AX: Crash at WebCore::commonTreeScope
https://bugs.webkit.org/show_bug.cgi?id=125042

Reviewed by Mario Sanchez Prada.

Source/WebCore:

When an AX text marker that references a node in a detached document is used to create a text marker range, a crash occurs
because the method to determine commonTreeScopes does not account for when there are no common tree scopes.

Test: platform/mac/accessibility/ordered-textmarker-crash.html

* accessibility/AccessibilityObject.cpp:
(WebCore::AccessibilityObject::visiblePositionRangeForUnorderedPositions):
* dom/TreeScope.cpp:
(WebCore::commonTreeScope):

LayoutTests:

* platform/mac/accessibility/ordered-textmarker-crash-expected.txt: Added.
* platform/mac/accessibility/ordered-textmarker-crash.html: Added.


Canonical link: https://commits.webkit.org/143175@main
git-svn-id: https://svn.webkit.org/repository/webkit/trunk@159932 268f45cc-cd09-0410-ab3c-d52691b4dbfc
fleizach committed Dec 2, 2013
1 parent 073787c commit 78d097f8fa0253e6d40ae7e8dc0a99439fa02490
Showing 6 changed files with 92 additions and 0 deletions.
@@ -1,3 +1,13 @@
2013-12-02 Chris Fleizach <cfleizach@apple.com>

AX: Crash at WebCore::commonTreeScope
https://bugs.webkit.org/show_bug.cgi?id=125042

Reviewed by Mario Sanchez Prada.

* platform/mac/accessibility/ordered-textmarker-crash-expected.txt: Added.
* platform/mac/accessibility/ordered-textmarker-crash.html: Added.

2013-12-02 Zan Dobersek <zdobersek@igalia.com>

Unreviewed GTK gardening.
@@ -0,0 +1,7 @@

This tests that comparing text markers that have no common tree scope won't crash

On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".



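Review bot: The expected output shown here has no "PASS" line, although its own text says success is "a series of PASS messages", so the test only proves that nothing crashed. Consider adding one explicit check on the value returned by textMarkerRangeForMarkers(marker1, marker2), so that a regression which returns a bogus range instead of crashing still fails the test.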
@@ -0,0 +1,50 @@
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML//EN">
<html>
<head>
<script src="../../../resources/js-test-pre.js"></script>
</head>
<body id="body" onload="setTimeout('runTest();', 1)">

<div id="content1">
<iframe src="data:text/html,<body><div>hello</div>"></iframe>
</div>

<div role="group" id="console"></div>

<script>

description("This tests that comparing text markers that have no common tree scope won't crash");

if (window.accessibilityController && window.testRunner) {
window.testRunner.waitUntilDone();
window.jsTestIsAsync = true;
}

function runTest() {

// Get a text marker inside the frame we will remove.
var text1 = accessibilityController.accessibleElementById("content1").childAtIndex(0).childAtIndex(0).childAtIndex(0).childAtIndex(0);
var range1 = text1.textMarkerRangeForElement(text1);
marker1 = text1.startTextMarkerForTextMarkerRange(range1);

// Get a marker for the main frame.
var text2 = accessibilityController.rootElement.childAtIndex(0).childAtIndex(0);
var range2 = text2.textMarkerRangeForElement(text2);
marker2 = text2.startTextMarkerForTextMarkerRange(range2);

// Remove the child frame that we have a reference to the text marker from.
var content1 = document.getElementById("content1").childNodes[0];
content1.parentNode.removeChild(content1);

// Ask for the text marker range with the markers in a different tree.
// This should NOT crash!
var range = accessibilityController.rootElement.childAtIndex(0).textMarkerRangeForMarkers(marker1, marker2);
window.testRunner.notifyDone();
finishJSTest();
}

</script>

<script src="../../../resources/js-test-post.js"></script>
</body>
</html>
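Review bot: runTest() uses accessibilityController and calls window.testRunner.notifyDone() without the `window.accessibilityController && window.testRunner` guard that protects the waitUntilDone() call earlier in the script, so outside the test harness the page throws before finishJSTest() runs. Wrap the body of runTest() in the same guard. marker1 and marker2 are also assigned without `var` and become implicit globals; declare them like text1 and range1.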
@@ -1,3 +1,20 @@
2013-12-02 Chris Fleizach <cfleizach@apple.com>

AX: Crash at WebCore::commonTreeScope
https://bugs.webkit.org/show_bug.cgi?id=125042

Reviewed by Mario Sanchez Prada.

When an AX text marker that references a node in a detached document is used to create a text marker range, a crash occurs
because the method to determine commonTreeScopes does not account for when there are no common tree scopes.

Test: platform/mac/accessibility/ordered-textmarker-crash.html

* accessibility/AccessibilityObject.cpp:
(WebCore::AccessibilityObject::visiblePositionRangeForUnorderedPositions):
* dom/TreeScope.cpp:
(WebCore::commonTreeScope):

2013-12-02 Nick Diego Yamane <nick.yamane@openbossa.org>

Fix a crash in the webaudio source provider when the audio track is going away.
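Review bot: The two function entries, (WebCore::AccessibilityObject::visiblePositionRangeForUnorderedPositions) and (WebCore::commonTreeScope), end at the colon with no description. A short phrase per entry, for example that the first now returns an empty range when there is no common tree scope and the second now returns nullptr in that case, would let a reader of the ChangeLog tell which change is the guard at the caller and which is the fix in the helper.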
@@ -649,6 +649,10 @@ VisiblePositionRange AccessibilityObject::visiblePositionRangeForUnorderedPositi
if (visiblePos1.isNull() || visiblePos2.isNull())
return VisiblePositionRange();

// If there's no common tree scope between positions, return early.
if (!commonTreeScope(visiblePos1.deepEquivalent().deprecatedNode(), visiblePos2.deepEquivalent().deprecatedNode()))
return VisiblePositionRange();

VisiblePosition startPos;
VisiblePosition endPos;
bool alreadyInOrder;
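Review bot: The new early return relies on commonTreeScope() being safe to call for nodes in unrelated trees, which is only true with the TreeScope.cpp change in this same commit, and the comment "no common tree scope between positions" does not say how that state arises. Name the case from the ChangeLog in the comment (a text marker that references a node in a detached document). It is also worth confirming that commonTreeScope() tolerates a null argument, since both deprecatedNode() results are passed straight through after only the isNull() checks on the VisiblePositions.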
@@ -425,6 +425,10 @@ TreeScope* commonTreeScope(Node* nodeA, Node* nodeB)

for (; indexA > 0 && indexB > 0 && treeScopesA[indexA - 1] == treeScopesB[indexB - 1]; --indexA, --indexB) { }

// If the nodes had no common tree scope, return immediately.
if (indexA == treeScopesA.size())
return nullptr;

return treeScopesA[indexA] == treeScopesB[indexB] ? treeScopesA[indexA] : nullptr;
}

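Review bot: The guard `if (indexA == treeScopesA.size())` checks only indexA before both treeScopesA[indexA] and treeScopesB[indexB] are read. That is enough only because the loop above decrements indexA and indexB together (`--indexA, --indexB`), so one cannot move without the other. State that in the comment, or assert that indexB is also at treeScopesB.size() in this branch, so a later change to the loop does not bring back a read past the end of either vector.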