Title: [203083] trunk
Revision: 203083
Author: n_w...@apple.com
Date: 2016-07-11 14:04:28 -0700 (Mon, 11 Jul 2016)
Log Message
AX: Crash when backspacing in number field with spin button
https://bugs.webkit.org/show_bug.cgi?id=157830
Reviewed by Chris Fleizach.
Source/WebCore:
It's possible to access spin button parts after they've been detached from their parent, which can lead to crashes.
This adds in a number of redundant safeguards to prevent this and other cases in the future.
Test: accessibility/spinbutton-crash.html
* accessibility/AccessibilitySpinButton.cpp:
(WebCore::AccessibilitySpinButton::incrementButton):
(WebCore::AccessibilitySpinButton::decrementButton):
(WebCore::AccessibilitySpinButton::addChildren):
LayoutTests:
* accessibility/spinbutton-crash-expected.txt: Added.
* accessibility/spinbutton-crash.html: Added.
Diff
Modified: trunk/LayoutTests/ChangeLog (203082 => 203083)
--- trunk/LayoutTests/ChangeLog 2016-07-11 20:53:48 UTC (rev 203082)
+++ trunk/LayoutTests/ChangeLog 2016-07-11 21:04:28 UTC (rev 203083)
@@ -1,3 +1,13 @@
+2016-07-11 Nan Wang <n_w...@apple.com>
+
+ AX: Crash when backspacing in number field with spin button
+ https://bugs.webkit.org/show_bug.cgi?id=157830
+
+ Reviewed by Chris Fleizach.
+
+ * accessibility/spinbutton-crash-expected.txt: Added.
+ * accessibility/spinbutton-crash.html: Added.
+
2016-07-11 Brent Fulgham <bfulg...@apple.com>
[WebGL] Check for existing buffer exists for enabled vertex array attributes before permitting glDrawArrays to execute
Added: trunk/LayoutTests/accessibility/spinbutton-crash-expected.txt (0 => 203083)
--- trunk/LayoutTests/accessibility/spinbutton-crash-expected.txt (rev 0)
+++ trunk/LayoutTests/accessibility/spinbutton-crash-expected.txt 2016-07-11 21:04:28 UTC (rev 203083)
@@ -0,0 +1,14 @@
+
+This tests that a spin button won't access invalid attributes when its already detached.
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+spinner incrementer: AXRole: AXButton
+PASS document.getElementById('number').value is '10'
+PASS document.getElementById('number').value is '5'
+PASS document.getElementById('number').value is ''
+PASS successfullyParsed is true
+
+TEST COMPLETE
+
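Review bot: the description line in this expected output reads "when its already detached", which should be "it's". The text is produced by the description() string in spinbutton-crash.html, so the wording needs to be corrected there and this file regenerated to match.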
Added: trunk/LayoutTests/accessibility/spinbutton-crash.html (0 => 203083)
--- trunk/LayoutTests/accessibility/spinbutton-crash.html (rev 0)
+++ trunk/LayoutTests/accessibility/spinbutton-crash.html 2016-07-11 21:04:28 UTC (rev 203083)
@@ -0,0 +1,43 @@
+<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML//EN">
+<html>
+<head>
+<script src=""
+</head>
+
+<body id="body">
+
+<input type="number" id="number" value="10">
+
+<p id="description"></p>
+<div id="console"></div>
+<script>
+
+ if (window.accessibilityController) {
+ description("This tests that a spin button won't access invalid attributes when its already detached.");
+
+ document.getElementById("number").focus();
+
+ var field = accessibilityController.accessibleElementById("number");
+ var spinner1 = field.childAtIndex(1);
+ var spinnerChild = spinner1.uiElementAttributeValue("AXIncrementButton");
+ debug("spinner incrementer: " + spinnerChild.role);
+
+ shouldBe("document.getElementById('number').value", "'10'");
+ eventSender.keyDown('\u0008');
+ eventSender.keyDown('5');
+ shouldBe("document.getElementById('number').value", "'5'");
+ eventSender.keyDown('\u0008');
+ eventSender.keyDown('\u0008');
+ eventSender.keyDown('\u0008');
+
+ shouldBe("document.getElementById('number').value", "''");
+
+ // Don't crash!
+ var spinnerChild = spinner1.uiElementAttributeValue("AXIncrementButton");
+ }
+ successfullyParsed = true;
+</script>
+
+<script src=""
+</body>
+</html>
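Review bot: the final call under "// Don't crash!" discards its result and only queries AXIncrementButton, so the test never exercises the decrementButton() guard added in the same change and asserts nothing about what the detached spinner returns. Consider adding a matching spinner1.uiElementAttributeValue("AXDecrementButton") call after the field is emptied, and checking the returned value explicitly so a regression shows up as a FAIL line rather than only as a crash. The second "var spinnerChild" also redeclares the variable from earlier in the block; a plain assignment or a new name would be cleaner.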
Modified: trunk/Source/WebCore/ChangeLog (203082 => 203083)
--- trunk/Source/WebCore/ChangeLog 2016-07-11 20:53:48 UTC (rev 203082)
+++ trunk/Source/WebCore/ChangeLog 2016-07-11 21:04:28 UTC (rev 203083)
@@ -1,3 +1,20 @@
+2016-07-11 Nan Wang <n_w...@apple.com>
+
+ AX: Crash when backspacing in number field with spin button
+ https://bugs.webkit.org/show_bug.cgi?id=157830
+
+ Reviewed by Chris Fleizach.
+
+ It's possible to access spin button parts after they've been detached from their parent, which can lead to crashes.
+ This adds in a number of redundant safeguards to prevent this and other cases in the future.
+
+ Test: accessibility/spinbutton-crash.html
+
+ * accessibility/AccessibilitySpinButton.cpp:
+ (WebCore::AccessibilitySpinButton::incrementButton):
+ (WebCore::AccessibilitySpinButton::decrementButton):
+ (WebCore::AccessibilitySpinButton::addChildren):
+
2016-07-11 Chris Dumez <cdu...@apple.com>
Possible null dereference under EventHandler::dispatchMouseEvent()
Modified: trunk/Source/WebCore/accessibility/AccessibilitySpinButton.cpp (203082 => 203083)
--- trunk/Source/WebCore/accessibility/AccessibilitySpinButton.cpp 2016-07-11 20:53:48 UTC (rev 203082)
+++ trunk/Source/WebCore/accessibility/AccessibilitySpinButton.cpp 2016-07-11 21:04:28 UTC (rev 203083)
@@ -49,6 +49,8 @@
{
if (!m_haveChildren)
addChildren();
+ if (!m_haveChildren)
+ return nullptr;
ASSERT(m_children.size() == 2);
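Review bot: the new "return nullptr;" in incrementButton() changes what callers can receive, and nothing in this hunk shows that they are prepared for it. The "ASSERT(m_children.size() == 2);" that follows is a debug-only check, so in release builds the early return is the only protection here, and any caller that uses the result without a null check just moves the crash one frame up. Worth auditing the call sites of incrementButton() and noting in the header that the accessor may return null once the spin button is detached.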
@@ -59,6 +61,8 @@
{
if (!m_haveChildren)
addChildren();
+ if (!m_haveChildren)
+ return nullptr;
ASSERT(m_children.size() == 2);
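Review bot: decrementButton() repeats the same "if (!m_haveChildren) return nullptr;" re-check after addChildren() that incrementButton() just gained, so the two accessors now carry an identical four-line preamble that has to be kept in sync by hand. Consider having addChildren() report success, or moving the "ensure children, otherwise bail" step into one small private helper that both accessors call, so a future change to the failure condition cannot be applied to one and missed in the other.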
@@ -80,14 +84,18 @@
void AccessibilitySpinButton::addChildren()
{
+ AXObjectCache* cache = axObjectCache();
+ if (!cache)
+ return;
+
m_haveChildren = true;
- auto& incrementor = downcast<AccessibilitySpinButtonPart>(*axObjectCache()->getOrCreate(SpinButtonPartRole));
+ auto& incrementor = downcast<AccessibilitySpinButtonPart>(*cache->getOrCreate(SpinButtonPartRole));
incrementor.setIsIncrementor(true);
incrementor.setParent(this);
m_children.append(&incrementor);
- auto& decrementor = downcast<AccessibilitySpinButtonPart>(*axObjectCache()->getOrCreate(SpinButtonPartRole));
+ auto& decrementor = downcast<AccessibilitySpinButtonPart>(*cache->getOrCreate(SpinButtonPartRole));
decrementor.setIsIncrementor(false);
decrementor.setParent(this);
m_children.append(&decrementor);
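Review bot: in addChildren(), the null check covers the cache pointer but both "*cache->getOrCreate(SpinButtonPartRole)" expressions still dereference the returned object unconditionally, so if getOrCreate() can ever return null the same class of crash remains one call deeper. It would be safer to take the result into a local, check it, and only then downcast. Related: "m_haveChildren = true;" is set before either part is appended, so an early exit added between that line and the second append() would leave the flag set with fewer than two children, which is exactly the state the accessors' ASSERT guards against; setting the flag after both appends succeed would keep the invariant tight.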