    AX: Heap-use-after-free when deleting a ContainerNode with an AX object · a09b3cd4
    dmazzoni@google.com authored
    https://bugs.webkit.org/show_bug.cgi?id=98073
    
    Reviewed by Hajime Morita.
    
    Source/WebCore:
    
    Calls axObjectCache()->remove(this) in ~ContainerNode so that the AX tree
    doesn't try to access the container node while walking up the parent chain
    from one of the container node's children.
    
    Test: accessibility/container-node-delete-causes-crash.html
    
    * dom/ContainerNode.cpp:
    (WebCore::ContainerNode::~ContainerNode):
    * dom/Node.cpp:
    (WebCore::Node::~Node):
    * dom/Node.h:
    (WebCore::Node::document):
    (WebCore::Node::documentInternal):
    
    LayoutTests:
    
    Adds test for heap-use-after-free when container node with AX object is deleted.
    
    * accessibility/container-node-delete-causes-crash-expected.txt: Added.
    * accessibility/container-node-delete-causes-crash.html: Added.
    
    
    git-svn-id: http://svn.webkit.org/repository/webkit/trunk@130266 268f45cc-cd09-0410-ab3c-d52691b4dbfc
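The bug class the commit describes, a cache keyed by raw node pointers whose entry outlives the node that is mid-destruction, can be modelled without any WebKit code. The following is an added illustrative example written for this page, not WebKit's implementation: `AXCache`, `AXObject`, `Node`, `ContainerNode`, `staleTouches` and `staleTouchesAfterDelete` are stand-in names chosen here. It models the "before" shape (the container tears down its children while its own cache entry still exists, so each child's removal walks up to a container that is already being destroyed) beside the "after" shape the commit describes (the container removes itself from the cache first). Instead of dereferencing freed memory, the cache counts how often the parent-chain walk reaches a node that has entered destruction, which is the access a sanitizer would report as a use-after-free.

```cpp
#include <iostream>
#include <map>
#include <memory>
#include <utility>
#include <vector>

// Constructed example: a minimal model of a DOM node, a container node and an
// accessibility cache. None of these types are WebKit's.
class Node;

// Accessibility object that refers back to its node by non-owning pointer.
struct AXObject {
    explicit AXObject(Node* n) : node(n) {}
    Node* node;
    bool childrenDirty = false;
};

class AXCache;

class Node {
public:
    explicit Node(AXCache& cache, Node* parent = nullptr) : cache_(cache), parent_(parent) {}
    virtual ~Node();                       // every node unregisters itself on destruction
    Node* parent() const { return parent_; }
    bool isDestroying() const { return destroying_; }
protected:
    AXCache& cache_;
    Node* parent_;
    bool destroying_ = false;              // set at the start of a container's teardown
};

// Cache keyed by raw Node*. Entries must be removed before the node goes away,
// otherwise lookups hand out pointers to dead or dying nodes.
class AXCache {
public:
    AXObject* getOrCreate(Node* n) {
        auto& slot = objects_[n];
        if (!slot) slot = std::make_unique<AXObject>(n);
        return slot.get();
    }
    // Remove n, then walk up the parent chain so ancestor AX objects can mark
    // their children list dirty (the walk the commit message refers to).
    void remove(Node* n) {
        objects_.erase(n);
        for (Node* p = n->parent(); p; p = p->parent()) {
            auto it = objects_.find(p);
            if (it == objects_.end()) break;   // nothing cached above: stop walking
            if (p->isDestroying()) ++staleTouches_;   // would be a UAF in the real bug
            it->second->childrenDirty = true;
        }
    }
    int staleTouches() const { return staleTouches_; }
private:
    std::map<Node*, std::unique_ptr<AXObject>> objects_;
    int staleTouches_ = 0;
};

Node::~Node() { cache_.remove(this); }

class ContainerNode : public Node {
public:
    // unregisterFirst=false reproduces the pre-fix ordering, true the fixed one.
    ContainerNode(AXCache& cache, bool unregisterFirst)
        : Node(cache, nullptr), unregisterFirst_(unregisterFirst) {}
    void appendChild(std::unique_ptr<Node> child) { children_.push_back(std::move(child)); }
    ~ContainerNode() override {
        destroying_ = true;
        if (unregisterFirst_) cache_.remove(this);   // the fix: drop our entry before children die
        children_.clear();                           // each child unregisters and walks up to us
    }
private:
    bool unregisterFirst_;
    std::vector<std::unique_ptr<Node>> children_;
};

// Build a container with childCount children (all with AX objects), delete it,
// and report how many times the walk-up reached the dying container.
int staleTouchesAfterDelete(bool unregisterFirst, int childCount) {
    AXCache cache;
    auto* root = new ContainerNode(cache, unregisterFirst);
    cache.getOrCreate(root);
    for (int i = 0; i < childCount; ++i) {
        auto child = std::make_unique<Node>(cache, root);
        cache.getOrCreate(child.get());
        root->appendChild(std::move(child));
    }
    delete root;
    return cache.staleTouches();
}

int main() {
    std::cout << "before fix: " << staleTouchesAfterDelete(false, 3) << " stale touches\n";
    std::cout << "after fix:  " << staleTouchesAfterDelete(true, 3) << " stale touches\n";
    return 0;
}
```

The design point is the ordering inside the container destructor: once a node has begun destruction, nothing reachable through the cache may be allowed to find it, so unregistering must happen before the children (whose removal triggers the walk) are torn down. Running this under AddressSanitizer would not flag the "before" case because the model deliberately avoids the dereference; the counter stands in for that report.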