Title: [295582] trunk/Source/WebCore/accessibility/isolatedtree/AXIsolatedTree.cpp
- Revision
- 295582
- Author
- [email protected]
- Date
- 2022-06-15 19:18:24 -0700 (Wed, 15 Jun 2022)
Log Message
AX ITM: Should not build an isolated tree branch rooted at an object with invalid ID. Should not attempt to remove an object for an invalid ID.
https://bugs.webkit.org/show_bug.cgi?id=241643
Reviewed by Chris Fleizach.
Added check for valid object ID in AXIsolatedTree::collectNodeChangesForSubtree and in updateChildren since in both cases the ID is used as a key for HashMaps which cannot be null.
* Source/WebCore/accessibility/isolatedtree/AXIsolatedTree.cpp:
(WebCore::AXIsolatedTree::collectNodeChangesForSubtree):
(WebCore::AXIsolatedTree::updateChildren):
Canonical link: https://commits.webkit.org/251587@main
Modified Paths
Diff
Modified: trunk/Source/WebCore/accessibility/isolatedtree/AXIsolatedTree.cpp (295581 => 295582)
--- trunk/Source/WebCore/accessibility/isolatedtree/AXIsolatedTree.cpp 2022-06-16 01:02:38 UTC (rev 295581)
+++ trunk/Source/WebCore/accessibility/isolatedtree/AXIsolatedTree.cpp 2022-06-16 02:18:24 UTC (rev 295582)
@@ -307,6 +307,12 @@
{
AXTRACE("AXIsolatedTree::collectNodeChangesForSubtree"_s);
ASSERT(isMainThread());
+
+ if (!axObject.objectID().isValid()) {
+ // Bail out here, we can't build an isolated tree branch rooted at an object with no ID.
+ return;
+ }
+
SetForScope collectingNodeChanges(m_isCollectingNodeChanges, true);
m_unresolvedPendingAppends.set(axObject.objectID(), AttachWrapper::OnMainThread);
@@ -545,13 +551,14 @@
// What is left in oldChildrenIDs are the IDs that are no longer children of axAncestor.
// Thus, remove them from m_nodeMap and queue them to be removed from the tree.
- for (AXID& axID : oldChildrenIDs) {
+ for (const AXID& axID : oldChildrenIDs) {
// However, we don't want to remove subtrees from the nodemap that are part of the to-be-queued node changes (i.e those in `idsBeingChanged`).
// This is important when a node moves to a different part of the tree rather than being deleted -- for example:
// 1. Object 123 is slated to be a child of this object (i.e. in newChildren), and we collect node changes for it.
// 2. Object 123 is currently a member of a subtree of some other object in oldChildrenIDs.
// 3. Thus, we don't want to delete Object 123 from the nodemap, instead allowing it to be moved.
- removeSubtreeFromNodeMap(axID, axAncestor);
+ if (axID.isValid())
+ removeSubtreeFromNodeMap(axID, axAncestor);
}
queueRemovalsAndUnresolvedChanges(oldChildrenIDs);
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes
