Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: 1523cf6f4b3c5d8ff2a5c65d2b83372135eeb66c
      
https://github.com/WebKit/WebKit/commit/1523cf6f4b3c5d8ff2a5c65d2b83372135eeb66c
  Author: Tyler Wilcock <[email protected]>
  Date:   2025-11-06 (Thu, 06 Nov 2025)

  Changed paths:
    M Source/WebCore/accessibility/AXObjectCache.cpp
    M Source/WebCore/accessibility/AXObjectCache.h
    M Source/WebCore/accessibility/atspi/AXObjectCacheAtspi.cpp
    M Source/WebCore/accessibility/ios/AXObjectCacheIOS.mm
    M Source/WebCore/accessibility/mac/AXObjectCacheMac.mm
    M Source/WebCore/accessibility/playstation/AXObjectCachePlayStation.cpp
    M Source/WebCore/accessibility/win/AXObjectCacheWin.cpp

  Log Message:
  -----------
  AX: frameLoadingEventNotification calls getOrCreate even when it's unnecessary and potentially unsafe (e.g. when layout is dirty)
https://bugs.webkit.org/show_bug.cgi?id=302035
rdar://164059225

Reviewed by Joshua Hoffman.

On Cocoa ports, we have found CheckedPtr crashes stemming from the getOrCreate(RenderObject&) performed by:

FrameLoader::prepareForLoadStart() -> AXObjectCache::frameLoadingEventNotification

This probably means layout is dirty when we're calling this getOrCreate, but I can't say for sure because I haven't been able to reproduce this crash. Work around the issue for now by avoiding the getOrCreate if the AXLoadingEvent type is one that the platform is going to ignore anyways.

* Source/WebCore/accessibility/AXObjectCache.cpp:
(WebCore::AXObjectCache::frameLoadingEventNotification):
* Source/WebCore/accessibility/AXObjectCache.h:
* Source/WebCore/accessibility/atspi/AXObjectCacheAtspi.cpp:
(WebCore::AXObjectCache::frameLoadingEventPlatformNotification):
* Source/WebCore/accessibility/ios/AXObjectCacheIOS.mm:
(WebCore::AXObjectCache::frameLoadingEventPlatformNotification):
* Source/WebCore/accessibility/mac/AXObjectCacheMac.mm:
(WebCore::AXObjectCache::frameLoadingEventPlatformNotification):
* Source/WebCore/accessibility/playstation/AXObjectCachePlayStation.cpp:
(WebCore::AXObjectCache::frameLoadingEventPlatformNotification):
* Source/WebCore/accessibility/win/AXObjectCacheWin.cpp:
(WebCore::AXObjectCache::frameLoadingEventPlatformNotification):

Canonical link: https://commits.webkit.org/302668@main


