[webkit-changes] [117976] trunk

Tue, 22 May 2012 08:23:50 -0700

Title: [117976] trunk
Revision
117976
Author
dmazz...@google.com
Date
2012-05-22 08:24:33 -0700 (Tue, 22 May 2012)

Log Message

Chromium AX: Crash when menulist adds selected option via document.write
https://bugs.webkit.org/show_bug.cgi?id=87028

Reviewed by Chris Fleizach.

Source/WebCore:

Test: platform/chromium/accessibility/add-to-menu-list-crashes.html

* rendering/RenderMenuList.cpp:
(WebCore::RenderMenuList::addChild):

LayoutTests:

* platform/chromium/accessibility/add-to-menu-list-crashes-expected.txt: Added.
* platform/chromium/accessibility/add-to-menu-list-crashes.html: Added.

Modified Paths

Added Paths

Diff

Modified: trunk/LayoutTests/ChangeLog (117975 => 117976)


--- trunk/LayoutTests/ChangeLog	2012-05-22 15:21:49 UTC (rev 117975)
+++ trunk/LayoutTests/ChangeLog	2012-05-22 15:24:33 UTC (rev 117976)
@@ -1,3 +1,13 @@
+2012-05-22  Dominic Mazzoni  <dmazz...@google.com>
+
+        Chromium AX: Crash when menulist adds selected option via document.write
+        https://bugs.webkit.org/show_bug.cgi?id=87028
+
+        Reviewed by Chris Fleizach.
+
+        * platform/chromium/accessibility/add-to-menu-list-crashes-expected.txt: Added.
+        * platform/chromium/accessibility/add-to-menu-list-crashes.html: Added.
+
 2012-05-22  Nikolas Zimmermann  <nzimmerm...@rim.com>
 
         Crash in WebCore::SVGTextLayoutAttributesBuilder::fillCharacterDataMap

Added: trunk/LayoutTests/platform/chromium/accessibility/add-to-menu-list-crashes-expected.txt (0 => 117976)


--- trunk/LayoutTests/platform/chromium/accessibility/add-to-menu-list-crashes-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/platform/chromium/accessibility/add-to-menu-list-crashes-expected.txt	2012-05-22 15:24:33 UTC (rev 117976)
@@ -0,0 +1,9 @@
+This test makes sure that adding a selected option to a menu list via an unusual route (document.write from an external script) doesn't trigger a crash when didUpdateActiveOption is called before the children are updated.
+
+PASS accessiblePopup.childrenCount is 1
+PASS accessiblePopup.childrenCount is 2
+PASS accessiblePopup.childrenCount is 1
+PASS successfullyParsed is true
+
+TEST COMPLETE
+

Added: trunk/LayoutTests/platform/chromium/accessibility/add-to-menu-list-crashes.html (0 => 117976)


--- trunk/LayoutTests/platform/chromium/accessibility/add-to-menu-list-crashes.html	                        (rev 0)
+++ trunk/LayoutTests/platform/chromium/accessibility/add-to-menu-list-crashes.html	2012-05-22 15:24:33 UTC (rev 117976)
@@ -0,0 +1,41 @@
+<html>
+<head>
+<script src=""
+</head>
+<body>
+
+<script>
+    if (window.layoutTestController)
+        layoutTestController.dumpAsText();
+</script>
+
+<p id="description">This test makes sure that adding a selected option to a menu list via an unusual route (document.write from an external script) doesn't trigger a crash when didUpdateActiveOption is called before the children are updated.</p>
+<div id="console"></div>
+
+<select id="menulist">
+    <option>1</option>
+    <script>
+        window.menulist = document.getElementById("menulist");
+        menulist.focus();
+        if (window.layoutTestController && window.accessibilityController) {
+            window.accessibleMenulist = accessibilityController.focusedElement;
+            window.accessiblePopup = accessibleMenulist.childAtIndex(0);
+            shouldBe("accessiblePopup.childrenCount", "1");
+        }
+    </script>
+    <script src="" selected>2');"></script>
+    <script>
+        if (window.layoutTestController && window.accessibilityController)
+            shouldBe("accessiblePopup.childrenCount", "2");
+    </script>
+    <script>
+        menulist.removeChild(menulist.selectedOptions[0]);
+        if (window.layoutTestController && window.accessibilityController)
+            shouldBe("accessiblePopup.childrenCount", "1");
+    </script>
+</select>
+
+<script src=""
+
+</body>
+</html>

Modified: trunk/Source/WebCore/ChangeLog (117975 => 117976)


--- trunk/Source/WebCore/ChangeLog	2012-05-22 15:21:49 UTC (rev 117975)
+++ trunk/Source/WebCore/ChangeLog	2012-05-22 15:24:33 UTC (rev 117976)
@@ -1,3 +1,15 @@
+2012-05-22  Dominic Mazzoni  <dmazz...@google.com>
+
+        Chromium AX: Crash when menulist adds selected option via document.write
+        https://bugs.webkit.org/show_bug.cgi?id=87028
+
+        Reviewed by Chris Fleizach.
+
+        Test: platform/chromium/accessibility/add-to-menu-list-crashes.html
+
+        * rendering/RenderMenuList.cpp:
+        (WebCore::RenderMenuList::addChild):
+
 2012-05-22  Nikolas Zimmermann  <nzimmerm...@rim.com>
 
         Crash in WebCore::SVGTextLayoutAttributesBuilder::fillCharacterDataMap

Modified: trunk/Source/WebCore/rendering/RenderMenuList.cpp (117975 => 117976)


--- trunk/Source/WebCore/rendering/RenderMenuList.cpp	2012-05-22 15:21:49 UTC (rev 117975)
+++ trunk/Source/WebCore/rendering/RenderMenuList.cpp	2012-05-22 15:24:33 UTC (rev 117976)
@@ -119,6 +119,9 @@
     createInnerBlock();
     m_innerBlock->addChild(newChild, beforeChild);
     ASSERT(m_innerBlock == firstChild());
+
+    if (AXObjectCache::accessibilityEnabled())
+        document()->axObjectCache()->childrenChanged(this);
 }
 
 void RenderMenuList::removeChild(RenderObject* oldChild)

_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
http://lists.webkit.org/mailman/listinfo.cgi/webkit-changes

Reply via email to