-
schenney@chromium.org authored
https://bugs.webkit.org/show_bug.cgi?id=104171 Source/WebCore: The problem occurs when a label's corresponding element is a sibling that precedes it in the render tree, and the corresponding element is removed. The corresponding element's AX render object is removed, but then recreated when accessibilityIsIgnored() invokes correspondingControl() on the label. The corresponding renderer then has an AX render object that survives beyond the deleted renderer, leading to invalid memory accesses. The solution is to rearrange the calls to delete the renderer's AX render object only when we are sure it will no longer be required. Reviewed by Simon Fraser. Test: accessibility/corresponding-control-deleted-crash.html * rendering/RenderObject.cpp: (WebCore::RenderObject::willBeDestroyed): Move the call to remove the renderer from the AXCache to after the renderer is removed from the render tree. This means that the AXObject still exists during renderer removal, as we require. LayoutTests: Reviewed by Simon Fraser. New test which asserts with !m_hasAXObject in RenderObject::~RenderObject without the patch. Requires Shadow DOM enabled. * accessibility/corresponding-control-deleted-crash-expected.txt: Added. * accessibility/corresponding-control-deleted-crash.html: Added. git-svn-id: http://svn.webkit.org/repository/webkit/trunk@139444 268f45cc-cd09-0410-ab3c-d52691b4dbfc
efcd4c1d