Title: [289188] releases/WebKitGTK/webkit-2.34/Source/WebCore
- Revision
- 289188
- Author
- [email protected]
- Date
- 2022-02-06 16:16:59 -0800 (Sun, 06 Feb 2022)
Log Message
Merge r288937 - Check AccessibilityRenderObject::m_renderer for null before using it.
https://bugs.webkit.org/show_bug.cgi?id=235950
<rdar://problem/88326438>
Reviewed by Chris Fleizach.
AccessibilityRenderObject::m_renderer is a WeakPtr that can become null
due to a variety of changes in the render tree. This patch fixes a
number of cases where AccessibilityRenderObject::m_renderer was being
used without checking for null which leads to crashes such as:
https://bugs.webkit.org/show_bug.cgi?id=235945
https://bugs.webkit.org/show_bug.cgi?id=235827
* accessibility/AccessibilityRenderObject.cpp:
(WebCore::AccessibilityRenderObject::parentObjectIfExists const):
(WebCore::AccessibilityRenderObject::selection const):
(WebCore::AccessibilityRenderObject::setSelectedTextRange):
(WebCore::AccessibilityRenderObject::documentLinks):
(WebCore::AccessibilityRenderObject::setSelectedVisiblePositionRange const):
Modified Paths
Diff
Modified: releases/WebKitGTK/webkit-2.34/Source/WebCore/ChangeLog (289187 => 289188)
--- releases/WebKitGTK/webkit-2.34/Source/WebCore/ChangeLog 2022-02-07 00:16:54 UTC (rev 289187)
+++ releases/WebKitGTK/webkit-2.34/Source/WebCore/ChangeLog 2022-02-07 00:16:59 UTC (rev 289188)
@@ -1,3 +1,25 @@
+2022-02-01 Andres Gonzalez <[email protected]>
+
+ Check AccessibilityRenderObject::m_renderer for null before using it.
+ https://bugs.webkit.org/show_bug.cgi?id=235950
+ <rdar://problem/88326438>
+
+ Reviewed by Chris Fleizach.
+
+ AccessibilityRenderObject::m_renderer is a WeakPtr that can become null
+ due to a variety of changes in the render tree. This patch fixes a
+ number of cases where AccessibilityRenderObject::m_renderer was being
+ used without checking for null which leads to crashes such as:
+ https://bugs.webkit.org/show_bug.cgi?id=235945
+ https://bugs.webkit.org/show_bug.cgi?id=235827
+
+ * accessibility/AccessibilityRenderObject.cpp:
+ (WebCore::AccessibilityRenderObject::parentObjectIfExists const):
+ (WebCore::AccessibilityRenderObject::selection const):
+ (WebCore::AccessibilityRenderObject::setSelectedTextRange):
+ (WebCore::AccessibilityRenderObject::documentLinks):
+ (WebCore::AccessibilityRenderObject::setSelectedVisiblePositionRange const):
+
2022-02-01 Antti Koivisto <[email protected]>
AX: nullptr crash under AccessibilityRenderObject::computeAccessibilityIsIgnored
Modified: releases/WebKitGTK/webkit-2.34/Source/WebCore/accessibility/AccessibilityRenderObject.cpp (289187 => 289188)
--- releases/WebKitGTK/webkit-2.34/Source/WebCore/accessibility/AccessibilityRenderObject.cpp 2022-02-07 00:16:54 UTC (rev 289187)
+++ releases/WebKitGTK/webkit-2.34/Source/WebCore/accessibility/AccessibilityRenderObject.cpp 2022-02-07 00:16:59 UTC (rev 289188)
@@ -487,9 +487,9 @@
AXObjectCache* cache = axObjectCache();
if (!cache)
return nullptr;
-
+
// WebArea's parent should be the scroll view containing it.
- if (isWebArea())
+ if (m_renderer && isWebArea())
return cache->get(&m_renderer->view().frameView());
return cache->get(renderParentObject());
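Review bot: With the added `m_renderer &&` guard, a web area whose renderer has gone away now falls through to `cache->get(renderParentObject())` instead of taking the scroll-view path. renderParentObject() is not visible in this hunk, so it should be confirmed that it checks m_renderer itself before using it. If it does, a comment such as `// A null m_renderer falls through; renderParentObject() copes with it.` would record that the fall-through is intentional. The enclosing function starts above the hunk and continues below it.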
@@ -1647,7 +1647,7 @@
VisibleSelection AccessibilityRenderObject::selection() const
{
- return m_renderer->frame().selection().selection();
+ return m_renderer ? m_renderer->frame().selection().selection() : VisibleSelection();
}
PlainTextRange AccessibilityRenderObject::selectedTextRange() const
@@ -1717,13 +1717,14 @@
{
setTextSelectionIntent(axObjectCache(), range.length ? AXTextStateChangeTypeSelectionExtend : AXTextStateChangeTypeSelectionMove);
- if (auto client = m_renderer->document().editor().client())
+ auto* client = m_renderer ? m_renderer->document().editor().client() : nullptr;
+ if (client)
client->willChangeSelectionForAccessibility();
if (isNativeTextControl()) {
HTMLTextFormControlElement& textControl = downcast<RenderTextControl>(*m_renderer).textFormControlElement();
textControl.setSelectionRange(range.start, range.start + range.length);
- } else {
+ } else if (m_renderer) {
ASSERT(node());
auto& node = *this->node();
auto elementRange = this->elementRange();
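Review bot: The native-text-control branch still dereferences the renderer unguarded at `downcast<RenderTextControl>(*m_renderer)`, although the patch guards the client lookup above it and the `else` branch below it. Unless isNativeTextControl(), which is defined outside this hunk, is guaranteed to return false once m_renderer has been cleared, this path keeps the null dereference the commit sets out to remove. Writing the condition as `if (m_renderer && isNativeTextControl()) {` would make the three uses consistent. The function's signature is above the hunk and its body continues past the hunk's end.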
@@ -1735,10 +1736,10 @@
end = makeContainerOffsetPosition(elementRange->start);
m_renderer->frame().selection().setSelection(VisibleSelection(start, end), FrameSelection::defaultSetSelectionOptions(UserTriggered));
}
-
+
clearTextSelectionIntent(axObjectCache());
- if (auto client = m_renderer->document().editor().client())
+ if (client)
client->didChangeSelectionForAccessibility();
}
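Review bot: The `client` pointer used for `didChangeSelectionForAccessibility()` was fetched before `setSelectionRange()` / `setSelection()` ran, whereas the old code looked the client up again after the selection change. The client's ownership is not visible in this diff, so if its lifetime is not guaranteed across a selection change the cached raw pointer could be stale at this point. Either re-fetch it under an `m_renderer` check, or state the guarantee next to the declaration, e.g. `// The editor client outlives this call, so it is safe to reuse after the selection change.` The same pattern is in the final hunk, at the end of setSelectedVisiblePositionRange; the declaration of `client` sits in the preceding hunk.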
@@ -2015,6 +2016,9 @@
AXCoreObject::AccessibilityChildrenVector AccessibilityRenderObject::documentLinks()
{
+ if (!m_renderer)
+ return { };
+
AccessibilityChildrenVector result;
Document& document = m_renderer->document();
Ref<HTMLCollection> links = document.links();
@@ -2293,7 +2297,8 @@
&& isVisiblePositionRangeInDifferentDocument(range))
return;
- if (auto client = m_renderer->document().editor().client())
+ auto* client = m_renderer ? m_renderer->document().editor().client() : nullptr;
+ if (client)
client->willChangeSelectionForAccessibility();
if (isNativeTextControl()) {
@@ -2322,7 +2327,7 @@
setTextSelectionIntent(axObjectCache(), start == end ? AXTextStateChangeTypeSelectionMove : AXTextStateChangeTypeSelectionExtend);
textControl->setSelectionRange(start, end);
- } else {
+ } else if (m_renderer) {
// Make selection and tell the document to use it. If it's zero length, then move to that position.
if (range.start == range.end) {
setTextSelectionIntent(axObjectCache(), AXTextStateChangeTypeSelectionMove);
@@ -2344,7 +2349,7 @@
clearTextSelectionIntent(axObjectCache());
- if (auto client = m_renderer->document().editor().client())
+ if (client)
client->didChangeSelectionForAccessibility();
}