Title: [170026] trunk/Source/WebCore
Revision
170026
Author
[email protected]
Date
2014-06-16 14:01:35 -0700 (Mon, 16 Jun 2014)

Log Message

AX: Crash at WebCore::AXObjectCache::textChanged
https://bugs.webkit.org/show_bug.cgi?id=133873

Reviewed by Enrica Casucci.

This looks like a very similar problem to
https://bugs.webkit.org/show_bug.cgi?id=133825

The object is being created and deallocated almost right away because calling accessibilityIsIgnored triggers
a deferred layout that invalidates the associated render element.

Despite my best efforts, I could not come up with a way to reproduce this in a layout test.

* accessibility/AXObjectCache.cpp:
(WebCore::AXObjectCache::getOrCreate):

Modified Paths

Diff

Modified: trunk/Source/WebCore/ChangeLog (170025 => 170026)


--- trunk/Source/WebCore/ChangeLog	2014-06-16 20:33:46 UTC (rev 170025)
+++ trunk/Source/WebCore/ChangeLog	2014-06-16 21:01:35 UTC (rev 170026)
@@ -1,3 +1,21 @@
+2014-06-16  Chris Fleizach  <[email protected]>
+
+        AX: Crash at WebCore::AXObjectCache::textChanged
+        https://bugs.webkit.org/show_bug.cgi?id=133873
+
+        Reviewed by Enrica Casucci.
+
+        This looks like a very similar problem to 
+        https://bugs.webkit.org/show_bug.cgi?id=133825
+
+        The object is being created and deallocated almost right away because calling accessibilityIsIgnored triggers
+        a deferred layout that invalidates the associated render element.
+
+        Despite my best efforts, I could not come up with a way to reproduce this in a layout test.
+
+        * accessibility/AXObjectCache.cpp:
+        (WebCore::AXObjectCache::getOrCreate):
+
 2014-06-15  Anders Carlsson  <[email protected]>
 
         Change ResourceRequestBase::addHTTPHeaderFields to setHTTPHeaderFields instead
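Review bot: The entry for getOrCreate should state the new contract, since the function can now return nullptr for a freshly created object whose render element was invalidated by the deferred layout triggered in accessibilityIsIgnored(); callers that previously assumed a non-null result after creation need to know to null-check. Suggest adding a sentence under the `(WebCore::AXObjectCache::getOrCreate):` line, e.g. "Return nullptr if the object became detached while computing its initial ignored state." Also, the line `+        This looks like a very similar problem to ` carries trailing whitespace that should be stripped before landing.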

Modified: trunk/Source/WebCore/accessibility/AXObjectCache.cpp (170025 => 170026)


--- trunk/Source/WebCore/accessibility/AXObjectCache.cpp	2014-06-16 20:33:46 UTC (rev 170025)
+++ trunk/Source/WebCore/accessibility/AXObjectCache.cpp	2014-06-16 21:01:35 UTC (rev 170026)
@@ -403,7 +403,11 @@
     newObj->init();
     attachWrapper(newObj.get());
     newObj->setLastKnownIsIgnoredValue(newObj->accessibilityIsIgnored());
-
+    // Sometimes asking accessibilityIsIgnored() will cause the newObject to be deallocated, and then
+    // it will disappear when this function is finished, leading to a use-after-free.
+    if (newObj->isDetached())
+        return nullptr;
+    
     return newObj.get();
 }
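Review bot: The `isDetached()` check is placed after `attachWrapper(newObj.get())` and `setLastKnownIsIgnoredValue(...)`, so when the early return fires the object has already been wrapped and the ignored value stored; confirm that the detach path actually removes the object from the cache's lookup maps, otherwise a later lookup by the same render element could still hand out the stale entry, and the `return nullptr` only protects this caller. Returning nullptr also changes the function's contract, so every caller of getOrCreate that dereferences the result without a null check needs to be audited in the same change. Two smaller points: the comment says "newObject" while the variable is `newObj`, and the line `+    ` introduces trailing whitespace where the removed blank line had none.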
 
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes
