Bug 82745

Summary: AX: Crash at WebCore::renderObjectContainsPosition(WebCore::RenderObject*, WebCore::Position const&)
Product: WebKit Reporter: chris fleizach <cfleizach>
Component: AccessibilityAssignee: chris fleizach <cfleizach>
Status: RESOLVED FIXED    
Severity: Normal CC: bdakin
Priority: P2 Keywords: InRadar
Version: 528+ (Nightly build)   
Hardware: Unspecified   
OS: Unspecified   
Attachments:
Description Flags
patch simon.fraser: review+

chris fleizach
Reported 2012-03-30 10:42:32 PDT
It looks like if AXRangeForPoint is given a point that results in a hit-test on a node that does not have a renderer, then we pass in a bad node to renderObjectContainsPosition, which leads to a crash
Attachments
patch (12.79 KB, patch)
2012-03-30 10:55 PDT, chris fleizach 		simon.fraser: review+
DetailsFormatted DiffDiff
View All Add attachment proposed patch, testcase, etc.
chris fleizach
Comment 1 2012-03-30 10:42:47 PDT
rdar://11042320
chris fleizach
Comment 2 2012-03-30 10:55:50 PDT
Created attachment 134839 [details] patch
Simon Fraser (smfr)
Comment 3 2012-03-30 11:01:35 PDT
Comment on attachment 134839 [details] patch View in context: https://bugs.webkit.org/attachment.cgi?id=134839&action=review > Tools/WebKitTestRunner/InjectedBundle/mac/AccessibilityUIElementMac.mm:860 > + if ([value isKindOfClass:[NSValue class]]) { > + return [NSStringFromRange([value rangeValue]) createJSStringRef]; > + } No need for braces here. > Tools/DumpRenderTree/mac/AccessibilityUIElementMac.mm:852 > + if ([value isKindOfClass:[NSValue class]]) { > + return [NSStringFromRange([value rangeValue]) createJSStringRef]; > + } No need for braces here.
chris fleizach
Comment 4 2012-03-30 11:07:49 PDT
http://trac.webkit.org/changeset/112694
Note You need to log in before you can comment on or make changes to this bug.