[webkit-changes] [WebKit/WebKit] b571ec: AX: Isolated object can be detached in the midst o...

Tyler Wilcock noreply at github.com
Mon Jan 22 16:44:02 PST 2024 

  Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: b571ec5131dcca906981b9a477d7b71e9605b6a6
      https://github.com/WebKit/WebKit/commit/b571ec5131dcca906981b9a477d7b71e9605b6a6
  Author: Tyler Wilcock <tyler_w at apple.com>
  Date:   2024-01-22 (Mon, 22 Jan 2024)

  Changed paths:
    M Source/WebCore/accessibility/mac/WebAccessibilityObjectWrapperMac.mm

  Log Message:
  -----------
  AX: Isolated object can be detached in the midst of serving AXChildren, causing nullptr dereference
https://bugs.webkit.org/show_bug.cgi?id=267786
rdar://problem/121282648

Reviewed by Chris Fleizach.

The following sequence is possible:

  1. accessibilityAttributeValue begins, we protect the initial backingObject with a RefPtr
  2. We start handling the AXChildren branch
  3. We call childrenVectorSize in the middle of doing so
  4. This calls self.axBackingObject->children(), which in turn calls AXIsolatedObject::updateBackingStore, in turn
     calling AXIsolatedTree::applyPendingChanges
  5. For some reason, either self.axBackingObject or its ancestor is in m_pendingSubtreeRemovals, causing the wrapper
     to detach its m_isolatedObject
  6. We jump back out to accessibilityAttributeValue, and try to return self.childrenVectorArray at the very end. But
     our self.axBackingObject is nullptr now, and we dereference it without checking for nullptr, and crash

We can fix this by using the RefPtr protected `backingObject` we have at the top of every method rather than the
backing object associated with the wrapper, which can become detached. This patch addresses some, but not all
of self.axBackingObject dereferences (overall addressing the dereference for this specific crash, and others too).

* Source/WebCore/accessibility/mac/WebAccessibilityObjectWrapperMac.mm:
(screenToContents):
(scrollViewParent):
(-[WebAccessibilityObjectWrapper accessibilityAttributeValue:]):
(-[WebAccessibilityObjectWrapper accessibilityAttributeValue:forParameter:]):
(-[WebAccessibilityObjectWrapper accessibilityArrayAttributeCount:]):
(-[WebAccessibilityObjectWrapper accessibilityArrayAttributeValues:index:maxCount:]):
(-[WebAccessibilityObjectWrapper screenToContents:]): Deleted.
(-[WebAccessibilityObjectWrapper childrenVectorSize]): Deleted.
(-[WebAccessibilityObjectWrapper childrenVectorArray]): Deleted.
(-[WebAccessibilityObjectWrapper _computedRoleString]): Deleted.
(-[WebAccessibilityObjectWrapper scrollViewParent]): Deleted.

Canonical link: https://commits.webkit.org/273328@main

More information about the webkit-changes mailing list