| Summary: | AX: Isolated object can be detached in the midst of serving AXChildren, causing nullptr dereference | ||||||||
|---|---|---|---|---|---|---|---|---|---|
| Product: | WebKit | Reporter: | Tyler Wilcock <tyler_w> | ||||||
| Component: | Accessibility | Assignee: | Tyler Wilcock <tyler_w> | ||||||
| Status: | RESOLVED FIXED | ||||||||
| Severity: | Normal | CC: | aboxhall, andresg_22, apinheiro, cfleizach, dmazzoni, ews-watchlist, jcraig, samuel_white, webkit-bug-importer | ||||||
| Priority: | P2 | Keywords: | InRadar | ||||||
| Version: | Other | ||||||||
| Hardware: | Unspecified | ||||||||
| OS: | Unspecified | ||||||||
| Attachments: |
|
||||||||
|
Description
Tyler Wilcock
2024-01-19 14:25:51 PST
Created attachment 469472 [details]
Patch
(In reply to Tyler Wilcock from comment #2) > Created attachment 469472 [details] > Patch @@ -1567,7 +1545,7 @@ ALLOW_DEPRECATED_IMPLEMENTATIONS_END } #endif - if (!self.childrenVectorSize) { + if (backingObject->children().isEmpty()) { if (NSArray *children = [self renderWidgetChildren]) return children; } @@ -1581,7 +1559,7 @@ ALLOW_DEPRECATED_IMPLEMENTATIONS_END if (backingObject->isTreeItem()) return makeNSArray(backingObject->ariaTreeItemContent()); - return self.childrenVectorArray; + return makeNSArray(backingObject->children()); AG: we should avoid calling backingObject->children() twice in this block, first for the size and down here for real. Created attachment 469499 [details]
Patch
(In reply to Andres Gonzalez from comment #3) > AG: we should avoid calling backingObject->children() twice in this block, > first for the size and down here for real. TW: Fixed! Committed 273328@main (b571ec5131dc): <https://commits.webkit.org/273328@main> All reviewed patches have been landed. Closing bug and clearing flags on attachment 469499 [details]. |