Bug 248451

Summary: AX: AXIsolatedObject::m_childrenIDs is cleared too early when processing AXIsolatedTree::m_pendingSubtreeRemovals
Product: WebKit Reporter: Tyler Wilcock <tyler_w>
Component: AccessibilityAssignee: Tyler Wilcock <tyler_w>
Status: RESOLVED FIXED    
Severity: Normal CC: aboxhall, andresg_22, apinheiro, cfleizach, dmazzoni, ews-watchlist, jcraig, jdiggs, samuel_white, webkit-bug-importer
Priority: P2 Keywords: InRadar
Version: Other   
Hardware: Unspecified   
OS: Unspecified   
Attachments:
Description Flags
Patch none

Description Tyler Wilcock 2022-11-28 18:09:08 PST 
In AXIsolatedTree::applyPendingChanges(), when processing m_pendingSubtreeRemovals, we start by taking the last axID in the Vector and using it to get the associated nodeForID(). Then we call AXCoreObject::detach(AccessibilityDetachmentType::ElementDestroyed), which in turn calls AXIsolatedObject::detachRemoteParts. Currently, the implementation of this function loops over m_childrenIDs and detaches those children from `this`, and then clears m_childrenIDs.

Then, we jump back to AXIsolatedTree::applyPendingChanges() and run this line of code:

m_pendingSubtreeRemovals.appendVector(object->m_childrenIDs);

Which does nothing because we cleared m_childrenIDs as part of detachRemoteParts.
Comment 1 Radar WebKit Bug Importer 2022-11-28 18:09:34 PST 
<rdar://problem/102743478>
Comment 2 Tyler Wilcock 2022-11-28 19:09:14 PST 
Created attachment 463777 [details]
Patch
Comment 3 EWS 2022-11-30 20:03:26 PST 
Committed 257217@main (b095a6aaca26): <https://commits.webkit.org/257217@main>

All reviewed patches have been landed. Closing bug and clearing flags on attachment 463777 [details].