Title: [255936] releases/WebKitGTK/webkit-2.28/Source/WebCore
- Revision
- 255936
- Author
- carlo...@webkit.org
- Date
- 2020-02-06 07:10:57 -0800 (Thu, 06 Feb 2020)
Log Message
Merge r255884 - Check for null return from AXIsolatedTree::nodeForID.
https://bugs.webkit.org/show_bug.cgi?id=207300
Reviewed by Chris Fleizach.
- As the IsolatedTree is updated, AXIsolatedTree::nodeForID may return
nullptr for objects that have been removed from the tree. Thus,
IsolatedObjects must check the returned value when updating children
and any other operations involving cached IDs.
- Tidying up use of auto on for and if statements.
* accessibility/isolatedtree/AXIsolatedObject.cpp:
(WebCore::AXIsolatedObject::detachRemoteParts):
(WebCore::AXIsolatedObject::children):
(WebCore::AXIsolatedObject::accessibilityText const):
(WebCore::AXIsolatedObject::insertMathPairs):
(WebCore::AXIsolatedObject::objectAttributeValue const):
(WebCore::AXIsolatedObject::fillChildrenVectorForProperty const):
(WebCore::AXIsolatedObject::tree const): Deleted, moved inline to the header.
* accessibility/isolatedtree/AXIsolatedObject.h:
Modified Paths
Diff
Modified: releases/WebKitGTK/webkit-2.28/Source/WebCore/ChangeLog (255935 => 255936)
--- releases/WebKitGTK/webkit-2.28/Source/WebCore/ChangeLog 2020-02-06 15:10:53 UTC (rev 255935)
+++ releases/WebKitGTK/webkit-2.28/Source/WebCore/ChangeLog 2020-02-06 15:10:57 UTC (rev 255936)
@@ -1,3 +1,26 @@
+2020-02-05 Andres Gonzalez <andresg...@apple.com>
+
+ Check for null return from AXIsolatedTree::nodeForID.
+ https://bugs.webkit.org/show_bug.cgi?id=207300
+
+ Reviewed by Chris Fleizach.
+
+ - As the IsolatedTree is updated, AXIsolatedTree::nodeForID may return
+ nullptr for objects that have been removed from the tree. Thus,
+ IsolatedObjects must check the returned value when updating children
+ and any other operations involving cached IDs.
+ - Tidying up use of auto on for and if statements.
+
+ * accessibility/isolatedtree/AXIsolatedObject.cpp:
+ (WebCore::AXIsolatedObject::detachRemoteParts):
+ (WebCore::AXIsolatedObject::children):
+ (WebCore::AXIsolatedObject::accessibilityText const):
+ (WebCore::AXIsolatedObject::insertMathPairs):
+ (WebCore::AXIsolatedObject::objectAttributeValue const):
+ (WebCore::AXIsolatedObject::fillChildrenVectorForProperty const):
+ (WebCore::AXIsolatedObject::tree const): Deleted, moved inline to the header.
+ * accessibility/isolatedtree/AXIsolatedObject.h:
+
2020-02-05 Chris Dumez <cdu...@apple.com>
[IPC hardening] Fail IPC decoding of invalid ClientOrigin objects
Modified: releases/WebKitGTK/webkit-2.28/Source/WebCore/accessibility/isolatedtree/AXIsolatedObject.cpp (255935 => 255936)
--- releases/WebKitGTK/webkit-2.28/Source/WebCore/accessibility/isolatedtree/AXIsolatedObject.cpp 2020-02-06 15:10:53 UTC (rev 255935)
+++ releases/WebKitGTK/webkit-2.28/Source/WebCore/accessibility/isolatedtree/AXIsolatedObject.cpp 2020-02-06 15:10:57 UTC (rev 255936)
@@ -410,9 +410,10 @@
void AXIsolatedObject::detachRemoteParts(AccessibilityDetachmentType detachmentType)
{
ASSERT_UNUSED(detachmentType, isMainThread() ? detachmentType == AccessibilityDetachmentType::CacheDestroyed : detachmentType != AccessibilityDetachmentType::CacheDestroyed);
- for (const auto& childID : m_childrenIDs)
- tree()->nodeForID(childID)->detachFromParent();
-
+ for (const auto& childID : m_childrenIDs) {
+ if (auto child = tree()->nodeForID(childID))
+ child->detachFromParent();
+ }
m_childrenIDs.clear();
}
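Review bot: The loop now null-checks the result of `nodeForID`, but `tree()` itself is still dereferenced unguarded on every iteration. The header hunk shows it returns `m_cachedTree.get()`, which looks like a nullable pointer. Whether `m_cachedTree` can be cleared before `detachRemoteParts` runs is not visible here; if it can, wrap the loop in `if (auto* cachedTree = tree())` and call `cachedTree->nodeForID(childID)` inside, leaving `m_childrenIDs.clear()` outside the guard. The same unguarded `tree()->` occurs in the children(), accessibilityText, insertMathPairs and fillChildrenVectorForProperty hunks.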
@@ -439,9 +440,10 @@
if (!isMainThread()) {
m_children.clear();
m_children.reserveInitialCapacity(m_childrenIDs.size());
- auto tree = this->tree();
- for (auto childID : m_childrenIDs)
- m_children.uncheckedAppend(tree->nodeForID(childID));
+ for (const auto& childID : m_childrenIDs) {
+ if (auto child = tree()->nodeForID(childID))
+ m_children.uncheckedAppend(child);
+ }
}
return m_children;
}
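Review bot: Skipping null nodes means `m_children` can now be shorter than `m_childrenIDs`, so any code that indexes the two in parallel or takes the child count from `m_childrenIDs.size()` will disagree with what children() returns. A comment above the loop would record this, e.g. `// IDs whose node was removed from the tree are skipped; m_children may be shorter than m_childrenIDs.` The hunk also drops the hoisted `auto tree = this->tree();`, so the pointer is re-read per iteration. If `nodeForID` returns a RefPtr, as the `.get()` calls elsewhere suggest, `m_children.uncheckedAppend(WTFMove(child));` would avoid an extra ref/deref. The function's signature lies outside the hunk.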
@@ -460,9 +462,9 @@
void AXIsolatedObject::accessibilityText(Vector<AccessibilityText>& texts) const
{
auto isolatedTexts = vectorAttributeValue<AccessibilityIsolatedTreeText>(AXPropertyName::AccessibilityText);
- for (auto isolatedText : isolatedTexts) {
+ for (const auto& isolatedText : isolatedTexts) {
AccessibilityText text(isolatedText.text, isolatedText.textSource);
- for (auto axID : isolatedText.textElements) {
+ for (const auto& axID : isolatedText.textElements) {
if (auto object = tree()->nodeForID(axID))
text.textElements.append(object);
}
@@ -506,11 +508,11 @@
void AXIsolatedObject::insertMathPairs(Vector<AccessibilityIsolatedTreeMathMultiscriptPair>& isolatedPairs, AccessibilityMathMultiscriptPairs& pairs)
{
- for (auto pair : isolatedPairs) {
+ for (const auto& pair : isolatedPairs) {
AccessibilityMathMultiscriptPair prescriptPair;
- if (auto* coreObject = tree()->nodeForID(pair.first).get())
+ if (auto coreObject = tree()->nodeForID(pair.first).get())
prescriptPair.first = coreObject;
- if (auto* coreObject = tree()->nodeForID(pair.second).get())
+ if (auto coreObject = tree()->nodeForID(pair.second).get())
prescriptPair.second = coreObject;
pairs.append(prescriptPair);
}
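Review bot: `tree()->nodeForID(pair.first).get()` takes a raw pointer from a temporary that is destroyed at the end of the initializer, so nothing local keeps `coreObject` alive once it is stored in `prescriptPair`. The log message says nodes can be removed from the tree as it is updated, so this relies on the tree keeping the node alive for as long as `pairs` is used. Changing `auto*` to `auto` also hides that this is a raw pointer, while the same `auto x = tree()->nodeForID(...)` spelling in the other hunks presumably holds a RefPtr. I would keep `if (auto* coreObject = ...)` or hold the reference in a named local. The context line `return tree()->nodeForID(nodeID).get();` in the @@ -673 hunk has the same lifetime pattern.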
@@ -652,11 +654,6 @@
return const_cast<AXIsolatedObject*>(this);
}
-AXIsolatedTree* AXIsolatedObject::tree() const
-{
- return m_cachedTree.get();
-}
-
IntPoint AXIsolatedObject::intPointAttributeValue(AXPropertyName propertyName) const
{
auto value = m_attributeMap.get(propertyName);
@@ -673,7 +670,7 @@
[] (AXID& typedValue) { return typedValue; },
[] (auto&) { return InvalidAXID; }
);
-
+
return tree()->nodeForID(nodeID).get();
}
@@ -792,7 +789,7 @@
{
Vector<AXID> childIDs = vectorAttributeValue<AXID>(propertyName);
children.reserveCapacity(childIDs.size());
- for (auto childID : childIDs) {
+ for (const auto& childID : childIDs) {
if (auto object = tree()->nodeForID(childID))
children.uncheckedAppend(object);
}
Modified: releases/WebKitGTK/webkit-2.28/Source/WebCore/accessibility/isolatedtree/AXIsolatedObject.h (255935 => 255936)
--- releases/WebKitGTK/webkit-2.28/Source/WebCore/accessibility/isolatedtree/AXIsolatedObject.h 2020-02-06 15:10:53 UTC (rev 255935)
+++ releases/WebKitGTK/webkit-2.28/Source/WebCore/accessibility/isolatedtree/AXIsolatedObject.h 2020-02-06 15:10:57 UTC (rev 255936)
@@ -65,10 +65,10 @@
void detachPlatformWrapper(AccessibilityDetachmentType) override;
AXID parent() const { return m_parent; }
-
+
AXIsolatedTreeID treeIdentifier() const { return m_treeIdentifier; }
- AXIsolatedTree* tree() const;
-
+ AXIsolatedTree* tree() const { return m_cachedTree.get(); }
+
AXIsolatedObject() = default;
AXIsolatedObject(AXCoreObject&, bool isRoot);
void initializeAttributeData(AXCoreObject&, bool isRoot);