Skip to content
Find file Blame History Permalink
  • cfleizach@apple.com's avatar
    Removing an element from an anonymous block causes crash · 0eed8a42
    cfleizach@apple.com authored 
    https://bugs.webkit.org/show_bug.cgi?id=42309

Reviewed by Dave Hyatt.

WebCore: 

There was a case where a continuation was added as a child, but if you asked
that child who is your parent, it would return the wrong answer.
   
The specific scenario was when a sibling of an element who was the start of a 
continuation was present. Retrieving the parent object had then follow the sibling
chain and then follow the originating continuation chain.

Test: accessibility/removed-anonymous-block-child-causes-crash.html

* accessibility/AccessibilityRenderObject.cpp:
(WebCore::AccessibilityRenderObject::nextSibling):
    Fix erroneous comment
(WebCore::nextContinuation):
(WebCore::AccessibilityRenderObject::renderParentObject):
    Handle unhandled continuation case.
(WebCore::AccessibilityRenderObject::addChildren):
    ASSERT that the parentObject() is the same when adding a new child.

LayoutTests: 

* accessibility/removed-anonymous-block-child-causes-crash-expected.txt: Added.
* accessibility/removed-anonymous-block-child-causes-crash.html: Added.



git-svn-id: http://svn.webkit.org/repository/webkit/trunk@65095 268f45cc-cd09-0410-ab3c-d52691b4dbfc
    0eed8a42