AX: Crash in handleMenuOpen
author: cfleizach@apple.com <cfleizach@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Thu, 14 Feb 2019 03:27:13 +0000 (03:27 +0000)
committer: cfleizach@apple.com <cfleizach@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Thu, 14 Feb 2019 03:27:13 +0000 (03:27 +0000)
https://bugs.webkit.org/show_bug.cgi?id=194627

Reviewed by Zalan Bujtas.

Tests run under libGuardMalloc will cause crashes.

This list of objects is a Node list, not an Element list, so we were
not removing some nodes when they were being deallocated.

* accessibility/AXObjectCache.cpp:
(WebCore::AXObjectCache::remove):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@241494 268f45cc-cd09-0410-ab3c-d52691b4dbfc

Source/WebCore/ChangeLog
Source/WebCore/accessibility/AXObjectCache.cpp
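The failure mode the commit message describes, as an added example that is not WebKit's code: a deferred-work list keyed by Node* is only cleared inside an Element-only branch of remove(), so a non-Element node (a Text node here) stays in the list after it is freed, and whatever later drains the list reads freed memory. The Node, Element and Text structs, the DeferredLists stand-in for the AXObjectCache members, and the removeBuggy/removeFixed functions are all invented for this illustration; only their names mirror the hunk.

```cpp
#include <cstdio>
#include <memory>
#include <unordered_set>

// Constructed stand-ins for WebCore's Node / Element hierarchy (not WebKit code).
struct Node {
    virtual ~Node() = default;
    virtual bool isElement() const { return false; }
};
struct Element : Node {
    bool isElement() const override { return true; }
};
struct Text : Node {};   // a non-Element node; the kind the Element-only branch skips

// Stand-in for the AXObjectCache members in the hunk: one list keyed by Element*,
// one keyed by Node*. The member names mirror the hunk; the type is invented here.
struct DeferredLists {
    std::unordered_set<Element*> deferredAttributeChange;    // Element-keyed
    std::unordered_set<Node*> deferredChildrenChangedNodes;  // Node-keyed
};

// Before the patch: the Node-keyed list is only cleaned inside the Element branch.
void removeBuggy(DeferredLists& lists, Node& node)
{
    if (node.isElement()) {
        lists.deferredAttributeChange.erase(static_cast<Element*>(&node));
        lists.deferredChildrenChangedNodes.erase(&node);
    }
}

// After the patch: the Node-keyed list is cleaned for every node type.
void removeFixed(DeferredLists& lists, Node& node)
{
    if (node.isElement())
        lists.deferredAttributeChange.erase(static_cast<Element*>(&node));
    lists.deferredChildrenChangedNodes.erase(&node);
}

// Queues a node of the given type for deferred children-changed work, then runs the
// cache's remove() for it, as node teardown would. Returns true if the list still
// holds the node afterwards: that entry becomes a dangling pointer the moment the
// node is freed, and the deferred handler (handleMenuOpen in the bug report) later
// touches freed memory, which GuardMalloc turns into an immediate crash.
template <typename NodeType, typename RemoveFn>
bool entrySurvivesRemove(RemoveFn remove)
{
    DeferredLists lists;
    auto node = std::make_unique<NodeType>();
    lists.deferredChildrenChangedNodes.insert(node.get());
    remove(lists, *node);
    bool stale = lists.deferredChildrenChangedNodes.count(node.get()) != 0;
    node.reset();  // node deallocated; any surviving entry now dangles
    return stale;
}

bool buggyRemoveLeavesStaleTextNode() { return entrySurvivesRemove<Text>(removeBuggy); }
bool fixedRemoveLeavesStaleTextNode() { return entrySurvivesRemove<Text>(removeFixed); }
bool buggyRemoveLeavesStaleElement()  { return entrySurvivesRemove<Element>(removeBuggy); }
bool fixedRemoveLeavesStaleElement()  { return entrySurvivesRemove<Element>(removeFixed); }

int main()
{
    std::printf("buggy remove leaves stale Text entry: %s\n",
                buggyRemoveLeavesStaleTextNode() ? "yes" : "no");
    std::printf("fixed remove leaves stale Text entry: %s\n",
                fixedRemoveLeavesStaleTextNode() ? "yes" : "no");
    return 0;
}
```

The Element cases pass in both versions, which is why ordinary test runs with element-only DOM changes do not reveal the bug; it takes a non-Element node queued on the Node-keyed list plus an allocator (GuardMalloc) that makes the stale read fault immediately.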

index 2e00275..5146660 100644 (file)
@@ -1,3 +1,18 @@
+2019-02-13  Chris Fleizach  <cfleizach@apple.com>
+
+        AX: Crash in handleMenuOpen
+        https://bugs.webkit.org/show_bug.cgi?id=194627
+
+        Reviewed by Zalan Bujtas.
+
+        Tests run under libGuardMalloc will cause crashes.
+
+        This list of objects is a Node list, not an Element list, so we were
+        not removing some nodes when they were being deallocated.
+
+        * accessibility/AXObjectCache.cpp:
+        (WebCore::AXObjectCache::remove):
+
 2019-02-13  Jer Noble  <jer.noble@apple.com>
 
         [Mac] PiP window can get "stuck" if PiP is closed while Safari window is minimized.
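Review bot: The new ChangeLog entry carries no test line even though the description is "Tests run under libGuardMalloc will cause crashes"; WebKit ChangeLog entries normally name the LayoutTest added or state why none is needed. Since the file list for this commit shows only the ChangeLog and AXObjectCache.cpp, please add either a regression test or a line such as "No new tests, covered by existing tests run under GuardMalloc" naming which ones reproduce the crash.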
index f4225ee..1ffa8d6 100644 (file)
@@ -747,10 +747,10 @@ void AXObjectCache::remove(Node& node)
     if (is<Element>(node)) {
         m_deferredRecomputeIsIgnoredList.remove(downcast<Element>(&node));
         m_deferredSelectedChildredChangedList.remove(downcast<Element>(&node));
-        m_deferredChildrenChangedNodeList.remove(&node);
         m_deferredTextFormControlValue.remove(downcast<Element>(&node));
         m_deferredAttributeChange.remove(downcast<Element>(&node));
     }
+    m_deferredChildrenChangedNodeList.remove(&node);
     m_deferredTextChangedList.remove(&node);
     // Remove the entry if the new focused node is being removed.
     m_deferredFocusedNodeChange.removeAllMatching([&node](auto& entry) -> bool {
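Review bot: Moving `m_deferredChildrenChangedNodeList.remove(&node);` out of the `is<Element>(node)` block is the right fix, because that list is keyed by Node* and the old placement left any non-Element node (a Text node, for example) in the list after it was destroyed, so the next flush of deferred work ran on a dangling pointer. Two follow-ups worth doing in the same change: audit the remaining members for the same mismatch, confirming that every Node*-keyed list is cleared outside the Element branch (the hunk shows `m_deferredTextChangedList` and `m_deferredFocusedNodeChange` already handled there), and consider fixing the pre-existing misspelling in `m_deferredSelectedChildredChangedList` ("Childred") in a separate rename so it stops propagating.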