Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: e96d3a317b72d64942c1bb4bdb0895d99883233e
      
https://github.com/WebKit/WebKit/commit/e96d3a317b72d64942c1bb4bdb0895d99883233e
  Author: Tyler Wilcock <[email protected]>
  Date:   2026-03-03 (Tue, 03 Mar 2026)

  Changed paths:
    A Source/WebCore/accessibility/AXIsolatedTree.cpp
    A Source/WebCore/accessibility/AXIsolatedTree.h
    M Source/WebCore/accessibility/AXTreeStore.cpp
    M Source/WebCore/accessibility/isolatedtree/AXIsolatedObject.cpp
    M Source/WebCore/accessibility/isolatedtree/AXIsolatedTree.cpp
    M Source/WebCore/accessibility/isolatedtree/AXIsolatedTree.h
    M Source/WebCore/accessibility/mac/WebAccessibilityObjectWrapperBase.mm

  Log Message:
  -----------
  AX: With ENABLE(ACCESSIBILITY_LOCAL_FRAME), isolated trees associated with iframes are never cleaned up unless a request goes to an object from the iframe
https://bugs.webkit.org/show_bug.cgi?id=309011
rdar://171560446

Reviewed by Joshua Hoffman.

With ENABLE(ACCESSIBILITY_LOCAL_FRAME), every frame gets its own AXObjectCache and AXIsolatedTree.
This exposes a flaw in our logic for cleaning up isolated trees queued for destruction, exposed by
test accessibility/mac/stale-textmarker-crash.html, which does the following:

  1. Gets a text marker from within an iframe
  2. Deletes the iframe, causing the corresponding tree to set AXIsolatedTree::m_queuedForDestruction
  3. Uses an object outside the iframe to determine whether the text marker is invalid. Normally
     AXIsolatedTree::applyPendingChanges, which runs before each AT request, would see
     m_queuedForDestruction and destroy the tree. However, the iframe's tree is not the one who gets
     to applyPendingChanges() since we made the is-textmarker-valid request on the object outside
     the iframe.
  4. The iframe isolated tree never gets cleaned up.

Fix this by tracking process-wide whether any isolated tree needs to be cleaned up
(AXIsolatedTree::anyTreeNeedsTearDown), and performing said clean-up on any tree even if it's not
the one associated with the object that just received the current request.

Fixes accessibility/mac/stale-textmarker-crash.html with ENABLE(ACCESSIBILITY_LOCAL_FRAME).

* Source/WebCore/accessibility/AXIsolatedTree.cpp: Added.
* Source/WebCore/accessibility/AXIsolatedTree.h: Added.
* Source/WebCore/accessibility/AXTreeStore.cpp:
(WebCore::AXTreeStore<AXIsolatedTree>::applyPendingChangesForAllIsolatedTrees):
* Source/WebCore/accessibility/isolatedtree/AXIsolatedObject.cpp:
(WebCore::AXIsolatedObject::updateBackingStore):
(WebCore::AXIsolatedObject::crossFrameChildObject const):
* Source/WebCore/accessibility/isolatedtree/AXIsolatedTree.cpp:
(WebCore::AXIsolatedTree::queueForDestruction):
(WebCore::AXIsolatedTree::createEmptyContent):
(WebCore::AXIsolatedTree::focusedNodeID):
(WebCore::AXIsolatedTree::applyPendingChangesUnlessQueuedForDestruction):
(WebCore::AXIsolatedTree::applyPendingChangesOrTearDown):
(WebCore::AXIsolatedTree::clearTreeContentsLocked):
(WebCore::AXIsolatedTree::applyPendingChangesLocked):
* Source/WebCore/accessibility/isolatedtree/AXIsolatedTree.h:
(WebCore::AXIsolatedTree::anyTreeNeedsTearDown):
(WebCore::AXIsolatedTree::clearAnyTreeNeedsTearDown):
* Source/WebCore/accessibility/mac/WebAccessibilityObjectWrapperBase.mm:
(-[WebAccessibilityObjectWrapperBase attachIsolatedObject:]):

Canonical link: https://commits.webkit.org/308609@main
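
The lifetime bug described in the log message, as an added simplified model that is not part of the commit and not WebKit code. `ToyTree`, `ToyTreeStore` and their methods are hypothetical names; the model runs steps 1-4 with a per-tree check only and then with a process-wide "any tree needs teardown" flag.

```cpp
#include <atomic>
#include <cstdio>
#include <iterator>
#include <map>
#include <memory>
// Simplified model, not WebKit code. ToyTree, ToyTreeStore and their methods are
// hypothetical; only the flag names echo the commit message.
struct ToyTree { bool queuedForDestruction = false; };
class ToyTreeStore {
public:
    explicit ToyTreeStore(bool sweepAllTrees) : m_sweepAllTrees(sweepAllTrees) {}
    int addTree() { m_trees[m_nextID] = std::make_unique<ToyTree>(); return m_nextID++; }
    // Step 2: deleting the iframe only marks its tree; nothing is freed yet.
    void queueForDestruction(int id) {
        m_trees.at(id)->queuedForDestruction = true;
        m_anyTreeNeedsTearDown.store(true);
    }
    // Runs before each assistive-technology request served by tree `id`.
    void handleRequest(int id) {
        if (m_sweepAllTrees && m_anyTreeNeedsTearDown.exchange(false)) {
            // With the process-wide flag: tear down every queued tree.
            for (auto it = m_trees.begin(); it != m_trees.end();)
                it = it->second->queuedForDestruction ? m_trees.erase(it) : std::next(it);
        }
        // Per-tree check only: the tree that got the request looks at its own flag.
        auto it = m_trees.find(id);
        if (it != m_trees.end() && it->second->queuedForDestruction)
            m_trees.erase(it);
    }
    std::size_t liveTrees() const { return m_trees.size(); }
private:
    bool m_sweepAllTrees;
    int m_nextID = 0;
    std::atomic<bool> m_anyTreeNeedsTearDown { false };
    std::map<int, std::unique_ptr<ToyTree>> m_trees;
};
// Steps 1-4: the iframe is deleted, then the request goes to the main-frame tree.
std::size_t liveTreesAfterScenario(bool sweepAllTrees) {
    ToyTreeStore store(sweepAllTrees);
    int mainFrame = store.addTree();
    int iframe = store.addTree();
    store.queueForDestruction(iframe);
    store.handleRequest(mainFrame);
    return store.liveTrees();
}
int main() {
    std::printf("per-tree: %zu live, process-wide: %zu live\n", liveTreesAfterScenario(false), liveTreesAfterScenario(true));
}
```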


