[webkit-changes] [WebKit/WebKit] 7d93b0: AXObjectCache::characterOffsetFromVisiblePosition ...

Tyler Wilcock noreply at github.com
Fri Mar 31 11:58:25 PDT 2023


  Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: 7d93b07962d543ef64c35852350eceef1fd40260
      https://github.com/WebKit/WebKit/commit/7d93b07962d543ef64c35852350eceef1fd40260
  Author: Tyler Wilcock <tyler_w at apple.com>
  Date:   2023-03-31 (Fri, 31 Mar 2023)

  Changed paths:
    M Source/WebCore/accessibility/AXObjectCache.cpp

  Log Message:
  -----------
  AXObjectCache::characterOffsetFromVisiblePosition can deref a nullptr when underlying renderer is destroyed
https://bugs.webkit.org/show_bug.cgi?id=254798
rdar://103456792

Reviewed by Chris Fleizach.

AXObjectCache::characterOffsetFromVisiblePosition creates an AX object from the node backing a VisiblePosition
at the beginning of the method. Then, it does non-trivial work that could cause the renderer backing the AX object
to be destroyed, and afterwards unconditionally dereferences that AX object's node() at the end of the method. This
can cause a null pointer dereference crash (because AccessibilityRenderObject::node() depends on a non-null renderer),
and is generally poor pointer hygiene.

With this patch, we now keep the VisiblePosition's node in a `Ref<Node>` and re-use it at the end of the method to prevent a crash.

I could not reproduce this crash myself in the browser or in a testcase, so this is a speculative fix based on crash reports.

* Source/WebCore/accessibility/AXObjectCache.cpp:
(WebCore::AXObjectCache::characterOffsetFromVisiblePosition):

Canonical link: https://commits.webkit.org/262432@main
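The lifetime hazard the commit message describes, modelled as a self-contained C++ example. This is added illustration, not WebKit code: `Node`, `Renderer`, `AXObject`, and the two `*NodeAfterWork` functions are stand-ins chosen here, and `std::shared_ptr` plays the role that `Ref<Node>` plays in the real fix (a strong reference taken before the intervening work and used afterwards). The unsafe variant re-derives the node from the AX object after work that may have torn down the renderer, which is exactly where the null comes from; the safe variant returns the retained node regardless.

```cpp
// Added example modelling the bug pattern (not WebKit's own classes).
#include <cassert>
#include <iostream>
#include <memory>
#include <string>

// A DOM-like node. Its lifetime is governed by strong references to it.
struct Node {
    std::string name;
    explicit Node(std::string n) : name(std::move(n)) {}
};

// A renderer holds a raw pointer to its node and can be destroyed
// independently of the node (for example during a style or layout update).
struct Renderer {
    Node* node;
    explicit Renderer(Node* n) : node(n) {}
};

// An accessibility object backed by a renderer. Once the renderer is gone,
// node() yields nullptr: the precondition for the crash in the commit message.
struct AXObject {
    Renderer* renderer;
    explicit AXObject(Renderer* r) : renderer(r) {}
    Node* node() const { return renderer ? renderer->node : nullptr; }
    void rendererDestroyed() { renderer = nullptr; }
};

// Stand-in for the "non-trivial work" that may destroy the renderer as a
// side effect. The `destroy` flag lets the caller simulate either outcome.
void doWorkThatMayDestroyRenderer(AXObject& obj, bool destroy) {
    if (destroy)
        obj.rendererDestroyed();
}

// Before the fix: the node is re-read from the AX object after the work.
// Returns nullptr when the renderer was destroyed; real code dereferencing
// that pointer would crash.
Node* unsafeNodeAfterWork(const std::shared_ptr<Node>& start, bool destroy) {
    Renderer renderer(start.get());
    AXObject obj(&renderer);
    doWorkThatMayDestroyRenderer(obj, destroy);
    return obj.node();
}

// After the fix: a strong reference to the node is taken up front and used at
// the end, so the result does not depend on whether the renderer survived.
std::shared_ptr<Node> safeNodeAfterWork(const std::shared_ptr<Node>& start, bool destroy) {
    std::shared_ptr<Node> protectedNode = start; // analogue of Ref<Node>
    Renderer renderer(start.get());
    AXObject obj(&renderer);
    doWorkThatMayDestroyRenderer(obj, destroy);
    return protectedNode;
}

int main() {
    auto text = std::make_shared<Node>("text");
    std::cout << "unsafe, renderer kept:      "
              << (unsafeNodeAfterWork(text, false) ? "node" : "nullptr") << '\n';
    std::cout << "unsafe, renderer destroyed: "
              << (unsafeNodeAfterWork(text, true) ? "node" : "nullptr") << '\n';
    std::cout << "safe,   renderer destroyed: "
              << (safeNodeAfterWork(text, true) ? "node" : "nullptr") << '\n';
    return 0;
}
```

The point the model makes is the one from the log message: the AX object is only a view over a renderer that may not outlive the call, so anything needed after the intervening work must be held by a reference whose lifetime the method itself controls.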
