RESOLVED FIXED 241643
AX ITM: Should not build an isolated tree branch rooted at an object with invalid ID. Should not attempt to remove an object for an invalid ID. 
https://bugs.webkit.org/show_bug.cgi?id=241643
Summary AX ITM: Should not build an isolated tree branch rooted at an object with inv...
Andres Gonzalez
Reported 2022-06-15 12:36:12 PDT
In some webpages we are hitting the following state where we are trying to build an isolated tree branch with a starting object that has invalid/null ID. This creates undefined problems since the ID is used as the key for HashMaps. (lldb) f 7 frame #7: 0x000000014da57480 WebCore`WebCore::AXIsolatedTree::collectNodeChangesForSubtree(this=0x0000000105e2f500, axObject=0x0000000105d1d700) at AXIsolatedTree.cpp:311:32 308 AXTRACE("AXIsolatedTree::collectNodeChangesForSubtree"_s); 309 ASSERT(isMainThread()); 310 SetForScope collectingNodeChanges(m_isCollectingNodeChanges, true); -> 311 m_unresolvedPendingAppends.set(axObject.objectID(), AttachWrapper::OnMainThread); 312 313 auto axChildrenCopy = axObject.children(); 314 auto axChildrenIDs = axChildrenCopy.map([&](auto& axChild) { (lldb) v axObject.m_id (WebCore::AXID) axObject.m_id = (m_identifier = 0)
Attachments
Patch (1.44 KB, patch)
2022-06-15 12:39 PDT, Andres Gonzalez 		no flags
DetailsFormatted DiffDiff
Patch (2.80 KB, patch)
2022-06-15 14:01 PDT, Andres Gonzalez 		no flags
DetailsFormatted DiffDiff
Show Obsolete (1) View All Add attachment proposed patch, testcase, etc.
Radar WebKit Bug Importer
Comment 1 2022-06-15 12:36:20 PDT
<rdar://problem/95229695>
Andres Gonzalez
Comment 2 2022-06-15 12:39:19 PDT
Created attachment 460259 [details] Patch
Andres Gonzalez
Comment 3 2022-06-15 13:38:44 PDT
Another example where trying to remove an isolated object for a null ID: (lldb) f 8 frame #8: 0x000000014be8fc34 WebCore`WebCore::AXIsolatedTree::removeSubtreeFromNodeMap(this=0x0000000103e79300, objectID=(m_identifier = 0), axParent=0x0000000103d63d00) at AXIsolatedTree.cpp:638:20 635 AXLOG(makeString("Removing subtree for objectID ", objectID.loggingString())); 636 ASSERT(isMainThread()); 637 -> 638 if (!m_nodeMap.contains(objectID)) { 639 AXLOG(makeString("Tried to remove AXID ", objectID.loggingString(), " that is no longer in m_nodeMap.")); 640 return; 641 } (lldb) v objectID (WebCore::AXID) objectID = (m_identifier = 0)
Andres Gonzalez
Comment 4 2022-06-15 14:01:55 PDT
Created attachment 460260 [details] Patch
EWS
Comment 5 2022-06-15 19:18:32 PDT
Committed r295582 (251587@main): <https://commits.webkit.org/251587@main> All reviewed patches have been landed. Closing bug and clearing flags on attachment 460260 [details].
Note You need to log in before you can comment on or make changes to this bug.