Skip to content
Permalink
Browse files
AX: web process crash with isolated tree mode enabled
https://bugs.webkit.org/show_bug.cgi?id=234739
<rdar://problem/86983058>

Reviewed by Chris Fleizach.

It can happen that a new node being added is removed by AXIsolatedObject constructor when initializing
ComputedLabel property, because AccessibilityObject::computedLabel() calls updateBackingStore() that can trigger
a layout. We don't really need ComputedLabel property for isolated objects because AccessibilityObject::computedLabel()
is only used by the inspector that uses AccessibilityObject directly.

* accessibility/isolatedtree/AXIsolatedObject.cpp:
(WebCore::AXIsolatedObject::initializeAttributeData): Remove ComputedLabel property initialization.
(WebCore::AXIsolatedObject::computedLabel): Assert if called.
* accessibility/isolatedtree/AXIsolatedObject.h:
* accessibility/isolatedtree/AXIsolatedTree.cpp:
(WebCore::AXIsolatedTree::createSubtree): Add an assert to ensure the wrapper is still valid after AXIsolatedObject::create().
* accessibility/isolatedtree/AXIsolatedTree.h:


Canonical link: https://commits.webkit.org/245668@main
git-svn-id: https://svn.webkit.org/repository/webkit/trunk@287533 268f45cc-cd09-0410-ab3c-d52691b4dbfc
  • Loading branch information
carlosgcampos committed Jan 3, 2022
1 parent c5579a9 commit 6906ca9792bdb12570d9906f475bb91987032a8d
Showing 5 changed files with 31 additions and 3 deletions.
@@ -1,3 +1,24 @@
2022-01-03 Carlos Garcia Campos <cgarcia@igalia.com>

AX: web process crash with isolated tree mode enabled
https://bugs.webkit.org/show_bug.cgi?id=234739
<rdar://problem/86983058>

Reviewed by Chris Fleizach.

It can happen that a new node being added is removed by AXIsolatedObject constructor when initializing
ComputedLabel property, because AccessibilityObject::computedLabel() calls updateBackingStore() that can trigger
a layout. We don't really need ComputedLabel property for isolated objects because AccessibilityObject::computedLabel()
is only used by the inspector that uses AccessibilityObject directly.

* accessibility/isolatedtree/AXIsolatedObject.cpp:
(WebCore::AXIsolatedObject::initializeAttributeData): Remove ComputedLabel property initialization.
(WebCore::AXIsolatedObject::computedLabel): Assert if called.
* accessibility/isolatedtree/AXIsolatedObject.h:
* accessibility/isolatedtree/AXIsolatedTree.cpp:
(WebCore::AXIsolatedTree::createSubtree): Add an assert to ensure the wrapper is still valid after AXIsolatedObject::create().
* accessibility/isolatedtree/AXIsolatedTree.h:

2022-01-03 Youenn Fablet <youenn@apple.com>

FetchRequest.clone does not need to be called with the current context
@@ -200,7 +200,6 @@ void AXIsolatedObject::initializeAttributeData(AXCoreObject& coreObject, bool is
setObjectProperty(AXPropertyName::VerticalScrollBar, object.scrollBar(AccessibilityOrientation::Vertical));
setObjectProperty(AXPropertyName::HorizontalScrollBar, object.scrollBar(AccessibilityOrientation::Horizontal));
setProperty(AXPropertyName::ARIARoleAttribute, static_cast<int>(object.ariaRoleAttribute()));
setProperty(AXPropertyName::ComputedLabel, object.computedLabel().isolatedCopy());
setProperty(AXPropertyName::PlaceholderValue, object.placeholderValue().isolatedCopy());
setProperty(AXPropertyName::ExpandedTextValue, object.expandedTextValue().isolatedCopy());
setProperty(AXPropertyName::SupportsExpandedTextValue, object.supportsExpandedTextValue());
@@ -799,6 +798,13 @@ void AXIsolatedObject::setCaretBrowsingEnabled(bool value)
}
#endif

String AXIsolatedObject::computedLabel()
{
// This is only used by the web inspector that calls AccessibilityObject::computedLabel().
ASSERT_NOT_REACHED();
return { };
}

SRGBA<uint8_t> AXIsolatedObject::colorValue() const
{
return colorAttributeValue(AXPropertyName::ColorValue).toSRGBALossy<uint8_t>();
@@ -261,7 +261,7 @@ class AXIsolatedObject final : public AXCoreObject {
AXCoreObject* titleUIElement() const override { return objectAttributeValue(AXPropertyName::TitleUIElement); }
AXCoreObject* scrollBar(AccessibilityOrientation) override;
AccessibilityRole ariaRoleAttribute() const override { return static_cast<AccessibilityRole>(intAttributeValue(AXPropertyName::ARIARoleAttribute)); }
String computedLabel() override { return stringAttributeValue(AXPropertyName::ComputedLabel); }
String computedLabel() override;
int textLength() const override { return intAttributeValue(AXPropertyName::TextLength); }
const String placeholderValue() const override { return stringAttributeValue(AXPropertyName::PlaceholderValue); }
String expandedTextValue() const override { return stringAttributeValue(AXPropertyName::ExpandedTextValue); }
@@ -209,6 +209,8 @@ Ref<AXIsolatedObject> AXIsolatedTree::createSubtree(AXCoreObject& axObject, AXID
return object;
}

ASSERT(axObject.wrapper());

NodeChange nodeChange { object, nullptr };
if (attachWrapper)
object->attachPlatformWrapper(axObject.wrapper());
@@ -96,7 +96,6 @@ enum class AXPropertyName : uint16_t {
ColumnHeaders,
ColumnIndex,
ColumnIndexRange,
ComputedLabel,
ComputedRoleString,
Contents,
CurrentState,

0 comments on commit 6906ca9

Please sign in to comment.