diff --git a/webkit2gtk3-boo1088932-a11y-state-set.patch b/webkit2gtk3-boo1088932-a11y-state-set.patch
new file mode 100644
index 0000000..e2e9fb5
--- /dev/null
+++ b/webkit2gtk3-boo1088932-a11y-state-set.patch
@@ -0,0 +1,58 @@
+diff -urp webkitgtk-2.20.1.orig/Source/WebCore/accessibility/AccessibilityObject.cpp webkitgtk-2.20.1/Source/WebCore/accessibility/AccessibilityObject.cpp
+--- webkitgtk-2.20.1.orig/Source/WebCore/accessibility/AccessibilityObject.cpp	2018-04-09 07:00:57.000000000 -0500
++++ webkitgtk-2.20.1/Source/WebCore/accessibility/AccessibilityObject.cpp	2018-04-10 21:07:52.446048647 -0500
+@@ -1771,7 +1771,7 @@ void AccessibilityObject::updateBackingS
+     // Updating the layout may delete this object.
+     RefPtr<AccessibilityObject> protectedThis(this);
+     if (auto* document = this->document()) {
+-        if (!document->view()->layoutContext().isInRenderTreeLayout() && !document->inRenderTreeUpdate() && !document->inStyleRecalc())
++        if (!document->view()->layoutContext().isInRenderTreeLayout() && !document->inRenderTreeUpdate() && document->isSafeToUpdateStyleOrLayout())
+             document->updateLayoutIgnorePendingStylesheets();
+     }
+     updateChildrenIfNecessary();
+diff -urp webkitgtk-2.20.1.orig/Source/WebCore/dom/Document.cpp webkitgtk-2.20.1/Source/WebCore/dom/Document.cpp
+--- webkitgtk-2.20.1.orig/Source/WebCore/dom/Document.cpp	2018-03-05 05:36:37.000000000 -0600
++++ webkitgtk-2.20.1/Source/WebCore/dom/Document.cpp	2018-04-10 21:07:52.454048680 -0500
+@@ -1940,11 +1940,10 @@ bool Document::needsStyleRecalc() const
+     return false;
+ }
+ 
+-static bool isSafeToUpdateStyleOrLayout(const Document& document)
++bool Document::isSafeToUpdateStyleOrLayout() const
+ {
+     bool isSafeToExecuteScript = ScriptDisallowedScope::InMainThread::isScriptAllowed();
+-    auto* frameView = document.view();
+-    bool isInFrameFlattening = frameView && frameView->isInChildFrameWithFrameFlattening();
++    bool isInFrameFlattening = view() && view()->isInChildFrameWithFrameFlattening();
+     bool isAssertionDisabled = ScriptDisallowedScope::LayoutAssertionDisableScope::shouldDisable();
+     return isSafeToExecuteScript || isInFrameFlattening || !isInWebProcess() || isAssertionDisabled;
+ }
+@@ -1967,7 +1966,7 @@ bool Document::updateStyleIfNeeded()
+     }
+ 
+     // The early exit above for !needsStyleRecalc() is needed when updateWidgetPositions() is called in runOrScheduleAsynchronousTasks().
+-    RELEASE_ASSERT_WITH_SECURITY_IMPLICATION(isSafeToUpdateStyleOrLayout(*this));
++    RELEASE_ASSERT_WITH_SECURITY_IMPLICATION(isSafeToUpdateStyleOrLayout());
+ 
+     resolveStyle();
+     return true;
+@@ -1983,7 +1982,7 @@ void Document::updateLayout()
+         ASSERT_NOT_REACHED();
+         return;
+     }
+-    RELEASE_ASSERT_WITH_SECURITY_IMPLICATION(isSafeToUpdateStyleOrLayout(*this));
++    RELEASE_ASSERT_WITH_SECURITY_IMPLICATION(isSafeToUpdateStyleOrLayout());
+ 
+     RenderView::RepaintRegionAccumulator repaintRegionAccumulator(renderView());
+ 
+diff -urp webkitgtk-2.20.1.orig/Source/WebCore/dom/Document.h webkitgtk-2.20.1/Source/WebCore/dom/Document.h
+--- webkitgtk-2.20.1.orig/Source/WebCore/dom/Document.h	2018-03-05 04:11:41.000000000 -0600
++++ webkitgtk-2.20.1/Source/WebCore/dom/Document.h	2018-04-10 21:07:52.454048680 -0500
+@@ -1253,6 +1253,7 @@ public:
+ 
+     bool inStyleRecalc() const { return m_inStyleRecalc; }
+     bool inRenderTreeUpdate() const { return m_inRenderTreeUpdate; }
++    WEBCORE_EXPORT bool isSafeToUpdateStyleOrLayout() const;
+ 
+     void updateTextRenderer(Text&, unsigned offsetOfReplacedText, unsigned lengthOfReplacedText);
+ 
diff --git a/webkit2gtk3.changes b/webkit2gtk3.changes
index 5cb7d1d..b883ffb 100644
--- a/webkit2gtk3.changes
+++ b/webkit2gtk3.changes
@@ -1,3 +1,10 @@
+-------------------------------------------------------------------
+Wed Apr 11 15:53:22 UTC 2018 - mgorse@suse.com
+
+- Add webkit2gtk3-boo1088932-a11y-state-set.patch: fix crash when
+  atk_object_ref_state_set is called on an AtkObject that's being
+  destroyed (boo#1088932 webkit#184366).
+
 -------------------------------------------------------------------
 Tue Apr 10 10:23:30 UTC 2018 - bjorn.lie@gmail.com
 
diff --git a/webkit2gtk3.spec b/webkit2gtk3.spec
index 271b3a7..c92f446 100644
--- a/webkit2gtk3.spec
+++ b/webkit2gtk3.spec
@@ -52,6 +52,8 @@ Source99:       webkit2gtk3.keyring
 Patch0:         webkitgtk-typelib-sharelib-link.patch
 # PATCH-FIX-UPSTREAM webkit2gtk3-python3.patch bsc#1079812 mgorse@suse.com -- port to Python 3.
 Patch1:         webkit2gtk3-python3.patch
+# PATCh-FIX-UPSTREAM webkit2gtk3-boo1088932-a11y-state-set.patch boo#1088932 webkit#184366 mgorse@suse.com -- fix crash when atk_object_ref_state_set is called on an AtkObject that's being destroyed.
+Patch2:         webkit2gtk3-boo1088932-a11y-state-set.patch
 BuildRequires:  Mesa-libEGL-devel
 BuildRequires:  Mesa-libGL-devel
 BuildRequires:  Mesa-libGLESv1_CM-devel
@@ -260,6 +262,7 @@ invoking a Perl or Python script.
 %if %{with python3}
 %patch1 -p1
 %endif
+%patch2 -p1
 
 %build
 # Here we must muzzle our dog so it doesn't eat all the memory