Removing an element from an anonymous block causes crash
authorcfleizach@apple.com <cfleizach@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Tue, 10 Aug 2010 21:35:27 +0000 (21:35 +0000)
committercfleizach@apple.com <cfleizach@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Tue, 10 Aug 2010 21:35:27 +0000 (21:35 +0000)
commite81c8636f466cd2812e721c52b5411f3ba23a2ce
tree8f0124261831ae3f7d3ed70223bbb297333b0b0d
parente533375cea1003d1cbfc152d0d31ac1242de5928
Removing an element from an anonymous block causes crash
https://bugs.webkit.org/show_bug.cgi?id=42309

Reviewed by Dave Hyatt.

WebCore:

There was a case where a continuation was added as a child, but if you asked
that child who is your parent, it would return the wrong answer.

The specific scenario was when a sibling of an element who was the start of a
continuation was present. Retrieving the parent object had then follow the sibling
chain and then follow the originating continuation chain.

Test: accessibility/removed-anonymous-block-child-causes-crash.html

* accessibility/AccessibilityRenderObject.cpp:
(WebCore::AccessibilityRenderObject::nextSibling):
    Fix erroneous comment
(WebCore::nextContinuation):
(WebCore::AccessibilityRenderObject::renderParentObject):
    Handle unhandled continuation case.
(WebCore::AccessibilityRenderObject::addChildren):
    ASSERT that the parentObject() is the same when adding a new child.

LayoutTests:

* accessibility/removed-anonymous-block-child-causes-crash-expected.txt: Added.
* accessibility/removed-anonymous-block-child-causes-crash.html: Added.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@65095 268f45cc-cd09-0410-ab3c-d52691b4dbfc
LayoutTests/ChangeLog
LayoutTests/accessibility/removed-anonymous-block-child-causes-crash-expected.txt [new file with mode: 0644]
LayoutTests/accessibility/removed-anonymous-block-child-causes-crash.html [new file with mode: 0644]
WebCore/ChangeLog
WebCore/accessibility/AccessibilityRenderObject.cpp