-
dmazzoni@google.com authored
https://bugs.webkit.org/show_bug.cgi?id=98073 Reviewed by Hajime Morita. Source/WebCore: Calls axObjectCache()->remove(this) in ~ContainerNode so that the AX tree doesn't try to access the container node while walking up the parent chain from one of the container node's children. Test: accessibility/container-node-delete-causes-crash.html * dom/ContainerNode.cpp: (WebCore::ContainerNode::~ContainerNode): * dom/Node.cpp: (WebCore::Node::~Node): * dom/Node.h: (WebCore::Node::document): (WebCore::Node::documentInternal): LayoutTests: Adds test for heap-use-after-free when container node with AX object is deleted. * accessibility/container-node-delete-causes-crash-expected.txt: Added. * accessibility/container-node-delete-causes-crash.html: Added. git-svn-id: http://svn.webkit.org/repository/webkit/trunk@130266 268f45cc-cd09-0410-ab3c-d52691b4dbfc
a09b3cd4
