Check for null renderer in canBeScrolledIntoView
author don.olmstead@sony.com <don.olmstead@sony.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Wed, 29 Aug 2018 05:05:23 +0000 (05:05 +0000)
committer don.olmstead@sony.com <don.olmstead@sony.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Wed, 29 Aug 2018 05:05:23 +0000 (05:05 +0000)
https://bugs.webkit.org/show_bug.cgi?id=188935

Reviewed by Simon Fraser.

Source/WebCore:

Test: fast/spatial-navigation/snav-display-contents-crash.html

* page/SpatialNavigation.cpp:
(WebCore::canBeScrolledIntoView):

LayoutTests:

* fast/spatial-navigation/snav-display-contents-crash-expected.txt: Added.
* fast/spatial-navigation/snav-display-contents-crash.html: Added.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@235457 268f45cc-cd09-0410-ab3c-d52691b4dbfc

LayoutTests/ChangeLog
LayoutTests/fast/spatial-navigation/snav-display-contents-crash-expected.txt [new file with mode: 0644]
LayoutTests/fast/spatial-navigation/snav-display-contents-crash.html [new file with mode: 0644]
Source/WebCore/ChangeLog
Source/WebCore/page/SpatialNavigation.cpp

index 3b18891..f1b697d 100644 (file)
@@ -1,3 +1,13 @@
+2018-08-28  Don Olmstead  <don.olmstead@sony.com>
+
+        Check for null renderer in canBeScrolledIntoView
+        https://bugs.webkit.org/show_bug.cgi?id=188935
+
+        Reviewed by Simon Fraser.
+
+        * fast/spatial-navigation/snav-display-contents-crash-expected.txt: Added.
+        * fast/spatial-navigation/snav-display-contents-crash.html: Added.
+
 2018-08-28  Youenn Fablet  <youenn@apple.com>
 
         WebKitMediaSession should be GC collectable when its document is being stopped
diff --git a/LayoutTests/fast/spatial-navigation/snav-display-contents-crash-expected.txt b/LayoutTests/fast/spatial-navigation/snav-display-contents-crash-expected.txt
new file mode 100644 (file)
index 0000000..88e5335
--- /dev/null
@@ -0,0 +1 @@
+Shouldn't crash.
diff --git a/LayoutTests/fast/spatial-navigation/snav-display-contents-crash.html b/LayoutTests/fast/spatial-navigation/snav-display-contents-crash.html
new file mode 100644 (file)
index 0000000..6875710
--- /dev/null
@@ -0,0 +1,16 @@
+<div style="display: contents"><a href="#"></a></div>
+Shouldn't crash.
+<script>
+if (window.testRunner) {
+    testRunner.dumpAsText();
+    testRunner.overridePreference("WebKitTabToLinksPreferenceKey", 1);
+    testRunner.setSpatialNavigationEnabled(true);
+}
+function runTest() {
+    if (window.eventSender) {
+        eventSender.keyDown("rightArrow");
+    }
+}
+
+window.onload = runTest;
+</script>
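Review bot: the test can only fail by crashing, not by regressing silently: `runTest` is a no-op without `window.eventSender`, and nothing records whether the arrow key actually moved focus to the link, so a future change that stops producing the focus candidate (and thus never reaches `canBeScrolledIntoView`) would still "pass". Consider appending the result of a focus check after the `keyDown`, for example whether `document.activeElement` is the `<a>`, so the expected output contains a PASS line rather than only the static "Shouldn't crash." text.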
index 7986968..2ca79aa 100644 (file)
@@ -1,3 +1,15 @@
+2018-08-28  Don Olmstead  <don.olmstead@sony.com>
+
+        Check for null renderer in canBeScrolledIntoView
+        https://bugs.webkit.org/show_bug.cgi?id=188935
+
+        Reviewed by Simon Fraser.
+
+        Test: fast/spatial-navigation/snav-display-contents-crash.html
+
+        * page/SpatialNavigation.cpp:
+        (WebCore::canBeScrolledIntoView):
+
 2018-08-28  Youenn Fablet  <youenn@apple.com>
 
         IDBDatabase should not return true to hasPendingActivity after being stopped
index 763aea5..2beedd9 100644 (file)
@@ -705,6 +705,8 @@ bool canBeScrolledIntoView(FocusDirection direction, const FocusCandidate& candi
     ASSERT(candidate.visibleNode && candidate.isOffscreen);
     LayoutRect candidateRect = candidate.rect;
     for (Node* parentNode = candidate.visibleNode->parentNode(); parentNode; parentNode = parentNode->parentNode()) {
+        if (!parentNode->renderer())
+            continue;
         LayoutRect parentRect = nodeRectInAbsoluteCoordinates(parentNode);
         if (!candidateRect.intersects(parentRect)) {
             if (((direction == FocusDirectionLeft || direction == FocusDirectionRight) && parentNode->renderer()->style().overflowX() == Overflow::Hidden)
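Review bot: the `continue` is placed ahead of both `nodeRectInAbsoluteCoordinates(parentNode)` and the `parentNode->renderer()->style()` dereference in the overflow check, so both uses are guarded; a short comment naming the case (an ancestor such as a `display: contents` element has no renderer and so no box that could clip or scroll the candidate, which is why skipping it is the right behaviour) would make the intent clear to the next reader, since a bare null check reads as a defensive guard rather than a deliberate policy.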