Title: [171271] branches/safari-537.78-branch/Source/WebCore
- Revision: 171271
- Author: [email protected]
- Date: 2014-07-19 16:07:01 -0700 (Sat, 19 Jul 2014)
Log Message
Merged r170028. <rdar://problem/17689801>
Modified Paths
Diff
Modified: branches/safari-537.78-branch/Source/WebCore/ChangeLog (171270 => 171271)
--- branches/safari-537.78-branch/Source/WebCore/ChangeLog 2014-07-19 23:03:15 UTC (rev 171270)
+++ branches/safari-537.78-branch/Source/WebCore/ChangeLog 2014-07-19 23:07:01 UTC (rev 171271)
@@ -1,5 +1,28 @@
2014-07-19 Lucas Forschler <[email protected]>
+ Merge r170028
+
+ 2014-06-16 Chris Fleizach <[email protected]>
+
+ AX: Safari crashed once in WebCore::AccessibilityObject::ariaIsHidden
+ https://bugs.webkit.org/show_bug.cgi?id=133825
+
+ Reviewed by Enrica Casucci.
+
+ Sometimes asking accessibilityIsIgnored() will cause a newObject to be detached immediately after its created.
+ The creation function holds a reference with RefPtr as long as it lives, but when that method returns, the object goes away.
+
+ With that out of the way, I saw the same backtrace lead to updateLayoutIgnorePendingStylesheets being called while still inLayout.
+
+ I tried my best but could not create a reproducible layout test.
+
+ * accessibility/AXObjectCache.cpp:
+ (WebCore::AXObjectCache::getOrCreate):
+ * accessibility/AccessibilityObject.cpp:
+ (WebCore::AccessibilityObject::updateBackingStore):
+
+2014-07-19 Lucas Forschler <[email protected]>
+
Merge r170026
2014-06-16 Chris Fleizach <[email protected]>
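Review bot: the ChangeLog entry does not mention that AXObjectCache::getOrCreate can now return nullptr, which is a contract change every caller has to handle; the "(WebCore::AXObjectCache::getOrCreate):" bullet in the file list is empty. Suggest adding a line under it such as "Return nullptr if the new object was detached during accessibilityIsIgnored()" and, for the second fix, stating under "(WebCore::AccessibilityObject::updateBackingStore):" that the layout update is now skipped while the view is in layout, since the bug title only describes the first crash and the entry's one sentence about updateLayoutIgnorePendingStylesheets leaves the chosen remedy implicit.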
Modified: branches/safari-537.78-branch/Source/WebCore/accessibility/AXObjectCache.cpp (171270 => 171271)
--- branches/safari-537.78-branch/Source/WebCore/accessibility/AXObjectCache.cpp 2014-07-19 23:03:15 UTC (rev 171270)
+++ branches/safari-537.78-branch/Source/WebCore/accessibility/AXObjectCache.cpp 2014-07-19 23:07:01 UTC (rev 171271)
@@ -407,7 +407,11 @@
newObj->init();
attachWrapper(newObj.get());
newObj->setLastKnownIsIgnoredValue(newObj->accessibilityIsIgnored());
-
+ // Sometimes asking accessibilityIsIgnored() will cause the newObject to be deallocated, and then
+ // it will disappear when this function is finished, leading to a use-after-free.
+ if (newObj->isDetached())
+ return nullptr;
+
return newObj.get();
}
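Review bot: the new comment says accessibilityIsIgnored() "will cause the newObject to be deallocated", but the check right below it tests isDetached(), and while newObj holds its reference (the ChangeLog says it is a RefPtr) the object cannot be freed inside this function; the hazard is returning a raw pointer whose only reference dies at return. Suggest wording the comment to match the code, e.g. "... can detach the new object; it would then be destroyed when newObj goes out of scope, and returning the raw pointer would be a use-after-free." Two follow-ups the hunk does not answer: attachWrapper(newObj.get()) has already run before the early return, so confirm that the wrapper and any cache map entry created for this object are cleaned up on the detached path, and confirm that every caller of getOrCreate tolerates a nullptr result, since this is the first point at which the function returns null after successfully creating an object.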
Modified: branches/safari-537.78-branch/Source/WebCore/accessibility/AccessibilityObject.cpp (171270 => 171271)
--- branches/safari-537.78-branch/Source/WebCore/accessibility/AccessibilityObject.cpp 2014-07-19 23:03:15 UTC (rev 171270)
+++ branches/safari-537.78-branch/Source/WebCore/accessibility/AccessibilityObject.cpp 2014-07-19 23:07:01 UTC (rev 171271)
@@ -1200,8 +1200,10 @@
void AccessibilityObject::updateBackingStore()
{
// Updating the layout may delete this object.
- if (Document* document = this->document())
- document->updateLayoutIgnorePendingStylesheets();
+ if (Document* document = this->document()) {
+ if (!document->view()->isInLayout())
+ document->updateLayoutIgnorePendingStylesheets();
+ }
}
#endif
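Review bot: the added line dereferences document->view() without a null check; Document::view() can return null for a document that is not attached to a frame, and the old code never touched the view at all, so this guard introduces a null dereference on a path that previously only called updateLayoutIgnorePendingStylesheets(). Suggest `if (document->view() && !document->view()->isInLayout())` or binding the view to a local first. Also worth a one-line comment above the check: when the view is in layout the update is silently skipped, so the caller continues with whatever layout state exists at that moment, which is the intended trade-off here but is not obvious from the existing "Updating the layout may delete this object" comment.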
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes