Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: b73f15088293cec470e0c2ceddd58bcd0b8480e5
      
https://github.com/WebKit/WebKit/commit/b73f15088293cec470e0c2ceddd58bcd0b8480e5
  Author: Tyler Wilcock <[email protected]>
  Date:   2026-02-15 (Sun, 15 Feb 2026)

  Changed paths:
    A LayoutTests/accessibility/focus-change-id-mutation-and-removal-crash-expected.txt
    A LayoutTests/accessibility/focus-change-id-mutation-and-removal-crash.html
    M LayoutTests/platform/glib/TestExpectations
    M Source/WebCore/accessibility/AXObjectCache.cpp

  Log Message:
  -----------
  AX: Eagerly dirtying relations in AXObjectCache::deferAttributeChangeIfNeeded can cause RELEASE_ASSERT to be hit
https://bugs.webkit.org/show_bug.cgi?id=307871
rdar://170357587

Reviewed by Joshua Hoffman.

It's possible for us to hit a RELEASE_ASSERT_WITH_SECURITY_IMPLICATION in TreeScopeOrderedMap::get given this sequence:

  1. An AT requests an element to be focused.
  2. The page has a focus JS event handler that changes DOM IDs, moves elements with relations out of the shadow DOM, and removes any element.
  3. We handle the DOM ID attribute change and dirty relations in AXObjectCache::deferAttributeChangeIfNeeded.
  4. We handle the node removal, which results in a call to parentObject() in AXIsolatedTree::queueNodeRemoval(), resulting in a call to ownerParentObject(), which tries to resolve the dirty relations.
  5. Because an element was moved out of the shadow DOM, its treescope changed. When undirtying relations, TreeScopeOrderedMap::get is called, and we crash due to the treescope mismatch.

Solve this by changing AXObjectCache::deferAttributeChangeIfNeeded to never eagerly dirty relations — we will do so in AXObjectCache::performDeferredCacheUpdate instead, which is a time when style and layout are guaranteed to be clean.

In the future, we can consider other improvements, e.g., can we simply change to eagerly updating relations in AXObjectCache::performDeferredCacheUpdate() instead rather than updating relations lazily as we do today?

* LayoutTests/accessibility/focus-change-id-mutation-and-removal-crash-expected.txt: Added.
* LayoutTests/accessibility/focus-change-id-mutation-and-removal-crash.html: Added.
* Source/WebCore/accessibility/AXObjectCache.cpp:
(WebCore::AXObjectCache::deferAttributeChangeIfNeeded):

Canonical link: https://commits.webkit.org/307618@main
