Title: [289044] trunk/Source/WebCore
Revision: 289044
Author: andresg...@apple.com
Date: 2022-02-03 05:23:42 -0800 (Thu, 03 Feb 2022)

Log Message

Crash in AXIsolatedObject::associatedAXObject.
https://bugs.webkit.org/show_bug.cgi?id=236053
<rdar://problem/88413232>

Reviewed by Darin Adler.

The crash occurs because we are using an axObject pointer after we call
updateBackingStore() which may destroy the object pointed to by axObject.
This was added as a fix for
https://bugs.webkit.org/show_bug.cgi?id=220446
So I will submit a follow up patch with the correct fix for that bug as well.

* accessibility/isolatedtree/AXIsolatedObject.cpp:
(WebCore::AXIsolatedObject::associatedAXObject const):

Modified Paths

Diff

Modified: trunk/Source/WebCore/ChangeLog (289043 => 289044)


--- trunk/Source/WebCore/ChangeLog	2022-02-03 13:21:54 UTC (rev 289043)
+++ trunk/Source/WebCore/ChangeLog	2022-02-03 13:23:42 UTC (rev 289044)
@@ -1,3 +1,20 @@
+2022-02-03  Andres Gonzalez  <andresg...@apple.com>
+
+        Crash in AXIsolatedObject::associatedAXObject.
+        https://bugs.webkit.org/show_bug.cgi?id=236053
+        <rdar://problem/88413232>
+
+        Reviewed by Darin Adler.
+
+        The crash occurs because we are using an axObject pointer after we call
+        updateBackingStore() which may destroy the object pointed to by axObject.
+        This was added as a fix for
+        https://bugs.webkit.org/show_bug.cgi?id=220446
+        So I will submit a follow up patch with the correct fix for that bug as well.
+
+        * accessibility/isolatedtree/AXIsolatedObject.cpp:
+        (WebCore::AXIsolatedObject::associatedAXObject const):
+
 2022-02-03  Chris Lord  <cl...@igalia.com>
 
         Add specialize type traits to GLContext
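
Review bot: The new ChangeLog entry lists only accessibility/isolatedtree/AXIsolatedObject.cpp, so this crash fix lands without a regression test and without a sentence saying why none is possible. Either add a test that exercises associatedAXObject() while the backing store is being updated, or state in the entry that the crash is not reliably reproducible. The entry also says the removed call was the fix for bug 220446 and that a follow-up is planned; it would help to say what behaviour from that fix is lost until the follow-up lands.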

Modified: trunk/Source/WebCore/accessibility/isolatedtree/AXIsolatedObject.cpp (289043 => 289044)


--- trunk/Source/WebCore/accessibility/isolatedtree/AXIsolatedObject.cpp	2022-02-03 13:21:54 UTC (rev 289043)
+++ trunk/Source/WebCore/accessibility/isolatedtree/AXIsolatedObject.cpp	2022-02-03 13:23:42 UTC (rev 289044)
@@ -438,14 +438,8 @@
     if (!m_id.isValid())
         return nullptr;
 
-    if (auto* axObjectCache = this->axObjectCache()) {
-        if (auto* axObject = axObjectCache->objectFromAXID(m_id)) {
-            axObject->updateBackingStore();
-            return axObject;
-        }
-    }
-
-    return nullptr;
+    auto* axObjectCache = this->axObjectCache();
+    return axObjectCache ? axObjectCache->objectFromAXID(m_id) : nullptr;
 }
 
 void AXIsolatedObject::setMathscripts(AXPropertyName propertyName, AXCoreObject& object)
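
Review bot: The new return in associatedAXObject() has no comment explaining why updateBackingStore() must not be called on the looked-up object, so the removed pattern could easily be reintroduced. Add a short comment above "return axObjectCache ? axObjectCache->objectFromAXID(m_id) : nullptr;" saying that updateBackingStore() may destroy the object and the pointer must not be used afterwards. If the follow-up for bug 220446 needs the update again, it should look the object up by m_id after the update instead of reusing a pointer obtained before it. The function still returns a raw pointer, so callers that trigger a backing store update themselves have the same lifetime problem and are worth auditing.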