Title: [140614] trunk/Source/WebCore
- Revision
- 140614
- Author
- [email protected]
- Date
- 2013-01-23 16:34:42 -0800 (Wed, 23 Jan 2013)
Log Message
AX: AXObjectCache should be initialized with topDocument
https://bugs.webkit.org/show_bug.cgi?id=107638
Reviewed by Chris Fleizach.
Initialize AXObjectCache with the top document, not the
document that axObjectCache happened to be called on, which
could be an iframe. Having an AXObjectCache with the wrong
document could cause a heap-use-after-free in
notificationPostTimerFired if the inner document was deleted
while notifications were pending.
* dom/Document.cpp:
(WebCore::Document::axObjectCache):
Modified Paths
Diff
Modified: trunk/Source/WebCore/ChangeLog (140613 => 140614)
--- trunk/Source/WebCore/ChangeLog 2013-01-24 00:33:06 UTC (rev 140613)
+++ trunk/Source/WebCore/ChangeLog 2013-01-24 00:34:42 UTC (rev 140614)
@@ -1,3 +1,20 @@
+2013-01-23 Dominic Mazzoni <[email protected]>
+
+ AX: AXObjectCache should be initialized with topDocument
+ https://bugs.webkit.org/show_bug.cgi?id=107638
+
+ Reviewed by Chris Fleizach.
+
+ Initialize AXObjectCache with the top document, not the
+ document that axObjectCache happened to be called on, which
+ could be an iframe. Having an AXObjectCache with the wrong
+ document could cause a heap-use-after-free in
+ notificationPostTimerFired if the inner document was deleted
+ while notifications were pending.
+
+ * dom/Document.cpp:
+ (WebCore::Document::axObjectCache):
+
2012-12-12 Ryosuke Niwa <[email protected]>
REGRESSION: WebKit does not render selection in non-first ruby text nodes.
Modified: trunk/Source/WebCore/dom/Document.cpp (140613 => 140614)
--- trunk/Source/WebCore/dom/Document.cpp 2013-01-24 00:33:06 UTC (rev 140613)
+++ trunk/Source/WebCore/dom/Document.cpp 2013-01-24 00:34:42 UTC (rev 140614)
@@ -2159,7 +2159,7 @@
Document* topDocument = this->topDocument();
ASSERT(topDocument == this || !m_axObjectCache);
if (!topDocument->m_axObjectCache)
- topDocument->m_axObjectCache = adoptPtr(new AXObjectCache(this));
+ topDocument->m_axObjectCache = adoptPtr(new AXObjectCache(topDocument));
return topDocument->m_axObjectCache.get();
}
_______________________________________________
webkit-changes mailing list
[email protected]
http://lists.webkit.org/mailman/listinfo/webkit-changes
