AccessibilityObject::FocusedUIElement should not call AXObjectCache::…

…focusedUIElementForPage that can return an isolated object. https://bugs.webkit.org/show_bug.cgi?id=219238 Reviewed by Chris Fleizach. Since AXObjectCache::focusedUIElementForPage can return an isolated object, AccessibilityObject::focusedUIElement should not use it to determine the focused object. This causes that isolated objects may be accessed on the main thread when they shouldn't, and even infinite recursion if this happens when the isolated tree is being built. This patch changes AccessibilityObject::focusedUIElement to call AXObjectCache::focusedObjectForPage that always returns another AccessibilityObject. * accessibility/AXObjectCache.cpp: (WebCore::AXObjectCache::focusedObjectForPage): (WebCore::AXObjectCache::focusedUIElementForPage): (WebCore::AXObjectCache::generateIsolatedTree): (WebCore::AXObjectCache::focusedObject): Deleted. * accessibility/AXObjectCache.h: * accessibility/AccessibilityObject.cpp: (WebCore::AccessibilityObject::focusedUIElement const): Canonical link: https://commits.webkit.org/231863@main git-svn-id: https://svn.webkit.org/repository/webkit/trunk@270154 268f45cc-cd09-0410-ab3c-d52691b4dbfc
WebKit · Nov 21, 2020 · a717593 · a717593
1 parent 1f30421
commit a717593
Show file tree

Hide file tree

Showing 4 changed files with 45 additions and 21 deletions.
diff --git a/Source/WebCore/ChangeLog b/Source/WebCore/ChangeLog
@@ -1,3 +1,27 @@
+2020-11-21  Andres Gonzalez  <andresg_22@apple.com>
+
+        AccessibilityObject::FocusedUIElement should not call AXObjectCache::focusedUIElementForPage that can return an isolated object.
+        https://bugs.webkit.org/show_bug.cgi?id=219238
+
+        Reviewed by Chris Fleizach.
+
+        Since AXObjectCache::focusedUIElementForPage can return an isolated
+        object, AccessibilityObject::focusedUIElement should not use it to
+        determine the focused object. This causes that isolated objects may be
+        accessed on the main thread when they shouldn't, and even infinite
+        recursion if this happens when the isolated tree is being built.
+        This patch changes AccessibilityObject::focusedUIElement to call
+        AXObjectCache::focusedObjectForPage that always returns another AccessibilityObject.
+
+        * accessibility/AXObjectCache.cpp:
+        (WebCore::AXObjectCache::focusedObjectForPage):
+        (WebCore::AXObjectCache::focusedUIElementForPage):
+        (WebCore::AXObjectCache::generateIsolatedTree):
+        (WebCore::AXObjectCache::focusedObject): Deleted.
+        * accessibility/AXObjectCache.h:
+        * accessibility/AccessibilityObject.cpp:
+        (WebCore::AccessibilityObject::focusedUIElement const):
+
 2020-11-21  Zalan Bujtas  <zalan@apple.com>
 
         [LFC][IFC] Move current logicalLeft from ContinuousContent to LineStatus

diff --git a/Source/WebCore/accessibility/AXObjectCache.cpp b/Source/WebCore/accessibility/AXObjectCache.cpp
@@ -369,17 +369,29 @@ AccessibilityObject* AXObjectCache::focusedImageMapUIElement(HTMLAreaElement* ar
     return nullptr;
 }
 
-AXCoreObject* AXObjectCache::focusedObject(Document& document)
+AXCoreObject* AXObjectCache::focusedObjectForPage(const Page* page)
 {
-    Element* focusedElement = document.focusedElement();
+    ASSERT(isMainThread());
+
+    if (!gAccessibilityEnabled)
+        return nullptr;
+
+    // get the focused node in the page
+    Document* document = page->focusController().focusedOrMainFrame().document();
+    if (!document)
+        return nullptr;
+
+    document->updateStyleIfNeeded();
+
+    Element* focusedElement = document->focusedElement();
     if (is<HTMLAreaElement>(focusedElement))
         return focusedImageMapUIElement(downcast<HTMLAreaElement>(focusedElement));
 
-    auto* axObjectCache = document.axObjectCache();
+    auto* axObjectCache = document->axObjectCache();
     if (!axObjectCache)
         return nullptr;
 
-    AXCoreObject* focus = axObjectCache->getOrCreate(focusedElement ? focusedElement : static_cast<Node*>(&document));
+    AXCoreObject* focus = axObjectCache->getOrCreate(focusedElement ? focusedElement : static_cast<Node*>(document));
     if (!focus)
         return nullptr;
 
@@ -421,24 +433,12 @@ void AXObjectCache::setIsolatedTreeFocusedObject(Node* focusedNode)
 
 AXCoreObject* AXObjectCache::focusedUIElementForPage(const Page* page)
 {
-    ASSERT(isMainThread());
-    if (!gAccessibilityEnabled)
-        return nullptr;
-
-    // get the focused node in the page
-    Document* focusedDocument = page->focusController().focusedOrMainFrame().document();
-    if (!focusedDocument)
-        return nullptr;
-
-    // Call this before isolated or non-isolated cases so the document is up to do.
-    focusedDocument->updateStyleIfNeeded();
-
 #if ENABLE(ACCESSIBILITY_ISOLATED_TREE)
     if (isIsolatedTreeEnabled())
         return isolatedTreeFocusedObject();
 #endif
 
-    return focusedObject(*focusedDocument);
+    return focusedObjectForPage(page);
 }
 
 AccessibilityObject* AXObjectCache::get(Widget* widget)
@@ -3179,7 +3179,7 @@ Ref<AXIsolatedTree> AXObjectCache::generateIsolatedTree(PageIdentifier pageID, D
     if (axRoot)
         tree->generateSubtree(*axRoot, nullptr, true);
 
-    auto* axFocus = axObjectCache->focusedObject(document);
+    auto* axFocus = axObjectCache->focusedObjectForPage(document.page());
     if (axFocus)
         tree->setFocusedNodeID(axFocus->objectID());
 

diff --git a/Source/WebCore/accessibility/AXObjectCache.h b/Source/WebCore/accessibility/AXObjectCache.h
@@ -145,6 +145,7 @@ class AXObjectCache {
     ~AXObjectCache();
 
     WEBCORE_EXPORT AXCoreObject* focusedUIElementForPage(const Page*);
+    static AXCoreObject* focusedObjectForPage(const Page*);
 
     // Returns the root object for the entire document.
     WEBCORE_EXPORT AXCoreObject* rootObject();
@@ -431,7 +432,6 @@ class AXObjectCache {
     AccessibilityObject* rootWebArea();
 
     static AccessibilityObject* focusedImageMapUIElement(HTMLAreaElement*);
-    static AXCoreObject* focusedObject(Document&);
 
     AXID getAXID(AccessibilityObject*);
 

diff --git a/Source/WebCore/accessibility/AccessibilityObject.cpp b/Source/WebCore/accessibility/AccessibilityObject.cpp
@@ -2544,12 +2544,12 @@ AXObjectCache* AccessibilityObject::axObjectCache() const
     auto* document = this->document();
     return document ? document->axObjectCache() : nullptr;
 }
-    
+
 AXCoreObject* AccessibilityObject::focusedUIElement() const
 {
     auto* page = this->page();
     auto* axObjectCache = this->axObjectCache();
-    return page && axObjectCache ? axObjectCache->focusedUIElementForPage(page) : nullptr;
+    return page && axObjectCache ? axObjectCache->focusedObjectForPage(page) : nullptr;
 }
 
 AccessibilitySortDirection AccessibilityObject::sortDirection() const