Title: [270154] trunk/Source/WebCore
Revision
270154
Author
[email protected]
Date
2020-11-21 15:03:28 -0800 (Sat, 21 Nov 2020)

Log Message

AccessibilityObject::FocusedUIElement should not call AXObjectCache::focusedUIElementForPage that can return an isolated object.
https://bugs.webkit.org/show_bug.cgi?id=219238

Reviewed by Chris Fleizach.

Since AXObjectCache::focusedUIElementForPage can return an isolated
object, AccessibilityObject::focusedUIElement should not use it to
determine the focused object. As a result, isolated objects may be
accessed on the main thread when they should not be, and this can even
cause infinite recursion if it happens while the isolated tree is being built.
This patch changes AccessibilityObject::focusedUIElement to call
AXObjectCache::focusedObjectForPage that always returns another AccessibilityObject.

* accessibility/AXObjectCache.cpp:
(WebCore::AXObjectCache::focusedObjectForPage):
(WebCore::AXObjectCache::focusedUIElementForPage):
(WebCore::AXObjectCache::generateIsolatedTree):
(WebCore::AXObjectCache::focusedObject): Deleted.
* accessibility/AXObjectCache.h:
* accessibility/AccessibilityObject.cpp:
(WebCore::AccessibilityObject::focusedUIElement const):

Modified Paths

Diff

Modified: trunk/Source/WebCore/ChangeLog (270153 => 270154)


--- trunk/Source/WebCore/ChangeLog	2020-11-21 20:46:25 UTC (rev 270153)
+++ trunk/Source/WebCore/ChangeLog	2020-11-21 23:03:28 UTC (rev 270154)
@@ -1,3 +1,27 @@
+2020-11-21  Andres Gonzalez  <[email protected]>
+
+        AccessibilityObject::FocusedUIElement should not call AXObjectCache::focusedUIElementForPage that can return an isolated object.
+        https://bugs.webkit.org/show_bug.cgi?id=219238
+
+        Reviewed by Chris Fleizach.
+
+        Since AXObjectCache::focusedUIElementForPage can return an isolated
+        object, AccessibilityObject::focusedUIElement should not use it to
+        determine the focused object. This causes that isolated objects may be
+        accessed on the main thread when they shouldn't, and even infinite
+        recursion if this happens when the isolated tree is being built.
+        This patch changes AccessibilityObject::focusedUIElement to call
+        AXObjectCache::focusedObjectForPage that always returns another AccessibilityObject.
+
+        * accessibility/AXObjectCache.cpp:
+        (WebCore::AXObjectCache::focusedObjectForPage):
+        (WebCore::AXObjectCache::focusedUIElementForPage):
+        (WebCore::AXObjectCache::generateIsolatedTree):
+        (WebCore::AXObjectCache::focusedObject): Deleted.
+        * accessibility/AXObjectCache.h:
+        * accessibility/AccessibilityObject.cpp:
+        (WebCore::AccessibilityObject::focusedUIElement const):
+
 2020-11-21  Zalan Bujtas  <[email protected]>
 
         [LFC][IFC] Move current logicalLeft from ContinuousContent to LineStatus

Modified: trunk/Source/WebCore/accessibility/AXObjectCache.cpp (270153 => 270154)


--- trunk/Source/WebCore/accessibility/AXObjectCache.cpp	2020-11-21 20:46:25 UTC (rev 270153)
+++ trunk/Source/WebCore/accessibility/AXObjectCache.cpp	2020-11-21 23:03:28 UTC (rev 270154)
@@ -369,17 +369,29 @@
     return nullptr;
 }
 
-AXCoreObject* AXObjectCache::focusedObject(Document& document)
+AXCoreObject* AXObjectCache::focusedObjectForPage(const Page* page)
 {
-    Element* focusedElement = document.focusedElement();
+    ASSERT(isMainThread());
+
+    if (!gAccessibilityEnabled)
+        return nullptr;
+
+    // get the focused node in the page
+    Document* document = page->focusController().focusedOrMainFrame().document();
+    if (!document)
+        return nullptr;
+
+    document->updateStyleIfNeeded();
+
+    Element* focusedElement = document->focusedElement();
     if (is<HTMLAreaElement>(focusedElement))
         return focusedImageMapUIElement(downcast<HTMLAreaElement>(focusedElement));
 
-    auto* axObjectCache = document.axObjectCache();
+    auto* axObjectCache = document->axObjectCache();
     if (!axObjectCache)
         return nullptr;
 
-    AXCoreObject* focus = axObjectCache->getOrCreate(focusedElement ? focusedElement : static_cast<Node*>(&document));
+    AXCoreObject* focus = axObjectCache->getOrCreate(focusedElement ? focusedElement : static_cast<Node*>(document));
     if (!focus)
         return nullptr;
 
@@ -421,24 +433,12 @@
 
 AXCoreObject* AXObjectCache::focusedUIElementForPage(const Page* page)
 {
-    ASSERT(isMainThread());
-    if (!gAccessibilityEnabled)
-        return nullptr;
-
-    // get the focused node in the page
-    Document* focusedDocument = page->focusController().focusedOrMainFrame().document();
-    if (!focusedDocument)
-        return nullptr;
-
-    // Call this before isolated or non-isolated cases so the document is up to do.
-    focusedDocument->updateStyleIfNeeded();
-    
 #if ENABLE(ACCESSIBILITY_ISOLATED_TREE)
     if (isIsolatedTreeEnabled())
         return isolatedTreeFocusedObject();
 #endif
 
-    return focusedObject(*focusedDocument);
+    return focusedObjectForPage(page);
 }
 
 AccessibilityObject* AXObjectCache::get(Widget* widget)
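Review bot: The isolated-tree path of focusedUIElementForPage no longer runs `updateStyleIfNeeded()`, nor the `gAccessibilityEnabled` check, before returning `isolatedTreeFocusedObject()`; both were removed together with the comment stating the style update was needed "before isolated or non-isolated cases", and the log message does not say this is intended. If the isolated path is meant to be callable without touching the document (for example from the secondary accessibility thread), a comment above the `#if ENABLE(ACCESSIBILITY_ISOLATED_TREE)` saying so would prevent someone reinstating the update; otherwise the `gAccessibilityEnabled` early return and the document style update should be restored ahead of the `#if`, mirroring what focusedObjectForPage now does. This is a behaviour change hidden inside a refactoring commit and deserves to be stated explicitly either way.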
@@ -3179,7 +3179,7 @@
     if (axRoot)
         tree->generateSubtree(*axRoot, nullptr, true);
 
-    auto* axFocus = axObjectCache->focusedObject(document);
+    auto* axFocus = axObjectCache->focusedObjectForPage(document.page());
     if (axFocus)
         tree->setFocusedNodeID(axFocus->objectID());
 

Modified: trunk/Source/WebCore/accessibility/AXObjectCache.h (270153 => 270154)


--- trunk/Source/WebCore/accessibility/AXObjectCache.h	2020-11-21 20:46:25 UTC (rev 270153)
+++ trunk/Source/WebCore/accessibility/AXObjectCache.h	2020-11-21 23:03:28 UTC (rev 270154)
@@ -145,6 +145,7 @@
     ~AXObjectCache();
 
     WEBCORE_EXPORT AXCoreObject* focusedUIElementForPage(const Page*);
+    static AXCoreObject* focusedObjectForPage(const Page*);
 
     // Returns the root object for the entire document.
     WEBCORE_EXPORT AXCoreObject* rootObject();
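Review bot: The guarantee this whole patch relies on — that focusedObjectForPage never returns an isolated object, while focusedUIElementForPage may — is not visible from the declarations, since both return `AXCoreObject*` and sit side by side with no comment. A short comment above the new declaration would stop the next caller picking the wrong one: `// Returns the focused object from the live (non-isolated) tree; main thread only. Unlike focusedUIElementForPage, never returns an isolated object.` Consider the same treatment for focusedUIElementForPage, noting that it returns an isolated-tree object when the isolated tree is enabled.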
@@ -431,7 +432,6 @@
     AccessibilityObject* rootWebArea();
 
     static AccessibilityObject* focusedImageMapUIElement(HTMLAreaElement*);
-    static AXCoreObject* focusedObject(Document&);
 
     AXID getAXID(AccessibilityObject*);
 

Modified: trunk/Source/WebCore/accessibility/AccessibilityObject.cpp (270153 => 270154)


--- trunk/Source/WebCore/accessibility/AccessibilityObject.cpp	2020-11-21 20:46:25 UTC (rev 270153)
+++ trunk/Source/WebCore/accessibility/AccessibilityObject.cpp	2020-11-21 23:03:28 UTC (rev 270154)
@@ -2544,12 +2544,12 @@
     auto* document = this->document();
     return document ? document->axObjectCache() : nullptr;
 }
-    
+
 AXCoreObject* AccessibilityObject::focusedUIElement() const
 {
     auto* page = this->page();
     auto* axObjectCache = this->axObjectCache();
-    return page && axObjectCache ? axObjectCache->focusedUIElementForPage(page) : nullptr;
+    return page && axObjectCache ? axObjectCache->focusedObjectForPage(page) : nullptr;
 }
     
 AccessibilitySortDirection AccessibilityObject::sortDirection() const
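Review bot: focusedObjectForPage is declared `static` in AXObjectCache.h, so calling it through the `axObjectCache` instance pointer in focusedUIElement reads as if the cache instance were used, when only `page` is; `return page && axObjectCache ? AXObjectCache::focusedObjectForPage(page) : nullptr;` keeps the existing null check while making the static call explicit. If the `axObjectCache` check is being kept only as a proxy for "the document is still alive", a brief comment saying so would help, since focusedObjectForPage re-fetches the cache from the document itself.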