Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: e78c3391e4d1800990312f6f72aaec65c56fd2ff
https://github.com/WebKit/WebKit/commit/e78c3391e4d1800990312f6f72aaec65c56fd2ff
Author: Andres Gonzalez <[email protected]>
Date: 2023-10-17 (Tue, 17 Oct 2023)
Changed paths:
M Source/WebCore/accessibility/isolatedtree/AXIsolatedTree.cpp
M Source/WebCore/accessibility/isolatedtree/AXIsolatedTree.h
Log Message:
-----------
AX: Isolated objects in the full tree may be accessed before the tree is
completely built.
https://bugs.webkit.org/show_bug.cgi?id=263248
<rdar://problem/117075862>
Reviewed by Tyler Wilcock.
When building the isolated tree for a given page, we first build a temporary
tree consisting only of the ScrollView and the WebArea objects. The purpose of
this temporary tree is to serve client's requests while the full tree is being
built, which will keep the main thread busy and client's requests that required
the main thread blocked. However that goal is not achieved in cases where the
following sequence of events occur:
1. Clients holds a reference to the ScrollView object wrapper from the
temporary tree. Let that wrapper be called W.
2. During building the full tree a new isolated object is created for the
ScrollView object and attached to W since it represents the same underlying
liveobject.
3. From that point on, all calls into W access the object that is part of the
full isolated tree, not the temporary tree object.
This happens during the construction of the full tree. This issue defeats the
purpose of the temporary tree. See comment in bugzilla for a log output showing
the problem.
This patch solves the problem by not attaching the wrappers to newly created
isolated objects immediately upon creation, but instead attaching all wrappers
once the entire tree is built and the temporary tree is about to be replaced by
the full tree. This apply to isolated objects whose wrappers were attached on
the main thread. The same principle is applied to tree updates.
* Source/WebCore/accessibility/isolatedtree/AXIsolatedTree.cpp:
(WebCore::AXIsolatedTree::nodeChangeForObject):
(WebCore::AXIsolatedTree::queueAppendsAndRemovals):
(WebCore::AXIsolatedTree::applyPendingChanges):
* Source/WebCore/accessibility/isolatedtree/AXIsolatedTree.h:
Canonical link: https://commits.webkit.org/269435@main
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes
