Crash under WebCore::AXObjectCache::handleMenuItemSelected
author n_wang@apple.com <n_wang@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Sat, 30 Jun 2018 05:40:44 +0000 (05:40 +0000)
committer n_wang@apple.com <n_wang@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Sat, 30 Jun 2018 05:40:44 +0000 (05:40 +0000)
commit 5dbd436467dcd38248fdd4b8289a0cdeb5dd14a9
tree 252dd3128f92ab14a33ac03f3a37a39e39c80264
parent 2c2663585a8b691787381dfa230fdd92eac7d6d9
Crash under WebCore::AXObjectCache::handleMenuItemSelected
https://bugs.webkit.org/show_bug.cgi?id=186918
<rdar://problem/41365984>

Reviewed by Chris Fleizach.

Source/WebCore:

When a node is being destroyed, we deregister it from the AX cache through the Node's destructor.
But we did not remove the corresponding entry from the m_deferredFocusedNodeChange list. It would
then lead to a crash if we try to access the deleted node from m_deferredFocusedNodeChange.
Fixed it by removing the entry if the newly focused node is being destroyed.

Test: accessibility/accessibility-crash-focused-element-change.html

* accessibility/AXObjectCache.cpp:
(WebCore::AXObjectCache::remove):

LayoutTests:

* accessibility/accessibility-crash-focused-element-change-expected.txt: Added.
* accessibility/accessibility-crash-focused-element-change.html: Added.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@233390 268f45cc-cd09-0410-ab3c-d52691b4dbfc
LayoutTests/ChangeLog
LayoutTests/accessibility/accessibility-crash-focused-element-change-expected.txt [new file with mode: 0644]
LayoutTests/accessibility/accessibility-crash-focused-element-change.html [new file with mode: 0644]
Source/WebCore/ChangeLog
Source/WebCore/accessibility/AXObjectCache.cpp
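
Added example, not WebKit's code and not taken from this patch: a small C++ model of the pattern the commit message describes, where a deferred focus-change queue keeps a raw pointer to a node that has already been removed from the cache. FocusCache, Node, Entry and staleAfterTeardown are hypothetical names; teardown is modelled by the remove() call while the objects stay alive, so no freed memory is touched.

```cpp
#include <algorithm>
#include <unordered_set>
#include <utility>
#include <vector>

struct Node { int id; };  // hypothetical stand-in for a DOM node

class FocusCache {  // hypothetical model, not AXObjectCache itself
    using Entry = std::pair<Node*, Node*>;  // (old focus, new focus)
public:
    void add(Node* n) { m_live.insert(n); }

    // Focus changes are queued for later processing, so the queue holds raw
    // pointers that can outlive the nodes they name.
    void deferFocusChange(Node* oldNode, Node* newNode) {
        m_deferred.emplace_back(oldNode, newNode);
    }

    // Teardown path. pruneDeferred == false models the state before the fix:
    // the node leaves the cache but its queued entry stays behind.
    void remove(Node* n, bool pruneDeferred) {
        m_live.erase(n);
        if (!pruneDeferred)
            return;
        m_deferred.erase(std::remove_if(m_deferred.begin(), m_deferred.end(),
            [n](const Entry& e) { return e.second == n; }),
            m_deferred.end());
    }

    // Queued entries whose newly focused node is no longer registered.
    // Pointer values are only compared, never dereferenced.
    int staleDeferredEntries() const {
        return static_cast<int>(std::count_if(m_deferred.begin(), m_deferred.end(),
            [this](const Entry& e) { return m_live.count(e.second) == 0; }));
    }

private:
    std::unordered_set<Node*> m_live;
    std::vector<Entry> m_deferred;
};

// Constructed scenario: b gains focus, then is torn down before the queue runs.
int staleAfterTeardown(bool pruneDeferred) {
    Node a{1}, b{2}, c{3};
    FocusCache cache;
    cache.add(&a); cache.add(&b); cache.add(&c);
    cache.deferFocusChange(&a, &b);  // b is the newly focused node
    cache.deferFocusChange(&b, &c);  // b is only the old node here
    cache.remove(&b, pruneDeferred);
    return cache.staleDeferredEntries();
}
int main() { return staleAfterTeardown(true); }  // exits 0 when nothing is stale
```

Without pruning, one queued entry still names the removed node as its focus target, which is the entry a later queue pass would dereference; with pruning, none remain.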