AX: CrashTracer: com.apple.WebKit.WebContent at com.apple.WebCore: WebCore::Accessibi...
author cfleizach@apple.com <cfleizach@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Tue, 20 Oct 2015 21:34:23 +0000 (21:34 +0000)
committer cfleizach@apple.com <cfleizach@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Tue, 20 Oct 2015 21:34:23 +0000 (21:34 +0000)
https://bugs.webkit.org/show_bug.cgi?id=150349

Reviewed by Brent Fulgham.

The crash point for this bug says that the parentElement of the firstBody is garbage when it's accessed.
Unfortunately, I could not reproduce this in-situ or with a test.
So my speculative solution is to recalculate those body elements to ensure that they're valid before we access.

* accessibility/AccessibilityTable.cpp:
(WebCore::AccessibilityTable::tableElement):
(WebCore::AccessibilityTable::isDataTable):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@191357 268f45cc-cd09-0410-ab3c-d52691b4dbfc

Source/WebCore/ChangeLog
Source/WebCore/accessibility/AccessibilityTable.cpp

index aa48d01..5ad9fe3 100644 (file)
@@ -1,3 +1,18 @@
+2015-10-20  Chris Fleizach  <cfleizach@apple.com>
+
+        AX: CrashTracer: com.apple.WebKit.WebContent at com.apple.WebCore: WebCore::AccessibilityTable::tableElement const + 116
+        https://bugs.webkit.org/show_bug.cgi?id=150349
+
+        Reviewed by Brent Fulgham.
+
+        The crash point for this bug says that the parentElement of the firstBody is garbage when it's accessed. 
+        Unfortunately, I could not reproduce this in-situ or with a test. 
+        So my speculative solution is to recalculate those body elements to ensure that they're valid before we access.
+
+        * accessibility/AccessibilityTable.cpp:
+        (WebCore::AccessibilityTable::tableElement):
+        (WebCore::AccessibilityTable::isDataTable):
+
 2015-10-20  Chris Dumez  <cdumez@apple.com>
 
         Unreviewed, GTK build fix after r191351.
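Review bot: The function list at the end of this ChangeLog entry names WebCore::AccessibilityTable::isDataTable, but the entry gives no description for it, and the explanation above it only covers recalculating the body elements before they are accessed. Please either describe what changed in isDataTable or drop that line if it was picked up only from surrounding context. Since the entry says the crash could not be reproduced with a test, it would also help to state explicitly that no new test is included, so the speculative nature of the fix is obvious to whoever revisits bug 150349.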
index c2f4bbf..69cc7ba 100644 (file)
@@ -101,17 +101,15 @@ HTMLTableElement* AccessibilityTable::tableElement() const
     if (is<HTMLTableElement>(table.element()))
         return downcast<HTMLTableElement>(table.element());
     
+    table.forceSectionsRecalc();
+
     // If the table has a display:table-row-group, then the RenderTable does not have a pointer to it's HTMLTableElement.
     // We can instead find it by asking the firstSection for its parent.
     RenderTableSection* firstBody = table.firstBody();
     if (!firstBody || !firstBody->element())
         return nullptr;
     
-    Element* actualTable = firstBody->element()->parentElement();
-    if (!is<HTMLTableElement>(actualTable))
-        return nullptr;
-    
-    return downcast<HTMLTableElement>(actualTable);
+    return ancestorsOfType<HTMLTableElement>(*(firstBody->element())).first();
 }
     
 bool AccessibilityTable::isDataTable() const
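Review bot: The new return statement, ancestorsOfType<HTMLTableElement>(*(firstBody->element())).first(), accepts any HTMLTableElement ancestor, whereas the removed lines accepted only the immediate parentElement() and returned nullptr when that was not a table. If a display:table-row-group section sits inside some other element that is itself inside an outer table, this can now return the outer table. If that is intended, update the comment above ("asking the firstSection for its parent") to say ancestor; otherwise keep the parent-only check. Separately, table.forceSectionsRecalc() is called unconditionally inside this const accessor once the fast path fails. A one-line comment saying it is there so firstBody() is not read from stale section data would help, given that the commit message describes the fix as speculative.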