[Webkit-unassigned] [Bug 184366] crash when destroying a RenderObject with orca running

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Thu Apr 12 11:35:58 PDT 2018


https://bugs.webkit.org/show_bug.cgi?id=184366

--- Comment #6 from Mike Gorse <mgorse at suse.com> ---
(In reply to Ryosuke Niwa from comment #5)
> (In reply to Mike Gorse from comment #4)
> > Created attachment 337704 [details]
> > Patch.
> > 
> > I'm submitting the attached patch for openSUSE. It's a partial revert of the
> > commit from bug 182513. I'm not sure if this should be committed as-is, but
> > it fixes the crash for me and shouldn't cause any functional change outside
> > of accessibility.
> 
> This change simply removes the release assertion. We need to address the
> underlying issue which is that accessibility code in GTK+ port is updating
> layout in the middle of deleting render objects. That's never safe, and can
> lead to memory corruption. This crash is currently protecting you from
> having an exploitable security bug.

I didn't remove any assert lines, but I changed the condition under which document->updateLayoutIgnorePendingStyleSheets is called, so I don't understand your comment. I altered a couple of asserts along with changing a prototype. That being said, I'm not necessarily arguing that what I attached is what should be committed.

-- 
You are receiving this mail because:
You are the assignee for the bug.
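The hazard Ryosuke describes, re-entering layout from inside a render object's destructor, is easy to lose in the bug's back-and-forth, so here is a small model of it. This is an added illustration, not WebKit code: `Document`, `RenderNode`, `liveNodes`, `accessibilityObserver`, `renderTreeTeardownDepth` and `simulate()` are all hypothetical names. The raw-pointer registry stands in for any cache that can still reach a node while its destructor runs, the observer stands in for the accessibility hook that fires when a render object goes away, and the guard returns `false` where WebKit's release assertion would crash, so the two outcomes can be compared in one run.

```cpp
#include <algorithm>
#include <cstdio>
#include <functional>
#include <memory>
#include <vector>

// Hypothetical model of the hazard discussed above; not WebKit code.
// A Document owns RenderNodes; a raw-pointer registry stands in for any
// cache (e.g. an accessibility object cache) that can still reach a node
// while its destructor is running.
struct Document;

struct RenderNode {
    Document* doc;
    bool beingDestroyed = false;
    explicit RenderNode(Document* d);
    ~RenderNode();
};

struct Document {
    std::vector<RenderNode*> liveNodes;          // nodes a layout walk will visit
    int renderTreeTeardownDepth = 0;             // > 0 while a RenderNode destructor is on the stack
    bool guardLayoutDuringTeardown = true;       // the condition a release assertion would enforce
    std::function<void(RenderNode&)> accessibilityObserver; // stand-in for the AT notification hook
    int layoutsRun = 0;
    int dyingNodesTouched = 0;

    // Stand-in for updateLayout(): walks every live node. Returns false if the
    // walk was refused because render objects are currently being destroyed.
    bool updateLayout() {
        if (guardLayoutDuringTeardown && renderTreeTeardownDepth > 0)
            return false; // WebKit would RELEASE_ASSERT here: crash now rather than corrupt memory
        ++layoutsRun;
        for (RenderNode* n : liveNodes)
            if (n->beingDestroyed)
                ++dyingNodesTouched; // in real code this is where the use-after-free happens
        return true;
    }
};

RenderNode::RenderNode(Document* d) : doc(d) { doc->liveNodes.push_back(this); }

RenderNode::~RenderNode() {
    beingDestroyed = true;
    ++doc->renderTreeTeardownDepth;
    if (doc->accessibilityObserver)
        doc->accessibilityObserver(*this); // the AT side hears about the node while it is half-dead
    // Unregister only after the notification, so a layout started from inside the
    // observer still finds this node, exactly like a stale cache entry would.
    auto& v = doc->liveNodes;
    v.erase(std::remove(v.begin(), v.end(), this), v.end());
    --doc->renderTreeTeardownDepth;
}

struct Outcome {
    bool layoutRan;          // did updateLayout() run from inside the destructor?
    int dyingNodesTouched;   // how many half-destroyed nodes that layout visited
};

// Simulate an accessibility observer that reacts to a node's destruction by
// forcing layout, with or without the teardown guard.
Outcome simulate(bool guarded) {
    Document doc;
    doc.guardLayoutDuringTeardown = guarded;
    doc.accessibilityObserver = [&doc](RenderNode&) { doc.updateLayout(); };
    {
        auto node = std::make_unique<RenderNode>(&doc);
        (void)node;
    } // destructor runs here -> observer -> updateLayout()
    return {doc.layoutsRun > 0, doc.dyingNodesTouched};
}

int main() {
    Outcome unguarded = simulate(false);
    Outcome guarded = simulate(true);
    std::printf("unguarded: layout ran=%d, dying nodes touched=%d\n",
                unguarded.layoutRan, unguarded.dyingNodesTouched);
    std::printf("guarded:   layout ran=%d, dying nodes touched=%d\n",
                guarded.layoutRan, guarded.dyingNodesTouched);
    return 0;
}
```

The point of the model is that the guard is not the bug: with the guard off, the layout started from inside the destructor visits an object whose destructor is still on the stack, which in the real engine means dereferencing freed or half-torn-down memory. With the guard on, that layout is refused before it can touch anything. A fix that only changes when the guard fires, or when `updateLayoutIgnorePendingStyleSheets` is called, stops the crash but leaves the question of why layout is being requested during render object destruction unanswered; the caller on the accessibility side is what has to change.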