Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: dfb10d49e5435d8ec11e48c42c45404a8b20f72a
https://github.com/WebKit/WebKit/commit/dfb10d49e5435d8ec11e48c42c45404a8b20f72a
Author: Tyler Wilcock <[email protected]>
Date: 2025-11-11 (Tue, 11 Nov 2025)
Changed paths:
M Source/WebCore/accessibility/AccessibilityNodeObject.cpp
Log Message:
-----------
AX: Calling AccessibilityNodeObject::parentObject for objects with nodes that
are mid-destruction can cause a crash
https://bugs.webkit.org/show_bug.cgi?id=302291
rdar://164300595
Reviewed by Joshua Hoffman.
Calling is / downcast / dynamicDowncast<HTMLFooElement> on a node that is
mid-destruction can cause a nullptr-deref crash, as its internal m_tagName
field may have already been cleared. This can quite easily happen in the
following sequence:
1. ContainerNode::~ContainerNode()
2. Node::willBeDeletedFrom(Document&)
3. AXObjectCache::remove(AXID)
4. AXIsolatedTree::queueNodeRemoval(AccessibilityObject&)
5. AXCoreObject::parentInCoreTree()
6. AccessibilityNodeObject::parentObject()
7. dynamicDowncast<HTMLAreaElement>(*node)
Avoid this by leaning into the fact that a node in this state will have a null
parent node. Check for that before doing any casting, thus preventing the crash.
* Source/WebCore/accessibility/AccessibilityNodeObject.cpp:
(WebCore::AccessibilityNodeObject::parentObject const):
Canonical link: https://commits.webkit.org/302848@main
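The ordering issue described in the log, modelled as an added example that is not WebKit code: a toy `Node` whose tag-name pointer and parent pointer are both cleared as it is torn down, an `isAreaElement()` stand-in for `is<HTMLAreaElement>()` that dereferences the tag-name field, and two versions of a `parentObject`-style lookup. The unguarded one reads the tag name first; the guarded one mirrors the fix and returns early on a null parent, so the partially cleared object is never inspected. All names here (`toy::Node`, `isAreaElement`, `parentObjectGuarded`, `tagNameReads`) are hypothetical and exist only for this illustration.

```cpp
// Added example, not WebKit code: a toy model of the mid-destruction ordering
// problem described in the commit message. Every name below is a hypothetical
// stand-in for the WebKit classes the log mentions.
#include <cstddef>
#include <string>

namespace toy {

struct Node {
    const std::string* m_tagName = nullptr; // cleared while the node is torn down
    Node* m_parent = nullptr;

    Node* parentNode() const { return m_parent; }

    // Models the state in the crash sequence: the tag name is already gone and
    // the node has been detached from its parent.
    void willBeDeletedFrom() { m_tagName = nullptr; m_parent = nullptr; }
};

static const std::string areaTag = "area";
static const std::string divTag = "div";

// Counts how often the tag name is inspected, so a test can prove the guarded
// path never reaches it for a detached node.
static int tagNameReads = 0;

// Stand-in for is<HTMLAreaElement>(): dereferences the tag-name field, which
// is exactly the null-pointer dereference in step 7 of the sequence.
bool isAreaElement(const Node& node)
{
    ++tagNameReads;
    return *node.m_tagName == areaTag;
}

struct ParentResult {
    const Node* parent;
    bool nodeIsArea;
};

// Unguarded: inspects the tag name before looking at the parent. On a node
// mid-destruction this dereferences a null m_tagName (undefined behaviour).
ParentResult parentObjectUnguarded(const Node& node)
{
    bool area = isAreaElement(node);
    return { node.parentNode(), area };
}

// Guarded, as in the fix: a node mid-destruction has a null parent, so bail
// out before any casting touches the partially cleared object.
ParentResult parentObjectGuarded(const Node& node)
{
    const Node* parent = node.parentNode();
    if (!parent)
        return { nullptr, false };
    return { parent, isAreaElement(node) };
}

// Scenario 1 (constructed): a live <area> under a <div>; the guarded lookup
// still finds the parent and still classifies the node.
bool guardedPathWorksForLiveNode()
{
    Node root;
    root.m_tagName = &divTag;
    Node area;
    area.m_tagName = &areaTag;
    area.m_parent = &root;

    ParentResult r = parentObjectGuarded(area);
    return r.parent == &root && r.nodeIsArea;
}

// Scenario 2 (constructed): the same node after willBeDeletedFrom(); the
// guarded lookup returns null without ever reading the cleared tag name.
bool guardedPathSkipsTagNameForDetachedNode()
{
    Node root;
    root.m_tagName = &divTag;
    Node area;
    area.m_tagName = &areaTag;
    area.m_parent = &root;
    area.willBeDeletedFrom();

    int before = tagNameReads;
    ParentResult r = parentObjectGuarded(area);
    return r.parent == nullptr && !r.nodeIsArea && tagNameReads == before;
}

} // namespace toy
```

The point of the two scenario functions is the invariant the fix relies on: for a detached node the guarded path performs zero tag-name reads, whereas `parentObjectUnguarded` would perform one on a null pointer. The unguarded function is kept only for comparison and is deliberately never called on a detached node.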
To unsubscribe from these emails, change your notification settings at
https://github.com/WebKit/WebKit/settings/notifications