2012-07-30 22:42:55 UTC (rev 124106)
@@ -1,5 +1,30 @@
2012-07-30 Lucas Forschler <lforsch...@apple.com>
+ Merge 118478 (required 118143)
+
+ 2012-05-24 Dominic Mazzoni <dmazz...@google.com>
+
+ Crash in WebCore::AccessibilityTable::isDataTable
+ https://bugs.webkit.org/show_bug.cgi?id=87409
+
+ Reviewed by Abhishek Arya.
+
+ Use Node::rendererIsEditable everywhere rather than
+ Node::isContentEditable because the latter can trigger a layout
+ and destroy the renderer. New test covers the change to
+ AccessibilityTable.cpp, changes to AccessibilityRenderObject.cpp
+ are covered by existing tests.
+
+ Test: accessibility/contenteditable-table-check-causes-crash.html
+
+ * accessibility/AccessibilityRenderObject.cpp:
+ (WebCore::AccessibilityRenderObject::isReadOnly):
+ (WebCore::AccessibilityRenderObject::contentChanged):
+ * accessibility/AccessibilityTable.cpp:
+ (WebCore::AccessibilityTable::isDataTable):
+
+2012-07-30 Lucas Forschler <lforsch...@apple.com>
+
Merge 118471
2012-05-24 Hayato Ito <hay...@chromium.org>
Modified: branches/safari-536.26-branch/Source/WebCore/accessibility/AccessibilityRenderObject.cpp (124105 => 124106)
--- branches/safari-536.26-branch/Source/WebCore/accessibility/AccessibilityRenderObject.cpp 2012-07-30 22:37:54 UTC (rev 124105)
+++ branches/safari-536.26-branch/Source/WebCore/accessibility/AccessibilityRenderObject.cpp 2012-07-30 22:42:55 UTC (rev 124106)
@@ -717,7 +717,7 @@
return true;
HTMLElement* body = document->body();
- if (body && body->isContentEditable())
+ if (body && body->rendererIsEditable())
return false;
return !document->rendererIsEditable();
@@ -3428,14 +3428,8 @@
if (parent->supportsARIALiveRegion())
cache->postNotification(renderParent, AXObjectCache::AXLiveRegionChanged, true);
- if (parent->isARIATextControl() && !parent->isNativeTextControl() && !parent->node()->isContentEditable()) {
- // isContentEditable() might trigger a layout update and invalidate the parent.
- ASSERT(!parent->renderer() || parent->renderer() == renderParent);
- if (parent->isDetached())
- break;
-
+ if (parent->isARIATextControl() && !parent->isNativeTextControl() && !parent->node()->rendererIsEditable())
cache->postNotification(renderParent, AXObjectCache::AXValueChanged, true);
- }
}
}
Modified: branches/safari-536.26-branch/Source/WebCore/accessibility/AccessibilityTable.cpp (124105 => 124106)
--- branches/safari-536.26-branch/Source/WebCore/accessibility/AccessibilityTable.cpp 2012-07-30 22:37:54 UTC (rev 124105)
+++ branches/safari-536.26-branch/Source/WebCore/accessibility/AccessibilityTable.cpp 2012-07-30 22:42:55 UTC (rev 124106)
@@ -96,6 +96,12 @@
if (hasARIARole())
return false;
+ // When a section of the document is contentEditable, all tables should be
+ // treated as data tables, otherwise users may not be able to work with rich
+ // text editors that allow creating and editing tables.
+ if (node() && node()->rendererIsEditable())
+ return true;
+
// This employs a heuristic to determine if this table should appear.
// Only "data" tables should be exposed as tables.
// Unfortunately, there is no good way to determine the difference
