Title: [289044] trunk/Source/WebCore
Revision
289044
Author
[email protected]
Date
2022-02-03 05:23:42 -0800 (Thu, 03 Feb 2022)

Log Message

Crash in AXIsolatedObject::associatedAXObject.
https://bugs.webkit.org/show_bug.cgi?id=236053
<rdar://problem/88413232>

Reviewed by Darin Adler.

The crash occurs because we are using an axObject pointer after we call
updateBackingStore() which may destroy the object pointed to by axObject.
This was added as a fix for
https://bugs.webkit.org/show_bug.cgi?id=220446
So I will submit a follow up patch with the correct fix for that bug as well.

* accessibility/isolatedtree/AXIsolatedObject.cpp:
(WebCore::AXIsolatedObject::associatedAXObject const):

Modified Paths

Diff

Modified: trunk/Source/WebCore/ChangeLog (289043 => 289044)


--- trunk/Source/WebCore/ChangeLog	2022-02-03 13:21:54 UTC (rev 289043)
+++ trunk/Source/WebCore/ChangeLog	2022-02-03 13:23:42 UTC (rev 289044)
@@ -1,3 +1,20 @@
+2022-02-03  Andres Gonzalez  <[email protected]>
+
+        Crash in AXIsolatedObject::associatedAXObject.
+        https://bugs.webkit.org/show_bug.cgi?id=236053
+        <rdar://problem/88413232>
+
+        Reviewed by Darin Adler.
+
+        The crash occurs because we are using an axObject pointer after we call
+        updateBackingStore() which may destroy the object pointed to by axObject.
+        This was added as a fix for
+        https://bugs.webkit.org/show_bug.cgi?id=220446
+        So I will submit a follow up patch with the correct fix for that bug as well.
+
+        * accessibility/isolatedtree/AXIsolatedObject.cpp:
+        (WebCore::AXIsolatedObject::associatedAXObject const):
+
 2022-02-03  Chris Lord  <[email protected]>
 
         Add specialize type traits to GLContext
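Review bot: The ChangeLog entry lists only AXIsolatedObject.cpp and no test, so nothing in this change guards against the crash returning. Since the message says a follow-up will re-fix bug 220446, which is exactly when an updateBackingStore() call is likely to be put back near this code, consider adding a regression test for bug 236053 or stating in the entry why one is not feasible. The sentence "This was added as a fix for" would also read more clearly if it named the updateBackingStore() call as the thing that was added.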

Modified: trunk/Source/WebCore/accessibility/isolatedtree/AXIsolatedObject.cpp (289043 => 289044)


--- trunk/Source/WebCore/accessibility/isolatedtree/AXIsolatedObject.cpp	2022-02-03 13:21:54 UTC (rev 289043)
+++ trunk/Source/WebCore/accessibility/isolatedtree/AXIsolatedObject.cpp	2022-02-03 13:23:42 UTC (rev 289044)
@@ -438,14 +438,8 @@
     if (!m_id.isValid())
         return nullptr;
 
-    if (auto* axObjectCache = this->axObjectCache()) {
-        if (auto* axObject = axObjectCache->objectFromAXID(m_id)) {
-            axObject->updateBackingStore();
-            return axObject;
-        }
-    }
-
-    return nullptr;
+    auto* axObjectCache = this->axObjectCache();
+    return axObjectCache ? axObjectCache->objectFromAXID(m_id) : nullptr;
 }
 
 void AXIsolatedObject::setMathscripts(AXPropertyName propertyName, AXCoreObject& object)
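Review bot: The new return line, `return axObjectCache ? axObjectCache->objectFromAXID(m_id) : nullptr;`, still hands callers a raw pointer, and per the log message updateBackingStore() may destroy the object it points to, so a caller that does any backing-store update after calling associatedAXObject() is exposed to the same stale-pointer use that this hunk removes. A short comment above the return would help: state that updateBackingStore() must not be called here because it can invalidate the result (bug 236053), and that callers must not hold the returned pointer across such an update. That also records why the bug 220446 workaround was dropped, so the planned follow-up does not reintroduce it in this function.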
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes
