Changeset 202647 in webkit

Timestamp:

Jun 29, 2016 2:23:29 PM (8 years ago)

Author:

n_wang@apple.com

Message:

AX: Crash in WebCore::Document::focusNavigationStartingNode(WebCore::FocusDirection) const + 128
​https://bugs.webkit.org/show_bug.cgi?id=159240

Reviewed by Ryosuke Niwa.

Source/WebCore:

This crash is caused by passing an empty node to ElementTraversal::previous(Node&). When the
focusNavigationStartingNode has been removed and it has no next sibling, we should fallback
to itself for calculating the next focused element.

Test: fast/events/remove-focus-navigation-starting-point-crash.html

• dom/Document.cpp:

(WebCore::Document::focusNavigationStartingNode):

LayoutTests:

• fast/events/remove-focus-navigation-starting-point-crash-expected.txt: Added.
• fast/events/remove-focus-navigation-starting-point-crash.html: Added.
• platform/ios-simulator/TestExpectations:

Location:

trunk

Files:

• LayoutTests/ChangeLog (modified) (1 diff)
• LayoutTests/fast/events/remove-focus-navigation-starting-point-crash-expected.txt (added)
• LayoutTests/fast/events/remove-focus-navigation-starting-point-crash.html (added)
• LayoutTests/platform/ios-simulator/TestExpectations (modified) (1 diff)
• Source/WebCore/ChangeLog (modified) (1 diff)
• Source/WebCore/dom/Document.cpp (modified) (1 diff)

trunk/LayoutTests/ChangeLog

@@ +1 @@
+2016-06-29  Nan Wang  <n_wang@apple.com>
+
+        AX: Crash in WebCore::Document::focusNavigationStartingNode(WebCore::FocusDirection) const + 128
+        https://bugs.webkit.org/show_bug.cgi?id=159240
+
+        Reviewed by Ryosuke Niwa.
+
+        * fast/events/remove-focus-navigation-starting-point-crash-expected.txt: Added.
+        * fast/events/remove-focus-navigation-starting-point-crash.html: Added.
+        * platform/ios-simulator/TestExpectations:
+
 2016-06-29  Ryan Haddad  <ryanhaddad@apple.com>
 

trunk/LayoutTests/platform/ios-simulator/TestExpectations

@@ -276 +276 @@
 fast/shadow-dom/negative-tabindex-on-shadow-host.html [ Failure ]
 webkit.org/b/116046 fast/events/sequential-focus-navigation-starting-point.html [ Skip ]
+webkit.org/b/159240 fast/events/remove-focus-navigation-starting-point-crash.html [ Skip ]
 
 webkit.org/b/150225 fast/custom-elements [ Pass ]

trunk/Source/WebCore/ChangeLog

@@ +1 @@
+2016-06-29  Nan Wang  <n_wang@apple.com>
+
+        AX: Crash in WebCore::Document::focusNavigationStartingNode(WebCore::FocusDirection) const + 128
+        https://bugs.webkit.org/show_bug.cgi?id=159240
+
+        Reviewed by Ryosuke Niwa.
+
+        This crash is caused by passing an empty node to ElementTraversal::previous(Node&). When the
+        focusNavigationStartingNode has been removed and it has no next sibling, we should fallback
+        to itself for calculating the next focused element.
+
+        Test: fast/events/remove-focus-navigation-starting-point-crash.html
+
+        * dom/Document.cpp:
+        (WebCore::Document::focusNavigationStartingNode):
+
 2016-06-29  Ryan Haddad  <ryanhaddad@apple.com>
 

trunk/Source/WebCore/dom/Document.cpp

@@ -3941 +3941 @@
     if (m_focusNavigationStartingNodeIsRemoved) {
         Node* nextNode = NodeTraversal::next(*node);
+        if (!nextNode)
+            nextNode = node;
         if (direction == FocusDirectionForward)
             return ElementTraversal::previous(*nextNode);