Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: 6ce568ef2b3f3a10e6dfa355f6a457256ca59481
      
https://github.com/WebKit/WebKit/commit/6ce568ef2b3f3a10e6dfa355f6a457256ca59481
  Author: Tyler Wilcock <[email protected]>
  Date:   2025-06-07 (Sat, 07 Jun 2025)

  Changed paths:
    A LayoutTests/accessibility/dynamic-font-change-dirty-style-and-relations-expected.txt
    A LayoutTests/accessibility/dynamic-font-change-dirty-style-and-relations.html
    A LayoutTests/accessibility/dynamic-text-color-change-dirty-style-and-relations-expected.txt
    A LayoutTests/accessibility/dynamic-text-color-change-dirty-style-and-relations.html
    M LayoutTests/platform/ios/TestExpectations
    M Source/WebCore/accessibility/AXObjectCache.cpp
    M Source/WebCore/accessibility/AXObjectCache.h

  Log Message:
  -----------
  AX: Eager tree updates done by AXObjectCache::{onFontChange, onTextColorChange} can cause re-entrant style resolution, in turn causing a crash
https://bugs.webkit.org/show_bug.cgi?id=294146
rdar://152742167

Reviewed by Joshua Hoffman.

Prior to this commit, AXObjectCache::onFontChange and AXObjectCache::onTextColorChange eagerly updated the accessibility tree via AXIsolatedTree::updatePropertiesForSelfAndDescendants, which is not safe because the following sequence is possible:

  1. Ensure relations are dirty, e.g. by adding a new node-only element (e.g. one with display:contents) with a relation (e.g. aria-describedby as seen in the real webpage where this bug reproduced).
  2. Change the font for an element.
  3. Force layout (e.g. via calling offsetParent on an element), which in turn forces style resolution (Style::TreeResolver::resolve).
  4. This calls AXObjectCache::onFontChange() (or AXObjectCache::onTextColorChange for the `color` CSS property).
  5. AXObjectCache::getOrCreate(WebCore::Node&) is called for our new node-only, and we create it. Creating node-only objects can resolve relations, which happens when this bug occurs.
  6. Something calls isIgnored() as part of the creation, in turn calling AccessibilityObject::style(), in turn trying to resolve style. But we're already in style resolution from step 3. Crash because we triggered re-entrant style resolution.

This commit fixes the issue by not eagerly updating the tree in AXObjectCache::{onFontChange, onTextColorChange}. Instead, we post a notification, then handle that to update the tree asynchronously, at which point we know layout and style are clean.

* LayoutTests/accessibility/dynamic-font-change-dirty-style-and-relations-expected.txt: Added.
* LayoutTests/accessibility/dynamic-font-change-dirty-style-and-relations.html: Added.
* LayoutTests/accessibility/dynamic-text-color-change-dirty-style-and-relations-expected.txt: Added.
* LayoutTests/accessibility/dynamic-text-color-change-dirty-style-and-relations.html: Added.
* LayoutTests/platform/ios/TestExpectations: Enable new tests.
* Source/WebCore/accessibility/AXObjectCache.cpp:
(WebCore::AXObjectCache::onFontChange):
(WebCore::AXObjectCache::onTextColorChange):
(WebCore::AXObjectCache::updateIsolatedTree):
* Source/WebCore/accessibility/AXObjectCache.h:

Canonical link: https://commits.webkit.org/295960@main
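The re-entrancy hazard and the deferred-notification fix described in the log message, as an added illustration that is not WebKit's code: StyleResolver and AXObjectCacheSim are hypothetical, simplified stand-ins for Style::TreeResolver and AXObjectCache, and the "crash" is modelled as an exception thrown when resolve() is entered a second time. The eager path updates the tree from inside the resolver's callback and re-enters; the deferred path only queues a notification and performs the same work after resolution has finished.

```cpp
#include <cassert>
#include <functional>
#include <stdexcept>
#include <utility>
#include <vector>

// Hypothetical stand-in for Style::TreeResolver. Like the real resolver, it must
// never be entered while a resolution is already in progress.
struct StyleResolver {
    bool inResolution = false;

    void resolve(const std::function<void()>& onStyleChange)
    {
        if (inResolution)
            throw std::logic_error("re-entrant style resolution");
        // RAII guard so the flag is cleared even if the callback throws.
        struct Guard {
            bool& flag;
            explicit Guard(bool& f) : flag(f) { flag = true; }
            ~Guard() { flag = false; }
        } guard(inResolution);
        // Style changes discovered during resolution notify the AX cache from
        // inside resolve(), which is where onFontChange is called (step 4).
        onStyleChange();
    }
};

// Hypothetical stand-in for AXObjectCache with the eager (pre-fix) and the
// deferred (post-fix) behaviour side by side.
struct AXObjectCacheSim {
    StyleResolver& resolver;
    bool relationsDirty = true;   // step 1: a node-only element with a relation was added
    int treeUpdates = 0;
    std::vector<std::function<void()>> pendingNotifications;

    explicit AXObjectCacheSim(StyleResolver& r) : resolver(r) { }

    // Steps 5-6: creating a node-only object resolves dirty relations, and that
    // path ends up asking for computed style, i.e. it enters the resolver.
    void createNodeOnlyObject()
    {
        if (relationsDirty) {
            resolver.resolve([] { });   // AccessibilityObject::style() -> style resolution
            relationsDirty = false;
        }
        ++treeUpdates;                   // the tree update itself
    }

    // Pre-fix: update the tree right away, from inside the resolver's callback.
    void onFontChangeEager() { createNodeOnlyObject(); }

    // Post-fix: only post a notification; the actual update runs later.
    void onFontChangeDeferred()
    {
        pendingNotifications.push_back([this] { createNodeOnlyObject(); });
    }

    // Called once layout and style are clean (handling the posted notification).
    void processNotifications()
    {
        auto work = std::move(pendingNotifications);
        pendingNotifications.clear();
        for (auto& notification : work)
            notification();
    }
};

// Steps 2-4 with the eager path: returns true if resolution was re-entered.
bool eagerPathReenters()
{
    StyleResolver resolver;
    AXObjectCacheSim cache(resolver);
    try {
        resolver.resolve([&] { cache.onFontChangeEager(); });   // forced layout -> onFontChange
    } catch (const std::logic_error&) {
        return true;                                            // the crash from step 6
    }
    return false;
}

// Same sequence with the deferred path: returns the number of tree updates
// performed, all of them outside of style resolution.
int deferredPathUpdates()
{
    StyleResolver resolver;
    AXObjectCacheSim cache(resolver);
    resolver.resolve([&] { cache.onFontChangeDeferred(); });    // nothing touches style here
    assert(!resolver.inResolution);
    cache.processNotifications();                               // later, with clean style
    return cache.treeUpdates;
}

int main()
{
    assert(eagerPathReenters());          // pre-fix ordering re-enters the resolver
    assert(deferredPathUpdates() == 1);   // post-fix ordering still updates the tree once
    return 0;
}
```

The point the simulation makes is that the deferred path does exactly the same work (relations resolved, tree updated once); only the ordering changes so that nothing asks for style while the resolver is on the stack.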

_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes