Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: 653381a67bbf7bd39dd5ccff3c837cfe84793f5a
https://github.com/WebKit/WebKit/commit/653381a67bbf7bd39dd5ccff3c837cfe84793f5a
Author: Dominic Mazzoni <[email protected]>
Date: 2026-02-08 (Sun, 08 Feb 2026)
Changed paths:
M Source/WebCore/accessibility/isolatedtree/AXIsolatedTree.cpp
Log Message:
-----------
AX: Deadlock involving s_storeLock when ENABLE_ACCESSIBILITY_LOCAL_FRAME is enabled
https://bugs.webkit.org/show_bug.cgi?id=307303
rdar://169934927

Reviewed by Tyler Wilcock.

WebProcess::accessibilityFocusedUIElement iterates over isolated trees
to see which one is focused, and it uses findAXTree, which acquires
s_storeLock.

When ENABLE_ACCESSIBILITY_LOCAL_FRAME is enabled, it also calls
typedTree->focusedNode() on each tree because it needs to check
whether that frame is the specific frame within a page that's focused
- the flags like ActivityState::IsFocused only tell us about the page,
not the frame.

This results in a call to AXIsolatedTree::focusedNodeID(), which calls
AXIsolatedTree::applyPendingChanges.

This is all fine so far, but if the tree happens to be queued for
destruction, then it calls AXTreeStore::remove(), which also needs
s_storeLock, leading to deadlock.

This manifests when running accessibility layout tests in parallel
with ENABLE_ACCESSIBILITY_LOCAL_FRAME enabled - even if the tests
don't involve iframes, sooner or later the deadlock occurs and causes
tests to time out.

The simplest fix is to just call the existing
applyPendingChangesUnlessQueuedForDestruction method. We should also
consider if there's a safer time to trigger AXTreeStore::remove().

Fixes existing tests when ENABLE_ACCESSIBILITY_LOCAL_FRAME is enabled.

* Source/WebCore/accessibility/isolatedtree/AXIsolatedTree.cpp:
(WebCore::AXIsolatedTree::focusedNodeID):
Canonical link: https://commits.webkit.org/307050@main
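
The lock re-entry described in the log message, as an added example that is not WebKit code: a simplified single-threaded model in which StoreLock, Guard, Store, Tree and focusedTreeId are hypothetical stand-ins, and the lookup is assumed to run its callback while holding the store lock. Re-acquiring the lock throws instead of hanging, so both the original path and the fixed path can be run.

```cpp
#include <cstdio>
#include <functional>
#include <map>
#include <stdexcept>

// Stand-in for a non-recursive lock. Re-acquiring it while held throws
// instead of hanging, so the model can report the deadlock and keep running.
struct StoreLock {
    bool held = false;
    void lock() { if (held) throw std::logic_error("self-deadlock"); held = true; }
    void unlock() { held = false; }
};
struct Guard {  // minimal RAII holder
    StoreLock& l;
    explicit Guard(StoreLock& lock) : l(lock) { l.lock(); }
    ~Guard() { l.unlock(); }
};
struct Tree { int id; bool focused; bool queuedForDestruction; };

struct Store {
    StoreLock storeLock;  // models s_storeLock
    std::map<int, Tree> trees;
    void remove(int id) { Guard g(storeLock); trees.erase(id); }
    // Assumed shape of the lookup: the predicate runs with the store lock held.
    int findTree(const std::function<bool(Tree&)>& pred) {
        Guard g(storeLock);
        for (auto& entry : trees)
            if (pred(entry.second)) return entry.first;
        return -1;
    }
    void applyPendingChanges(Tree& t) { if (t.queuedForDestruction) remove(t.id); }
    void applyPendingChangesUnlessQueuedForDestruction(Tree& t) {
        if (!t.queuedForDestruction) applyPendingChanges(t);
    }
};

// Returns the focused tree id, or -2 if the lookup would have self-deadlocked.
int focusedTreeId(bool useFix) {
    Store s;
    s.trees = {{1, {1, false, true}}, {2, {2, true, false}}};  // constructed: tree 1 is queued for destruction
    try {
        return s.findTree([&](Tree& t) {
            if (useFix) s.applyPendingChangesUnlessQueuedForDestruction(t);
            else s.applyPendingChanges(t);
            return t.focused;
        });
    } catch (const std::logic_error&) { return -2; }
}
int main() { std::printf("original: %d, fixed: %d\n", focusedTreeId(false), focusedTreeId(true)); }
```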