authorAaron Leventhal <aleventhal@google.com>2020-03-23 14:27:08 +0000
committerMichal Klocek <michal.klocek@qt.io>2020-06-10 07:07:57 +0000
commit8ad0301012436e6d85df8dd85014fec1e0ca3b23 (patch)
treec0ff27e4e8e3147c08febaa48024b34bba180d26
parent8dc8aecf84bfae65a724fa3de71b27f8b5ea7957 (diff)
[Backport] Security bug 1025740 1/2
Do not cause lifecycle change during AX serialization

Calling Document::UpdateStyleAndLayoutTree() can cause keyframe animations to update and move the document lifecycle back to an earlier, unsafe stage. There is no need to call it before getting the computed style, as layout is already clean.

Bug: 1025740
Change-Id: I422d5b78721085b0dcf72e3d710e037bcd153506
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
-rw-r--r--chromium/content/renderer/accessibility/blink_ax_tree_source.cc5
-rw-r--r--chromium/third_party/blink/public/web/web_ax_object.h1
-rw-r--r--chromium/third_party/blink/renderer/modules/exported/web_ax_object.cc21
3 files changed, 4 insertions, 23 deletions
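--- a/chromium/content/renderer/accessibility/blink_ax_tree_source.cc
+++ b/chromium/content/renderer/accessibility/blink_ax_tree_source.cc
@@ -660,9 +660,10 @@ void BlinkAXTreeSource::SerializeNode(WebAXObject src,
 dst->SetDefaultActionVerb(AXDefaultActionVerbFromBlink(src.Action()));
 }
- if (src.HasComputedStyle()) {
+ blink::WebString display_style = src.ComputedStyleDisplay();
+ if (!display_style.IsEmpty()) {
 TruncateAndAddStringAttribute(dst, ax::mojom::StringAttribute::kDisplay,
- src.ComputedStyleDisplay().Utf8());
+ display_style.Utf8());
 }
 if (src.Language().length()) {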
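Review bot: `display_style` on the first added line is never modified after initialization, so it should be `const blink::WebString display_style = src.ComputedStyleDisplay();`. The added lines also drop the only call on this path that forced a style/layout update before the display value was read; the callee now only DCHECKs `IsLayoutClean` (see the web_ax_object.cc hunk), so in a release build a caller that reaches SerializeNode with stale layout would presumably get whatever ComputedStyleDisplay returns instead of a refresh. A one-line precondition comment above the new declaration would make that contract visible: `// Layout must already be clean here; ComputedStyleDisplay() no longer updates it.` SerializeNode's body begins and continues outside the hunk.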
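--- a/chromium/third_party/blink/public/web/web_ax_object.h
+++ b/chromium/third_party/blink/public/web/web_ax_object.h
@@ -255,7 +255,6 @@ class WebAXObject {
 BLINK_EXPORT WebNode GetNode() const;
 BLINK_EXPORT WebDocument GetDocument() const;
- BLINK_EXPORT bool HasComputedStyle() const;
 BLINK_EXPORT WebString ComputedStyleDisplay() const;
 BLINK_EXPORT bool AccessibilityIsIgnored() const;
 BLINK_EXPORT bool LineBreaks(WebVector<int>&) const;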
diff --git a/chromium/third_party/blink/renderer/modules/exported/web_ax_object.cc b/chromium/third_party/blink/renderer/modules/exported/web_ax_object.cc
index d998979df5c..16f02670285 100644
--- a/chromium/third_party/blink/renderer/modules/exported/web_ax_object.cc
+++ b/chromium/third_party/blink/renderer/modules/exported/web_ax_object.cc
@@ -1025,28 +1025,11 @@ WebDocument WebAXObject::GetDocument() const {
return WebDocument(document);
}
-bool WebAXObject::HasComputedStyle() const {
- if (IsDetached())
- return false;
-
- Document* document = private_->GetDocument();
- if (document)
- document->UpdateStyleAndLayoutTree();
-
- Node* node = private_->GetNode();
- if (!node)
- return false;
-
- return node->EnsureComputedStyle();
-}
-
WebString WebAXObject::ComputedStyleDisplay() const {
if (IsDetached())
return WebString();
- Document* document = private_->GetDocument();
- if (document)
- document->UpdateStyleAndLayoutTree();
+ DCHECK(IsLayoutClean(private_->GetDocument()));
Node* node = private_->GetNode();
if (!node)
@@ -1381,9 +1364,7 @@ void WebAXObject::GetRelativeBounds(WebAXObject& offset_container,
if (IsDetached())
return;
-#if DCHECK_IS_ON()
DCHECK(IsLayoutClean(private_->GetDocument()));
-#endif
AXObject* container = nullptr;
FloatRect bounds;