[SCM] WebKit Debian packaging branch, debian/experimental, updated. upstream/1.3.3-9427-gc2be6fc

cfleizach at apple.com cfleizach at apple.com
Wed Dec 22 11:53:41 UTC 2010 

The following commit has been merged in the debian/experimental branch:
commit 0eed8a422007e017e1b8b85c0c67ff2723a43c44
Author: cfleizach at apple.com <cfleizach at apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Date:   Tue Aug 10 21:35:27 2010 +0000

    Removing an element from an anonymous block causes crash
    https://bugs.webkit.org/show_bug.cgi?id=42309
    
    Reviewed by Dave Hyatt.
    
    WebCore:
    
    There was a case where a continuation was added as a child, but if you asked
    that child who is your parent, it would return the wrong answer.
    
    The specific scenario was when a sibling of an element who was the start of a
    continuation was present. Retrieving the parent object had then follow the sibling
    chain and then follow the originating continuation chain.
    
    Test: accessibility/removed-anonymous-block-child-causes-crash.html
    
    * accessibility/AccessibilityRenderObject.cpp:
    (WebCore::AccessibilityRenderObject::nextSibling):
        Fix erroneous comment
    (WebCore::nextContinuation):
    (WebCore::AccessibilityRenderObject::renderParentObject):
        Handle unhandled continuation case.
    (WebCore::AccessibilityRenderObject::addChildren):
        ASSERT that the parentObject() is the same when adding a new child.
    
    LayoutTests:
    
    * accessibility/removed-anonymous-block-child-causes-crash-expected.txt: Added.
    * accessibility/removed-anonymous-block-child-causes-crash.html: Added.
    
    
    
    git-svn-id: http://svn.webkit.org/repository/webkit/trunk@65095 268f45cc-cd09-0410-ab3c-d52691b4dbfc

diff --git a/LayoutTests/ChangeLog b/LayoutTests/ChangeLog
index 7d37a95..6b08cd0 100644
--- a/LayoutTests/ChangeLog
+++ b/LayoutTests/ChangeLog
@@ -1,3 +1,13 @@
+2010-08-10  Chris Fleizach  <cfleizach at apple.com>
+
+        Reviewed by Dave Hyatt.
+
+        Removing an element from an anonymous block causes crash
+        https://bugs.webkit.org/show_bug.cgi?id=42309
+
+        * accessibility/removed-anonymous-block-child-causes-crash-expected.txt: Added.
+        * accessibility/removed-anonymous-block-child-causes-crash.html: Added.
+
 2010-08-10  Abhishek Arya  <inferno at chromium.org>
 
         Reviewed by David Hyatt.
diff --git a/LayoutTests/accessibility/removed-anonymous-block-child-causes-crash-expected.txt b/LayoutTests/accessibility/removed-anonymous-block-child-causes-crash-expected.txt
new file mode 100644
index 0000000..497ac08
--- /dev/null
+++ b/LayoutTests/accessibility/removed-anonymous-block-child-causes-crash-expected.txt
@@ -0,0 +1,11 @@
+a
+a
+In certain cases removing a decendent from an anonymous block element does not update the parent chain correctly. This can cause a crash.
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+PASS successfullyParsed is true
+
+TEST COMPLETE
+
diff --git a/LayoutTests/accessibility/removed-anonymous-block-child-causes-crash.html b/LayoutTests/accessibility/removed-anonymous-block-child-causes-crash.html
new file mode 100644
index 0000000..b9f4387
--- /dev/null
+++ b/LayoutTests/accessibility/removed-anonymous-block-child-causes-crash.html
@@ -0,0 +1,55 @@
+<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML//EN">
+<html>
+<head>
+<link rel="stylesheet" href="../fast/js/resources/js-test-style.css">
+<script>
+    var successfullyParsed = false;
+
+    function removeElement() {
+        document.getElementById('div').removeChild(document.getElementById('div').children[2]);
+    }
+
+    function queryIsEnabledOnDecendants(accessibilityObject) {
+        accessibilityObject.isEnabled
+
+        var count = accessibilityObject.childrenCount;
+        for (var i = 0; i < count; ++i)
+            queryIsEnabledOnDecendants(accessibilityObject.childAtIndex(i));
+    }
+</script>
+<script src="../fast/js/resources/js-test-pre.js"></script>
+</head>
+<body>
+
+<div id="div">
+  <span>
+    <div>a</div>
+  </span>
+  <div style="float:left">a</div>
+  <span title="title">b</span>
+</div>
+
+<p id="description"></p>
+<div id="console"></div>
+
+<script>
+    description("In certain cases removing a decendent from an anonymous block element does not update the parent chain correctly. This can cause a crash.");
+
+    if (window.accessibilityController) {
+        // First build up full accessibility tree.
+        document.body.focus();
+        queryIsEnabledOnDecendants(accessibilityController.focusedElement);
+        
+        removeElement()
+        
+        // Now call isEnabled on each accessibility object.
+        document.body.focus();
+        queryIsEnabledOnDecendants(accessibilityController.focusedElement);
+    }
+
+    successfullyParsed = true;
+</script>
+
+<script src="../fast/js/resources/js-test-post.js"></script>
+</body>
+</html>
diff --git a/WebCore/ChangeLog b/WebCore/ChangeLog
index 671744c..f29d191 100644
--- a/WebCore/ChangeLog
+++ b/WebCore/ChangeLog
@@ -1,3 +1,28 @@
+2010-08-10  Chris Fleizach  <cfleizach at apple.com>
+
+        Reviewed by Dave Hyatt.
+
+        Removing an element from an anonymous block causes crash
+        https://bugs.webkit.org/show_bug.cgi?id=42309
+
+        There was a case where a continuation was added as a child, but if you asked
+        that child who is your parent, it would return the wrong answer.
+   
+        The specific scenario was when a sibling of an element who was the start of a 
+        continuation was present. Retrieving the parent object had then follow the sibling
+        chain and then follow the originating continuation chain.
+
+        Test: accessibility/removed-anonymous-block-child-causes-crash.html
+
+        * accessibility/AccessibilityRenderObject.cpp:
+        (WebCore::AccessibilityRenderObject::nextSibling):
+            Fix erroneous comment
+        (WebCore::nextContinuation):
+        (WebCore::AccessibilityRenderObject::renderParentObject):
+            Handle unhandled continuation case.
+        (WebCore::AccessibilityRenderObject::addChildren):
+            ASSERT that the parentObject() is the same when adding a new child.
+
 2010-08-10  Abhishek Arya  <inferno at chromium.org>
 
         Reviewed by David Hyatt.
diff --git a/WebCore/accessibility/AccessibilityRenderObject.cpp b/WebCore/accessibility/AccessibilityRenderObject.cpp
index 24c29d4..c4669cd 100644
--- a/WebCore/accessibility/AccessibilityRenderObject.cpp
+++ b/WebCore/accessibility/AccessibilityRenderObject.cpp
@@ -354,10 +354,10 @@ AccessibilityObject* AccessibilityRenderObject::nextSibling() const
     else if (isInlineWithContinuation(m_renderer->parent())) {
         RenderObject* continuation = toRenderInline(m_renderer->parent())->continuation();
         
-        // Case 4a: continuation is a block - in this case the block itself is the next sibling.
+        // Case 5a: continuation is a block - in this case the block itself is the next sibling.
         if (continuation->isRenderBlock())
             nextSibling = continuation;
-        // Case 4b: continuation is an inline - in this case the inline's first child is the next sibling
+        // Case 5b: continuation is an inline - in this case the inline's first child is the next sibling
         else
             nextSibling = firstChildConsideringContinuation(continuation);
     }
@@ -368,6 +368,13 @@ AccessibilityObject* AccessibilityRenderObject::nextSibling() const
     return axObjectCache()->getOrCreate(nextSibling);
 }
 
+static RenderBoxModelObject* nextContinuation(RenderObject* renderer)
+{
+    if (renderer->isInline() && !renderer->isReplaced())
+        return toRenderInline(renderer)->continuation();
+    return toRenderBlock(renderer)->inlineElementContinuation();
+}
+    
 RenderObject* AccessibilityRenderObject::renderParentObject() const
 {
     if (!m_renderer)
@@ -377,7 +384,8 @@ RenderObject* AccessibilityRenderObject::renderParentObject() const
 
     // Case 1: node is a block and is an inline's continuation. Parent
     // is the start of the continuation chain.
-    RenderInline* startOfConts = 0;
+    RenderObject* startOfConts = 0;
+    RenderObject* firstChild = 0;
     if (m_renderer->isRenderBlock() && (startOfConts = startOfContinuations(m_renderer)))
         parent = startOfConts;
 
@@ -386,6 +394,20 @@ RenderObject* AccessibilityRenderObject::renderParentObject() const
     else if (parent && parent->isRenderInline() && (startOfConts = startOfContinuations(parent)))
         parent = startOfConts;
     
+    // Case 3: The first sibling is the beginning of a continuation chain. Find the origin of that continuation.
+    else if (parent && (firstChild = parent->firstChild()) && firstChild->node()) {
+        // Get the node's renderer and follow that continuation chain until the first child is found
+        RenderObject* nodeRenderFirstChild = firstChild->node()->renderer();
+        if (nodeRenderFirstChild != firstChild) {
+            for (RenderObject* contsTest = nodeRenderFirstChild; contsTest; contsTest = nextContinuation(contsTest)) {
+                if (contsTest == firstChild) {
+                    parent = nodeRenderFirstChild->parent();
+                    break;
+                }
+            }
+        }
+    }
+        
     return parent;
 }
     
@@ -3299,8 +3321,10 @@ void AccessibilityRenderObject::addChildren()
             unsigned length = children.size();
             for (unsigned i = 0; i < length; ++i)
                 m_children.append(children[i]);
-        } else
+        } else {
+            ASSERT(obj->parentObject() == this);
             m_children.append(obj);
+        }
     }
     
     // for a RenderImage, add the <area> elements as individual accessibility objects

-- 
WebKit Debian packaging

More information about the Pkg-webkit-commits mailing list