[webkit-changes] [103650] trunk

[aboxhall]

Title: [103650] trunk

Revision

103650

Author

aboxh...@chromium.org

Date

2011-12-23 21:41:56 -0800 (Fri, 23 Dec 2011)

Log Message

Fix crash when adding paragraph in contenteditable with role=textbox.
https://bugs.webkit.org/show_bug.cgi?id=75159

Reviewed by Ryosuke Niwa.

Source/WebCore:

Test: accessibility/textbox-role-on-contenteditable-crash.html

* accessibility/AccessibilityRenderObject.cpp:
(WebCore::AccessibilityRenderObject::childrenChanged): Use rendererIsEditable() rather than isContentEditable()
as this method is called during render layouts, and isContentEditable() triggers a layout update, which crashes.

LayoutTests:

* accessibility/textbox-role-on-contenteditable-crash-expected.txt: Added.
* accessibility/textbox-role-on-contenteditable-crash.html: Added.

Modified Paths

• trunk/LayoutTests/ChangeLog
• trunk/Source/WebCore/ChangeLog
• trunk/Source/WebCore/accessibility/AccessibilityRenderObject.cpp

Added Paths

• trunk/LayoutTests/accessibility/textbox-role-on-contenteditable-crash-expected.txt
• trunk/LayoutTests/accessibility/textbox-role-on-contenteditable-crash.html

Diff

Modified: trunk/LayoutTests/ChangeLog (103649 => 103650)

--- trunk/LayoutTests/ChangeLog	2011-12-24 05:35:58 UTC (rev 103649)
+++ trunk/LayoutTests/ChangeLog	2011-12-24 05:41:56 UTC (rev 103650)
@@ -1,3 +1,13 @@
+2011-12-23  Alice Boxhall  <aboxh...@chromium.org>
+
+        Fix crash when adding paragraph in contenteditable with role=textbox.
+        https://bugs.webkit.org/show_bug.cgi?id=75159
+
+        Reviewed by Ryosuke Niwa.
+
+        * accessibility/textbox-role-on-contenteditable-crash-expected.txt: Added.
+        * accessibility/textbox-role-on-contenteditable-crash.html: Added.
+
 2011-12-23  Ryosuke Niwa  <rn...@webkit.org>
 
         Mac rebaseline after r103468.

Added: trunk/LayoutTests/accessibility/textbox-role-on-contenteditable-crash-expected.txt (0 => 103650)

--- trunk/LayoutTests/accessibility/textbox-role-on-contenteditable-crash-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/accessibility/textbox-role-on-contenteditable-crash-expected.txt	2011-12-24 05:41:56 UTC (rev 103650)
@@ -0,0 +1,5 @@
+This tests a crashing scenario where an element with a textbox role attribute which also contenteditable has its content changed.
+
+
+Textbox content.
+PASS

Added: trunk/LayoutTests/accessibility/textbox-role-on-contenteditable-crash.html (0 => 103650)

--- trunk/LayoutTests/accessibility/textbox-role-on-contenteditable-crash.html	                        (rev 0)
+++ trunk/LayoutTests/accessibility/textbox-role-on-contenteditable-crash.html	2011-12-24 05:41:56 UTC (rev 103650)
@@ -0,0 +1,27 @@
+<!DOCTYPE html>
+<html>
+<body>
+<p>This tests a crashing scenario where an element with a textbox role attribute which also contenteditable has its content changed.</p>
+<div id="textbox" role="textbox" aria-multiline="true" contenteditable="true" tabindex="0">
+Textbox content.
+</div>
+
+<script>
+
+if (window.accessibilityController) {
+    layoutTestController.dumpAsText();
+    var textbox = document.getElementById("textbox");
+    textbox.focus();
+    var textboxAXElement = accessibilityController.focusedElement;
+
+    getSelection().setBaseAndExtent(textbox.firstChild, 0, textbox.firstChild, 0);
+
+    // This should not crash.
+    document.execCommand("InsertParagraph");
+
+    document.write("PASS");
+}
+
+</script>
+</body>
+</html>

Modified: trunk/Source/WebCore/ChangeLog (103649 => 103650)

--- trunk/Source/WebCore/ChangeLog	2011-12-24 05:35:58 UTC (rev 103649)
+++ trunk/Source/WebCore/ChangeLog	2011-12-24 05:41:56 UTC (rev 103650)
@@ -1,3 +1,16 @@
+2011-12-23  Alice Boxhall  <aboxh...@chromium.org>
+
+        Fix crash when adding paragraph in contenteditable with role=textbox.
+        https://bugs.webkit.org/show_bug.cgi?id=75159
+
+        Reviewed by Ryosuke Niwa.
+
+        Test: accessibility/textbox-role-on-contenteditable-crash.html
+
+        * accessibility/AccessibilityRenderObject.cpp:
+        (WebCore::AccessibilityRenderObject::childrenChanged): Use rendererIsEditable() rather than isContentEditable()
+        as this method is called during render layouts, and isContentEditable() triggers a layout update, which crashes.
+
 2011-12-23  Noel Gordon  <noel.gor...@gmail.com>
 
         [chromium] JPEG image with CMYK ICC color profile renders color-inverted and squashed

Modified: trunk/Source/WebCore/accessibility/AccessibilityRenderObject.cpp (103649 => 103650)

--- trunk/Source/WebCore/accessibility/AccessibilityRenderObject.cpp	2011-12-24 05:35:58 UTC (rev 103649)
+++ trunk/Source/WebCore/accessibility/AccessibilityRenderObject.cpp	2011-12-24 05:41:56 UTC (rev 103650)
@@ -3427,7 +3427,7 @@
             axObjectCache()->postNotification(parent, parent->document(), AXObjectCache::AXLiveRegionChanged, true);
         
         // If this element is an ARIA text control, notify the AT of changes.
-        if (parent->isARIATextControl() && !parent->isNativeTextControl() && !parent->node()->isContentEditable())
+        if (parent->isARIATextControl() && !parent->isNativeTextControl() && !parent->node()->rendererIsEditable())
             axObjectCache()->postNotification(parent, parent->document(), AXObjectCache::AXValueChanged, true);
     }
 }

_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
http://lists.webkit.org/mailman/listinfo.cgi/webkit-changes