    Objects can be re-added to the AXObjectCache during removal · efcd4c1d
    schenney@chromium.org authored
    https://bugs.webkit.org/show_bug.cgi?id=104171
    
    Source/WebCore:
    
    The problem occurs when a label's corresponding element is a sibling
    that precedes it in the render tree, and the corresponding element is
    removed. The corresponding element's AX render object is removed, but
    then recreated when accessibilityIsIgnored() invokes correspondingControl()
    on the label. The corresponding renderer then has an AX render object
    that survives beyond the deleted renderer, leading to invalid memory
    accesses.
    
    The solution is to rearrange the calls to delete the renderer's AX
    render object only when we are sure it will no longer be required.
    
    Reviewed by Simon Fraser.
    
    Test: accessibility/corresponding-control-deleted-crash.html
    
    * rendering/RenderObject.cpp:
    (WebCore::RenderObject::willBeDestroyed): Move the call to remove the
    renderer from the AXCache to after the renderer is removed from the
    render tree. This means that the AXObject still exists during renderer
    removal, as we require.
    
    LayoutTests:
    
    Reviewed by Simon Fraser.
    
    New test which asserts with !m_hasAXObject in RenderObject::~RenderObject without the patch. Requires Shadow DOM enabled.
    
    * accessibility/corresponding-control-deleted-crash-expected.txt: Added.
    * accessibility/corresponding-control-deleted-crash.html: Added.
    
    
    git-svn-id: http://svn.webkit.org/repository/webkit/trunk@139444 268f45cc-cd09-0410-ab3c-d52691b4dbfc
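Added example, not WebKit's code: a simplified C++ model of the ordering bug the commit describes. A lazily populating cache stands in for AXObjectCache, and a hook that runs during tree removal stands in for the accessibilityIsIgnored() -> correspondingControl() lookup; the names AXObjectCache, Renderer, getOrCreate, destroyBuggyOrder and destroyFixedOrder are assumptions made for this illustration.

```cpp
#include <map>
#include <memory>

// Simplified model of the bug: a cache that creates accessibility (AX)
// objects on demand, and a renderer whose removal from the tree triggers a
// lookup of its own AX object (the label asking for its corresponding control).
struct Renderer;
struct AXObject { Renderer* renderer; };

struct AXObjectCache {
    std::map<Renderer*, std::unique_ptr<AXObject>> objects;
    // A query creates the entry if it is missing, so a lookup that happens
    // after erase() silently re-adds the object that was just removed.
    AXObject* getOrCreate(Renderer* r) {
        std::unique_ptr<AXObject>& slot = objects[r];
        if (!slot) slot.reset(new AXObject{r});
        return slot.get();
    }
    void remove(Renderer* r) { objects.erase(r); }
    bool contains(Renderer* r) const { return objects.count(r) != 0; }
};

struct Renderer {
    AXObjectCache* cache;
    // Models the label (a later sibling) being notified during removal and
    // querying the cache for this renderer's AX object.
    void removeFromTree() { cache->getOrCreate(this); }
};

// Order before the fix: erase the AX object, then detach from the tree. The
// lookup during detachment re-creates the entry, which now outlives the
// renderer. Returns true if a stale entry is left behind (a dangling pointer).
bool destroyBuggyOrder() {
    AXObjectCache cache;
    Renderer r{&cache};
    cache.getOrCreate(&r);   // normal state: the renderer has an AX object
    cache.remove(&r);        // removed too early...
    r.removeFromTree();      // ...and re-added by the lookup
    return cache.contains(&r); // true
}

// Order after the fix: detach from the tree first, so the lookup finds the
// still-valid AX object, then remove it once nothing will ask for it again.
bool destroyFixedOrder() {
    AXObjectCache cache;
    Renderer r{&cache};
    cache.getOrCreate(&r);
    r.removeFromTree();      // lookup returns the existing object
    cache.remove(&r);        // final removal; nothing re-adds it
    return cache.contains(&r); // false
}
```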