[Webkit-unassigned] [Bug 184366] crash when destroying a RenderObject with orca running

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Wed Apr 11 19:47:18 PDT 2018


https://bugs.webkit.org/show_bug.cgi?id=184366

--- Comment #5 from Ryosuke Niwa <rniwa at webkit.org> ---
(In reply to Mike Gorse from comment #4)
> Created attachment 337704 [details]
> Patch.
> 
> I'm submitting the attached patch for openSUSE. It's a partial revert of the
> commit from bug 182513. I'm not sure if this should be committed as-is, but
> it fixes the crash for me and shouldn't cause any functional change outside
> of accessibility.

This change simply removes the release assertion. We need to address the underlying issue, which is that accessibility code in the GTK+ port is updating layout in the middle of deleting render objects. That's never safe, and can lead to memory corruption. This crash is currently protecting you from having an exploitable security bug.

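An added toy model of the hazard described in the comment above (example code, not from the bug report, the patch, or WebKit; every name in it is constructed): a render tree whose teardown notifies an accessibility observer that forces a layout pass, with a flag standing in for the release assertion so the re-entrant layout is refused instead of silently reading dying objects.

```cpp
#include <vector>

// Toy render node; in real code it may already be freed when a re-entrant layout reaches it.
struct RenderObject { int width; bool beingDestroyed; };
struct TeardownReport { int guardTrips; int staleReads; };

struct RenderTree {
    std::vector<RenderObject*> children;
    bool inDestruction = false;  // true while render objects are being deleted
    bool guardEnabled = true;    // stands in for the release assertion the patch removes
    int guardTrips = 0;          // layout passes the guard refused
    int staleReads = 0;          // reads of an object mid-teardown (the underlying bug)

    // Layout walks every child; doing that during teardown is never safe.
    void updateLayout() {
        if (inDestruction && guardEnabled) {
            ++guardTrips;        // WebKit crashes here deliberately
            return;
        }
        for (RenderObject* c : children) {
            if (c->beingDestroyed) ++staleReads;  // touched an object being deleted
            else (void)c->width;
        }
    }

    // Accessibility observer: answers each removal by forcing fresh layout,
    // which is the re-entrancy the comment above objects to.
    void onRenderObjectDestroyed() { updateLayout(); }

    void destroyAll() {
        inDestruction = true;
        while (!children.empty()) {
            RenderObject* c = children.back();
            c->beingDestroyed = true;
            onRenderObjectDestroyed();  // re-enters layout mid-deletion
            children.pop_back();
            delete c;
        }
        inDestruction = false;
    }
};

// Tears down a tree of nodeCount objects. Guard on: every re-entrant layout is
// refused and nothing stale is read. Guard off: each teardown step reads a dying object.
TeardownReport runTeardown(int nodeCount, bool guardEnabled) {
    RenderTree tree;
    tree.guardEnabled = guardEnabled;
    for (int i = 0; i < nodeCount; ++i) tree.children.push_back(new RenderObject{100 + i, false});
    tree.destroyAll();
    return {tree.guardTrips, tree.staleReads};
}
```

In the real engine the "stale read" is a use of memory that may already be freed, which is why the crash from the assertion is the safer outcome.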