AX: Crash in setTextMarkerDataWithCharacterOffset
authorn_wang@apple.com <n_wang@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Fri, 22 Jan 2016 20:53:31 +0000 (20:53 +0000)
committern_wang@apple.com <n_wang@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Fri, 22 Jan 2016 20:53:31 +0000 (20:53 +0000)
https://bugs.webkit.org/show_bug.cgi?id=153365
<rdar://problem/24287924>

Reviewed by Chris Fleizach.

Source/WebCore:

Sometimes when we try to create a text marker range from a stale text marker with a removed
node, it will cause crash. Fixed it by adding a null check for the AccessibilityObject we
create in setTextMarkerDataWithCharacterOffset.

Test: accessibility/text-marker/text-marker-range-with-removed-node-crash.html

* accessibility/AXObjectCache.cpp:
(WebCore::AXObjectCache::setTextMarkerDataWithCharacterOffset):

LayoutTests:

* accessibility/text-marker/text-marker-range-with-removed-node-crash-expected.txt: Added.
* accessibility/text-marker/text-marker-range-with-removed-node-crash.html: Added.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@195468 268f45cc-cd09-0410-ab3c-d52691b4dbfc

LayoutTests/ChangeLog
LayoutTests/accessibility/text-marker/text-marker-range-with-removed-node-crash-expected.txt [new file with mode: 0644]
LayoutTests/accessibility/text-marker/text-marker-range-with-removed-node-crash.html [new file with mode: 0644]
Source/WebCore/ChangeLog
Source/WebCore/accessibility/AXObjectCache.cpp

index 346fd85..57efd00 100644 (file)
@@ -1,3 +1,14 @@
+2016-01-22  Nan Wang  <n_wang@apple.com>
+
+        AX: Crash in setTextMarkerDataWithCharacterOffset
+        https://bugs.webkit.org/show_bug.cgi?id=153365
+        <rdar://problem/24287924>
+
+        Reviewed by Chris Fleizach.
+
+        * accessibility/text-marker/text-marker-range-with-removed-node-crash-expected.txt: Added.
+        * accessibility/text-marker/text-marker-range-with-removed-node-crash.html: Added.
+
 2016-01-22  Brady Eidson  <beidson@apple.com>
 
         Modern IDB: Add transactions and create/delete object store to SQLite backend
diff --git a/LayoutTests/accessibility/text-marker/text-marker-range-with-removed-node-crash-expected.txt b/LayoutTests/accessibility/text-marker/text-marker-range-with-removed-node-crash-expected.txt
new file mode 100644 (file)
index 0000000..c233fdc
--- /dev/null
@@ -0,0 +1,10 @@
+This tests that when we create a text marker range from a marker with removed text node, it won't crash.
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+text to be removed
+PASS successfullyParsed is true
+
+TEST COMPLETE
+
diff --git a/LayoutTests/accessibility/text-marker/text-marker-range-with-removed-node-crash.html b/LayoutTests/accessibility/text-marker/text-marker-range-with-removed-node-crash.html
new file mode 100644 (file)
index 0000000..3c3cc73
--- /dev/null
@@ -0,0 +1,37 @@
+<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML//EN">
+<html>
+<head>
+<script src="../../resources/js-test-pre.js"></script>
+</head>
+
+<body id="body">
+
+<div id="toBeRemoved">text to be removed</div>
+
+<p id="description"></p>
+<div id="console"></div>
+
+<script>
+
+    description("This tests that when we create a text marker range from a marker with removed text node, it won't crash.");
+
+    if (window.accessibilityController) {
+
+          var textElement = accessibilityController.accessibleElementById("toBeRemoved");
+          var textMarkerRange = textElement.textMarkerRangeForElement(textElement);
+          debug(textElement.stringForTextMarkerRange(textMarkerRange));
+          
+          var startMarker = textElement.startTextMarkerForTextMarkerRange(textMarkerRange);
+          var endMarker = textElement.endTextMarkerForTextMarkerRange(textMarkerRange);
+          
+          // Remove the text node and recreate a text marker range, make sure it won't crash.
+          var text = document.getElementById("toBeRemoved");
+          text.removeChild(text.firstChild);
+          textMarkerRange = textElement.textMarkerRangeForMarkers(startMarker, endMarker);
+    }
+
+</script>
+
+<script src="../../resources/js-test-post.js"></script>
+</body>
+</html>
\ No newline at end of file
index 95486c2..d11cb62 100644 (file)
@@ -1,3 +1,20 @@
+2016-01-22  Nan Wang  <n_wang@apple.com>
+
+        AX: Crash in setTextMarkerDataWithCharacterOffset
+        https://bugs.webkit.org/show_bug.cgi?id=153365
+        <rdar://problem/24287924>
+
+        Reviewed by Chris Fleizach.
+
+        Sometimes when we try to create a text marker range from a stale text marker with a removed
+        node, it will cause crash. Fixed it by adding a null check for the AccessibilityObject we
+        create in setTextMarkerDataWithCharacterOffset.
+
+        Test: accessibility/text-marker/text-marker-range-with-removed-node-crash.html
+
+        * accessibility/AXObjectCache.cpp:
+        (WebCore::AXObjectCache::setTextMarkerDataWithCharacterOffset):
+
 2016-01-22  Brady Eidson  <beidson@apple.com>
 
         Modern IDB: Add transactions and create/delete object store to SQLite backend
index 8cedd43..342a617 100644 (file)
@@ -1616,6 +1616,8 @@ void AXObjectCache::setTextMarkerDataWithCharacterOffset(TextMarkerData& textMar
     }
     
     RefPtr<AccessibilityObject> obj = this->getOrCreate(domNode);
+    if (!obj)
+        return;
     
     // Convert to visible position.
     VisiblePosition visiblePosition = visiblePositionFromCharacterOffset(obj.get(), characterOffset);