RESOLVED FIXED 277817
REGRESSION(281440@main): Web content can become inaccessible after dynamic webpage changes
https://bugs.webkit.org/show_bug.cgi?id=277817
Tyler Wilcock
Reported 2024-08-08 11:49:45 PDT
In http://commits.webkit.org/281440@main, we prevented a bug where AXIsolatedTree::m_protectedFromDeletionIDs was cleared too early, which in turn caused objects to be incorrectly removed from AXIsolatedTree::m_nodeMap, eventually breaking the accessibility tree.

We fixed this by moving:

    m_pendingProtectedFromDeletionIDs.formUnion(std::exchange(m_protectedFromDeletionIDs, { }));

from queueRemovalsLocked to queueAppendsAndRemovals (which should happen once per tree-update cycle, making it the right time to clear this list).

This caused a new bug, however, in this sequence:

1. The main-thread starts a tree update via AXIsolatedTree::updateChildren
2. In doing so, we call queueRemovalsLocked, i.e. because an object lost a child (but that child isn't deleted, just has a different parent, so we mark it as protected on the main-thread in m_protectedFromDeletionIDs)
3. We call queueRemovalsLocked for that child and any others no longer children of the original object. After 281440@main, we no longer sync protected IDs in this function.
4. Before the full main-thread tree-update (AXIsolatedTree::updateChildren) is finished, resulting in a call to queueAppendsAndRemovals, the secondary thread processes a request from an AT, causing AXIsolatedTree::applyPendingChanges to run on the secondary thread (as expected to ensure we service the request with the most up-to-date information)
5. We delete the re-parented child, and any of its descendants, from the accessibility thread data structures because we failed to protect it
6. queueAppendsAndRemovals eventually finishes on the main-thread, and we sync the protected objects to the secondary thread, but at that point it's too late.
7. The accessibility tree is now broken, with random objects missing entirely.
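The interleaving in the report above, as an added example (not part of the bug report and not WebKit code): a hand-interleaved C++ model whose member names follow the report, while the data layout, the `syncProtectedInQueueRemovals` switch and the sample tree are assumptions. The switch only contrasts the two placements of the sync that the report mentions; it is not the change that landed for this bug.

```cpp
#include <map>
#include <set>
#include <vector>

// Simplified model: node IDs are ints, and the "threads" are interleaved by hand.
struct IsolatedTreeModel {
    bool syncProtectedInQueueRemovals = false; // hypothetical switch, for comparison only
    std::map<int, int> nodeMap;                // secondary-thread view: node ID -> parent ID
    std::set<int> protectedFromDeletionIDs;        // written on the main thread
    std::set<int> pendingProtectedFromDeletionIDs; // read by the secondary thread
    std::vector<int> pendingSubtreeRemovals;       // read by the secondary thread

    void syncProtectedIDs() {
        pendingProtectedFromDeletionIDs.insert(protectedFromDeletionIDs.begin(), protectedFromDeletionIDs.end());
        protectedFromDeletionIDs.clear();
    }
    // Main thread, steps 2-3: the object lost its parent; a re-parented one is protected.
    void queueRemovalsLocked(int id, bool reparented) {
        if (reparented) protectedFromDeletionIDs.insert(id);
        pendingSubtreeRemovals.push_back(id);
        if (syncProtectedInQueueRemovals) syncProtectedIDs();
    }
    // Main thread, step 6: end of the tree-update cycle.
    void queueAppendsAndRemovals() { syncProtectedIDs(); }
    void removeSubtree(int id) {
        std::vector<int> children;
        for (const auto& entry : nodeMap)
            if (entry.second == id) children.push_back(entry.first);
        for (int child : children) removeSubtree(child);
        nodeMap.erase(id);
    }
    // Secondary thread, steps 4-5: drop every queued subtree that is not protected.
    // Clearing the pending sets here is a modelling assumption.
    void applyPendingChanges() {
        for (int id : pendingSubtreeRemovals)
            if (!pendingProtectedFromDeletionIDs.count(id)) removeSubtree(id);
        pendingSubtreeRemovals.clear();
        pendingProtectedFromDeletionIDs.clear();
    }
};

// Constructed tree: 1 is the root, 4 moves from parent 2 to parent 3, 5 is a child of 4.
bool reparentedSubtreeSurvives(bool syncProtectedInQueueRemovals) {
    IsolatedTreeModel tree;
    tree.syncProtectedInQueueRemovals = syncProtectedInQueueRemovals;
    tree.nodeMap = {{1, 0}, {2, 1}, {3, 1}, {4, 2}, {5, 4}};
    tree.queueRemovalsLocked(4, true); // main thread, mid-update
    tree.applyPendingChanges();        // AT request served before the update finishes
    tree.queueAppendsAndRemovals();    // main thread finishes; protection arrives late
    tree.applyPendingChanges();
    return tree.nodeMap.count(4) && tree.nodeMap.count(5);
}
```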
Radar WebKit Bug Importer
Comment 1 2024-08-08 11:49:55 PDT
Tyler Wilcock
Comment 2 2024-08-08 12:04:29 PDT
EWS
Comment 3 2024-08-14 17:12:04 PDT
Committed 282266@main (71ce3f1d011a): <https://commits.webkit.org/282266@main> Reviewed commits have been landed. Closing PR #31907 and removing active labels.
EWS
Comment 4 2024-08-16 12:31:04 PDT
Committed 280938.234@safari-7619-branch (42c3706a5669): <https://commits.webkit.org/280938.234@safari-7619-branch> Reviewed commits have been landed. Closing PR #1601 and removing active labels.