[SCM] WebKit Debian packaging branch, debian/experimental, updated. upstream/1.3.3-9427-gc2be6fc
cfleizach at apple.com
Wed Dec 22 13:23:09 UTC 2010
The following commit has been merged in the debian/experimental branch:
commit ce18195bf860e2762799c7b36fc70b50f7e309aa
Author: cfleizach at apple.com <cfleizach at apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Date: Mon Sep 13 20:55:48 2010 +0000
CrashTracer: 874 crashes in Safari at com.apple.WebCore: WebCore::AccessibilityTable::isTableExposableThroughAccessibility + 663
https://bugs.webkit.org/show_bug.cgi?id=45697
Reviewed by Darin Adler.
WebCore:
Inside of AccessibilityTableRow, parentTable() should not use getOrCreate() on the parent table, because the render table may
be in a bad state and accessing internal variables can lead to a crash.
Test: platform/mac/accessibility/updating-attribute-in-table-row-crash.html
* accessibility/AccessibilityTableRow.cpp:
(WebCore::AccessibilityTableRow::parentTable):
LayoutTests:
* platform/mac/accessibility/updating-attribute-in-table-row-crash-expected.txt: Added.
* platform/mac/accessibility/updating-attribute-in-table-row-crash.html: Added.
git-svn-id: http://svn.webkit.org/repository/webkit/trunk@67407 268f45cc-cd09-0410-ab3c-d52691b4dbfc
diff --git a/LayoutTests/ChangeLog b/LayoutTests/ChangeLog
index 5a9db50..10c4f5a 100644
--- a/LayoutTests/ChangeLog
+++ b/LayoutTests/ChangeLog
@@ -1,3 +1,13 @@
+2010-09-13 Chris Fleizach <cfleizach at apple.com>
+
+ Reviewed by Darin Adler.
+
+ CrashTracer: 874 crashes in Safari at com.apple.WebCore: WebCore::AccessibilityTable::isTableExposableThroughAccessibility + 663
+ https://bugs.webkit.org/show_bug.cgi?id=45697
+
+ * platform/mac/accessibility/updating-attribute-in-table-row-crash-expected.txt: Added.
+ * platform/mac/accessibility/updating-attribute-in-table-row-crash.html: Added.
+
2010-09-13 Tony Chang <tony at chromium.org>
Unreviewed, removing chromium-linux results that deduplicate-tests says are
diff --git a/LayoutTests/platform/mac/accessibility/updating-attribute-in-table-row-crash-expected.txt b/LayoutTests/platform/mac/accessibility/updating-attribute-in-table-row-crash-expected.txt
new file mode 100644
index 0000000..a62d9f2
--- /dev/null
+++ b/LayoutTests/platform/mac/accessibility/updating-attribute-in-table-row-crash-expected.txt
@@ -0,0 +1,11 @@
+1 2
+asdf
+This tests for a crash that can occur while altering an attribute on a table row because it accesses the table when its in a bad state.
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+PASS successfullyParsed is true
+
+TEST COMPLETE
+
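Review bot: The expected output checks only "PASS successfullyParsed is true", so this test can detect the crash and nothing else; a regression that leaves the row detached from its table in the accessibility tree would still pass. Consider adding one assertion after the mutation that queries the row through accessibilityController, so the expected file records an accessibility result as well. Also, the test sits under platform/mac while the fix is in the shared WebCore/accessibility directory; if other ports expose accessibilityController, a cross-platform location would give the fix wider coverage.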
diff --git a/LayoutTests/platform/mac/accessibility/updating-attribute-in-table-row-crash.html b/LayoutTests/platform/mac/accessibility/updating-attribute-in-table-row-crash.html
new file mode 100644
index 0000000..26699cd
--- /dev/null
+++ b/LayoutTests/platform/mac/accessibility/updating-attribute-in-table-row-crash.html
@@ -0,0 +1,42 @@
+<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML//EN">
+<html>
+<head>
+<link rel="stylesheet" href="../../../fast/js/resources/js-test-style.css">
+<script>
+ var successfullyParsed = false;
+</script>
+<script src="../../../fast/js/resources/js-test-pre.js"></script>
+</head>
+<body id="body">
+
+<table id="table">
+<tr id="row"><td id="tablecell" tabindex=0>1</td><td>2</td></tr>
+<tr id="row2"><td id="tablecell2" tabindex=0>1</td><td>2</td></tr>
+</table>
+
+<p id="description"></p>
+<div id="console"></div>
+
+<script>
+ description("This tests for a crash that can occur while altering an attribute on a table row because it accesses the table when its in a bad state.");
+
+ if (window.accessibilityController) {
+ document.getElementById("body").focus();
+ var body = accessibilityController.focusedElement;
+ var tr = document.createElement("tr");
+ var td = document.createElement("td");
+ td.appendChild(document.createTextNode("asdf"));
+ tr.appendChild(td);
+
+ // To reproduce, we need to remove a row and replace with another row, then set an attribute in the meantime.
+ document.getElementById("table").getElementsByTagName("TBODY")[0].removeChild(document.getElementById("row2"));
+ document.getElementById("table").getElementsByTagName("TBODY")[0].appendChild(tr);
+ document.getElementById("row").setAttribute("title", "gridrow");
+ }
+
+ successfullyParsed = true;
+</script>
+
+<script src="../../../fast/js/resources/js-test-post.js"></script>
+</body>
+</html>
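Review bot: In the script block, "var body = accessibilityController.focusedElement;" assigns a value that is never read, so the line looks like dead code even though it is presumably there to force the accessibility objects to be created before the rows are changed. Please add a comment saying so, otherwise a later cleanup may delete it and silently stop the test from exercising the crash path. Two smaller points: the whole reproduction is inside "if (window.accessibilityController)", so the test reports PASS without running anything when the controller is absent, and it would be worth logging that case; and the lookups via getElementsByTagName("TBODY")[0] depend on the parser inserting an implicit tbody, which an explicit <tbody id=...> in the markup would make obvious. The description string has "its in a bad state", which should read "it's".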
diff --git a/WebCore/ChangeLog b/WebCore/ChangeLog
index dda8a6d..17c3aec 100644
--- a/WebCore/ChangeLog
+++ b/WebCore/ChangeLog
@@ -1,3 +1,18 @@
+2010-09-13 Chris Fleizach <cfleizach at apple.com>
+
+ Reviewed by Darin Adler.
+
+ CrashTracer: 874 crashes in Safari at com.apple.WebCore: WebCore::AccessibilityTable::isTableExposableThroughAccessibility + 663
+ https://bugs.webkit.org/show_bug.cgi?id=45697
+
+ Inside of AccessibilityTableRow, parentTable() should not use getOrCreate() on the parent table, because the render table may
+ be in a bad state and accessing internal variables can lead to a crash.
+
+ Test: platform/mac/accessibility/updating-attribute-in-table-row-crash.html
+
+ * accessibility/AccessibilityTableRow.cpp:
+ (WebCore::AccessibilityTableRow::parentTable):
+
2010-09-13 Adam Barth <abarth at webkit.org>
Reviewed by Eric Seidel.
diff --git a/WebCore/accessibility/AccessibilityTableRow.cpp b/WebCore/accessibility/AccessibilityTableRow.cpp
index e2a1157..5e9f05c 100644
--- a/WebCore/accessibility/AccessibilityTableRow.cpp
+++ b/WebCore/accessibility/AccessibilityTableRow.cpp
@@ -93,7 +93,8 @@ AccessibilityObject* AccessibilityTableRow::parentTable() const
if (!m_renderer || !m_renderer->isTableRow())
return 0;
- return axObjectCache()->getOrCreate(toRenderTableRow(m_renderer)->table());
+ // Do not use getOrCreate. parentTable() can be called while the render tree is being modified.
+ return axObjectCache()->get(toRenderTableRow(m_renderer)->table());
}
AccessibilityObject* AccessibilityTableRow::headerObject()
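Review bot: Switching to get() in parentTable() means the function can now return 0 whenever no accessibility object has been created for the table yet, not only on the early "!m_renderer || !m_renderer->isTableRow()" path, so callers that previously always received an object for a valid table row need to be checked for null handling. The hunk does not show any caller, and the ChangeLog lists only parentTable() as changed; please confirm each call site tolerates a 0 result. Also, "toRenderTableRow(m_renderer)->table()" is still evaluated on a render tree that the new comment says may be mid-modification; if table() can return 0 in that state, it is worth stating in the comment that get() is safe to call with a null renderer, or adding an explicit check.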
--