Title: [263573] trunk/Source/WebCore
Revision: 263573
Author: andresg...@apple.com
Date: 2020-06-26 12:26:22 -0700 (Fri, 26 Jun 2020)

Log Message

Fix for crash in AXIsolatedObject::relativeFrame.
https://bugs.webkit.org/show_bug.cgi?id=213363

Reviewed by Chris Fleizach.

Covered by existing tests.

Between the time an isolated object dispatches the method to the main
thread and the time the lambda is executed, the isolated object is
detached and hence its object ID becomes invalid. Thus, trying to get
the associated AX object results in an assert/crash.

* accessibility/isolatedtree/AXIsolatedObject.h:

Modified Paths

Diff

Modified: trunk/Source/WebCore/ChangeLog (263572 => 263573)


--- trunk/Source/WebCore/ChangeLog	2020-06-26 19:20:06 UTC (rev 263572)
+++ trunk/Source/WebCore/ChangeLog	2020-06-26 19:26:22 UTC (rev 263573)
@@ -1,5 +1,21 @@
 2020-06-26  Andres Gonzalez  <andresg...@apple.com>
 
+        Fix for crash in AXIsolatedObject::relativeFrame.
+        https://bugs.webkit.org/show_bug.cgi?id=213363
+
+        Reviewed by Chris Fleizach.
+
+        Covered by existing testss.
+
+        Between the time an isolated object dispatches the method to the main
+        thread and the time the lambda is executed, the isolated object is
+        detached and hence its object ID becomes invalid. Thus, trying to get
+        the associated AX object results in an assert/crash.
+
+        * accessibility/isolatedtree/AXIsolatedObject.h:
+
+2020-06-26  Andres Gonzalez  <andresg...@apple.com>
+
         Access to AXIsolatedTree:m_readerThreadNodeMap should happen only on the secondary AX thread.
         https://bugs.webkit.org/show_bug.cgi?id=213575
 
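Review bot: The file entry "* accessibility/isolatedtree/AXIsolatedObject.h:" at the end of the new ChangeLog entry names no function, while the title refers to AXIsolatedObject::relativeFrame and the code change is in associatedAXObject(). Add the function name after the path with a one-line description of the InvalidAXID check so the entry can be matched to the change. "Covered by existing testss." has a typo, and it would be more useful if it named the existing test that hits the crash.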

Modified: trunk/Source/WebCore/accessibility/isolatedtree/AXIsolatedObject.h (263572 => 263573)


--- trunk/Source/WebCore/accessibility/isolatedtree/AXIsolatedObject.h	2020-06-26 19:20:06 UTC (rev 263572)
+++ trunk/Source/WebCore/accessibility/isolatedtree/AXIsolatedObject.h	2020-06-26 19:26:22 UTC (rev 263573)
@@ -84,7 +84,7 @@
     AXCoreObject* associatedAXObject() const
     {
         ASSERT(isMainThread());
-        return axObjectCache()->objectFromAXID(objectID());
+        return m_id != InvalidAXID ? axObjectCache()->objectFromAXID(m_id) : nullptr;
     }
 
     enum class AXPropertyName : uint16_t {
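Review bot: On the new return line in associatedAXObject(), the guard covers m_id but axObjectCache() is still dereferenced unconditionally. If the cache pointer can also be gone once the isolated object is detached, it needs its own null check, for example by fetching it into a local and returning nullptr when it is null. The function can now return nullptr and this diff touches no callers, so relativeFrame (named in the log) and any other caller should be confirmed to handle a null result. Because the log describes detachment racing with the dispatched lambda, reading m_id once into a local before the comparison and the lookup would avoid testing one value and using another. A short comment saying why InvalidAXID is expected here, and why m_id replaces objectID(), would also help.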