Changeset 263573 in webkit

Timestamp:

Jun 26, 2020 12:26:22 PM (4 years ago)

Author:

Andres Gonzalez

Message:

Fix for crash in AXIsolatedObject::relativeFrame.
​https://bugs.webkit.org/show_bug.cgi?id=213363

Reviewed by Chris Fleizach.

Covered by existing testss.

Between the time an isolated object dispatches the method to the main
thread and the time the lambda is executed, the isolated object is
detached and hence its object ID becomes invalid. Thus, trying to get
the associated AX object results in an assert/crash.

• accessibility/isolatedtree/AXIsolatedObject.h:

Location:

trunk/Source/WebCore

Files:

• ChangeLog (modified) (1 diff)
• accessibility/isolatedtree/AXIsolatedObject.h (modified) (1 diff)

trunk/Source/WebCore/ChangeLog

@@ +1 @@
+2020-06-26  Andres Gonzalez  <andresg_22@apple.com>
+
+        Fix for crash in AXIsolatedObject::relativeFrame.
+        https://bugs.webkit.org/show_bug.cgi?id=213363
+
+        Reviewed by Chris Fleizach.
+
+        Covered by existing testss.
+
+        Between the time an isolated object dispatches the method to the main
+        thread and the time the lambda is executed, the isolated object is
+        detached and hence its object ID becomes invalid. Thus, trying to get
+        the associated AX object results in an assert/crash.
+
+        * accessibility/isolatedtree/AXIsolatedObject.h:
+
 2020-06-26  Andres Gonzalez  <andresg_22@apple.com>
 

trunk/Source/WebCore/accessibility/isolatedtree/AXIsolatedObject.h

@@ -85 +85 @@
     {
         ASSERT(isMainThread());
-        return axObjectCache()->objectFromAXID(objectID());
+        return m_id != InvalidAXID ? axObjectCache()->objectFromAXID(m_id) : nullptr;
     }