AX: Hidden aria table crash
authorrgabor@webkit.org <rgabor@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Sun, 21 Dec 2014 23:56:55 +0000 (23:56 +0000)
committerrgabor@webkit.org <rgabor@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Sun, 21 Dec 2014 23:56:55 +0000 (23:56 +0000)
https://bugs.webkit.org/show_bug.cgi?id=139856

Reviewed by Chris Fleizach.

Source/WebCore:

Change axCaption to pointer and check it's value because
AXObjectCache::getOrCreate() can return with nullptr.

Test: accessibility/aria-hidden-crash.html

* accessibility/AccessibilityTable.cpp:
(WebCore::AccessibilityTable::addChildren):

LayoutTests:

Add layout test to cover this crash.

* accessibility/aria-hidden-crash-expected.txt: Added.
* accessibility/aria-hidden-crash.html: Added.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@177627 268f45cc-cd09-0410-ab3c-d52691b4dbfc

LayoutTests/ChangeLog
LayoutTests/accessibility/aria-hidden-crash-expected.txt [new file with mode: 0644]
LayoutTests/accessibility/aria-hidden-crash.html [new file with mode: 0644]
Source/WebCore/ChangeLog
Source/WebCore/accessibility/AccessibilityTable.cpp

index f2c164a..d337049 100644 (file)
@@ -1,3 +1,15 @@
+2014-12-21  Gabor Rapcsanyi  <rgabor@webkit.org>
+
+        AX: Hidden aria table crash
+        https://bugs.webkit.org/show_bug.cgi?id=139856
+
+        Reviewed by Chris Fleizach.
+
+        Add layout test to cover this crash.
+
+        * accessibility/aria-hidden-crash-expected.txt: Added.
+        * accessibility/aria-hidden-crash.html: Added.
+
 2014-12-21  Alexey Proskuryakov  <ap@apple.com>
 
         Update expectations for two WebGL tests to match what bots see.
diff --git a/LayoutTests/accessibility/aria-hidden-crash-expected.txt b/LayoutTests/accessibility/aria-hidden-crash-expected.txt
new file mode 100644 (file)
index 0000000..1dfed53
--- /dev/null
@@ -0,0 +1,5 @@
+Bug 139856: Hidden aria table crash.
+
+This test PASSES if it does not CRASH.
+
+
diff --git a/LayoutTests/accessibility/aria-hidden-crash.html b/LayoutTests/accessibility/aria-hidden-crash.html
new file mode 100644 (file)
index 0000000..d7a858e
--- /dev/null
@@ -0,0 +1,27 @@
+<html>
+    <head>
+        <script>
+            function test()
+            {
+                if (window.testRunner)
+                    testRunner.dumpAsText();
+            }
+        </script>
+    </head>
+    <body onload="test()">
+        <p>Bug <a href="https://bugs.webkit.org/show_bug.cgi?id=139856">139856</a>: Hidden aria table crash.</p>
+        <p>This test PASSES if it does not CRASH.</p>
+
+        <ul aria-hidden="true">
+            <table>
+                <theader>
+                    <td>
+                        <span aria-live="assertive"></span>
+                    </td>
+                </theader>
+                <caption></caption>
+            </table>
+        </ul>
+        <svg onerror="logPass()"></svg>
+    </body>
+</html>
index 5da0da9..67b8ee0 100644 (file)
@@ -1,3 +1,18 @@
+2014-12-21  Gabor Rapcsanyi  <rgabor@webkit.org>
+
+        AX: Hidden aria table crash
+        https://bugs.webkit.org/show_bug.cgi?id=139856
+
+        Reviewed by Chris Fleizach.
+
+        Change axCaption to pointer and check it's value because
+        AXObjectCache::getOrCreate() can return with nullptr.
+
+        Test: accessibility/aria-hidden-crash.html
+
+        * accessibility/AccessibilityTable.cpp:
+        (WebCore::AccessibilityTable::addChildren):
+
 2014-12-20  Chris Dumez  <cdumez@apple.com>
 
         Get rid of error-prone ReleaseParsedCalcValueCondition argument in CSSParser
index 912f649..696d076 100644 (file)
@@ -364,9 +364,9 @@ void AccessibilityTable::addChildren()
     
     if (HTMLTableElement* tableElement = this->tableElement()) {
         if (HTMLTableCaptionElement* caption = tableElement->caption()) {
-            AccessibilityObject& axCaption = *axObjectCache()->getOrCreate(caption);
-            if (!axCaption.accessibilityIsIgnored())
-                m_children.append(&axCaption);
+            AccessibilityObject* axCaption = axObjectCache()->getOrCreate(caption);
+            if (axCaption && !axCaption->accessibilityIsIgnored())
+                m_children.append(axCaption);
         }
     }