Merge r170026 - AX: Crash at WebCore::AXObjectCache::textChanged

https://bugs.webkit.org/show_bug.cgi?id=133873

Reviewed by Enrica Casucci.

This looks like a very similar problem to
https://bugs.webkit.org/show_bug.cgi?id=133825

The object is being created and deallocated almost right away because calling accessibilityIsIgnored triggers
a deferred layout that invalidates the associated render element.

Despite my best efforts, I could not come up with a way to reproduce this in a layout test.

* accessibility/AXObjectCache.cpp:
(WebCore::AXObjectCache::getOrCreate):

Source/WebCore/ChangeLog

@@ -1,3 +1,21 @@
+2014-06-16  Chris Fleizach  <cfleizach@apple.com>
+
+        AX: Crash at WebCore::AXObjectCache::textChanged
+        https://bugs.webkit.org/show_bug.cgi?id=133873
+
+        Reviewed by Enrica Casucci.
+
+        This looks like a very similar problem to 
+        https://bugs.webkit.org/show_bug.cgi?id=133825
+
+        The object is being created and deallocated almost right away because calling accessibilityIsIgnored triggers
+        a deferred layout that invalidates the associated render element.
+
+        Despite my best efforts, I could not come up with a way to reproduce this in a layout test.
+
+        * accessibility/AXObjectCache.cpp:
+        (WebCore::AXObjectCache::getOrCreate):
+
 2014-06-09  Alexey Proskuryakov  <ap@apple.com>
 
         Properly reset UStringSearch object in SearchBuffer constructor.

Source/WebCore/accessibility/AXObjectCache.cpp

@@ -394,7 +394,11 @@ AccessibilityObject* AXObjectCache::getOrCreate(Node* node)
     newObj->init();
     attachWrapper(newObj.get());
     newObj->setLastKnownIsIgnoredValue(newObj->accessibilityIsIgnored());
-
+    // Sometimes asking accessibilityIsIgnored() will cause the newObject to be deallocated, and then
+    // it will disappear when this function is finished, leading to a use-after-free.
+    if (newObj->isDetached())
+        return nullptr;
+
     return newObj.get();
 }