AXObjectCache::characterOffsetFromVisiblePosition creates an AX object from the node backing a VisiblePosition at the beginning of the method. Then, it does non-trivial work that could cause the renderer backing the AX object to be destroyed, and afterwards unconditionally deferences that AX object's node() at the end of the method. This can cause a null pointer dereference crash (because AccessibilityRenderObject::node() depends on a non-null renderer), and is generally poor pointer hygiene.
<rdar://problem/107459184>
rdar://103456792
Created attachment 465696 [details] Patch
Do we still want to check that this is NOT null first? deepPos.deprecatedNode();
(In reply to chris fleizach from comment #4) > Do we still want to check that this is NOT null first? > > deepPos.deprecatedNode(); We should be safe because if `deepPos.deprecatedNode()` were null, this check just above dereferencing it would return: if (visiblePos.isNull()) return CharacterOffset();
Committed 262432@main (7d93b07962d5): <https://commits.webkit.org/262432@main> All reviewed patches have been landed. Closing bug and clearing flags on attachment 465696 [details].