Title: [198769] trunk
Revision: 198769
Author: cfleiz...@apple.com
Date: 2016-03-28 17:58:23 -0700 (Mon, 28 Mar 2016)

Log Message

AX: Crash when AX trying to create element for an old auto fill element
https://bugs.webkit.org/show_bug.cgi?id=155943

Reviewed by Joanmarie Diggs.

Source/WebCore:

When an auto-fill element is removed, the Node hangs around but the renderer is gone.
In those cases, we can't blindly add the result of getOrCreate to the children array.

Test: accessibility/auto-fill-crash.html

* accessibility/AccessibilityRenderObject.cpp:
(WebCore::AccessibilityRenderObject::addTextFieldChildren):

LayoutTests:

* accessibility/auto-fill-crash-expected.txt: Added.
* accessibility/auto-fill-crash.html: Added.

Diff

Modified: trunk/LayoutTests/ChangeLog (198768 => 198769)


--- trunk/LayoutTests/ChangeLog	2016-03-29 00:42:32 UTC (rev 198768)
+++ trunk/LayoutTests/ChangeLog	2016-03-29 00:58:23 UTC (rev 198769)
@@ -1,5 +1,15 @@
 2016-03-28  Chris Fleizach  <cfleiz...@apple.com>
 
+        AX: Crash when AX trying to create element for an old auto fill element
+        https://bugs.webkit.org/show_bug.cgi?id=155943
+
+        Reviewed by Joanmarie Diggs.
+
+        * accessibility/auto-fill-crash-expected.txt: Added.
+        * accessibility/auto-fill-crash.html: Added.
+
+2016-03-28  Chris Fleizach  <cfleiz...@apple.com>
+
         AX: iOS: Can't navigate inside ContentEditable fields with voiceover enabled
         https://bugs.webkit.org/show_bug.cgi?id=155942
 

Added: trunk/LayoutTests/accessibility/auto-fill-crash-expected.txt (0 => 198769)


--- trunk/LayoutTests/accessibility/auto-fill-crash-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/accessibility/auto-fill-crash-expected.txt	2016-03-29 00:58:23 UTC (rev 198769)
@@ -0,0 +1,12 @@
+
+This tests that when an auto fill element is removed we won't crash accessing an old value.
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+PASS accessibilityController.accessibleElementById('textfield').childrenCount is 3
+PASS accessibilityController.accessibleElementById('textfield').childrenCount is 1
+PASS successfullyParsed is true
+
+TEST COMPLETE
+

Added: trunk/LayoutTests/accessibility/auto-fill-crash.html (0 => 198769)


--- trunk/LayoutTests/accessibility/auto-fill-crash.html	                        (rev 0)
+++ trunk/LayoutTests/accessibility/auto-fill-crash.html	2016-03-29 00:58:23 UTC (rev 198769)
@@ -0,0 +1,32 @@
+<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML//EN">
+<html>
+<head>
+<meta charset="utf-8">
+<script src=""
+</head>
+<body id="body">
+
+<input type="text" value="hello" id="textfield">
+
+<p id="description"></p>
+<div id="console"></div>
+
+<script>
+
+    description("This tests that when an auto fill element is removed we won't crash accessing an old value.");
+
+    if (window.accessibilityController) {
+        var axTextField = accessibilityController.accessibleElementById("textfield");
+        window.internals.setShowAutoFillButton(document.getElementById("textfield"), "AutoFillButtonTypeContacts");
+        shouldBe("accessibilityController.accessibleElementById('textfield').childrenCount", "3");
+
+        // Don't crash!
+        window.internals.setShowAutoFillButton(document.getElementById("textfield"), "AutoFillButtonTypeNone");
+        shouldBe("accessibilityController.accessibleElementById('textfield').childrenCount", "1");
+    }
+
+</script>
+
+<script src=""
+</body>
+</html>
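
Review bot: The guard in the inline script checks only window.accessibilityController, but both setShowAutoFillButton calls inside it go through window.internals, so a harness that exposes the controller without internals throws instead of reaching the assertions; test for both objects in the condition. Also, axTextField is assigned and never read. If fetching the accessibility object before the auto-fill button is shown is what sets up the stale state the test depends on, say so in a comment; otherwise drop the variable. The "// Don't crash!" comment would be more useful if it named the call that used to crash, which from the ordering appears to be the childrenCount read after the button type is set back to AutoFillButtonTypeNone.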

Modified: trunk/Source/WebCore/ChangeLog (198768 => 198769)


--- trunk/Source/WebCore/ChangeLog	2016-03-29 00:42:32 UTC (rev 198768)
+++ trunk/Source/WebCore/ChangeLog	2016-03-29 00:58:23 UTC (rev 198769)
@@ -1,5 +1,20 @@
 2016-03-28  Chris Fleizach  <cfleiz...@apple.com>
 
+        AX: Crash when AX trying to create element for an old auto fill element
+        https://bugs.webkit.org/show_bug.cgi?id=155943
+
+        Reviewed by Joanmarie Diggs.
+
+        When an auto-fill element is removed, the Node hangs around but the renderer is gone.
+        In those cases, we can't blindly add the result of getOrCreate to the children array.
+
+        Test: accessibility/auto-fill-crash.html
+
+        * accessibility/AccessibilityRenderObject.cpp:
+        (WebCore::AccessibilityRenderObject::addTextFieldChildren):
+
+2016-03-28  Chris Fleizach  <cfleiz...@apple.com>
+
         AX: iOS: Can't navigate inside ContentEditable fields with voiceover enabled
         https://bugs.webkit.org/show_bug.cgi?id=155942
 

Modified: trunk/Source/WebCore/accessibility/AccessibilityRenderObject.cpp (198768 => 198769)


--- trunk/Source/WebCore/accessibility/AccessibilityRenderObject.cpp	2016-03-29 00:42:32 UTC (rev 198768)
+++ trunk/Source/WebCore/accessibility/AccessibilityRenderObject.cpp	2016-03-29 00:58:23 UTC (rev 198769)
@@ -2944,8 +2944,10 @@
         return;
     
     HTMLInputElement& input = downcast<HTMLInputElement>(*node);
-    if (HTMLElement* autoFillElement = input.autoFillButtonElement())
-        m_children.append(axObjectCache()->getOrCreate(autoFillElement));
+    if (HTMLElement* autoFillElement = input.autoFillButtonElement()) {
+        if (AccessibilityObject* axAutoFill = axObjectCache()->getOrCreate(autoFillElement))
+            m_children.append(axAutoFill);
+    }
     
     HTMLElement* spinButtonElement = input.innerSpinButtonElement();
     if (!is<SpinButtonElement>(spinButtonElement))
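
Review bot: The new null check on the getOrCreate result in the autoFillElement branch has no comment explaining why a non-null autoFillButtonElement() can still produce a null accessibility object. The ChangeLog gives the reason (the Node remains after the renderer is gone), and a one-line comment here would keep a later cleanup from folding the check away. The same statement still dereferences axObjectCache() without a check, so if the cache can be null on this path the crash is only moved, not removed. It is also worth confirming whether other call sites that append a getOrCreate result straight into m_children need the same guard, since a null entry in the children array would fault in whichever consumer reads it next.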
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes
