Bug 256403 - Defer AX object cache update as an event loop task instead of a post layout task
Summary: Defer AX object cache update as an event loop task instead of a post layout task
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: Accessibility
Version: WebKit Local Build
Hardware: Unspecified Unspecified
Importance: P2 Normal
Assignee: Ryosuke Niwa
URL:
Keywords: InRadar
Depends on:
Blocks: 256354 256383
Reported: 2023-05-05 17:56 PDT by Ryosuke Niwa
Modified: 2023-05-08 16:35 PDT

See Also:
Description Ryosuke Niwa 2023-05-05 17:56:13 PDT
We currently update AX caches as a post layout task.
This is problematic because it can lead to arbitrary script execution:
e.g.

3   0x2836d4250 WebCore::EventDispatcher::dispatchEvent(WebCore::Node&, WebCore::Event&)
4   0x28376d6ac WebCore::Node::dispatchEvent(WebCore::Event&)
5   0x283699750 WebCore::Element::dispatchFocusEvent(WTF::RefPtr<WebCore::Element, WTF::RawPtrTraits<WebCore::Element>, WTF::DefaultRefDerefTraits<WebCore::Element>>&&, WebCore::FocusOptions const&)
6   0x2835c477c WebCore::Document::setFocusedElement(WebCore::Element*, WebCore::FocusOptions const&)
7   0x2843b3b48 WebCore::FocusController::setFocusedElement(WebCore::Element*, WebCore::LocalFrame&, WebCore::FocusOptions const&)
8   0x283698d64 WebCore::Element::focus(WebCore::FocusOptions const&)
9   0x282b8b80c WebCore::AccessibilityNodeObject::setFocused(bool)
10  0x282af3d4c WebCore::AXObjectCache::focusCurrentModal()
11  0x282afeda4 WebCore::AXObjectCache::performDeferredCacheUpdate()
12  0x28441f0c4 WebCore::LocalFrameView::performPostLayoutTasks()
13  0x28442a760 WebCore::LocalFrameViewLayoutContext::runAsynchronousTasks()
14  0x28442b7e8 WebCore::LocalFrameViewLayoutContext::runOrScheduleAsynchronousTasks()
15  0x28442b110 WebCore::LocalFrameViewLayoutContext::performLayout()
16  0x28440969c WebCore::LocalFrameViewLayoutContext::layout()
17  0x28441cbb0 WebCore::LocalFrameView::updateContentsSize()
18  0x2846a2f90 WebCore::ScrollView::updateScrollbars(WebCore::IntPoint const&)
19  0x2846a4858 WebCore::ScrollView::setContentsSize(WebCore::IntSize const&)
20  0x28440cafc WebCore::LocalFrameView::setContentsSize(WebCore::IntSize const&)
21  0x284406f7c WebCore::LocalFrameView::adjustViewSize()
22  0x28442afc0 WebCore::LocalFrameViewLayoutContext::performLayout()
23  0x28440969c WebCore::LocalFrameViewLayoutContext::layout()
24  0x2835adde8 WebCore::Document::updateLayout()
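As an added illustration (not WebKit code and not the bug author's), here is a hypothetical model of the two scheduling choices the bug contrasts: a post-layout task is drained from inside layout, so any script it triggers (the 'focus' handler in the stack above) runs while layout is in progress and re-enters it; an event-loop task runs only once layout has finished. All type and function names below are constructed for the model.

```cpp
#include <deque>
#include <functional>
#include <string>
#include <vector>

// Hypothetical model of one page: a layout pass, a post-layout task list drained
// from inside layout, and an event-loop task queue drained after the rendering update.
struct PageModel {
    bool inLayout = false;
    std::vector<std::function<void()>> postLayoutTasks;
    std::deque<std::function<void()>> eventLoopTasks;
    std::vector<std::string> trace; // constructed trace of what ran, and when

    // Stands in for Document::updateLayout() -> performPostLayoutTasks() in the stack above.
    void updateLayout() {
        if (inLayout) { trace.push_back("reentrant-layout-request"); return; }
        inLayout = true;
        trace.push_back("layout");
        auto tasks = std::move(postLayoutTasks);
        postLayoutTasks.clear();
        for (auto& task : tasks) task();
        inLayout = false;
    }

    // Stands in for AXObjectCache::performDeferredCacheUpdate() -> focusCurrentModal():
    // the cache update ends up focusing an element, which dispatches 'focus' to page script.
    void performDeferredCacheUpdate() {
        trace.push_back(inLayout ? "script(focus) inside layout" : "script(focus) after layout");
        updateLayout(); // the focus handler reads layout-dependent state, forcing a layout
    }

    void runEventLoopTurn() {
        updateLayout();                       // rendering update for this turn
        while (!eventLoopTasks.empty()) {     // then the tasks queued on the event loop
            auto task = std::move(eventLoopTasks.front());
            eventLoopTasks.pop_front();
            task();
        }
    }
};

// Before the fix: the AX update is a post-layout task, so script runs while layout is in progress.
std::vector<std::string> traceWithPostLayoutTask() {
    PageModel page;
    page.postLayoutTasks.push_back([&] { page.performDeferredCacheUpdate(); });
    page.runEventLoopTurn();
    return page.trace;
}

// After the fix: the same update is an event-loop task, so script runs only after layout completes.
std::vector<std::string> traceWithEventLoopTask() {
    PageModel page;
    page.eventLoopTasks.push_back([&] { page.performDeferredCacheUpdate(); });
    page.runEventLoopTurn();
    return page.trace;
}
```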
Comment 1 Radar WebKit Bug Importer 2023-05-05 17:56:28 PDT
<rdar://problem/108974696>
Comment 2 Ryosuke Niwa 2023-05-05 18:06:20 PDT
Pull request: https://github.com/WebKit/WebKit/pull/13528
Comment 3 EWS 2023-05-08 15:46:11 PDT
Committed 263832@main (e8027f0de539): <https://commits.webkit.org/263832@main>

Reviewed commits have been landed. Closing PR #13528 and removing active labels.