[Webkit-unassigned] [Bug 239398] New: Node changes created by AXIsolatedTree::updateNode are overwritten when performed during AXIsolatedTree::collectNodeChangesForSubtree

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Fri Apr 15 11:56:02 PDT 2022 

https://bugs.webkit.org/show_bug.cgi?id=239398

            Bug ID: 239398
           Summary: Node changes created by AXIsolatedTree::updateNode are
                    overwritten when performed during
                    AXIsolatedTree::collectNodeChangesForSubtree
           Product: WebKit
           Version: WebKit Nightly Build
          Hardware: All
                OS: All
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: Accessibility
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: tyler_w at apple.com
                CC: andresg_22 at apple.com,
                    webkit-bug-importer at group.apple.com

We currently do the wrong thing in this scenario:

  1. A dynamic page change causes an element to be included on the page, so we create a node change for it and its subtree by calling collectNodeChangesForSubtree. This causes a call to children() on the live object

  2. In the process of (or after) updating the children of the live object, we perform some operation that triggers AXIsolatedTree::updateNode on said object. AccessibilityRenderObject::updateRoleAfterChildrenCreation would be an example of this if it were properly coded to update the isolated tree if the object's role changes (I'll address that in a separate patch). updateNode results in a node change with the correct properties being added to m_pendingAppends

  3. collectNodeChangesForSubtree (started in step 1) finishes, and queues a node change for the same object, but with the wrong properties (because it was created before step 2). Because it comes after the node change added in step 2 to m_pendingAppends, it wins, and we add an object with the wrong properties to the tree

-- 
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-unassigned/attachments/20220415/7009da82/attachment.htm>

More information about the webkit-unassigned mailing list