[webkit-changes] [WebKit/WebKit] 66bfe7: AX: Fix for crash in AXIsolatedTree::removeNode.
AndresGonzalezApple
noreply at github.com
Fri Jan 27 07:28:10 PST 2023
Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: 66bfe7c6900e674a1758b4351642b3b13538e719
https://github.com/WebKit/WebKit/commit/66bfe7c6900e674a1758b4351642b3b13538e719
Author: Andres Gonzalez <andresg_22 at apple.com>
Date: 2023-01-27 (Fri, 27 Jan 2023)
Changed paths:
M Source/WebCore/accessibility/AXLogger.cpp
M Source/WebCore/accessibility/AXObjectCache.cpp
M Source/WebCore/accessibility/AXObjectCache.h
M Source/WebCore/rendering/updating/RenderTreeUpdater.cpp
Log Message:
-----------
AX: Fix for crash in AXIsolatedTree::removeNode.
https://bugs.webkit.org/show_bug.cgi?id=251045
rdar://103361530
Reviewed by Chris Fleizach.
Covered by existing tests.
The crash happens in ITM because AXObjectCache::remove updates the isolated tree by calling AXIsolatedTree::removeNode, that calls parentObjectUnignored(), which results in a call to textUnderElement which cannot be called during a layout. The solution in this patch is to make the removal of the object in question asynchronously.
Some code cleanup by splitting the handling of an element's renderer creation from AXObjectCache::get(Node*).
* Source/WebCore/accessibility/AXObjectCache.cpp:
(WebCore::AXObjectCache::get):
(WebCore::AXObjectCache::onRendererCreated):
(WebCore::AXObjectCache::handleLiveRegionCreated):
(WebCore::AXObjectCache::performDeferredCacheUpdate):
(WebCore::AXObjectCache::updateCacheAfterNodeIsAttached): Deleted.
* Source/WebCore/accessibility/AXObjectCache.h:
(WebCore::AXObjectCache::onRendererCreated):
(WebCore::AXObjectCache::updateCacheAfterNodeIsAttached): Deleted.
* Source/WebCore/rendering/updating/RenderTreeUpdater.cpp:
(WebCore::RenderTreeUpdater::createRenderer):
Canonical link: https://commits.webkit.org/259484@main
More information about the webkit-changes
mailing list