Bug 267786 - AX: Isolated object can be detached in the midst of serving AXChildren, causing nullptr dereference
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: Accessibility
Version: Other
Hardware: Unspecified Unspecified
Importance: P2 Normal
Assignee: Tyler Wilcock
URL:
Keywords: InRadar
Depends on:
Blocks:
 
Reported: 2024-01-19 14:25 PST by Tyler Wilcock
Modified: 2024-01-22 16:43 PST
CC List: 9 users

See Also:


Attachments
Patch (9.83 KB, patch)
2024-01-19 14:32 PST, Tyler Wilcock
Patch (10.05 KB, patch)
2024-01-22 10:05 PST, Tyler Wilcock

Description Tyler Wilcock 2024-01-19 14:25:51 PST
...
Comment 1 Radar WebKit Bug Importer 2024-01-19 14:26:01 PST
<rdar://problem/121282648>
Comment 2 Tyler Wilcock 2024-01-19 14:32:28 PST
Created attachment 469472
Patch
Comment 3 Andres Gonzalez 2024-01-22 08:39:20 PST
(In reply to Tyler Wilcock from comment #2)
> Created attachment 469472
> Patch

@@ -1567,7 +1545,7 @@ ALLOW_DEPRECATED_IMPLEMENTATIONS_END
         }
 #endif

-        if (!self.childrenVectorSize) {
+        if (backingObject->children().isEmpty()) {
             if (NSArray *children = [self renderWidgetChildren])
                 return children;
         }
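Review bot: `backingObject->children()` is evaluated here for the emptiness check and again at the `return` in the following hunk; if `children()` builds or copies a vector, or the isolated object can be detached between the two calls (the very scenario this bug describes), the two results can differ. Capture it once before this `if`, e.g. `auto children = backingObject->children();`, and test `children.isEmpty()` here so the later return works on the same vector.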
@@ -1581,7 +1559,7 @@ ALLOW_DEPRECATED_IMPLEMENTATIONS_END
         if (backingObject->isTreeItem())
             return makeNSArray(backingObject->ariaTreeItemContent());

-        return self.childrenVectorArray;
+        return makeNSArray(backingObject->children());

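Review bot: the `return makeNSArray(backingObject->children());` line repeats the `children()` call made for the `isEmpty()` check earlier in the same method; it should return the vector already obtained there, e.g. `return makeNSArray(children);`, so the array handed back to AXChildren reflects one consistent snapshot of the backing object's children rather than two separate reads.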
AG: we should avoid calling backingObject->children() twice in this block, first for the size and down here for real.
Comment 4 Tyler Wilcock 2024-01-22 10:05:22 PST
Created attachment 469499
Patch
Comment 5 Tyler Wilcock 2024-01-22 11:24:36 PST
(In reply to Andres Gonzalez from comment #3)
> AG: we should avoid calling backingObject->children() twice in this block,
> first for the size and down here for real.
TW: Fixed!
Comment 6 EWS 2024-01-22 16:43:52 PST
Committed 273328@main (b571ec5131dc): <https://commits.webkit.org/273328@main>

All reviewed patches have been landed. Closing bug and clearing flags on attachment 469499.