Bug 267786

Summary: AX: Isolated object can be detached in the midst of serving AXChildren, causing nullptr dereference
Product: WebKit
Reporter: Tyler Wilcock <tyler_w>
Component: Accessibility
Assignee: Tyler Wilcock <tyler_w>
Status: RESOLVED FIXED
Severity: Normal
CC: aboxhall, andresg_22, apinheiro, cfleizach, dmazzoni, ews-watchlist, jcraig, samuel_white, webkit-bug-importer
Priority: P2
Keywords: InRadar
Version: Other
Hardware: Unspecified
OS: Unspecified

Tyler Wilcock
Reported 2024-01-19 14:25:51 PST
...
Attachments
Patch (9.83 KB, patch)
2024-01-19 14:32 PST, Tyler Wilcock
no flags
Patch (10.05 KB, patch)
2024-01-22 10:05 PST, Tyler Wilcock
no flags
Radar WebKit Bug Importer
Comment 1 2024-01-19 14:26:01 PST
Tyler Wilcock
Comment 2 2024-01-19 14:32:28 PST
Andres Gonzalez
Comment 3 2024-01-22 08:39:20 PST
(In reply to Tyler Wilcock from comment #2) > Created attachment 469472 [details] > Patch @@ -1567,7 +1545,7 @@ ALLOW_DEPRECATED_IMPLEMENTATIONS_END } #endif - if (!self.childrenVectorSize) { + if (backingObject->children().isEmpty()) { if (NSArray *children = [self renderWidgetChildren]) return children; } @@ -1581,7 +1559,7 @@ ALLOW_DEPRECATED_IMPLEMENTATIONS_END if (backingObject->isTreeItem()) return makeNSArray(backingObject->ariaTreeItemContent()); - return self.childrenVectorArray; + return makeNSArray(backingObject->children()); AG: we should avoid calling backingObject->children() twice in this block, first for the size and down here for real.
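Review bot: in the hunk at -1567, the new condition `backingObject->children().isEmpty()` takes one reading of the children, and `return makeNSArray(backingObject->children());` in the following hunk takes a second one. If the object is detached between the two reads, as the bug summary describes, the emptiness test and the returned array can disagree. Suggest reading `backingObject->children()` once into a local at the top of this block and using that local for both the `isEmpty()` test and the `makeNSArray` call.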
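Review bot: the final `+` line of the hunk at -1581 replaces `return self.childrenVectorArray;` with `return makeNSArray(backingObject->children());` but carries no comment saying why the wrapper's own accessor is no longer used on this path. A one-line comment above the return, stating that children must be read through the `backingObject` already in use in this block rather than through `self` accessors, would help keep a later cleanup from reintroducing the property call.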
Tyler Wilcock
Comment 4 2024-01-22 10:05:22 PST
Tyler Wilcock
Comment 5 2024-01-22 11:24:36 PST
(In reply to Andres Gonzalez from comment #3)
> AG: we should avoid calling backingObject->children() twice in this block,
> first for the size and down here for real.

TW: Fixed!
EWS
Comment 6 2024-01-22 16:43:52 PST
Committed 273328@main (b571ec5131dc): <https://commits.webkit.org/273328@main> All reviewed patches have been landed. Closing bug and clearing flags on attachment 469499 [details].