[Webkit-unassigned] [Bug 287716] New: AX: performDeferredCacheUpdate needs to check document.hasPendingStyleRecalc

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Fri Feb 14 10:51:16 PST 2025 

https://bugs.webkit.org/show_bug.cgi?id=287716

            Bug ID: 287716
           Summary: AX: performDeferredCacheUpdate needs to check
                    document.hasPendingStyleRecalc
           Product: WebKit
           Version: WebKit Nightly Build
          Hardware: All
                OS: All
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: Accessibility
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: dm_mazzoni at apple.com
                CC: andresg_22 at apple.com,
                    webkit-bug-importer at group.apple.com

When AXObjectCache::performDeferredCacheUpdate is called, it checks to see if the document needs layout first before updating the accessibility tree. If this isn't done, walking the accessibility tree can trigger a layout in the middle, leading to inconsistencies and crashes.

I discovered this while debugging this ARIA example. I can trigger a crash using VoiceOver, but the repro steps are quite tricky and I didn't have any luck turning it into a layout test.

https://www.w3.org/WAI/ARIA/apg/patterns/combobox/examples/combobox-select-only/

The underlying issue was that the listbox was changing from display:none to display:block, but under some circumstances it was possible for AXObjectCache::performDeferredCacheUpdate to get called when style is dirty but needsLayout still returns false, so it wouldn't update layout, and that would lead to the listbox options getting created with the wrong parent id. VoiceOver wouldn't speak them, and in debug mode we'd get an assertion failure.

I did write a layout test that successfully triggers this scenario, however it also triggers a separate unrelated assertion failure so I can't merge it yet. I filed a separate bug for that one: https://bugs.webkit.org/show_bug.cgi?id=287715 (AX: attached layout test triggers assertion in AXIsolatedObject::children)

-- 
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-unassigned/attachments/20250214/4bdb2465/attachment.htm>

More information about the webkit-unassigned mailing list