Title: [195468] trunk
Revision: 195468
Author: n_w...@apple.com
Date: 2016-01-22 12:53:31 -0800 (Fri, 22 Jan 2016)
Log Message
AX: Crash in setTextMarkerDataWithCharacterOffset
https://bugs.webkit.org/show_bug.cgi?id=153365
<rdar://problem/24287924>
Reviewed by Chris Fleizach.
Source/WebCore:
Sometimes when we try to create a text marker range from a stale text marker with a removed
node, it will cause a crash. Fixed it by adding a null check for the AccessibilityObject we
create in setTextMarkerDataWithCharacterOffset.
Test: accessibility/text-marker/text-marker-range-with-removed-node-crash.html
* accessibility/AXObjectCache.cpp:
(WebCore::AXObjectCache::setTextMarkerDataWithCharacterOffset):
LayoutTests:
* accessibility/text-marker/text-marker-range-with-removed-node-crash-expected.txt: Added.
* accessibility/text-marker/text-marker-range-with-removed-node-crash.html: Added.
Diff
Modified: trunk/LayoutTests/ChangeLog (195467 => 195468)
--- trunk/LayoutTests/ChangeLog 2016-01-22 20:37:42 UTC (rev 195467)
+++ trunk/LayoutTests/ChangeLog 2016-01-22 20:53:31 UTC (rev 195468)
@@ -1,3 +1,14 @@
+2016-01-22 Nan Wang <n_w...@apple.com>
+
+ AX: Crash in setTextMarkerDataWithCharacterOffset
+ https://bugs.webkit.org/show_bug.cgi?id=153365
+ <rdar://problem/24287924>
+
+ Reviewed by Chris Fleizach.
+
+ * accessibility/text-marker/text-marker-range-with-removed-node-crash-expected.txt: Added.
+ * accessibility/text-marker/text-marker-range-with-removed-node-crash.html: Added.
+
2016-01-22 Brady Eidson <beid...@apple.com>
Modern IDB: Add transactions and create/delete object store to SQLite backend
Added: trunk/LayoutTests/accessibility/text-marker/text-marker-range-with-removed-node-crash-expected.txt (0 => 195468)
--- trunk/LayoutTests/accessibility/text-marker/text-marker-range-with-removed-node-crash-expected.txt (rev 0)
+++ trunk/LayoutTests/accessibility/text-marker/text-marker-range-with-removed-node-crash-expected.txt 2016-01-22 20:53:31 UTC (rev 195468)
@@ -0,0 +1,10 @@
+This tests that when we create a text marker range from a marker with removed text node, it won't crash.
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+text to be removed
+PASS successfullyParsed is true
+
+TEST COMPLETE
+
Added: trunk/LayoutTests/accessibility/text-marker/text-marker-range-with-removed-node-crash.html (0 => 195468)
--- trunk/LayoutTests/accessibility/text-marker/text-marker-range-with-removed-node-crash.html (rev 0)
+++ trunk/LayoutTests/accessibility/text-marker/text-marker-range-with-removed-node-crash.html 2016-01-22 20:53:31 UTC (rev 195468)
@@ -0,0 +1,37 @@
+<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML//EN">
+<html>
+<head>
+<script src=""
+</head>
+
+<body id="body">
+
+<div id="toBeRemoved">text to be removed</div>
+
+<p id="description"></p>
+<div id="console"></div>
+
+<script>
+
+ description("This tests that when we create a text marker range from a marker with removed text node, it won't crash.");
+
+ if (window.accessibilityController) {
+
+ var textElement = accessibilityController.accessibleElementById("toBeRemoved");
+ var textMarkerRange = textElement.textMarkerRangeForElement(textElement);
+ debug(textElement.stringForTextMarkerRange(textMarkerRange));
+
+ var startMarker = textElement.startTextMarkerForTextMarkerRange(textMarkerRange);
+ var endMarker = textElement.endTextMarkerForTextMarkerRange(textMarkerRange);
+
+ // Remove the text node and recreate a text marker range, make sure it won't crash.
+ var text = document.getElementById("toBeRemoved");
+ text.removeChild(text.firstChild);
+ textMarkerRange = textElement.textMarkerRangeForMarkers(startMarker, endMarker);
+ }
+
+</script>
+
+<script src=""
+</body>
+</html>
\ No newline at end of file
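Review bot: The result of the final `textMarkerRange = textElement.textMarkerRangeForMarkers(startMarker, endMarker);` is never inspected, so the test only shows that the call returns without crashing. The expected output pins nothing after the removal except `PASS successfullyParsed is true`, so a later change that builds a range from stale marker data would still pass. Consider logging or asserting what the range looks like after `text.removeChild(text.firstChild)` (for example, whether it is null or yields an empty string), so the intended behaviour for stale markers is recorded in the expected file. The file also lacks a trailing newline.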
Modified: trunk/Source/WebCore/ChangeLog (195467 => 195468)
--- trunk/Source/WebCore/ChangeLog 2016-01-22 20:37:42 UTC (rev 195467)
+++ trunk/Source/WebCore/ChangeLog 2016-01-22 20:53:31 UTC (rev 195468)
@@ -1,3 +1,20 @@
+2016-01-22 Nan Wang <n_w...@apple.com>
+
+ AX: Crash in setTextMarkerDataWithCharacterOffset
+ https://bugs.webkit.org/show_bug.cgi?id=153365
+ <rdar://problem/24287924>
+
+ Reviewed by Chris Fleizach.
+
+ Sometimes when we try to create a text marker range from a stale text marker with a removed
+ node, it will cause crash. Fixed it by adding a null check for the AccessibilityObject we
+ create in setTextMarkerDataWithCharacterOffset.
+
+ Test: accessibility/text-marker/text-marker-range-with-removed-node-crash.html
+
+ * accessibility/AXObjectCache.cpp:
+ (WebCore::AXObjectCache::setTextMarkerDataWithCharacterOffset):
+
2016-01-22 Brady Eidson <beid...@apple.com>
Modern IDB: Add transactions and create/delete object store to SQLite backend
Modified: trunk/Source/WebCore/accessibility/AXObjectCache.cpp (195467 => 195468)
--- trunk/Source/WebCore/accessibility/AXObjectCache.cpp 2016-01-22 20:37:42 UTC (rev 195467)
+++ trunk/Source/WebCore/accessibility/AXObjectCache.cpp 2016-01-22 20:53:31 UTC (rev 195468)
@@ -1616,6 +1616,8 @@
}
RefPtr<AccessibilityObject> obj = this->getOrCreate(domNode);
+ if (!obj)
+ return;
// Convert to visible position.
VisiblePosition visiblePosition = visiblePositionFromCharacterOffset(obj.get(), characterOffset);
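Review bot: The new `if (!obj) return;` exits silently, and the hunk does not show what state the text marker data is left in on that path. Since this function's job is to fill in marker data, callers need a way to tell a filled marker from one that was skipped here; please confirm the data is cleared or marked invalid before this early return, or do that in this branch. A one-line comment that `getOrCreate(domNode)` can return null when a stale marker refers to a removed node, as the ChangeLog describes, would also help the next reader.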