Title: [202647] trunk
Revision: 202647
Author: n_w...@apple.com
Date: 2016-06-29 14:23:29 -0700 (Wed, 29 Jun 2016)
Log Message
AX: Crash in WebCore::Document::focusNavigationStartingNode(WebCore::FocusDirection) const + 128
https://bugs.webkit.org/show_bug.cgi?id=159240
Reviewed by Ryosuke Niwa.
Source/WebCore:
This crash is caused by passing an empty node to ElementTraversal::previous(Node&). When the
focusNavigationStartingNode has been removed and it has no next sibling, we should fall back
to itself for calculating the next focused element.
Test: fast/events/remove-focus-navigation-starting-point-crash.html
* dom/Document.cpp:
(WebCore::Document::focusNavigationStartingNode):
LayoutTests:
* fast/events/remove-focus-navigation-starting-point-crash-expected.txt: Added.
* fast/events/remove-focus-navigation-starting-point-crash.html: Added.
* platform/ios-simulator/TestExpectations:
Diff
Modified: trunk/LayoutTests/ChangeLog (202646 => 202647)
--- trunk/LayoutTests/ChangeLog 2016-06-29 20:59:04 UTC (rev 202646)
+++ trunk/LayoutTests/ChangeLog 2016-06-29 21:23:29 UTC (rev 202647)
@@ -1,3 +1,14 @@
+2016-06-29 Nan Wang <n_w...@apple.com>
+
+ AX: Crash in WebCore::Document::focusNavigationStartingNode(WebCore::FocusDirection) const + 128
+ https://bugs.webkit.org/show_bug.cgi?id=159240
+
+ Reviewed by Ryosuke Niwa.
+
+ * fast/events/remove-focus-navigation-starting-point-crash-expected.txt: Added.
+ * fast/events/remove-focus-navigation-starting-point-crash.html: Added.
+ * platform/ios-simulator/TestExpectations:
+
2016-06-29 Ryan Haddad <ryanhad...@apple.com>
Marking animations/multiple-backgrounds.html as flaky on ios-simulator.
Added: trunk/LayoutTests/fast/events/remove-focus-navigation-starting-point-crash-expected.txt (0 => 202647)
--- trunk/LayoutTests/fast/events/remove-focus-navigation-starting-point-crash-expected.txt (rev 0)
+++ trunk/LayoutTests/fast/events/remove-focus-navigation-starting-point-crash-expected.txt 2016-06-29 21:23:29 UTC (rev 202647)
@@ -0,0 +1,4 @@
+After removing a focused element at the end of tree, accessing focus navigation starting point shouldn't lead to crash.
+PASS insertEnd(); focusEnd(); removeEnd(); moveFocus('forward'); document.activeElement.id is 'next'
+PASS insertEnd(); focusEnd(); removeEnd(); moveFocus('backward'); document.activeElement.id is 'prev'
+
Added: trunk/LayoutTests/fast/events/remove-focus-navigation-starting-point-crash.html (0 => 202647)
--- trunk/LayoutTests/fast/events/remove-focus-navigation-starting-point-crash.html (rev 0)
+++ trunk/LayoutTests/fast/events/remove-focus-navigation-starting-point-crash.html 2016-06-29 21:23:29 UTC (rev 202647)
@@ -0,0 +1,44 @@
+<!DOCTYPE html>
+<head>
+<script src=""
+<script src=""
+</head>
+
+<script>
+if (!window.eventSender)
+ document.body.textContent = 'This test requires window.eventSender.';
+
+function moveFocus(direction) {
+ eventSender.keyDown('\t', direction == 'forward' ? [] : ['shiftKey']);
+}
+
+function focusEnd() {
+ document.getElementById("end").focus();
+}
+
+function removeEnd() {
+ document.getElementById("body").removeChild(document.getElementById("end"));
+}
+
+function insertEnd() {
+ var input = document.createElement("input");
+ input.setAttribute('id', 'end');
+ insertAfter(input, document.getElementById("next"));
+}
+
+function insertAfter(newNode, referenceNode) {
+ referenceNode.parentNode.insertBefore(newNode, referenceNode.nextSibling);
+}
+
+function runTest() {
+ debug("After removing a focused element at the end of tree, accessing focus navigation starting point shouldn't lead to crash.");
+ shouldBe("insertEnd(); focusEnd(); removeEnd(); moveFocus('forward'); document.activeElement.id", "'next'");
+ shouldBe("insertEnd(); focusEnd(); removeEnd(); moveFocus('backward'); document.activeElement.id", "'prev'");
+}
+
+</script>
+
+<body id="body" _onload_="runTest();">
+<div id="log"></div>
+<div id="container"></div>
+<input id="prev"><input id="next"></body>
\ No newline at end of file
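Review bot: The `eventSender` guard at the top of the script cannot work as written. The script runs before `<body id="body" ...>` is parsed, so `document.body` is still null when `document.body.textContent = ...` executes, and `moveFocus()` then calls `eventSender.keyDown` unconditionally from `runTest()`. Move the check into `runTest()` and return early when `window.eventSender` is missing, so that running the test outside the test harness produces the intended message rather than a script error.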
Modified: trunk/LayoutTests/platform/ios-simulator/TestExpectations (202646 => 202647)
--- trunk/LayoutTests/platform/ios-simulator/TestExpectations 2016-06-29 20:59:04 UTC (rev 202646)
+++ trunk/LayoutTests/platform/ios-simulator/TestExpectations 2016-06-29 21:23:29 UTC (rev 202647)
@@ -275,6 +275,7 @@
fast/shadow-dom/focus-on-iframe.html [ Failure ]
fast/shadow-dom/negative-tabindex-on-shadow-host.html [ Failure ]
webkit.org/b/116046 fast/events/sequential-focus-navigation-starting-point.html [ Skip ]
+webkit.org/b/159240 fast/events/remove-focus-navigation-starting-point-crash.html [ Skip ]
webkit.org/b/150225 fast/custom-elements [ Pass ]
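Review bot: The added `[ Skip ]` line means the regression test for this crash never runs on ios-simulator, and it is filed under webkit.org/b/159240, the bug this revision fixes, so the skip is left without an open tracking bug once that one is closed. Neither ChangeLog entry says why the test is skipped on this platform. State the reason there, and if it is the same limitation as the neighbouring `fast/events/sequential-focus-navigation-starting-point.html` skip, reference webkit.org/b/116046 instead.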
Modified: trunk/Source/WebCore/ChangeLog (202646 => 202647)
--- trunk/Source/WebCore/ChangeLog 2016-06-29 20:59:04 UTC (rev 202646)
+++ trunk/Source/WebCore/ChangeLog 2016-06-29 21:23:29 UTC (rev 202647)
@@ -1,3 +1,19 @@
+2016-06-29 Nan Wang <n_w...@apple.com>
+
+ AX: Crash in WebCore::Document::focusNavigationStartingNode(WebCore::FocusDirection) const + 128
+ https://bugs.webkit.org/show_bug.cgi?id=159240
+
+ Reviewed by Ryosuke Niwa.
+
+ This crash is caused by passing an empty node to ElementTraversal::previous(Node&). When the
+ focusNavigationStartingNode has been removed and it has no next sibling, we should fallback
+ to itself for calculating the next focused element.
+
+ Test: fast/events/remove-focus-navigation-starting-point-crash.html
+
+ * dom/Document.cpp:
+ (WebCore::Document::focusNavigationStartingNode):
+
2016-06-29 Ryan Haddad <ryanhad...@apple.com>
Unreviewed, rolling out r202617.
Modified: trunk/Source/WebCore/dom/Document.cpp (202646 => 202647)
--- trunk/Source/WebCore/dom/Document.cpp 2016-06-29 20:59:04 UTC (rev 202646)
+++ trunk/Source/WebCore/dom/Document.cpp 2016-06-29 21:23:29 UTC (rev 202647)
@@ -3940,6 +3940,8 @@
// the previous sibling of the removed node.
if (m_focusNavigationStartingNodeIsRemoved) {
Node* nextNode = NodeTraversal::next(*node);
+ if (!nextNode)
+ nextNode = node;
if (direction == FocusDirectionForward)
return ElementTraversal::previous(*nextNode);
if (is<Element>(*nextNode))
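Review bot: The added `if (!nextNode)` / `nextNode = node;` lines carry no comment, and the comment above them still ends at "the previous sibling of the removed node". Add a line saying that `NodeTraversal::next(*node)` returns null when no node follows, and that `node` is used instead so that `ElementTraversal::previous(*nextNode)` and `is<Element>(*nextNode)` never dereference a null pointer. Both calls take the node by reference, so nothing at the call site flags a null `nextNode`; an `ASSERT(nextNode)` after the fallback would keep that invariant visible to later edits.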