Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: fd6124abeabf61de34bd045daf66f1e11082ce0b
      
https://github.com/WebKit/WebKit/commit/fd6124abeabf61de34bd045daf66f1e11082ce0b
  Author: Tyler Wilcock <tyle...@apple.com>
  Date:   2025-09-02 (Tue, 02 Sep 2025)

  Changed paths:
    M Source/WebCore/accessibility/isolatedtree/AXIsolatedTree.cpp

  Log Message:
  -----------
  AX: Rare deadlocks can happen when resolving AXObjectCache::mostRecentlyPaintedText inside of AXIsolatedTree::processQueuedNodeUpdates
https://bugs.webkit.org/show_bug.cgi?id=297991
rdar://159309500

Reviewed by Joshua Hoffman.

Resolving `mostRecentlyPaintedText()` in `AXIsolatedTree::processQueuedNodeUpdates` can result in this sequence:
  1. `AXObjectCache::getOrCreate`, which calls `AccessibilityObject::recomputeIsIgnored`
  2. If the ignored state changes, `AXObjectCache::objectBecameUnignored` may be called
  3. `AXIsolatedTree::treeForPageID()` will be called to try to inform the isolated tree
     of this change, which requires taking `AXTreeStore::s_storeLock`.

If the main-thread (as is the case for all executions of `AXIsolatedTree::processQueuedNodeUpdates`) held the
`m_changeLogLock` when the above sequence happened, we would deadlock if the accessibility thread was simultaneously
running `applyPendingChangesForAllIsolatedTrees()`, which holds the `s_storeLock` for the length of the function.
The main-thread would be waiting on the `s_storeLock`, and the accessibility thread would be waiting on the
`m_changeLogLock` to run `AXIsolatedTree::applyPendingChanges()` while holding the `s_storeLock`. Thus, a deadlock.

So it's crucial to resolve the `mostRecentlyPaintedText` structure before the `m_changeLogLock` critical section,
and only perform a move or copy while in the critical section to avoid a deadlock. This commit does exactly that,
preventing the deadlock.

* Source/WebCore/accessibility/isolatedtree/AXIsolatedTree.cpp:
(WebCore::AXIsolatedTree::processQueuedNodeUpdates):

Canonical link: https://commits.webkit.org/299432@main
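
The lock-order inversion described in the log message, modelled as an added example (not WebKit code and not part of the commit): a small lockdep-style checker records which lock is held when another is acquired and reports a cycle. The event traces, `recordPath`, `visit` and `potentialDeadlock` are hypothetical names and constructed data; only the two lock names and the function names in the comments come from the commit message.

```cpp
#include <cstdio>
#include <map>
#include <set>
#include <string>
#include <vector>

using Names = std::set<std::string>;
using Graph = std::map<std::string, Names>;

// Record "held -> acquired" edges for one code path.
// Events are "+name" (acquire) or "-name" (release).
void recordPath(Graph& edges, const std::vector<std::string>& events) {
    Names held;
    for (const auto& e : events) {
        std::string name = e.substr(1);
        if (e[0] == '-') { held.erase(name); continue; }
        for (const auto& h : held) edges[h].insert(name);
        held.insert(name);
    }
}

// Depth-first search; reaching a node already on the stack means a cycle.
bool visit(const Graph& edges, const std::string& n, Names& done, Names& onStack) {
    if (onStack.count(n)) return true;
    if (done.count(n)) return false;
    onStack.insert(n);
    if (edges.count(n))
        for (const auto& next : edges.at(n))
            if (visit(edges, next, done, onStack)) return true;
    onStack.erase(n);
    done.insert(n);
    return false;
}

// Constructed traces modelled on the commit message, not captured from WebKit.
bool potentialDeadlock(bool resolveInsideCriticalSection) {
    Graph g;
    // Accessibility thread: applyPendingChangesForAllIsolatedTrees()
    recordPath(g, {"+s_storeLock", "+m_changeLogLock", "-m_changeLogLock", "-s_storeLock"});
    // Main thread: processQueuedNodeUpdates(), before vs. after the fix
    if (resolveInsideCriticalSection)
        recordPath(g, {"+m_changeLogLock", "+s_storeLock", "-s_storeLock", "-m_changeLogLock"});
    else
        recordPath(g, {"+s_storeLock", "-s_storeLock", "+m_changeLogLock", "-m_changeLogLock"});
    Names done, onStack;
    for (const auto& kv : g)
        if (visit(g, kv.first, done, onStack)) return true;
    return false;
}
int main() { std::printf("before: %d after: %d\n", potentialDeadlock(true), potentialDeadlock(false)); }
```

Resolving before the critical section removes the `m_changeLogLock -> s_storeLock` edge, so the only remaining order is `s_storeLock -> m_changeLogLock` and the graph is acyclic.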


