AX: AXObjectCache::remove(Node&) can be called while performing a cache update causing m_deferred* vectors to be modified as we iterate over them

https://bugs.webkit.org/show_bug.cgi?id=244421
rdar://98729717

Reviewed by Chris Fleizach.

Handling certain attribute changes in AXObjectCache::handleAttributeChange
can cause AXObjectCache::remove(Node&) to be called as a side effect.
For example, this can happen as a result of a `role` attribute change.
When this happens, the Node is removed from m_deferredAttributeChanges while
we are iterating over this vector.

This patch prevents this by making AXObjectCache::remove(Node&) bail
early before modifying any m_deferred* vector if we detect that we're in
the middle of a cache update. If this is true, these vectors will be
cleared anyways upon completion of their processing.

* LayoutTests/accessibility/multiple-attribute-change-crash-expected.txt: Added.
* LayoutTests/accessibility/multiple-attribute-change-crash.html: Added.
* LayoutTests/platform/ios/TestExpectations: Enable new test.
* LayoutTests/platform/glib/accessibility/multiple-attribute-change-crash-expected.txt: Added
* LayoutTests/platform/ios/accessibility/multiple-attribute-change-crash-expected.txt: Added.
* LayoutTests/platform/win/TestExpectations: Disable new test.
* Source/WebCore/accessibility/AXObjectCache.cpp:
(WebCore::AXObjectCache::remove):
(WebCore::AXObjectCache::handleAttributeChange):
Fix unchecked null dereference of the input Element* in an AXLOG.

Canonical link: https://commits.webkit.org/253871@main

Author: twilco

LayoutTests/accessibility/multiple-attribute-change-crash-expected.txt

@@ -0,0 +1,12 @@
+This test ensures that we don't crash when processing attribute changes after a deferred role attribute change.
+
+#grid element's initial role: AXRole: AXTable
+Changing #grid's role attribute to 'presentation', and its class to 'foo'.
+#grid element's new role after DOM changes: AXRole:
+
+No crash, so test passed.
+
+PASS successfullyParsed is true
+
+TEST COMPLETE
+

LayoutTests/accessibility/multiple-attribute-change-crash.html

@@ -0,0 +1,52 @@
+<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML//EN">
+<html>
+<head>
+<script src="../resources/accessibility-helper.js"></script>
+<script src="../resources/js-test.js"></script>
+</head>
+<body>
+
+<div id="grid" role="grid">
+  <div role="row">
+    <div role="columnheader">header 1</div>
+    <div role="columnheader">header 2</div>
+  </div>
+  <div role="row">
+    <div role="gridcell">cell</div>
+    <div role="gridcell">cell</div>
+  </div>
+</div>
+
+<script>
+    var testOutput = "This test ensures that we don't crash when processing attribute changes after a deferred role attribute change.\n\n";
+
+    if (window.accessibilityController) {
+        window.jsTestIsAsync = true;
+
+        const axGrid = accessibilityController.accessibleElementById("grid");
+        const initialRole = axGrid.role;
+        testOutput += `#grid element's initial role: ${initialRole}\n`;
+
+        testOutput += "Changing #grid's role attribute to 'presentation', and its class to 'foo'.\n";
+        // Force dirty layout and style by moving this element and changing its color. This will cause
+        // AXObjectCache::rendererNeedsDeferredUpdate to be true for this element, deferring any
+        // subsequent attribute changes to be processed after a timer elapses.
+        document.getElementById("grid").setAttribute("style", "margin-left: 300px; background-color: red;");
+        // Change the element's role such that we attempt to remove and re-create the object.
+        document.getElementById("grid").setAttribute("role", "presentation");
+        // If we behave correctly, processing this 'class' attribute change should not cause a crash.
+        document.getElementById("grid").setAttribute("class", "foo");
+        setTimeout(async function() {
+            await waitFor(() => axGrid.role !== initialRole);
+            testOutput += `#grid element's new role after DOM changes: ${axGrid.role}\n`;
+            testOutput += `\nNo crash, so test passed.\n`;
+
+            debug(testOutput);
+            document.getElementById("grid").style.visibility = "hidden";
+            finishJSTest();
+        }, 0);
+    }
+</script>
+</body>
+</html>
+

LayoutTests/platform/glib/accessibility/multiple-attribute-change-crash-expected.txt

@@ -0,0 +1,12 @@
+This test ensures that we don't crash when processing attribute changes after a deferred role attribute change.
+
+#grid element's initial role: AXRole: AXTable
+Changing #grid's role attribute to 'presentation', and its class to 'foo'.
+#grid element's new role after DOM changes: AXRole: AXInvalid
+
+No crash, so test passed.
+
+PASS successfullyParsed is true
+
+TEST COMPLETE
+

LayoutTests/platform/ios/TestExpectations

@@ -2141,6 +2141,7 @@ accessibility/insert-text-into-password-field.html [ Pass ]
 accessibility/list-with-dynamically-changing-content.html [ Pass ]
 accessibility/live-region-attributes-update-after-dynamic-change.html [ Pass ]
 accessibility/menu-list-crash2.html [ Pass ]
+accessibility/multiple-attribute-change-crash.html [ Pass ]
 accessibility/node-only-inert-object.html [ Pass ]
 accessibility/node-only-object-element-rect.html [ Pass ]
 accessibility/placeholder.html [ Pass ]

LayoutTests/platform/ios/accessibility/multiple-attribute-change-crash-expected.txt

@@ -0,0 +1,12 @@
+This test ensures that we don't crash when processing attribute changes after a deferred role attribute change.
+
+#grid element's initial role: Grid
+Changing #grid's role attribute to 'presentation', and its class to 'foo'.
+#grid element's new role after DOM changes: null
+
+No crash, so test passed.
+
+PASS successfullyParsed is true
+
+TEST COMPLETE
+

LayoutTests/platform/win/TestExpectations

@@ -484,6 +484,9 @@ accessibility/aria-multiline.html [ Skip ]
 accessibility/list-with-dynamically-changing-content.html [ Skip ]
 accessibility/ignored-aria-role-description.html [ Skip ]
 
+# Failing since added in https://bugs.webkit.org/show_bug.cgi?id=244421.
+accessibility/multiple-attribute-change-crash.html [ Skip ]
+
 # Need to implement AccessibilityUIElement::clearSelectedChildren()
 accessibility/aria-listbox-clear-selection-crash.html [ Skip ]
 accessibility/listbox-clear-selection.html [ Skip ]

Source/WebCore/accessibility/AXObjectCache.cpp

@@ -924,6 +924,18 @@ void AXObjectCache::remove(RenderObject* renderer)
 void AXObjectCache::remove(Node& node)
 {
     AXTRACE(makeString("AXObjectCache::remove 0x"_s, hex(reinterpret_cast<uintptr_t>(this))));
+
+    removeNodeForUse(node);
+    remove(m_nodeObjectMapping.take(&node));
+    remove(node.renderer());
+
+    // If we're in the middle of a cache update, don't modify any of these vectors because we are currently
+    // iterating over them. They will be cleared at the end of the cache update, so not removing them here is fine.
+    if (m_performingDeferredCacheUpdate) {
+        AXLOG("Bailing out before removing node from m_deferred* vectors as we are in the middle of a cache update.");
+        return;
+    }
+
     if (is<Element>(node)) {
         m_deferredTextFormControlValue.remove(downcast<Element>(&node));
         m_deferredAttributeChange.removeAllMatching([&node] (const auto& entry) {
@@ -947,11 +959,6 @@ void AXObjectCache::remove(Node& node)
         if (entry.first == &node)
             entry.first = nullptr;
     });
-
-    removeNodeForUse(node);
-
-    remove(m_nodeObjectMapping.take(&node));
-    remove(node.renderer());
 }
 
 void AXObjectCache::remove(Widget* view)
@@ -1954,7 +1961,7 @@ bool AXObjectCache::shouldProcessAttributeChange(Element* element, const Qualifi
 void AXObjectCache::handleAttributeChange(Element* element, const QualifiedName& attrName)
 {
     AXTRACE(makeString("AXObjectCache::handleAttributeChange 0x"_s, hex(reinterpret_cast<uintptr_t>(this))));
-    AXLOG(makeString("attribute ", attrName.localName().string(), " for element ", element->debugDescription()));
+    AXLOG(makeString("attribute ", attrName.localName().string(), " for element ", element ? element->debugDescription() : String("nullptr"_s)));
 
     if (!shouldProcessAttributeChange(element, attrName))
         return;