Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: b571ec5131dcca906981b9a477d7b71e9605b6a6
https://github.com/WebKit/WebKit/commit/b571ec5131dcca906981b9a477d7b71e9605b6a6
  Author: Tyler Wilcock <tyle...@apple.com>
  Date:   2024-01-22 (Mon, 22 Jan 2024)

  Changed paths:
    M Source/WebCore/accessibility/mac/WebAccessibilityObjectWrapperMac.mm

  Log Message:
  -----------
  AX: Isolated object can be detached in the midst of serving AXChildren, causing nullptr dereference
https://bugs.webkit.org/show_bug.cgi?id=267786
rdar://problem/121282648

Reviewed by Chris Fleizach.

The following sequence is possible:

  1. accessibilityAttributeValue begins, we protect the initial backingObject with a RefPtr
  2. We start handling the AXChildren branch
  3. We call childrenVectorSize in the middle of doing so
  4. This calls self.axBackingObject->children(), which in turn calls AXIsolatedObject::updateBackingStore, in turn calling AXIsolatedTree::applyPendingChanges
  5. For some reason, either self.axBackingObject or its ancestor is in m_pendingSubtreeRemovals, causing the wrapper to detach its m_isolatedObject
  6. We jump back out to accessibilityAttributeValue, and try to return self.childrenVectorArray at the very end. But our self.axBackingObject is nullptr now, and we dereference it without checking for nullptr, and crash

We can fix this by using the RefPtr protected `backingObject` we have at the top of every method rather than the backing object associated with the wrapper, which can become detached. This patch addresses some, but not all, of the self.axBackingObject dereferences (overall addressing the dereference for this specific crash, and others too).

* Source/WebCore/accessibility/mac/WebAccessibilityObjectWrapperMac.mm:
(screenToContents):
(scrollViewParent):
(-[WebAccessibilityObjectWrapper accessibilityAttributeValue:]):
(-[WebAccessibilityObjectWrapper accessibilityAttributeValue:forParameter:]):
(-[WebAccessibilityObjectWrapper accessibilityArrayAttributeCount:]):
(-[WebAccessibilityObjectWrapper accessibilityArrayAttributeValues:index:maxCount:]):
(-[WebAccessibilityObjectWrapper screenToContents:]): Deleted.
(-[WebAccessibilityObjectWrapper childrenVectorSize]): Deleted.
(-[WebAccessibilityObjectWrapper childrenVectorArray]): Deleted.
(-[WebAccessibilityObjectWrapper _computedRoleString]): Deleted.
(-[WebAccessibilityObjectWrapper scrollViewParent]): Deleted.

Canonical link: https://commits.webkit.org/273328@main
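The re-entrancy sequence above, modelled as an added C++ example (not WebKit's code): the tree, isolated object and wrapper are minimal stand-ins with assumed shapes and names, `std::shared_ptr` plays the role of RefPtr, and the buggy shape that re-reads the wrapper's backing object after the re-entrant call sits beside the fixed shape that only uses the protected local.

```cpp
#include <memory>
#include <vector>

// Stand-ins for the types the commit names (assumed shapes, not WebKit's code): a tree
// with pending subtree removals, an object whose children() re-enters the tree, and a
// wrapper holding that object the way the ObjC wrapper holds m_isolatedObject.
struct IsolatedObject; struct Wrapper;
struct IsolatedTree {
    std::vector<IsolatedObject*> pendingSubtreeRemovals; // like m_pendingSubtreeRemovals
    void applyPendingChanges();
};
struct IsolatedObject {
    IsolatedTree* tree = nullptr;
    Wrapper* wrapper = nullptr;
    std::vector<int> children {1, 2, 3}; // constructed sample children
    // Mirrors children() -> updateBackingStore() -> applyPendingChanges().
    const std::vector<int>& getChildren() { tree->applyPendingChanges(); return children; }
};
struct Wrapper {
    std::shared_ptr<IsolatedObject> isolatedObject; // stands in for RefPtr m_isolatedObject
    IsolatedObject* axBackingObject() { return isolatedObject.get(); } // self.axBackingObject
};
// Step 5 of the sequence: a queued removal detaches the wrapper's object mid-call.
void IsolatedTree::applyPendingChanges() {
    for (auto* object : pendingSubtreeRemovals)
        if (object->wrapper) object->wrapper->isolatedObject.reset();
    pendingSubtreeRemovals.clear();
}
// Constructed precondition: the wrapper's object is already queued for removal.
void setupPendingRemoval(IsolatedTree& tree, Wrapper& wrapper) {
    auto object = std::make_shared<IsolatedObject>();
    object->tree = &tree;
    object->wrapper = &wrapper;
    wrapper.isolatedObject = object;
    tree.pendingSubtreeRemovals.push_back(object.get());
}
// Buggy shape: protects the object at the top but re-reads the wrapper's backing
// object after the re-entrant call. Returns -1 where WebKit dereferenced nullptr.
int childrenCountUnsafe(Wrapper& wrapper) {
    std::shared_ptr<IsolatedObject> backingObject = wrapper.isolatedObject;
    if (!backingObject) return -1;
    backingObject->getChildren(); // childrenVectorSize: re-enters and detaches the wrapper
    IsolatedObject* stale = wrapper.axBackingObject(); // nullptr now
    return stale ? static_cast<int>(stale->getChildren().size()) : -1;
}
// Fixed shape: every later access goes through the protected local, which keeps the
// object alive and valid for the whole method even though the wrapper detached.
int childrenCountSafe(Wrapper& wrapper) {
    std::shared_ptr<IsolatedObject> backingObject = wrapper.isolatedObject;
    if (!backingObject) return -1;
    backingObject->getChildren(); // same re-entrant detach happens here
    return static_cast<int>(backingObject->getChildren().size());
}
```

In both shapes the wrapper ends up detached; only the fixed shape still returns the three children because the local reference keeps the object alive past the re-entrant `applyPendingChanges`.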


_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes