Source/WebCore: Clicking on links while accessibility is enabled sometimes crashes
author mmaxfield@apple.com <mmaxfield@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Tue, 22 Jul 2014 17:50:31 +0000 (17:50 +0000)
committer mmaxfield@apple.com <mmaxfield@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Tue, 22 Jul 2014 17:50:31 +0000 (17:50 +0000)
commit 49a83deacfe75291c2b823c967d375b14147e555
tree d55c9ce1c7235ff9f6a862784b4caba5cf617b75
parent 1da1bb520c1b7795bad3a83c46cc394ebfd7be31
Source/WebCore: Clicking on links while accessibility is enabled sometimes crashes
https://bugs.webkit.org/show_bug.cgi?id=135074

Reviewed by Chris Fleizach.

When an accessibility request comes in from the system, we call updateBackingStore() on the
relevant AccessibilityObject, which triggers a relayout of the entire document. This relayout
might delete that accessibility node and its parent, which would cause the node to be deleted.
After the stack unwinds, we then call a member function on the node without checking for this
condition.

Test: accessibility/parent-delete.html

* accessibility/AccessibilityObject.cpp:
(WebCore::AccessibilityObject::updateBackingStore): Retain the node for the duration of the
function.

LayoutTests: Clicking on links while accessibility is enabled does not render as expected
https://bugs.webkit.org/show_bug.cgi?id=135074

Reviewed by Chris Fleizach.

Delete a node and its parent, then call allAttributes() on the accessibility representation of
the deleted child and make sure there is no crash.

* accessibility/parent-delete-expected.txt: Added
* accessibility/parent-delete.html: Added

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@171347 268f45cc-cd09-0410-ab3c-d52691b4dbfc
LayoutTests/ChangeLog
LayoutTests/accessibility/parent-delete-expected.txt [new file with mode: 0644]
LayoutTests/accessibility/parent-delete.html [new file with mode: 0644]
Source/WebCore/ChangeLog
Source/WebCore/accessibility/AccessibilityObject.cpp
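
The lifetime bug described in the commit message, as an added C++ sketch that is not WebKit code: a method triggers a relayout that drops the last owning reference to its own object, then reads a member. `Cache`, `Node` and `survivesRelayout` are hypothetical names, and `std::shared_ptr` stands in for WebKit's reference counting.

```cpp
#include <map>
#include <memory>
#include <string>

// Hypothetical stand-ins, not WebKit classes: Cache plays the owner of the
// accessibility nodes, Node plays the role of AccessibilityObject.
struct Node;
struct Cache {
    std::map<int, std::shared_ptr<Node>> nodes;            // sole owning references
    void relayout(int doomedId) { nodes.erase(doomedId); } // layout drops a node
};

struct Node : std::enable_shared_from_this<Node> {
    int id;
    Cache& cache;
    bool* destroyedFlag; // external flag that outlives the node; set by ~Node
    std::string role = "link";
    Node(int i, Cache& c, bool* f) : id(i), cache(c), destroyedFlag(f) {}
    ~Node() { *destroyedFlag = true; }

    // Before the fix: nothing keeps the node alive across the relayout.
    // Returns false when the member read that follows would hit freed memory.
    bool updateUnprotected() {
        bool* destroyed = destroyedFlag; // copy to locals while `this` is valid
        Cache& c = cache;
        int self = id;
        c.relayout(self);
        if (*destroyed) return false;    // unchecked code would dereference `this` here
        return !role.empty();
    }

    // After the fix: hold a strong reference for the duration of the function.
    bool updateProtected() {
        std::shared_ptr<Node> protect = shared_from_this();
        cache.relayout(id);
        return !role.empty();            // safe: `protect` still owns the node
    }
};

// Runs one variant on a fresh cache; true means the node was still alive when
// the member access after the relayout took place.
bool survivesRelayout(bool useProtector) {
    bool destroyed = false;              // declared first so it outlives the node
    Cache cache;
    cache.nodes[1] = std::make_shared<Node>(1, cache, &destroyed);
    Node* raw = cache.nodes[1].get();    // caller holds only a raw pointer
    return useProtector ? raw->updateProtected() : raw->updateUnprotected();
}
```

The unprotected variant avoids touching `this` after the relayout so that the demonstration itself stays well-defined; it reports the condition instead of triggering it.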