Skip to site navigation (Press enter)

[webkit-changes] [241534] releases/WebKitGTK/webkit-2.24/Source/WebCore

carlosgc Thu, 14 Feb 2019 03:29:12 -0800

Title: [241534] releases/WebKitGTK/webkit-2.24/Source/WebCore

Revision: 241534
Author: [email protected]
Date: 2019-02-14 03:28:19 -0800 (Thu, 14 Feb 2019)

Log Message

Merge r241494 - AX: Crash in handleMenuOpen
https://bugs.webkit.org/show_bug.cgi?id=194627


Reviewed by Zalan Bujtas.

Tests run under libGuardMalloc will cause crashes.

This list of objects is a Node list, not an Element list, so we were
not removing some nodes when they were being deallocated.

* accessibility/AXObjectCache.cpp:
(WebCore::AXObjectCache::remove):

Modified Paths

releases/WebKitGTK/webkit-2.24/Source/WebCore/ChangeLog
releases/WebKitGTK/webkit-2.24/Source/WebCore/accessibility/AXObjectCache.cpp

Diff

Modified: releases/WebKitGTK/webkit-2.24/Source/WebCore/ChangeLog (241533 => 241534)


--- releases/WebKitGTK/webkit-2.24/Source/WebCore/ChangeLog	2019-02-14 11:28:14 UTC (rev 241533)
+++ releases/WebKitGTK/webkit-2.24/Source/WebCore/ChangeLog	2019-02-14 11:28:19 UTC (rev 241534)
@@ -1,3 +1,18 @@
+2019-02-13  Chris Fleizach  <[email protected]>
+
+        AX: Crash in handleMenuOpen
+        https://bugs.webkit.org/show_bug.cgi?id=194627
+
+        Reviewed by Zalan Bujtas.
+
+        Tests run under libGuardMalloc will cause crashes.
+
+        This list of objects is a Node list, not an Element list, so we were
+        not removing some nodes when they were being deallocated.
+
+        * accessibility/AXObjectCache.cpp:
+        (WebCore::AXObjectCache::remove):
+
 2019-02-13  Jer Noble  <[email protected]>
 
         Entering fullscreen inside a shadow root will not set fullscreen pseudoclasses outside of root

Modified: releases/WebKitGTK/webkit-2.24/Source/WebCore/accessibility/AXObjectCache.cpp (241533 => 241534)


--- releases/WebKitGTK/webkit-2.24/Source/WebCore/accessibility/AXObjectCache.cpp	2019-02-14 11:28:14 UTC (rev 241533)
+++ releases/WebKitGTK/webkit-2.24/Source/WebCore/accessibility/AXObjectCache.cpp	2019-02-14 11:28:19 UTC (rev 241534)
@@ -747,10 +747,10 @@
     if (is<Element>(node)) {
         m_deferredRecomputeIsIgnoredList.remove(downcast<Element>(&node));
         m_deferredSelectedChildredChangedList.remove(downcast<Element>(&node));
-        m_deferredChildrenChangedNodeList.remove(&node);
         m_deferredTextFormControlValue.remove(downcast<Element>(&node));
         m_deferredAttributeChange.remove(downcast<Element>(&node));
     }
+    m_deferredChildrenChangedNodeList.remove(&node);
     m_deferredTextChangedList.remove(&node);
     // Remove the entry if the new focused node is being removed.
     m_deferredFocusedNodeChange.removeAllMatching([&node](auto& entry) -> bool {

_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes