Title: [195468] trunk
Revision: 195468
Author: n_w...@apple.com
Date: 2016-01-22 12:53:31 -0800 (Fri, 22 Jan 2016)

Log Message

AX: Crash in setTextMarkerDataWithCharacterOffset
https://bugs.webkit.org/show_bug.cgi?id=153365
<rdar://problem/24287924>

Reviewed by Chris Fleizach.

Source/WebCore:

Sometimes when we try to create a text marker range from a stale text marker with a removed
node, it will cause a crash. Fixed it by adding a null check for the AccessibilityObject we
create in setTextMarkerDataWithCharacterOffset.

Test: accessibility/text-marker/text-marker-range-with-removed-node-crash.html

* accessibility/AXObjectCache.cpp:
(WebCore::AXObjectCache::setTextMarkerDataWithCharacterOffset):

LayoutTests:

* accessibility/text-marker/text-marker-range-with-removed-node-crash-expected.txt: Added.
* accessibility/text-marker/text-marker-range-with-removed-node-crash.html: Added.

Diff

Modified: trunk/LayoutTests/ChangeLog (195467 => 195468)


--- trunk/LayoutTests/ChangeLog	2016-01-22 20:37:42 UTC (rev 195467)
+++ trunk/LayoutTests/ChangeLog	2016-01-22 20:53:31 UTC (rev 195468)
@@ -1,3 +1,14 @@
+2016-01-22  Nan Wang  <n_w...@apple.com>
+
+        AX: Crash in setTextMarkerDataWithCharacterOffset
+        https://bugs.webkit.org/show_bug.cgi?id=153365
+        <rdar://problem/24287924>
+
+        Reviewed by Chris Fleizach.
+
+        * accessibility/text-marker/text-marker-range-with-removed-node-crash-expected.txt: Added.
+        * accessibility/text-marker/text-marker-range-with-removed-node-crash.html: Added.
+
 2016-01-22  Brady Eidson  <beid...@apple.com>
 
         Modern IDB: Add transactions and create/delete object store to SQLite backend

Added: trunk/LayoutTests/accessibility/text-marker/text-marker-range-with-removed-node-crash-expected.txt (0 => 195468)


--- trunk/LayoutTests/accessibility/text-marker/text-marker-range-with-removed-node-crash-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/accessibility/text-marker/text-marker-range-with-removed-node-crash-expected.txt	2016-01-22 20:53:31 UTC (rev 195468)
@@ -0,0 +1,10 @@
+This tests that when we create a text marker range from a marker with removed text node, it won't crash.
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+text to be removed
+PASS successfullyParsed is true
+
+TEST COMPLETE
+

Added: trunk/LayoutTests/accessibility/text-marker/text-marker-range-with-removed-node-crash.html (0 => 195468)


--- trunk/LayoutTests/accessibility/text-marker/text-marker-range-with-removed-node-crash.html	                        (rev 0)
+++ trunk/LayoutTests/accessibility/text-marker/text-marker-range-with-removed-node-crash.html	2016-01-22 20:53:31 UTC (rev 195468)
@@ -0,0 +1,37 @@
+<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML//EN">
+<html>
+<head>
+<script src=""
+</head>
+
+<body id="body">
+
+<div id="toBeRemoved">text to be removed</div>
+
+<p id="description"></p>
+<div id="console"></div>
+
+<script>
+
+    description("This tests that when we create a text marker range from a marker with removed text node, it won't crash.");
+
+    if (window.accessibilityController) {
+
+          var textElement = accessibilityController.accessibleElementById("toBeRemoved");
+          var textMarkerRange = textElement.textMarkerRangeForElement(textElement);
+          debug(textElement.stringForTextMarkerRange(textMarkerRange));
+          
+          var startMarker = textElement.startTextMarkerForTextMarkerRange(textMarkerRange);
+          var endMarker = textElement.endTextMarkerForTextMarkerRange(textMarkerRange);
+          
+          // Remove the text node and recreate a text marker range, make sure it won't crash.
+          var text = document.getElementById("toBeRemoved");
+          text.removeChild(text.firstChild);
+          textMarkerRange = textElement.textMarkerRangeForMarkers(startMarker, endMarker);
+    }
+
+</script>
+
+<script src=""
+</body>
+</html>
\ No newline at end of file
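
Review bot: the last script line assigns the result of textMarkerRangeForMarkers(startMarker, endMarker) back to textMarkerRange and never inspects it, so the test only proves the call does not crash and the expected file records nothing beyond successfullyParsed. Consider logging or asserting what the stale markers resolve to after removeChild (for example whether a range comes back at all), so a later change to the handling of removed nodes shows up as a diff in the expected output. The file also ends without a trailing newline.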

Modified: trunk/Source/WebCore/ChangeLog (195467 => 195468)


--- trunk/Source/WebCore/ChangeLog	2016-01-22 20:37:42 UTC (rev 195467)
+++ trunk/Source/WebCore/ChangeLog	2016-01-22 20:53:31 UTC (rev 195468)
@@ -1,3 +1,20 @@
+2016-01-22  Nan Wang  <n_w...@apple.com>
+
+        AX: Crash in setTextMarkerDataWithCharacterOffset
+        https://bugs.webkit.org/show_bug.cgi?id=153365
+        <rdar://problem/24287924>
+
+        Reviewed by Chris Fleizach.
+
+        Sometimes when we try to create a text marker range from a stale text marker with a removed
+        node, it will cause crash. Fixed it by adding a null check for the AccessibilityObject we
+        create in setTextMarkerDataWithCharacterOffset.
+
+        Test: accessibility/text-marker/text-marker-range-with-removed-node-crash.html
+
+        * accessibility/AXObjectCache.cpp:
+        (WebCore::AXObjectCache::setTextMarkerDataWithCharacterOffset):
+
 2016-01-22  Brady Eidson  <beid...@apple.com>
 
         Modern IDB: Add transactions and create/delete object store to SQLite backend

Modified: trunk/Source/WebCore/accessibility/AXObjectCache.cpp (195467 => 195468)


--- trunk/Source/WebCore/accessibility/AXObjectCache.cpp	2016-01-22 20:37:42 UTC (rev 195467)
+++ trunk/Source/WebCore/accessibility/AXObjectCache.cpp	2016-01-22 20:53:31 UTC (rev 195468)
@@ -1616,6 +1616,8 @@
     }
     
     RefPtr<AccessibilityObject> obj = this->getOrCreate(domNode);
+    if (!obj)
+        return;
     
     // Convert to visible position.
     VisiblePosition visiblePosition = visiblePositionFromCharacterOffset(obj.get(), characterOffset);
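
Review bot: the new `if (!obj) return;` exits a void function, so the caller gets no signal that the text marker data was not filled in for this node. Please confirm from the lines above this hunk that the data is already in a defined state before this return, and add a short comment here saying when getOrCreate(domNode) can return null (the log message says a stale marker whose node was removed), so the early return is not read as dead code later.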