AX: crash: com.apple.WebCore: WebCore::AccessibilityObject::findMatchingObjects ...
author: n_wang@apple.com <n_wang@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Wed, 19 Oct 2016 20:33:23 +0000 (20:33 +0000)
committer: n_wang@apple.com <n_wang@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Wed, 19 Oct 2016 20:33:23 +0000 (20:33 +0000)
https://bugs.webkit.org/show_bug.cgi?id=163682

Reviewed by Chris Fleizach.

Source/WebCore:

There's a null pointer crash when we ask for startObject->parentObjectUnignored() in
AccessibilityObject::findMatchingObject. Added a null check for the startObject to fix that.

Test: accessibility/mac/search-predicate-crash.html

* accessibility/AccessibilityObject.cpp:
(WebCore::AccessibilityObject::findMatchingObjects):

LayoutTests:

* accessibility/mac/search-predicate-crash-expected.txt: Added.
* accessibility/mac/search-predicate-crash.html: Added.

git-svn-id: http://svn.webkit.org/repository/webkit/trunk@207564 268f45cc-cd09-0410-ab3c-d52691b4dbfc

LayoutTests/ChangeLog
LayoutTests/accessibility/mac/search-predicate-crash-expected.txt [new file with mode: 0644]
LayoutTests/accessibility/mac/search-predicate-crash.html [new file with mode: 0644]
Source/WebCore/ChangeLog
Source/WebCore/accessibility/AccessibilityObject.cpp

index 89b35d0..73a9f8a 100644 (file)
@@ -1,3 +1,13 @@
+2016-10-19  Nan Wang  <n_wang@apple.com>
+
+        AX: crash: com.apple.WebCore: WebCore::AccessibilityObject::findMatchingObjects + 600
+        https://bugs.webkit.org/show_bug.cgi?id=163682
+
+        Reviewed by Chris Fleizach.
+
+        * accessibility/mac/search-predicate-crash-expected.txt: Added.
+        * accessibility/mac/search-predicate-crash.html: Added.
+
 2016-10-19  Myles C. Maxfield  <mmaxfield@apple.com>
 
         [macOS] [iOS] Disable variation fonts on macOS El Capitan and iOS 9
diff --git a/LayoutTests/accessibility/mac/search-predicate-crash-expected.txt b/LayoutTests/accessibility/mac/search-predicate-crash-expected.txt
new file mode 100644 (file)
index 0000000..8198d0f
--- /dev/null
@@ -0,0 +1,10 @@
+
+This tests that we don't crash in search predicate function if startObject has null parent.
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+PASS successfullyParsed is true
+
+TEST COMPLETE
+
diff --git a/LayoutTests/accessibility/mac/search-predicate-crash.html b/LayoutTests/accessibility/mac/search-predicate-crash.html
new file mode 100644 (file)
index 0000000..04a9d9a
--- /dev/null
@@ -0,0 +1,30 @@
+<!DOCTYPE html>
+<html>
+<head>
+<script src="../../resources/js-test-pre.js"></script>
+</head>
+<body>
+
+<div id="container">
+<input type="submit" value="Submit">
+</div>
+
+<p id="description"></p>
+<div id="console"></div>
+
+<script>
+    description("This tests that we don't crash in search predicate function if startObject has null parent.");
+    
+    if (window.accessibilityController) {
+        document.getElementById("container").focus();
+        var containerElement = accessibilityController.focusedElement;
+        var startElement = accessibilityController.rootElement;
+        
+        // Make sure we don't crash
+        var linkCount = containerElement.uiElementCountForSearchPredicate(startElement, false, "AXLinkSearchKey", "", false);
+    }
+</script>
+
+<script src="../../resources/js-test-post.js"></script>
+</body>
+</html>
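Review bot: the `container` div has no `tabindex`, so `document.getElementById("container").focus()` is a no-op and `accessibilityController.focusedElement` will not be the container; if the crash reproduces with whatever element is focused by default, say so in the comment, otherwise add `tabindex="0"` to the div so the setup matches what the test description claims. The value stored in `linkCount` is also never checked; a `shouldBeTrue("linkCount >= 0")` from js-test-pre.js would give the test an explicit assertion beyond `successfullyParsed` (the expected file would need the extra PASS line).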
index 19fa7f8..a26c56f 100644 (file)
@@ -1,3 +1,18 @@
+2016-10-19  Nan Wang  <n_wang@apple.com>
+
+        AX: crash: com.apple.WebCore: WebCore::AccessibilityObject::findMatchingObjects + 600
+        https://bugs.webkit.org/show_bug.cgi?id=163682
+
+        Reviewed by Chris Fleizach.
+
+        There's a null pointer crash when we ask for startObject->parentObjectUnignored() in
+        AccessibilityObject::findMatchingObject. Added a null check for the startObject to fix that.
+
+        Test: accessibility/mac/search-predicate-crash.html
+
+        * accessibility/AccessibilityObject.cpp:
+        (WebCore::AccessibilityObject::findMatchingObjects):
+
 2016-10-19  David Kilzer  <ddkilzer@apple.com>
 
         Bug 163670: Refine assertions in WebCore::ImageData constructors
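Review bot: the description names `AccessibilityObject::findMatchingObject` while the function touched, and listed two lines later, is `findMatchingObjects`; fix the name so the entry is searchable. It would also help to state why `startObject` can become null, namely that walking `parentObjectUnignored()` from a start object outside this object's subtree reaches the top of the tree before it reaches `stopSearchElement`, as the loop in AccessibilityObject.cpp shows.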
index 40f404e..6463493 100644 (file)
@@ -603,7 +603,7 @@ void AccessibilityObject::findMatchingObjects(AccessibilitySearchCriteria* crite
     }
     
     // The outer loop steps up the parent chain each time (unignored is important here because otherwise elements would be searched twice)
-    for (AccessibilityObject* stopSearchElement = parentObjectUnignored(); startObject != stopSearchElement; startObject = startObject->parentObjectUnignored()) {
+    for (AccessibilityObject* stopSearchElement = parentObjectUnignored(); startObject && startObject != stopSearchElement; startObject = startObject->parentObjectUnignored()) {
 
         // Only append the children after/before the previous element, so that the search does not check elements that are 
         // already behind/ahead of start element.
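Review bot: the added `startObject &&` guard stops the walk when the parent chain ends before reaching `stopSearchElement`, which fixes the null dereference in the loop increment, but it also silently turns a start object outside this object's subtree into an empty search. A short comment on the `for` line saying that the chain may terminate at null for such a start object, and that the search then yields nothing, would make that intent explicit for the next reader. When `stopSearchElement` is itself null (this object is the root), the old condition was already a null check, so behaviour there is unchanged.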