AX: AXObjectCache should be initialized with topDocument
author dmazzoni@google.com <dmazzoni@google.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Thu, 24 Jan 2013 00:34:42 +0000 (00:34 +0000)
committer dmazzoni@google.com <dmazzoni@google.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Thu, 24 Jan 2013 00:34:42 +0000 (00:34 +0000)
commit 6a0e554323239b0965a83719a3db4b6df2a26e31
tree 1fa8bf8693da345c2443622cec5b26367e4a79e2
parent 5684abafdd752b20664f9c2f8b3b0d30f6118c11
AX: AXObjectCache should be initialized with topDocument
https://bugs.webkit.org/show_bug.cgi?id=107638

Reviewed by Chris Fleizach.

Initialize AXObjectCache with the top document, not the
document that axObjectCache happened to be called on, which
could be an iframe. Having an AXObjectCache with the wrong
document could cause a heap-use-after-free in
notificationPostTimerFired if the inner document was deleted
while notifications were pending.

* dom/Document.cpp:
(WebCore::Document::axObjectCache):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@140614 268f45cc-cd09-0410-ab3c-d52691b4dbfc
Source/WebCore/ChangeLog
Source/WebCore/dom/Document.cpp
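
The lifetime problem the commit message describes, as an added example that is not WebKit code and not part of this commit. It is a simplified model in which every type and function name is hypothetical, the cache is assumed to be stored on the top document, and a `weak_ptr` stands in for the raw document pointer so the dangling case can be observed safely.

```cpp
#include <memory>
#include <string>
#include <vector>

// Simplified model, not WebKit code; every name below is hypothetical.
struct Document;
struct AXCache {
    std::weak_ptr<Document> document;   // document the cache was initialized with
    std::vector<std::string> pending;   // notifications waiting for the timer
    explicit AXCache(std::weak_ptr<Document> d) : document(d) {}
    // Stand-in for the timer callback. Returns false when the document is gone,
    // the point where a raw pointer would be a heap-use-after-free.
    bool timerFired() {
        if (!document.lock()) return false;
        pending.clear();
        return true;
    }
};

struct Document : std::enable_shared_from_this<Document> {
    std::weak_ptr<Document> parent;     // empty for the top document
    std::shared_ptr<AXCache> cache;     // assumption: stored on the top document only
    std::shared_ptr<Document> top() {
        auto d = shared_from_this();
        while (auto p = d->parent.lock()) d = p;
        return d;
    }
    // Before the fix: the cache is initialized with whichever document asked first.
    std::shared_ptr<AXCache> cacheBoundToCaller() {
        auto t = top();
        if (!t->cache) t->cache = std::make_shared<AXCache>(shared_from_this());
        return t->cache;
    }
    // After the fix: the cache is always initialized with the top document.
    std::shared_ptr<AXCache> cacheBoundToTop() {
        auto t = top();
        if (!t->cache) t->cache = std::make_shared<AXCache>(t);
        return t->cache;
    }
};

// Request the cache from an iframe, queue a notification, delete the iframe,
// then fire the timer. Returns whether the cache's document was still alive.
bool timerSafeAfterIframeDeleted(bool fixed) {
    auto topDoc = std::make_shared<Document>();
    auto iframe = std::make_shared<Document>();
    iframe->parent = topDoc;
    auto cache = fixed ? iframe->cacheBoundToTop() : iframe->cacheBoundToCaller();
    cache->pending.push_back("constructed notification");
    iframe.reset();   // inner document deleted while notifications are pending
    return cache->timerFired();
}
```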