Somewhat obscure, but this happened "in the wild" - if you add a selected option inside of a <select> element using document.write, AccessibilityMenuListPopup::didUpdateActiveOption gets called with the new index before the children of the AccessibilityMenuListPopup get updated, leading to a crash.

I can only reproduce on Chromium because on Mac, the AccessibilityMenuListPopup is ignored if the pop-up is closed. Should repro on Windows in theory, maybe GTK.

Here's the repro - the crash only happens if the AccessibilityMenuListPopup is actually created before the script runs; I can trigger this on Chromium by adding a delay to the JavaScript and tabbing to the control (while accessibility is on) before the script runs. When the script does run it triggers the crash.

<select id="menulist">
  <option>1</option>
  <script src="data:text/javascript,document.write('<option selected>2');"></script>
</select>
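The ordering bug in the report, modelled in plain JavaScript as an added example (this is not WebKit code and not the reporter's; the class and method names are only hypothetical stand-ins for RenderMenuList, AccessibilityMenuListPopup and AXObjectCache::childrenChanged). The popup keeps a cached list of its accessibility children; the active-option notification is an index computed from the live option list. If the select does not tell the cache that its children changed when an option is added, the index runs past the stale cache. The model assumes the notification marks the cache stale and the rebuild happens lazily before the next index-based access; an out-of-range index is modelled as a thrown RangeError in place of the crash.

```javascript
// Added model of the crash in this report; not WebKit code.
// Names are hypothetical stand-ins for the WebKit classes discussed above.

class MenuListPopupModel {
  constructor(menuList) {
    this.menuList = menuList;
    this.children = [];      // cached accessibility children (stand-in for m_children)
    this.dirty = true;       // set by childrenChanged(); cleared on rebuild
    this.activeIndex = -1;
  }

  // Stand-in for the childrenChanged notification reaching the popup.
  // Assumption: it only marks the cache stale; the rebuild is lazy.
  childrenChanged() { this.dirty = true; }

  rebuildChildrenIfNeeded() {
    if (!this.dirty) return;
    this.children = this.menuList.options.map((opt, i) => ({ index: i, text: opt.text }));
    this.dirty = false;
  }

  // Stand-in for didUpdateActiveOption(optionIndex): indexes the cached
  // children. An out-of-range index models the crash from the report.
  didUpdateActiveOption(optionIndex) {
    this.rebuildChildrenIfNeeded();
    if (optionIndex < 0 || optionIndex >= this.children.length) {
      throw new RangeError(
        `option index ${optionIndex} outside cached children (${this.children.length})`);
    }
    this.activeIndex = optionIndex;
    return this.children[optionIndex];
  }
}

class MenuListModel {
  constructor({ notifyOnAddChild }) {
    this.options = [];
    // false: addChild does not notify the cache (the reported behaviour);
    // true: addChild notifies the cache (the behaviour the fix introduces).
    this.notifyOnAddChild = notifyOnAddChild;
    this.popup = null;
  }

  // Stand-in for RenderMenuList::addChild.
  addChild(option) {
    this.options.push(option);
    if (this.notifyOnAddChild && this.popup) this.popup.childrenChanged();
  }

  // A newly parsed <option selected> lands: the select adds the child, then
  // reports the new selected index to the popup.
  appendOption(text, selected) {
    this.addChild({ text, selected });
    if (selected && this.popup) {
      return this.popup.didUpdateActiveOption(this.options.length - 1);
    }
    return undefined;
  }
}

// Reproduces the sequence from the report: <option>1</option> is parsed, the
// popup exists and has built its children (user tabbed to the control with
// accessibility on), then document.write inserts <option selected>2</option>.
function runScenario(notifyOnAddChild) {
  const select = new MenuListModel({ notifyOnAddChild });
  select.appendOption('1', false);           // parsed before the script runs
  select.popup = new MenuListPopupModel(select);
  select.popup.rebuildChildrenIfNeeded();    // cache now holds exactly one child
  try {
    const child = select.appendOption('2', true);
    return { crashed: false, activeIndex: select.popup.activeIndex, activeText: child.text };
  } catch (e) {
    if (!(e instanceof RangeError)) throw e;
    return { crashed: true, reason: e.message };
  }
}

console.log('without notification:', runScenario(false));
console.log('with notification:   ', runScenario(true));
```

The first call models the reported behaviour and hits the out-of-range index; the second models addChild notifying the cache, so the lazy rebuild sees both options before the index is used.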
Created attachment 143063 [details] Patch
Comment on attachment 143063 [details] Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=143063&action=review

> Source/WebCore/rendering/RenderMenuList.cpp:124
> +    document()->axObjectCache()->childrenChanged(this);

what about removeChild?
Created attachment 143074 [details] Patch
(In reply to comment #2)
> what about removeChild?

Good thought, but I couldn't come up with a case where removeChild didn't work. I updated the test to cover removeChild, but it already worked correctly so no more code changes were needed.
Comment on attachment 143074 [details] Patch looks good
Comment on attachment 143074 [details] Patch

Clearing flags on attachment: 143074

Committed r117976: <http://trac.webkit.org/changeset/117976>
All reviewed patches have been landed. Closing bug.