[webkit-changes] [WebKit/WebKit] d0b051: AX: Property updates can be lost from reentrant qu...

Tue, 03 Mar 2026 20:09:34 -0800 

  Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: d0b051217fdc7d755f01e3ae08afb7b842cb2462
      
https://github.com/WebKit/WebKit/commit/d0b051217fdc7d755f01e3ae08afb7b842cb2462
  Author: Tyler Wilcock <[email protected]>
  Date:   2026-03-03 (Tue, 03 Mar 2026)

  Changed paths:
    M Source/WebCore/accessibility/isolatedtree/AXIsolatedTree.cpp

  Log Message:
  -----------
  AX: Property updates can be lost from reentrant queueNodeUpdate during 
processQueuedNodeUpdates
https://bugs.webkit.org/show_bug.cgi?id=309102
rdar://171660304

Reviewed by Joshua Hoffman.

Evaluating AXProperty::IsIgnored during the m_needsPropertyUpdates loop can
trigger isIgnoredWithoutCache(), which detects an ignored-state transition and
calls objectBecameUnignored -> objectChangedIgnoredState -> queueNodeUpdate,
inserting into m_needsPropertyUpdates while it is being iterated. This causes
undefined behavior (iterator invalidation from rehashing) and silently drops
the newly-queued update when the loop ends with m_needsPropertyUpdates.clear().

Use std::exchange to snapshot m_needsPropertyUpdates before iterating, matching
the existing pattern used by resolveAppends() for m_unresolvedPendingAppends.
New entries queued during iteration land in the fresh map and are picked up on
the next timer-fired processQueuedNodeUpdates call.

This fixes LayoutTests/accessibility/visible-elements.html under
--accessibility-isolated-tree. The test makes a hidden link visible and checks
that documentLinks updates from 1 to 2, but the DocumentLinks property update
queued during the IsIgnored evaluation was being cleared before it could be
processed. ENABLE(ACCESSIBILITY_LOCAL_FRAME) exposed this because
AXObjectCache::objectBecameUnignored now calls updateHostedFrameInheritedState,
which triggers recomputeIsIgnoredForDescendants — cascading a single
ignored-state change into reentrant queueNodeUpdate calls that the old code
could not handle.

* Source/WebCore/accessibility/isolatedtree/AXIsolatedTree.cpp:
(WebCore::AXIsolatedTree::updateNodeProperties):
(WebCore::AXIsolatedTree::processQueuedNodeUpdates):

Canonical link: https://commits.webkit.org/308602@main



To unsubscribe from these emails, change your notification settings at 
https://github.com/WebKit/WebKit/settings/notifications

Reply via email to