Bug 241643

Summary: AX ITM: Should not build an isolated tree branch rooted at an object with invalid ID. Should not attempt to remove an object for an invalid ID.
Product: WebKit Reporter: Andres Gonzalez <andresg_22>
Component: Accessibility    Assignee: Andres Gonzalez <andresg_22>
Status: RESOLVED FIXED    
Severity: Normal CC: aboxhall, andresg_22, apinheiro, cfleizach, dmazzoni, ews-watchlist, jcraig, jdiggs, samuel_white, webkit-bug-importer
Priority: P2 Keywords: InRadar
Version: WebKit Nightly Build   
Hardware: All   
OS: All   
Attachments:
Description    Flags
Patch          none
Patch          none

Description Andres Gonzalez 2022-06-15 12:36:12 PDT
In some webpages we are hitting the following state, where we are trying to build an isolated tree branch with a starting object that has an invalid/null ID. This creates undefined problems since the ID is used as the key for HashMaps.

(lldb) f 7
frame #7: 0x000000014da57480 WebCore`WebCore::AXIsolatedTree::collectNodeChangesForSubtree(this=0x0000000105e2f500, axObject=0x0000000105d1d700) at AXIsolatedTree.cpp:311:32
   308 	    AXTRACE("AXIsolatedTree::collectNodeChangesForSubtree"_s);
   309 	    ASSERT(isMainThread());
   310 	    SetForScope collectingNodeChanges(m_isCollectingNodeChanges, true);
-> 311 	    m_unresolvedPendingAppends.set(axObject.objectID(), AttachWrapper::OnMainThread);
   312 	
   313 	    auto axChildrenCopy = axObject.children();
   314 	    auto axChildrenIDs = axChildrenCopy.map([&](auto& axChild) {
(lldb) v axObject.m_id
(WebCore::AXID) axObject.m_id = (m_identifier = 0)
Comment 1 Radar WebKit Bug Importer 2022-06-15 12:36:20 PDT
<rdar://problem/95229695>
Comment 2 Andres Gonzalez 2022-06-15 12:39:19 PDT
Created attachment 460259 [details]
Patch
Comment 3 Andres Gonzalez 2022-06-15 13:38:44 PDT
Another example, where we are trying to remove an isolated object for a null ID:

(lldb) f 8
frame #8: 0x000000014be8fc34 WebCore`WebCore::AXIsolatedTree::removeSubtreeFromNodeMap(this=0x0000000103e79300, objectID=(m_identifier = 0), axParent=0x0000000103d63d00) at AXIsolatedTree.cpp:638:20
   635 	    AXLOG(makeString("Removing subtree for objectID ", objectID.loggingString()));
   636 	    ASSERT(isMainThread());
   637 	
-> 638 	    if (!m_nodeMap.contains(objectID)) {
   639 	        AXLOG(makeString("Tried to remove AXID ", objectID.loggingString(), " that is no longer in m_nodeMap."));
   640 	        return;
   641 	    }
(lldb) v objectID
(WebCore::AXID) objectID = (m_identifier = 0)
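Both states captured above (a branch rooted at an object whose AXID is 0 in collectNodeChangesForSubtree, and a removal for AXID 0 in removeSubtreeFromNodeMap) come down to the same thing: an invalid identifier reaching a hash map that uses the identifier as its key. The following is an added example, not WebKit's code and not the patch that landed on this bug. It assumes that the map in question, like many open-addressing tables, reserves key 0 as its empty-bucket sentinel (an assumption about the real map, stated here rather than taken from the report), shows what goes wrong when 0 is used as a key anyway, and then places the early-return guards at the two entry points named in the summary. AXID, AXObject, NodeMap, IsolatedTree and runScenario are all stand-ins constructed for this example.

```cpp
#include <cstddef>
#include <cstdint>
#include <vector>

// Stand-in for WebCore::AXID (an ObjectIdentifier): 0 is the invalid/null ID,
// matching "(m_identifier = 0)" in the lldb output above. Not WebKit's type.
struct AXID { uint64_t m_identifier = 0; bool isValid() const { return m_identifier != 0; } };
// Stand-in for an accessibility object with objectID() and children.
struct AXObject { AXID id; std::vector<const AXObject*> children; AXID objectID() const { return id; } };

// Toy open-addressing table whose empty-bucket sentinel is key 0 (assumed here
// to be the convention of the map the report keys on AXID; not WTF::HashMap).
class NodeMap {
public:
    static constexpr size_t kBuckets = 16; // never filled in this example
    static constexpr uint64_t kEmpty = 0, kDeleted = ~uint64_t(0);
    void set(uint64_t key, const std::vector<uint64_t>& childIDs) {
        m_buckets[probe(key)] = Bucket{key, childIDs};
    }
    // Hazard: key 0 equals the empty sentinel, so an empty table "contains" 0
    // and an entry stored under 0 sits in a slot every probe treats as free.
    bool contains(uint64_t key) const { return m_buckets[probe(key)].key == key; }
    std::vector<uint64_t> take(uint64_t key) {
        Bucket& b = m_buckets[probe(key)];
        if (b.key != key) return {};
        b.key = kDeleted; // tombstone, so later probes walk past this slot
        return b.childIDs;
    }
    size_t size() const {
        size_t n = 0;
        for (const Bucket& b : m_buckets) n += (b.key != kEmpty && b.key != kDeleted);
        return n;
    }
private:
    struct Bucket { uint64_t key = kEmpty; std::vector<uint64_t> childIDs; };
    size_t probe(uint64_t key) const {
        size_t i = key % kBuckets;
        while (m_buckets[i].key != kEmpty && m_buckets[i].key != key) i = (i + 1) % kBuckets;
        return i;
    }
    Bucket m_buckets[kBuckets];
};

class IsolatedTree {
public:
    // Guard for the state at AXIsolatedTree.cpp:311: never root a branch at an invalid ID. Returns nodes recorded.
    size_t collectNodeChangesForSubtree(const AXObject& root) {
        return root.objectID().isValid() ? collect(root) : 0;
    }
    // Guard for the state at AXIsolatedTree.cpp:638: never look up or remove an invalid ID. Returns nodes removed.
    size_t removeSubtreeFromNodeMap(AXID objectID) {
        if (!objectID.isValid() || !m_nodeMap.contains(objectID.m_identifier)) return 0;
        return remove(objectID.m_identifier);
    }
    size_t nodeCount() const { return m_nodeMap.size(); }
private:
    size_t collect(const AXObject& obj) {
        if (!obj.objectID().isValid()) return 0; // same guard per node, so null children are never keyed
        std::vector<uint64_t> childIDs;
        size_t count = 1;
        for (const AXObject* child : obj.children) {
            size_t n = collect(*child); // 0 when the child has a null ID
            if (n) childIDs.push_back(child->objectID().m_identifier);
            count += n;
        }
        m_nodeMap.set(obj.objectID().m_identifier, childIDs);
        return count;
    }
    size_t remove(uint64_t id) {
        size_t count = 1;
        for (uint64_t childID : m_nodeMap.take(id))
            if (m_nodeMap.contains(childID)) count += remove(childID);
        return count;
    }
    NodeMap m_nodeMap;
};

// Constructed scenario: the unguarded map on its own, then the guarded tree on
// the report's two states (null child, null root, removal by null and valid ID).
struct Result { bool emptyMapContainsNullID; size_t storedUnderNullID, collected, nodesAfterCollect,
                collectedFromNullRoot, removedByNullID, removedByValidID, nodesAtEnd; };
Result runScenario() {
    Result r{}; NodeMap bare;
    r.emptyMapContainsNullID = bare.contains(0); // true: a phantom entry
    bare.set(0, {7});
    r.storedUnderNullID = bare.size(); // 0: the entry is invisible
    AXObject leaf{{3}, {}}, nullChild{{0}, {}}, root{{1}, {&leaf, &nullChild}};
    IsolatedTree tree;
    r.collected = tree.collectNodeChangesForSubtree(root);
    r.nodesAfterCollect = tree.nodeCount();
    r.collectedFromNullRoot = tree.collectNodeChangesForSubtree(nullChild);
    r.removedByNullID = tree.removeSubtreeFromNodeMap(AXID{0});
    r.removedByValidID = tree.removeSubtreeFromNodeMap(AXID{1});
    r.nodesAtEnd = tree.nodeCount();
    return r;
}
```

The bare-map part of runScenario() is the reason the guards matter: on an empty table contains(0) answers true, so the `!m_nodeMap.contains(objectID)` check at line 638 would not stop a removal for a null ID, and set(0, ...) stores an entry that size() never sees and that any later probe landing on that slot will overwrite. The guarded tree therefore refuses both operations before the map is touched; the per-node check inside collect() extends the root check to null children, which goes one step beyond the bug title but follows from the same reasoning.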
Comment 4 Andres Gonzalez 2022-06-15 14:01:55 PDT
Created attachment 460260 [details]
Patch
Comment 5 EWS 2022-06-15 19:18:32 PDT
Committed r295582 (251587@main): <https://commits.webkit.org/251587@main>

All reviewed patches have been landed. Closing bug and clearing flags on attachment 460260 [details].