Changeset 270154 in webkit

Timestamp:

Nov 21, 2020 3:03:28 PM (3 years ago)

Author:

Andres Gonzalez

Message:

AccessibilityObject::FocusedUIElement should not call AXObjectCache::focusedUIElementForPage that can return an isolated object.
​https://bugs.webkit.org/show_bug.cgi?id=219238

Reviewed by Chris Fleizach.

Since AXObjectCache::focusedUIElementForPage can return an isolated
object, AccessibilityObject::focusedUIElement should not use it to
determine the focused object. This causes that isolated objects may be
accessed on the main thread when they shouldn't, and even infinite
recursion if this happens when the isolated tree is being built.
This patch changes AccessibilityObject::focusedUIElement to call
AXObjectCache::focusedObjectForPage that always returns another AccessibilityObject.

• accessibility/AXObjectCache.cpp:

(WebCore::AXObjectCache::focusedObjectForPage):
(WebCore::AXObjectCache::focusedUIElementForPage):
(WebCore::AXObjectCache::generateIsolatedTree):
(WebCore::AXObjectCache::focusedObject): Deleted.

• accessibility/AXObjectCache.h:
• accessibility/AccessibilityObject.cpp:

(WebCore::AccessibilityObject::focusedUIElement const):

Location:

trunk/Source/WebCore

Files:

• ChangeLog (modified) (1 diff)
• accessibility/AXObjectCache.cpp (modified) (4 diffs)
• accessibility/AXObjectCache.h (modified) (2 diffs)
• accessibility/AccessibilityObject.cpp (modified) (1 diff)

trunk/Source/WebCore/ChangeLog

@@ +1 @@
+2020-11-21  Andres Gonzalez  <andresg_22@apple.com>
+
+        AccessibilityObject::FocusedUIElement should not call AXObjectCache::focusedUIElementForPage that can return an isolated object.
+        https://bugs.webkit.org/show_bug.cgi?id=219238
+
+        Reviewed by Chris Fleizach.
+
+        Since AXObjectCache::focusedUIElementForPage can return an isolated
+        object, AccessibilityObject::focusedUIElement should not use it to
+        determine the focused object. This causes that isolated objects may be
+        accessed on the main thread when they shouldn't, and even infinite
+        recursion if this happens when the isolated tree is being built.
+        This patch changes AccessibilityObject::focusedUIElement to call
+        AXObjectCache::focusedObjectForPage that always returns another AccessibilityObject.
+
+        * accessibility/AXObjectCache.cpp:
+        (WebCore::AXObjectCache::focusedObjectForPage):
+        (WebCore::AXObjectCache::focusedUIElementForPage):
+        (WebCore::AXObjectCache::generateIsolatedTree):
+        (WebCore::AXObjectCache::focusedObject): Deleted.
+        * accessibility/AXObjectCache.h:
+        * accessibility/AccessibilityObject.cpp:
+        (WebCore::AccessibilityObject::focusedUIElement const):
+
 2020-11-21  Zalan Bujtas  <zalan@apple.com>
 

trunk/Source/WebCore/accessibility/AXObjectCache.cpp

@@ -370 +370 @@
 }
 
-AXCoreObject* AXObjectCache::focusedObject(Document& document)
-{
-    Element* focusedElement = document.focusedElement();
+AXCoreObject* AXObjectCache::focusedObjectForPage(const Page* page)
+{
+    ASSERT(isMainThread());
+
+    if (!gAccessibilityEnabled)
+        return nullptr;
+
+    // get the focused node in the page
+    Document* document = page->focusController().focusedOrMainFrame().document();
+    if (!document)
+        return nullptr;
+
+    document->updateStyleIfNeeded();
+
+    Element* focusedElement = document->focusedElement();
     if (is<HTMLAreaElement>(focusedElement))
         return focusedImageMapUIElement(downcast<HTMLAreaElement>(focusedElement));
 
-    auto* axObjectCache = document.axObjectCache();
+    auto* axObjectCache = document->axObjectCache();
     if (!axObjectCache)
         return nullptr;
 
-    AXCoreObject* focus = axObjectCache->getOrCreate(focusedElement ? focusedElement : static_cast<Node*>(&document));
+    AXCoreObject* focus = axObjectCache->getOrCreate(focusedElement ? focusedElement : static_cast<Node*>(document));
     if (!focus)
         return nullptr;
@@ -422 +434 @@
 AXCoreObject* AXObjectCache::focusedUIElementForPage(const Page* page)
 {
-    ASSERT(isMainThread());
-    if (!gAccessibilityEnabled)
-        return nullptr;
-
-    // get the focused node in the page
-    Document* focusedDocument = page->focusController().focusedOrMainFrame().document();
-    if (!focusedDocument)
-        return nullptr;
-
-    // Call this before isolated or non-isolated cases so the document is up to do.
-    focusedDocument->updateStyleIfNeeded();
-    
 #if ENABLE(ACCESSIBILITY_ISOLATED_TREE)
     if (isIsolatedTreeEnabled())
@@ -439 +439 @@
 #endif
 
-    return focusedObject(*focusedDocument);
+    return focusedObjectForPage(page);
 }
 
@@ -3180 +3180 @@
         tree->generateSubtree(*axRoot, nullptr, true);
 
-    auto* axFocus = axObjectCache->focusedObject(document);
+    auto* axFocus = axObjectCache->focusedObjectForPage(document.page());
     if (axFocus)
         tree->setFocusedNodeID(axFocus->objectID());

trunk/Source/WebCore/accessibility/AXObjectCache.h

@@ -146 +146 @@
 
     WEBCORE_EXPORT AXCoreObject* focusedUIElementForPage(const Page*);
+    static AXCoreObject* focusedObjectForPage(const Page*);
 
     // Returns the root object for the entire document.
@@ -432 +433 @@
 
     static AccessibilityObject* focusedImageMapUIElement(HTMLAreaElement*);
-    static AXCoreObject* focusedObject(Document&);
 
     AXID getAXID(AccessibilityObject*);

trunk/Source/WebCore/accessibility/AccessibilityObject.cpp

@@ -2545 +2545 @@
     return document ? document->axObjectCache() : nullptr;
 }
-    
+
 AXCoreObject* AccessibilityObject::focusedUIElement() const
 {
     auto* page = this->page();
     auto* axObjectCache = this->axObjectCache();
-    return page && axObjectCache ? axObjectCache->focusedUIElementForPage(page) : nullptr;
+    return page && axObjectCache ? axObjectCache->focusedObjectForPage(page) : nullptr;
 }