Title: [206494] trunk
- Revision: 206494
- Author: n_w...@apple.com
- Date: 2016-09-27 21:09:21 -0700 (Tue, 27 Sep 2016)
Log Message
AX: CrashTracer: com.apple.WebKit.WebContent at WebCore::AXObjectCache::localCaretRectForCharacterOffset(WebCore::RenderObject*&, WebCore::CharacterOffset const&) + 116
https://bugs.webkit.org/show_bug.cgi?id=162654
Reviewed by Chris Fleizach.
Source/WebCore:
rangeForUnorderedCharacterOffsets() can return a null Range but we failed to
do a null check in localCaretRectForCharacterOffset() before dereferencing it.
Test: accessibility/mac/bounds-for-range-crash.html
* accessibility/AXObjectCache.cpp:
(WebCore::AXObjectCache::localCaretRectForCharacterOffset):
LayoutTests:
* accessibility/mac/bounds-for-range-crash-expected.txt: Added.
* accessibility/mac/bounds-for-range-crash.html: Added.
Diff
Modified: trunk/LayoutTests/ChangeLog (206493 => 206494)
--- trunk/LayoutTests/ChangeLog 2016-09-28 03:03:40 UTC (rev 206493)
+++ trunk/LayoutTests/ChangeLog 2016-09-28 04:09:21 UTC (rev 206494)
@@ -1,3 +1,13 @@
+2016-09-27 Nan Wang <n_w...@apple.com>
+
+ AX: CrashTracer: com.apple.WebKit.WebContent at WebCore::AXObjectCache::localCaretRectForCharacterOffset(WebCore::RenderObject*&, WebCore::CharacterOffset const&) + 116
+ https://bugs.webkit.org/show_bug.cgi?id=162654
+
+ Reviewed by Chris Fleizach.
+
+ * accessibility/mac/bounds-for-range-crash-expected.txt: Added.
+ * accessibility/mac/bounds-for-range-crash.html: Added.
+
2016-09-27 Ryosuke Niwa <rn...@webkit.org>
Toggling display: none on a parent element of a slot which shares style with its parent doesn't update the slot's visibility
Added: trunk/LayoutTests/accessibility/mac/bounds-for-range-crash-expected.txt (0 => 206494)
--- trunk/LayoutTests/accessibility/mac/bounds-for-range-crash-expected.txt (rev 0)
+++ trunk/LayoutTests/accessibility/mac/bounds-for-range-crash-expected.txt 2016-09-28 04:09:21 UTC (rev 206494)
@@ -0,0 +1,10 @@
+Shop
+This tests that boundsForRange with invalid text marker is not causing crash.
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+PASS successfullyParsed is true
+
+TEST COMPLETE
+
Added: trunk/LayoutTests/accessibility/mac/bounds-for-range-crash.html (0 => 206494)
--- trunk/LayoutTests/accessibility/mac/bounds-for-range-crash.html (rev 0)
+++ trunk/LayoutTests/accessibility/mac/bounds-for-range-crash.html 2016-09-28 04:09:21 UTC (rev 206494)
@@ -0,0 +1,28 @@
+<!DOCTYPE html>
+<html>
+<head>
+<script src=""
+</head>
+<body>
+
+<a id="link" href=""
+Shop<img alt="">
+</a>
+
+<p id="description"></p>
+<div id="console"></div>
+
+<script>
+ description("This tests that boundsForRange with invalid text marker is not causing crash.");
+
+ if (window.accessibilityController) {
+ var textChild = accessibilityController.accessibleElementById("link").childAtIndex(0);
+
+ // Make sure calling boundsForRange won't cause crash.
+ var bounds = textChild.boundsForRange(0, 5);
+ }
+</script>
+
+<script src=""
+</body>
+</html>
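Review bot: both `<script src=""` tags in this hunk are shown with an empty src attribute and no closing `>`, so as rendered the test would neither load the js-test helpers that define `description()` nor produce well-formed HTML; confirm this is an artifact of the diff view and that the file references the shared js-test pre/post scripts. Separately, the test is a pure crash regression: `bounds` is assigned but never checked, and when `window.accessibilityController` is absent the whole body is skipped and the test passes vacuously, which is acceptable for a crash test but worth stating in the description so a future reader does not mistake a PASS in a plain browser for coverage.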
Modified: trunk/Source/WebCore/ChangeLog (206493 => 206494)
--- trunk/Source/WebCore/ChangeLog 2016-09-28 03:03:40 UTC (rev 206493)
+++ trunk/Source/WebCore/ChangeLog 2016-09-28 04:09:21 UTC (rev 206494)
@@ -1,3 +1,18 @@
+2016-09-27 Nan Wang <n_w...@apple.com>
+
+ AX: CrashTracer: com.apple.WebKit.WebContent at WebCore::AXObjectCache::localCaretRectForCharacterOffset(WebCore::RenderObject*&, WebCore::CharacterOffset const&) + 116
+ https://bugs.webkit.org/show_bug.cgi?id=162654
+
+ Reviewed by Chris Fleizach.
+
+ rangeForUnorderedCharacterOffsets() can return a null Range but we failed to
+ do a null check in localCaretRectForCharacterOffset() before dereferencing it.
+
+ Test: accessibility/mac/bounds-for-range-crash.html
+
+ * accessibility/AXObjectCache.cpp:
+ (WebCore::AXObjectCache::localCaretRectForCharacterOffset):
+
2016-09-27 Alex Christensen <achristen...@webkit.org>
Inline critical functions in URLParser
Modified: trunk/Source/WebCore/accessibility/AXObjectCache.cpp (206493 => 206494)
--- trunk/Source/WebCore/accessibility/AXObjectCache.cpp 2016-09-28 03:03:40 UTC (rev 206493)
+++ trunk/Source/WebCore/accessibility/AXObjectCache.cpp 2016-09-28 04:09:21 UTC (rev 206494)
@@ -2463,6 +2463,9 @@
int caretOffset;
// Use a collapsed range to get the position.
RefPtr<Range> range = rangeForUnorderedCharacterOffsets(characterOffset, characterOffset);
+ if (!range)
+ return IntRect();
+
Position startPosition = range->startPosition();
startPosition.getInlineBoxAndOffset(DOWNSTREAM, inlineBox, caretOffset);
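Review bot: the early return at `if (!range) return IntRect();` leaves the `RenderObject*&` out-parameter named in the function signature untouched, so a caller that reads it after receiving an empty rect sees whatever value it held before the call; set it to nullptr before returning. An empty `IntRect` is also indistinguishable from a legitimately zero-size caret rect, so callers that key on `isEmpty()` should be checked for how they treat the null-range case. The hunk does not say why `rangeForUnorderedCharacterOffsets()` can yield null for the offsets the test exercises (an invalid text marker, per the test description); a one-line comment above the check would help the next reader, since the crash fix intentionally stops short of addressing that cause.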
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes