[Webkit-unassigned] [Bug 184366] [GTK] crash when destroying a RenderObject with orca running
bugzilla-daemon at webkit.org
Tue May 15 09:06:09 PDT 2018
https://bugs.webkit.org/show_bug.cgi?id=184366
Michael Catanzaro <mcatanzaro at igalia.com> changed:
What    |Removed                                                |Added
----------------------------------------------------------------------------
CC      |                                                       |bugs-noreply at webkitgtk.org, mcatanzaro at igalia.com
Summary |crash when destroying a RenderObject with orca running |[GTK] crash when destroying a RenderObject with orca running
--- Comment #8 from Michael Catanzaro <mcatanzaro at igalia.com> ---
(In reply to Ryosuke Niwa from comment #5)
> This change simply removes the release assertion. We need to address the
> underlying issue which is that accessibility code in GTK+ port is updating
> layout in the middle of deleting render objects. That's never safe, and can
> lead to memory corruption. This crash is currently protecting you from
> having an exploitable security bug.
There's a similar issue in bug #182257, where the a11y code is unsafe but we do not have a release assert to protect us.