diff --git a/WebCore/ChangeLog b/WebCore/ChangeLog index 48b10fb47db8db8fc06d5cc2de5e608d38ca2ffa..e5dd7360f3eb7461784d7176ccbd7346622392d5 100644 --- a/WebCore/ChangeLog +++ b/WebCore/ChangeLog @@ -1,3 +1,18 @@ +2009-07-30 Chris Fleizach + + Reviewed by Darin Adler. + + Bug 27854 - crash at WebCore::AXObjectCache::notificationPostTimerFired + https://bugs.webkit.org/show_bug.cgi?id=27854 + + AccessibilityObjects need to be retained while waiting to fire their notifications, otherwise + they can disappear and then lead to crashes. + + * accessibility/AXObjectCache.cpp: + (WebCore::AXObjectCache::notificationPostTimerFired): + (WebCore::AXObjectCache::postNotification): + * accessibility/AXObjectCache.h: + 2009-07-30 Simon Fraser Reviewed by Dan Bernstein. diff --git a/WebCore/accessibility/AXObjectCache.cpp b/WebCore/accessibility/AXObjectCache.cpp index 08aff487bf2949a82a0f119efd49620023ba46b6..1e3c55fe4e5983ac034254336325772b44d8e384 100644 --- a/WebCore/accessibility/AXObjectCache.cpp +++ b/WebCore/accessibility/AXObjectCache.cpp @@ -261,7 +261,7 @@ void AXObjectCache::notificationPostTimerFired(Timer*) unsigned i = 0, count = m_notificationsToPost.size(); for (i = 0; i < count; ++i) { - AccessibilityObject* obj = m_notificationsToPost[i].first; + AccessibilityObject* obj = m_notificationsToPost[i].first.get(); #ifndef NDEBUG // Make sure none of the render views are in the process of being layed out. // Notifications should only be sent after the renderer has finished @@ -308,7 +308,7 @@ void AXObjectCache::postNotification(RenderObject* renderer, const String& messa if (!obj) return; - m_notificationsToPost.append(make_pair(obj.get(), message)); + m_notificationsToPost.append(make_pair(obj, message)); if (!m_notificationPostTimer.isActive()) m_notificationPostTimer.startOneShot(0); } diff --git a/WebCore/accessibility/AXObjectCache.h b/WebCore/accessibility/AXObjectCache.h index b4d1564c9c892fbb413cf5bc66c0e95fde9ca515..7a808dd51f5ff189a691e9aa9b7d632590840612 100644 --- a/WebCore/accessibility/AXObjectCache.h +++ b/WebCore/accessibility/AXObjectCache.h @@ -108,7 +108,7 @@ namespace WebCore { HashSet m_idsInUse; Timer m_notificationPostTimer; - Vector > m_notificationsToPost; + Vector, const String> > m_notificationsToPost; void notificationPostTimerFired(Timer*); AXID getAXID(AccessibilityObject*);