[webkit-changes] [WebKit/WebKit] e78c33: AX: Isolated objects in the full tree may be acces...

AndresGonzalezApple noreply at github.com
Tue Oct 17 17:01:00 PDT 2023


  Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: e78c3391e4d1800990312f6f72aaec65c56fd2ff
      https://github.com/WebKit/WebKit/commit/e78c3391e4d1800990312f6f72aaec65c56fd2ff
  Author: Andres Gonzalez <andresg_22 at apple.com>
  Date:   2023-10-17 (Tue, 17 Oct 2023)

  Changed paths:
    M Source/WebCore/accessibility/isolatedtree/AXIsolatedTree.cpp
    M Source/WebCore/accessibility/isolatedtree/AXIsolatedTree.h

  Log Message:
  -----------
  AX: Isolated objects in the full tree may be accessed before the tree is completely built.
https://bugs.webkit.org/show_bug.cgi?id=263248
<rdar://problem/117075862>

Reviewed by Tyler Wilcock.

When building the isolated tree for a given page, we first build a temporary tree consisting only of the ScrollView and the WebArea objects. The purpose of this temporary tree is to serve clients' requests while the full tree is being built, which will keep the main thread busy and clients' requests that require the main thread blocked. However, that goal is not achieved in cases where the following sequence of events occurs:
1. A client holds a reference to the ScrollView object wrapper from the temporary tree. Let that wrapper be called W.
2. While building the full tree, a new isolated object is created for the ScrollView object and attached to W, since it represents the same underlying live object.
3. From that point on, all calls into W access the object that is part of the full isolated tree, not the temporary tree object.
This happens during the construction of the full tree. This issue defeats the purpose of the temporary tree. See the comment in Bugzilla for a log output showing the problem.

This patch solves the problem by not attaching the wrappers to newly created isolated objects immediately upon creation, but instead attaching all wrappers once the entire tree is built and the temporary tree is about to be replaced by the full tree. This applies to isolated objects whose wrappers were attached on the main thread. The same principle is applied to tree updates.

* Source/WebCore/accessibility/isolatedtree/AXIsolatedTree.cpp:
(WebCore::AXIsolatedTree::nodeChangeForObject):
(WebCore::AXIsolatedTree::queueAppendsAndRemovals):
(WebCore::AXIsolatedTree::applyPendingChanges):
* Source/WebCore/accessibility/isolatedtree/AXIsolatedTree.h:

Canonical link: https://commits.webkit.org/269435@main
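A hypothetical C++ model of the ordering problem described in the log message and of the deferred-attachment fix. This is added here for illustration only; it is not WebKit's code, and the struct, function and field names are stand-ins that borrow their names from the log message (the flag `deferAttachments` selects the old versus the fixed behaviour).

```cpp
// Hypothetical model (not WebKit code): wrappers repointed during the build vs. after it.
#include <memory>
#include <string>
#include <utility>
#include <vector>

struct IsolatedObject {
    std::string tree; // "temporary" or "full": which isolated tree this object belongs to
};

// Client-visible wrapper (W in the log message); a client may hold it across the build.
struct Wrapper {
    IsolatedObject* object = nullptr;
    void attach(IsolatedObject* o) { object = o; }
};

struct IsolatedTree {
    std::vector<std::unique_ptr<IsolatedObject>> objects;
    std::vector<std::pair<Wrapper*, IsolatedObject*>> pendingAttachments;
    bool deferAttachments; // false = behaviour before the patch, true = after it

    explicit IsolatedTree(bool defer) : deferAttachments(defer) {}

    // Stand-in for nodeChangeForObject: create the full-tree object for the live
    // object that wrapper w already represents from the temporary tree.
    IsolatedObject* nodeChangeForObject(Wrapper* w) {
        objects.push_back(std::make_unique<IsolatedObject>(IsolatedObject{"full"}));
        IsolatedObject* o = objects.back().get();
        if (deferAttachments)
            pendingAttachments.emplace_back(w, o); // attach once the whole tree exists
        else
            w->attach(o); // bug: W now points into an incomplete tree
        return o;
    }

    // Stand-in for applyPendingChanges: the full tree replaces the temporary one,
    // and only now are the queued wrappers repointed.
    void applyPendingChanges() {
        for (auto& [w, o] : pendingAttachments)
            w->attach(o);
        pendingAttachments.clear();
    }
};

// A client keeps using W while the full tree is under construction.
// Returns {tree seen mid-build, tree seen after the build}.
std::pair<std::string, std::string> observeWrapper(bool deferAttachments) {
    IsolatedObject scrollViewTemp{"temporary"};
    Wrapper w;
    w.attach(&scrollViewTemp);
    IsolatedTree full(deferAttachments);
    full.nodeChangeForObject(&w);           // ScrollView recreated for the full tree
    std::string midBuild = w.object->tree;  // client request arrives during the build
    full.applyPendingChanges();             // build finishes, temporary tree replaced
    return {midBuild, w.object->tree};
}
```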
