<rdar://problem/88108412>

Created attachment 450094 [details] Patch

Comment on attachment 450094 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=450094&action=review > Source/WebCore/ChangeLog:15 > + or AX secondary thread, is blocked. To acomplish this and still be accomplish > Source/WebCore/ChangeLog:18 > + happens on the main thread without blocking the AX thread, and thn do thn > then > Source/WebCore/accessibility/isolatedtree/AXIsolatedTree.cpp:232 > + if (!parentID.isValid()) { do we need to handle this parentID.isValid() case separately? it seems like we could check if the !parentID we don't process the siblings then we won't have an early return in this function > Source/WebCore/accessibility/isolatedtree/AXIsolatedTree.cpp:373 > + changes.reverse(); can you add a comment why we want to reverse this vector

Created attachment 450569 [details] Patch

(In reply to chris fleizach from comment #3) > Comment on attachment 450094 [details] > Patch > > View in context: > https://bugs.webkit.org/attachment.cgi?id=450094&action=review > > > Source/WebCore/ChangeLog:15 > > + or AX secondary thread, is blocked. To acomplish this and still be > > accomplish > > > Source/WebCore/ChangeLog:18 > > + happens on the main thread without blocking the AX thread, and thn do > > thn > then > > > Source/WebCore/accessibility/isolatedtree/AXIsolatedTree.cpp:232 > > + if (!parentID.isValid()) { > > do we need to handle this parentID.isValid() case separately? it seems like > we could check if the !parentID we don't process the siblings > > then we won't have an early return in this function > > > Source/WebCore/accessibility/isolatedtree/AXIsolatedTree.cpp:373 > > + changes.reverse(); > > can you add a comment why we want to reverse this vector All comments are addressed in latest revision. Thanks.

Comment on attachment 450569 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=450569&action=review > Source/WebCore/accessibility/isolatedtree/AXIsolatedTree.cpp:227 > ASSERT(isMainThread()); can we assert that the lock is held in here > Source/WebCore/accessibility/isolatedtree/AXIsolatedTree.cpp:245 > +void AXIsolatedTree::queueChanges(const Vector<NodeChange>& changes, const Vector<AXID>& subtreeRemovals) should this be named queueChangesAndRemovals? > Source/WebCore/accessibility/isolatedtree/AXIsolatedTree.h:392 > + Vector<NodeChange> addNodeAncestry(AXCoreObject&); this method might be better names as nodeAncestryChanges

Comment on attachment 450569 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=450569&action=review > Source/WebCore/accessibility/isolatedtree/AXIsolatedTree.cpp:404 > + AXLOG(makeString("removing subtree for object", axID.loggingString())); This log is not necessary. removeSubtreeFromNodeMap already logs this: AXLOG(makeString("Removing subtree for axID ", axID.loggingString()));

Comment on attachment 450569 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=450569&action=review > Source/WebCore/accessibility/isolatedtree/AXIsolatedTree.cpp:353 > + // Since the NodeChanges are added to the changes vector in a child -> parent traversal instead of the usual parent -> child traversal, we may need to reverse changes. "We may need to reverse changes" IMO, this language (and the underlying behavior) should be definite -- either we do need to do the reverse, or we don't. Based on the beginning of the comment, seems like it necessary?

When testing this patch in debug on YouTube, I hit this ASSERT: ASSERTION FAILED: m_nodeMap.contains(objectID) ./accessibility/isolatedtree/AXIsolatedTree.cpp(240) : void WebCore::AXIsolatedTree::queueChange(const WebCore::AXIsolatedTree::NodeChange &) 1 0x1330bd334 WTFCrash 2 0x147089344 WTFCrashWithInfo(int, char const*, char const*, int) 3 0x1493b88ac WebCore::AXIsolatedTree::queueChange(WebCore::AXIsolatedTree::NodeChange const&) 4 0x1493b7e44 WebCore::AXIsolatedTree::queueChanges(WTF::Vector<WebCore::AXIsolatedTree::NodeChange, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc> const&, WTF::Vector<WTF::ObjectIdentifier<WebCore::AXIDType>, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc> const&) This is because this sequence of events is possible: 1. AXObjectCache::remove(AXID) 2. AXIsolatedTree::removeNode(AXID), which performs m_nodeMap.remove(axID) without also removing this AXIDs subtree from the node map 3. AXIsolatedTree::updateChildren(AXCoreObject& axObject) is called with the parent of AXID 4. auto oldChildrenIDs = m_nodeMap.get(axObject.objectID()); still contains this removed AXID 5. Because AXID is rightly considered removed (not part of newChildrenIDs), we call removeSubtreeFromNodeMap(AXID) and then hit this assert because it was already removed from the map in step 2 Maybe AXIsolatedTree::removeNode(AXID) needs to removeSubtreeFromNodeMap(AXID) and m_pendingSubtreeRemovals.append(axID)?

Nevermind, ignore that sequence after step 3 and my suggestion, they're wrong. The stacktrace shows the order of execution. I'll investigate some more.

Created attachment 450599 [details] Patch

(In reply to chris fleizach from comment #6) > Comment on attachment 450569 [details] > Patch > > View in context: > https://bugs.webkit.org/attachment.cgi?id=450569&action=review > > > Source/WebCore/accessibility/isolatedtree/AXIsolatedTree.cpp:227 > > ASSERT(isMainThread()); > > can we assert that the lock is held in here Done. > > > Source/WebCore/accessibility/isolatedtree/AXIsolatedTree.cpp:245 > > +void AXIsolatedTree::queueChanges(const Vector<NodeChange>& changes, const Vector<AXID>& subtreeRemovals) > > should this be named queueChangesAndRemovals? Renamed it. Was considering to rename it queueAdditionsAndRemovals, but then we have NodeChange which is an addition but we already named Change. So I opted for now for your suggestion. > > > Source/WebCore/accessibility/isolatedtree/AXIsolatedTree.h:392 > > + Vector<NodeChange> addNodeAncestry(AXCoreObject&); > > this method might be better names as > > nodeAncestryChanges Yes, done. Thanks.

(In reply to Tyler Wilcock from comment #7) > Comment on attachment 450569 [details] > Patch > > View in context: > https://bugs.webkit.org/attachment.cgi?id=450569&action=review > > > Source/WebCore/accessibility/isolatedtree/AXIsolatedTree.cpp:404 > > + AXLOG(makeString("removing subtree for object", axID.loggingString())); > > This log is not necessary. removeSubtreeFromNodeMap already logs this: > > AXLOG(makeString("Removing subtree for axID ", axID.loggingString())); Yes, removed it. Thanks.

(In reply to Tyler Wilcock from comment #8) > Comment on attachment 450569 [details] > Patch > > View in context: > https://bugs.webkit.org/attachment.cgi?id=450569&action=review > > > Source/WebCore/accessibility/isolatedtree/AXIsolatedTree.cpp:353 > > + // Since the NodeChanges are added to the changes vector in a child -> parent traversal instead of the usual parent -> child traversal, we may need to reverse changes. > > "We may need to reverse changes" > > IMO, this language (and the underlying behavior) should be definite -- > either we do need to do the reverse, or we don't. Based on the beginning of > the comment, seems like it necessary? Made it assertive.

Committed r288963 (246692@main): <https://commits.webkit.org/246692@main> All reviewed patches have been landed. Closing bug and clearing flags on attachment 450599 [details].