[webkit-changes] [241511] branches/safari-607-branch/Source/WebCore

[bshafiei]

Title: [241511] branches/safari-607-branch/Source/WebCore

Revision

241511

Author

bshaf...@apple.com

Date

2019-02-14 00:34:54 -0800 (Thu, 14 Feb 2019)

Log Message

Cherry-pick r241494. rdar://problem/48065624

    AX: Crash in handleMenuOpen
    https://bugs.webkit.org/show_bug.cgi?id=194627

    Reviewed by Zalan Bujtas.

    Tests run under libGuardMalloc will cause crashes.

    This list of objects is a Node list, not an Element list, so we were
    not removing some nodes when they were being deallocated.

    * accessibility/AXObjectCache.cpp:
    (WebCore::AXObjectCache::remove):

    git-svn-id: https://svn.webkit.org/repository/webkit/trunk@241494 268f45cc-cd09-0410-ab3c-d52691b4dbfc

Modified Paths

• branches/safari-607-branch/Source/WebCore/ChangeLog
• branches/safari-607-branch/Source/WebCore/accessibility/AXObjectCache.cpp

Diff

Modified: branches/safari-607-branch/Source/WebCore/ChangeLog (241510 => 241511)

--- branches/safari-607-branch/Source/WebCore/ChangeLog	2019-02-14 08:34:51 UTC (rev 241510)
+++ branches/safari-607-branch/Source/WebCore/ChangeLog	2019-02-14 08:34:54 UTC (rev 241511)
@@ -1,5 +1,40 @@
 2019-02-13  Babak Shafiei  <bshaf...@apple.com>
 
+        Cherry-pick r241494. rdar://problem/48065624
+
+    AX: Crash in handleMenuOpen
+    https://bugs.webkit.org/show_bug.cgi?id=194627
+    
+    Reviewed by Zalan Bujtas.
+    
+    Tests run under libGuardMalloc will cause crashes.
+    
+    This list of objects is a Node list, not an Element list, so we were
+    not removing some nodes when they were being deallocated.
+    
+    * accessibility/AXObjectCache.cpp:
+    (WebCore::AXObjectCache::remove):
+    
+    
+    git-svn-id: https://svn.webkit.org/repository/webkit/trunk@241494 268f45cc-cd09-0410-ab3c-d52691b4dbfc
+
+    2019-02-13  Chris Fleizach  <cfleiz...@apple.com>
+
+            AX: Crash in handleMenuOpen
+            https://bugs.webkit.org/show_bug.cgi?id=194627
+
+            Reviewed by Zalan Bujtas.
+
+            Tests run under libGuardMalloc will cause crashes.
+
+            This list of objects is a Node list, not an Element list, so we were
+            not removing some nodes when they were being deallocated.
+
+            * accessibility/AXObjectCache.cpp:
+            (WebCore::AXObjectCache::remove):
+
+2019-02-13  Babak Shafiei  <bshaf...@apple.com>
+
         Cherry-pick r241484. rdar://problem/48065620
 
     Entering fullscreen inside a shadow root will not set fullscreen pseudoclasses outside of root

Modified: branches/safari-607-branch/Source/WebCore/accessibility/AXObjectCache.cpp (241510 => 241511)

--- branches/safari-607-branch/Source/WebCore/accessibility/AXObjectCache.cpp	2019-02-14 08:34:51 UTC (rev 241510)
+++ branches/safari-607-branch/Source/WebCore/accessibility/AXObjectCache.cpp	2019-02-14 08:34:54 UTC (rev 241511)
@@ -739,10 +739,10 @@
     if (is<Element>(node)) {
         m_deferredRecomputeIsIgnoredList.remove(downcast<Element>(&node));
         m_deferredSelectedChildredChangedList.remove(downcast<Element>(&node));
-        m_deferredChildrenChangedNodeList.remove(&node);
         m_deferredTextFormControlValue.remove(downcast<Element>(&node));
         m_deferredAttributeChange.remove(downcast<Element>(&node));
     }
+    m_deferredChildrenChangedNodeList.remove(&node);
     m_deferredTextChangedList.remove(&node);
     // Remove the entry if the new focused node is being removed.
     m_deferredFocusedNodeChange.removeAllMatching([&node](auto& entry) -> bool {

_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes