Early return from WebAXContext::Root() if document is no longer active

It is an error to call AXContext::GetAXObjectCache() if the underlying document is no longer active, so early return in that case to prevent crashes that might otherwise happen in some cases, as the one detected by clusterfuzz in crbug.com/1094576. This method is used by AXTreeSnapshotterImpl::SnapshotContentTree(), which will behave correctly after receiving a default WebAXObject in these cases, since the root.UpdateLayoutAndCheckValidity() check will return false in that case and early return as well as in other cases that hit the same code path. Bug: 1094576 Change-Id: I5879b3637db0279d0fdd507c0916426ff459aeda Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2416370Reviewed-by: Kentaro Hara <haraken@chromium.org> Commit-Queue: Mario Sanchez Prada <mario@igalia.com> Cr-Commit-Position: refs/heads/master@{#807895}

Early return from WebAXContext::Root() if document is no longer active
It is an error to call AXContext::GetAXObjectCache() if the underlying document is no longer active, so early return in that case to prevent crashes that might otherwise happen in some cases, as the one detected by clusterfuzz in crbug.com/1094576. This method is used by AXTreeSnapshotterImpl::SnapshotContentTree(), which will behave correctly after receiving a default WebAXObject in these cases, since the root.UpdateLayoutAndCheckValidity() check will return false in that case and early return as well as in other cases that hit the same code path. Bug: 1094576 Change-Id: I5879b3637db0279d0fdd507c0916426ff459aeda Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2416370Reviewed-by: Kentaro Hara <haraken@chromium.org> Commit-Queue: Mario Sanchez Prada <mario@igalia.com> Cr-Commit-Position: refs/heads/master@{#807895}
c9eeb9df · Mario Sanchez Prada · Commit Bot · b2475e1b · c9eeb9df · c9eeb9df
Commit c9eeb9df authored Sep 17, 2020 by Mario Sanchez Prada Committed by Commit Bot Sep 17, 2020
3 changed files
--- a/third_party/blink/renderer/core/accessibility/ax_context.cc
+++ b/third_party/blink/renderer/core/accessibility/ax_context.cc
@@ -25,4 +25,8 @@ AXObjectCache& AXContext::GetAXObjectCache() {
  return *document_->ExistingAXObjectCache();
 }

+bool AXContext::HasActiveDocument() {
+  return document_ && document_->IsActive();
+}
+
 }  // namespace blink
--- a/third_party/blink/renderer/core/accessibility/ax_context.h
+++ b/third_party/blink/renderer/core/accessibility/ax_context.h
@@ -30,6 +30,10 @@ class CORE_EXPORT AXContext {
  // The caller should check this.
  AXObjectCache& GetAXObjectCache();

+  // Returns true if the |document| associated to this |AXContext| is active
+  // (i.e. document has been initialized and hasn't been detached yet).
+  bool HasActiveDocument();
+
 protected:
  WeakPersistent<Document> document_;
 };

--- a/third_party/blink/renderer/modules/exported/web_ax_context.cc
+++ b/third_party/blink/renderer/modules/exported/web_ax_context.cc
@@ -18,6 +18,12 @@ WebAXContext::WebAXContext(WebDocument root_document)
 WebAXContext::~WebAXContext() {}

 WebAXObject WebAXContext::Root() const {
+  // It is an error to call AXContext::GetAXObjectCache() if the underlying
+  // document is no longer active, so early return in that case to prevent
+  // crashes that might otherwise happen in some cases (see crbug.com/1094576).
+  if (!private_->HasActiveDocument())
+    return WebAXObject();
+
  return WebAXObject(
      static_cast<AXObjectCacheImpl*>(&private_->GetAXObjectCache())->Root());
 }