[SCM] WebKit Debian packaging branch, debian/experimental, updated. upstream/1.3.3-9427-gc2be6fc

cfleizach at apple.com cfleizach at apple.com
Wed Dec 22 11:22:20 UTC 2010 

The following commit has been merged in the debian/experimental branch:
commit d440b59ec76272338f9831748b2cd27748151a26
Author: cfleizach at apple.com <cfleizach at apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Date:   Tue Jul 20 21:34:11 2010 +0000

    CrashTracer: [USER] 300 crashes in Safari at com.apple.WebCore: WebCore::AccessibilityTable::isTableExposableThroughAccessibility + 573
    https://bugs.webkit.org/show_bug.cgi?id=42652
    
    Reviewed by Beth Dakin.
    
    WebCore:
    
    When a table cell accesses its parent table, we should not use getOrCreate, because creating an AXTable inspects its render tree state
    which may be out of date, leading to a crash.
    By using only get(), it implies that the AXTable must be created before AXTableCells. This should
    always be the case when AT clients access a table.
    
    Test: accessibility/updating-attribute-in-table-causes-crash.html
    
    * accessibility/AccessibilityTableCell.cpp:
    (WebCore::AccessibilityTableCell::parentTable):
    
    LayoutTests:
    
    * accessibility/updating-attribute-in-table-causes-crash-expected.txt: Added.
    * accessibility/updating-attribute-in-table-causes-crash.html: Added.
    
    
    
    git-svn-id: http://svn.webkit.org/repository/webkit/trunk@63774 268f45cc-cd09-0410-ab3c-d52691b4dbfc

diff --git a/LayoutTests/ChangeLog b/LayoutTests/ChangeLog
index 7bdb89a..31e503a 100644
--- a/LayoutTests/ChangeLog
+++ b/LayoutTests/ChangeLog
@@ -1,3 +1,13 @@
+2010-07-20  Chris Fleizach  <cfleizach at apple.com>
+
+        Reviewed by Beth Dakin.
+
+        CrashTracer: [USER] 300 crashes in Safari at com.apple.WebCore: WebCore::AccessibilityTable::isTableExposableThroughAccessibility + 573
+        https://bugs.webkit.org/show_bug.cgi?id=42652
+
+        * accessibility/updating-attribute-in-table-causes-crash-expected.txt: Added.
+        * accessibility/updating-attribute-in-table-causes-crash.html: Added.
+
 2010-07-20  Abhishek Arya  <inferno at chromium.org>
 
         Reviewed by David Hyatt.
diff --git a/LayoutTests/accessibility/updating-attribute-in-table-causes-crash-expected.txt b/LayoutTests/accessibility/updating-attribute-in-table-causes-crash-expected.txt
new file mode 100644
index 0000000..c80c8f8
--- /dev/null
+++ b/LayoutTests/accessibility/updating-attribute-in-table-causes-crash-expected.txt
@@ -0,0 +1,11 @@
+1	2
+asdf
+This tests for a crash that can occur while altering an attribute on a table cell because it accesses the table when its in a bad state.
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+PASS successfullyParsed is true
+
+TEST COMPLETE
+
diff --git a/LayoutTests/accessibility/updating-attribute-in-table-causes-crash.html b/LayoutTests/accessibility/updating-attribute-in-table-causes-crash.html
new file mode 100644
index 0000000..51f0fc7
--- /dev/null
+++ b/LayoutTests/accessibility/updating-attribute-in-table-causes-crash.html
@@ -0,0 +1,42 @@
+<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML//EN">
+<html>
+<head>
+<link rel="stylesheet" href="../fast/js/resources/js-test-style.css">
+<script>
+    var successfullyParsed = false;
+</script>
+<script src="../fast/js/resources/js-test-pre.js"></script>
+</head>
+<body id="body">
+
+<table id="table">
+<tr id="row"><td id="tablecell" tabindex=0>1</td><td>2</td></tr>
+<tr id="row2"><td id="tablecell2" tabindex=0>1</td><td>2</td></tr>
+</table>
+
+<p id="description"></p>
+<div id="console"></div>
+
+<script>
+    description("This tests for a crash that can occur while altering an attribute on a table cell because it accesses the table when its in a bad state.");
+
+    if (window.accessibilityController) {
+        document.getElementById("body").focus();
+        var body = accessibilityController.focusedElement;
+        var tr = document.createElement("tr");
+        var td = document.createElement("td");
+        td.appendChild(document.createTextNode("asdf"));
+        tr.appendChild(td);
+
+        // To reproduce, we need to remove a row and replace with another row, then set an attribute in the meantime.
+        document.getElementById("table").getElementsByTagName("TBODY")[0].removeChild(document.getElementById("row2"));
+        document.getElementById("table").getElementsByTagName("TBODY")[0].appendChild(tr);
+        document.getElementById("tablecell").setAttribute("title", "test");
+    }
+
+    successfullyParsed = true;
+</script>
+
+<script src="../fast/js/resources/js-test-post.js"></script>
+</body>
+</html>
diff --git a/WebCore/ChangeLog b/WebCore/ChangeLog
index 7471a48..0d56de0 100644
--- a/WebCore/ChangeLog
+++ b/WebCore/ChangeLog
@@ -1,3 +1,20 @@
+2010-07-20  Chris Fleizach  <cfleizach at apple.com>
+
+        Reviewed by Beth Dakin.
+
+        CrashTracer: [USER] 300 crashes in Safari at com.apple.WebCore: WebCore::AccessibilityTable::isTableExposableThroughAccessibility + 573
+        https://bugs.webkit.org/show_bug.cgi?id=42652
+
+        When a table cell accesses its parent table, we should not use getOrCreate, because creating an AXTable inspects its render tree state
+        which may be out of date, leading to a crash.
+        By using only get(), it implies that the AXTable must be created before AXTableCells. This should
+        always be the case when AT clients access a table.
+
+        Test: accessibility/updating-attribute-in-table-causes-crash.html
+
+        * accessibility/AccessibilityTableCell.cpp:
+        (WebCore::AccessibilityTableCell::parentTable):
+
 2010-07-20  Abhishek Arya  <inferno at chromium.org>
 
         Reviewed by David Hyatt.
diff --git a/WebCore/accessibility/AccessibilityTableCell.cpp b/WebCore/accessibility/AccessibilityTableCell.cpp
index 7fadb88..28e66ad 100644
--- a/WebCore/accessibility/AccessibilityTableCell.cpp
+++ b/WebCore/accessibility/AccessibilityTableCell.cpp
@@ -73,7 +73,12 @@ AccessibilityObject* AccessibilityTableCell::parentTable() const
     if (!m_renderer || !m_renderer->isTableCell())
         return 0;
     
-    return axObjectCache()->getOrCreate(toRenderTableCell(m_renderer)->table());
+    // Do not use getOrCreate. parentTable() can be called while the render tree is being modified 
+    // by javascript, and creating a table element may try to access the render tree while in a bad state.
+    // By using only get() implies that the AXTable must be created before AXTableCells. This should
+    // always be the case when AT clients access a table.
+    // https://bugs.webkit.org/show_bug.cgi?id=42652    
+    return axObjectCache()->get(toRenderTableCell(m_renderer)->table());
 }
     
 bool AccessibilityTableCell::isTableCell() const

-- 
WebKit Debian packaging

More information about the Pkg-webkit-commits mailing list