| commit | d79f7faf1741e287395091ba9e177bbe8eb04d43 | |
| author | tyler_w@apple.com <tyler_w@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc> | |
| Wed, 22 Jun 2022 04:11:35 +0000 (22 04:11 +0000) | ||
| committer | tyler_w@apple.com <tyler_w@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc> | |
| Wed, 22 Jun 2022 04:11:35 +0000 (22 04:11 +0000) | ||
| tree | 95d612724558adac576354b582bb013f80dc9394 | treesnapshot (tar.gz zip) |
| parent | 1a79bee400eb09e4e61992ad877612506d12b02d | commitdiff |
AX: Live AX objects can be destroyed while building a node change for them
https://bugs.webkit.org/show_bug.cgi?id=241810
Reviewed by Chris Fleizach.
While building a node change in AXIsolatedTree::nodeChangeForObject,
the initialization of several different `AXPropertyName`s can cause layout,
which in turn can cause the backing live object to be deleted. This
causes a crash.
This patch fixes this by holding a `Ref` to the AccessibilityObject,
ensuring it stays alive for as long we need it.
I wasn't able to make a layout test for this, as the circumstances to
reproduce the issue are complex.
* Source/WebCore/accessibility/isolatedtree/AXIsolatedObject.cpp:
(WebCore::AXIsolatedObject::AXIsolatedObject):
(WebCore::AXIsolatedObject::create):
(WebCore::AXIsolatedObject::initializeProperties):
* Source/WebCore/accessibility/isolatedtree/AXIsolatedObject.h:
* Source/WebCore/accessibility/isolatedtree/AXIsolatedTree.cpp:
(WebCore::AXIsolatedTree::nodeChangeForObject):
* Source/WebCore/accessibility/isolatedtree/AXIsolatedTree.h:
* Source/WebCore/accessibility/isolatedtree/mac/AXIsolatedObjectMac.mm:
(WebCore::AXIsolatedObject::initializePlatformProperties):
link: https://commits.webkit.org/251726@main
git-svn-id: http://svn.webkit.org/repository/webkit/trunk@295721 268f45cc-cd09-0410-ab3c-d52691b4dbfc
https://bugs.webkit.org/show_bug.cgi?id=241810
Reviewed by Chris Fleizach.
While building a node change in AXIsolatedTree::nodeChangeForObject,
the initialization of several different `AXPropertyName`s can cause layout,
which in turn can cause the backing live object to be deleted. This
causes a crash.
This patch fixes this by holding a `Ref` to the AccessibilityObject,
ensuring it stays alive for as long we need it.
I wasn't able to make a layout test for this, as the circumstances to
reproduce the issue are complex.
* Source/WebCore/accessibility/isolatedtree/AXIsolatedObject.cpp:
(WebCore::AXIsolatedObject::AXIsolatedObject):
(WebCore::AXIsolatedObject::create):
(WebCore::AXIsolatedObject::initializeProperties):
* Source/WebCore/accessibility/isolatedtree/AXIsolatedObject.h:
* Source/WebCore/accessibility/isolatedtree/AXIsolatedTree.cpp:
(WebCore::AXIsolatedTree::nodeChangeForObject):
* Source/WebCore/accessibility/isolatedtree/AXIsolatedTree.h:
* Source/WebCore/accessibility/isolatedtree/mac/AXIsolatedObjectMac.mm:
(WebCore::AXIsolatedObject::initializePlatformProperties):
link: https://commits.webkit.org/251726@main
git-svn-id: http://svn.webkit.org/repository/webkit/trunk@295721 268f45cc-cd09-0410-ab3c-d52691b4dbfc