When AXObjectCache::performDeferredCacheUpdate is called, it checks to see if the document needs layout first before updating the accessibility tree. If this isn't done, walking the accessibility tree can trigger a layout in the middle, leading to inconsistencies and crashes. I discovered this while debugging this ARIA example. I can trigger a crash using VoiceOver, but the repro steps are quite tricky and I didn't have any luck turning it into a layout test. https://www.w3.org/WAI/ARIA/apg/patterns/combobox/examples/combobox-select-only/ The underlying issue was that the listbox was changing from display:none to display:block, but under some circumstances it was possible for AXObjectCache::performDeferredCacheUpdate to get called when style is dirty but needsLayout still returns false, so it wouldn't update layout, and that would lead to the listbox options getting created with the wrong parent id. VoiceOver wouldn't speak them, and in debug mode we'd get an assertion failure. I did write a layout test that successfully triggers this scenario, however it also triggers a separate unrelated assertion failure so I can't merge it yet. I filed a separate bug for that one: https://bugs.webkit.org/show_bug.cgi?id=287715 (AX: attached layout test triggers assertion in AXIsolatedObject::children)