Title: [200054] trunk
Revision
200054
Author
n_w...@apple.com
Date
2016-04-25 15:40:45 -0700 (Mon, 25 Apr 2016)

Log Message

AX: Crash at -[WebAccessibilityObjectWrapper accessibilityAttributeValue:] + 4391
https://bugs.webkit.org/show_bug.cgi?id=156987

Reviewed by Chris Fleizach.

Source/WebCore:

When we hit test on a slider indicator asking for the value when the parent slider's
accessibility object is not created or the parent slider has been removed, it will cause
crash. Fixed it by adding a check to see if the object is detached from the parent.

Test: accessibility/mac/slider-thumb-value-crash.html

* accessibility/mac/WebAccessibilityObjectWrapperMac.mm:
(-[WebAccessibilityObjectWrapper accessibilityAttributeValue:]):

LayoutTests:

* accessibility/mac/slider-thumb-value-crash-expected.txt: Added.
* accessibility/mac/slider-thumb-value-crash.html: Added.

Modified Paths

Added Paths

Diff

Modified: trunk/LayoutTests/ChangeLog (200053 => 200054)


--- trunk/LayoutTests/ChangeLog	2016-04-25 22:40:24 UTC (rev 200053)
+++ trunk/LayoutTests/ChangeLog	2016-04-25 22:40:45 UTC (rev 200054)
@@ -1,3 +1,13 @@
+2016-04-25  Nan Wang  <n_w...@apple.com>
+
+        AX: Crash at -[WebAccessibilityObjectWrapper accessibilityAttributeValue:] + 4391
+        https://bugs.webkit.org/show_bug.cgi?id=156987
+
+        Reviewed by Chris Fleizach.
+
+        * accessibility/mac/slider-thumb-value-crash-expected.txt: Added.
+        * accessibility/mac/slider-thumb-value-crash.html: Added.
+
 2016-04-25  Brady Eidson  <beid...@apple.com>
 
         Attempt to fix a flaky test after r200032

Added: trunk/LayoutTests/accessibility/mac/slider-thumb-value-crash-expected.txt (0 => 200054)


--- trunk/LayoutTests/accessibility/mac/slider-thumb-value-crash-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/accessibility/mac/slider-thumb-value-crash-expected.txt	2016-04-25 22:40:45 UTC (rev 200054)
@@ -0,0 +1,10 @@
+This tests that getting the indicator's value from a removed slider won't cause crash.
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+PASS indicator.intValue is 0
+PASS successfullyParsed is true
+
+TEST COMPLETE
+

Added: trunk/LayoutTests/accessibility/mac/slider-thumb-value-crash.html (0 => 200054)


--- trunk/LayoutTests/accessibility/mac/slider-thumb-value-crash.html	                        (rev 0)
+++ trunk/LayoutTests/accessibility/mac/slider-thumb-value-crash.html	2016-04-25 22:40:45 UTC (rev 200054)
@@ -0,0 +1,32 @@
+<html>
+<head>
+<script src=""
+</head>
+<body id="body">
+
+<input id="range1" type="range">
+
+<p id="description"></p>
+<div id="console"></div>
+<div id="notifications"></div>
+
+<script>
+
+    description("This tests that getting the indicator's value from a removed slider won't cause crash.");
+
+    if (window.accessibilityController) {
+
+        var range = accessibilityController.accessibleElementById("range1");
+        var indicator = range.childAtIndex(0);
+        
+        // Remove the slider, make sure we getting value from the indicator won't cause crash.
+        var rangeElement = document.getElementById("range1");
+        document.body.removeChild(rangeElement);
+        shouldBe("indicator.intValue", "0");
+    }
+
+</script>
+
+<script src=""
+</body>
+</html>

Modified: trunk/Source/WebCore/ChangeLog (200053 => 200054)


--- trunk/Source/WebCore/ChangeLog	2016-04-25 22:40:24 UTC (rev 200053)
+++ trunk/Source/WebCore/ChangeLog	2016-04-25 22:40:45 UTC (rev 200054)
@@ -1,3 +1,19 @@
+2016-04-25  Nan Wang  <n_w...@apple.com>
+
+        AX: Crash at -[WebAccessibilityObjectWrapper accessibilityAttributeValue:] + 4391
+        https://bugs.webkit.org/show_bug.cgi?id=156987
+
+        Reviewed by Chris Fleizach.
+
+        When we hit test on a slider indicator asking for the value when the parent slider's
+        accessibility object is not created or the parent slider has been removed, it will cause
+        crash. Fixed it by adding a check to see if the object is detached from the parent. 
+
+        Test: accessibility/mac/slider-thumb-value-crash.html
+
+        * accessibility/mac/WebAccessibilityObjectWrapperMac.mm:
+        (-[WebAccessibilityObjectWrapper accessibilityAttributeValue:]):
+
 2016-04-25  Jer Noble  <jer.no...@apple.com>
 
         WebKitPlaybackSessionModelMediaElement should initialize the interface added by setWebPlaybackSessionInterface() with initial data

Modified: trunk/Source/WebCore/accessibility/mac/WebAccessibilityObjectWrapperMac.mm (200053 => 200054)


--- trunk/Source/WebCore/accessibility/mac/WebAccessibilityObjectWrapperMac.mm	2016-04-25 22:40:24 UTC (rev 200053)
+++ trunk/Source/WebCore/accessibility/mac/WebAccessibilityObjectWrapperMac.mm	2016-04-25 22:40:45 UTC (rev 200054)
@@ -2561,6 +2561,9 @@
     if (![self updateObjectBackingStore])
         return nil;
     
+    if (m_object->isDetachedFromParent())
+        return nil;
+    
     if ([attributeName isEqualToString: NSAccessibilityRoleAttribute])
         return [self role];
     
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes

Reply via email to