Bug 257894 - AX: Make the generation and update of isolated subtrees asynchronous.
Status: NEW
Alias: None
Product: WebKit
Classification: Unclassified
Component: Accessibility
Version: WebKit Nightly Build
Hardware: All All
Importance: P2 Normal
Assignee: Andres Gonzalez
URL:
Keywords: InRadar
Depends on:
Blocks:
 
Reported: 2023-06-09 09:14 PDT by Andres Gonzalez
Modified: 2023-10-18 12:21 PDT

See Also:


Attachments
Patch (18.03 KB, patch) - 2023-06-09 09:22 PDT, Andres Gonzalez
Patch (21.03 KB, patch) - 2023-06-12 07:52 PDT, Andres Gonzalez
Patch (27.94 KB, patch) - 2023-10-18 08:30 PDT, Andres Gonzalez
Patch (30.95 KB, patch) - 2023-10-18 12:21 PDT, Andres Gonzalez, flags: andresg_22: review?

Description Andres Gonzalez 2023-06-09 09:14:41 PDT
This synchronous method contributes to Safari becoming unresponsive to AT requests.
Comment 1 Radar WebKit Bug Importer 2023-06-09 09:14:53 PDT
<rdar://problem/110532050>
Comment 2 Andres Gonzalez 2023-06-09 09:22:01 PDT
Created attachment 466651 [details]
Patch
Comment 3 Tyler Wilcock 2023-06-09 16:51:31 PDT
Comment on attachment 466651 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=466651&action=review

> Source/WebCore/accessibility/AXObjectCache.cpp:902
> +    auto tree = AXIsolatedTree::create(*this, [this] () {

When capturing `this` in the completion handler, we should be storing it in a `WeakPtr` or `CheckedPtr` (or RefPtr, but currently you can't make a ref-counted AXObjectCache) to avoid a UAF if the cache gets deleted before the completion handler runs.

> Source/WebCore/accessibility/isolatedtree/AXIsolatedTree.cpp:362
> +    auto now = MonotonicTime::now();

I wonder if this should be called something like "start" or "startTime". It might make the comparison below more clear (which currently subtracts "MonotonicTime::now" from "now").
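The lifetime hazard raised in the first review point above (a completion handler that captures a raw `this` and runs after the cache has been deleted) can be shown in a few lines. The following is an added, self-contained illustration and not WebKit code: `Cache` is a hypothetical stand-in for AXObjectCache, `RunLoop` is a toy main-thread queue, and `std::weak_ptr` plays the role of WTF::WeakPtr (an assumption; the liveness re-check when the handler finally runs is the same idea).

```cpp
#include <functional>
#include <memory>
#include <utility>
#include <vector>

// Toy stand-in for the main-thread run loop: completion handlers are queued
// and run later, possibly after the object that queued them has been destroyed.
using Handler = std::function<void()>;

struct RunLoop {
    std::vector<Handler> pending;
    void dispatch(Handler handler) { pending.push_back(std::move(handler)); }
    void drain() {
        auto work = std::move(pending);
        pending.clear();
        for (auto& handler : work)
            handler();
    }
};

enum class Outcome { NotRun, Completed, OwnerGone };

// Hypothetical stand-in for AXObjectCache (not the WebKit class). std::weak_ptr
// is used where WebKit would use WTF::WeakPtr (assumption).
class Cache : public std::enable_shared_from_this<Cache> {
public:
    int treesAttached = 0;

    // Queue the "isolated tree is ready" handler with a weak capture instead of
    // a raw `this`. When the handler finally runs it re-checks liveness first.
    void buildTreeAsync(RunLoop& loop, Outcome& outcome) {
        std::weak_ptr<Cache> weakThis = weak_from_this();
        loop.dispatch([weakThis, &outcome] {
            if (auto cache = weakThis.lock()) {
                ++cache->treesAttached;
                outcome = Outcome::Completed;
            } else {
                // The cache was deleted before the handler ran. Had the lambda
                // captured [this], this branch would be a use-after-free.
                outcome = Outcome::OwnerGone;
            }
        });
    }
};

// Scenario 1: the cache dies before the completion handler runs.
Outcome cacheDestroyedBeforeCompletion() {
    RunLoop loop;
    Outcome outcome = Outcome::NotRun;
    {
        auto cache = std::make_shared<Cache>();
        cache->buildTreeAsync(loop, outcome);
    } // cache destroyed here; the handler is still pending
    loop.drain();
    return outcome;
}

// Scenario 2: the cache outlives the handler. Returns the number of trees
// attached, or -1 if the handler did not complete.
int cacheAliveAtCompletion() {
    RunLoop loop;
    Outcome outcome = Outcome::NotRun;
    auto cache = std::make_shared<Cache>();
    cache->buildTreeAsync(loop, outcome);
    loop.drain();
    return outcome == Outcome::Completed ? cache->treesAttached : -1;
}
```

The point of the weak capture is that the handler, not the caller, decides whether the owner is still there at the moment it runs; the check has to be inside the lambda, because the queue gives no ordering guarantee between the handler and the cache's destructor.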
Comment 4 Andres Gonzalez 2023-06-12 07:52:23 PDT
Created attachment 466669 [details]
Patch
Comment 5 Andres Gonzalez 2023-06-12 07:56:56 PDT
(In reply to Tyler Wilcock from comment #3)
> Comment on attachment 466651 [details]
> Patch
> 
> View in context:
> https://bugs.webkit.org/attachment.cgi?id=466651&action=review
> 
> > Source/WebCore/accessibility/AXObjectCache.cpp:902
> > +    auto tree = AXIsolatedTree::create(*this, [this] () {
> 
> When capturing `this` in the completion handler, we should be storing it in
> a `WeakPtr` or `CheckedPtr` (or RefPtr, but currently you can't make a
> ref-counted AXObjectCache) to avoid a UAF if the cache gets deleted before
> the completion handler runs.

Done.
> 
> > Source/WebCore/accessibility/isolatedtree/AXIsolatedTree.cpp:362
> > +    auto now = MonotonicTime::now();
> 
> I wonder if this should be called something like "start" or "startTime". It
> might make the comparison below more clear (which currently subtracts
> "MonotonicTime::now" from "now").

Renamed.

Also added in the new revision the check for Accessibility::waitingForMainThread.
Comment 6 Andres Gonzalez 2023-10-18 08:30:08 PDT
Created attachment 468261 [details]
Patch
Comment 7 Andres Gonzalez 2023-10-18 12:21:59 PDT
Created attachment 468262 [details]
Patch

Updating expectation for glib test.