| # How Chrome Accessibility Works, Part 2 |
| |
| This document explains the technical details behind Chrome accessibility |
| code by starting at a high level and progressively adding more levels of |
| detail. |
| |
| See [Part 1](how_a11y_works.md) first. |
| |
| [TOC] |
| |
| ## A multi-process browser |
| |
| There are different ways that a web browser can be multi-process, so it's |
| important to first discuss the model Chromium uses. |
| |
| In Chromium, there's a single browser process. That process is the "main" |
| process that's launched by the user. It owns all of the windows and UI |
| elements, and it handles nearly all of the interaction with operating |
| system APIs. Then there are multiple render processes that handle running |
| each individual web page. Render processes are sandboxed - this means that |
| they're basically forbidden from directly talking to the operating system. |
| |
| Each renderer handles one web page. For now let's forget about iframes, |
| we'll deal with that added complexity down below. A renderer handles |
| the entire lifecycle of a page - managing the HTTP connection, parsing |
| the HTML, resolving CSS styles, executing the JavaScript, and figuring out |
| what to draw to the screen. |
| |
| Because the renderer is in a sandboxed process, it doesn't directly get user |
| input like key presses or mouse clicks, and it doesn't directly draw to the |
| screen. These things are all handled by communicating with the browser process. |
| The browser process owns the window; when there's a user input event like a |
| mouse click or key press, it forwards that event to the appropriate |
| renderer. The renderer figures out how to draw the webpage, but it doesn't draw |
| directly to the screen - because it's sandboxed - it either sends pixels (in |
| software rendering mode) or sends the drawing commands to Chromium's separate |
| gpu process. |
| |
| A simplified diagram of Chromium's multi-process architecture is shown here: |
| |
|  |
| |
| In most system diagrams we're only going to show a single web page, |
| because supporting multiple windows and tabs doesn't complicate the |
| accessibility architecture much. But, it's helpful to understand how |
| the system looks when the user has multiple windows and tabs open. |
| Notably: |
| |
| * The browser process owns all of the windows and the tabs within them. |
| * Each browser tab maintains a connection to a web page running in a |
| render process. |
| * There can be multiple render processes, but there's no correspondence |
| between browser windows, tabs, and render processes. The different |
| web page renderers might all be in one process, they might all be in |
| different processes, or they might be split across processes in any |
| arbitrary way, as shown in this diagram: |
| |
|  |
| |
| You can read more about Chromium's multi-process architecture here - note that |
| this document is old, so it's more Windows-centric and some of the details |
| are out of date, but the basic design is still quite similar to today: |
| |
| https://www.chromium.org/developers/design-documents/multi-process-architecture |
| |
| ### Blink (Rendering Engine). |
| |
| The majority of the code inside each web renderer is implemented in a module |
| called [Blink](https://www.chromium.org/blink) |
| (the Blink Rendering Engine). Historically, when Chromium was first released, |
| this module was WebKit, but it was forked and renamed Blink in 2013. |
| As described in [How Blink Works]( |
| https://docs.google.com/document/d/1aitSOucL0VHZa9Z2vbRJSyAIsAz24kX8LFByQ5xQnUg/view), |
| Blink implements everything that renders content inside a browser tab: |
| |
| * Implement the specs of the web platform (e.g., HTML standard), |
| including DOM, CSS and Web IDL |
| * Embed V8 and run JavaScript |
| * Request resources from the underlying network stack |
| * Build DOM trees |
| * Calculate style and layout |
| * Embed Chrome Compositor and draw graphics |
| |
| There are a few small layers in Chromium's render processes outside of Blink, |
| containing: |
| |
| * Handling the multi-process communication |
| * The renderer side of Chrome browser features (like spell check or autofill) |
| that aren't a core part of the web platform |
| |
| ### Other multi-process models |
| |
| There are other ways that a multi-process web browser could be implemented. |
| Another possible approach is that each tab could be in its own process, |
| but each tab still communicates directly with the operating system. |
| In this model, the operating system can send input events directly to |
| the active tab, and the tab can paint its own contents directly. |
| |
|  |
| |
| Both Apple Safari and Microsoft Edge Legacy (i.e. Edge before Chromium) use |
| variations of this multi-process model. They get some of these multi-process |
| advantages, shared with Chromium: |
| |
| * Stability: a stuck tab won't hang the whole browser, a crashed tab |
| won't crash the whole browser |
| * Performance: a slow tab won't prevent other tabs from being responsive |
| * Isolation: a compromised tab won't have access to user data from other tabs |
| |
| Chromium chose its multi-process model with sandboxed render processes because |
| it provides much stronger protection against exploits: |
| |
| * Security: a compromised sandboxed renderer has no access to the operating |
| system, so it can't compromise the user's system |
| |
| Unfortunately, Chromium's architecture makes accessibility more complex. |
| Accessibility APIs are operating system APIs. In a non-sandboxed |
| multi-process browser like in the diagram above, each tab can directly |
| handle its own accessibility. In Chromium, accessibility APIs need to be |
| handled by the browser process, even though most of the information about |
| the web page lives in one of the sandboxed render processes. |
| |
| ### A dead-end: proxying accessibility requests |
| |
| Under Chrome's architecture, operating system accessibility APIs |
| can only talk to the browser process. In fact, from the point of view |
| of assistive technology, they don't even know about other processes. |
| All of the windows are owned by the main browser process, so all of |
| the accessibility APIs get called in that process. |
| |
| Let's consider the following scenario: assistive technology has found |
| a node in the accessibility tree corresponding to a checkbox, and |
| wants to query it to find out its current state (enabled, checked, |
| focused, etc.). |
| |
| When we were first building accessibility support in Chromium, one approach we |
| tried was for the browser process to have a lightweight tree of proxy objects, |
| each one corresponding to a node in the accessibility tree in the render |
| process. Upon receiving a call to getState, the browser process would make a |
| blocking IPC to the render process, get the state of that particular node, then |
| reply to the accessibility API call with that result. |
| |
|  |
| |
| We discovered two problems with this approach. |
| |
| First, making blocking IPCs from the browser to renderer was highly |
| discouraged. It introduced "jankiness" into the browser and introduced |
| the possibility of deadlock. Unfortunately nearly all accessibility APIs |
| are synchronous method calls, so there's no easy way around this. |
| |
| Second, we discovered that some assistive technology was calling many thousands |
| of accessibility APIs in a row when loading a page. For example, both JAWS |
| and NVDA scanned the entire web page from top to bottom on first load in order |
| to build their virtual buffers. This proxy model was slowing things down |
| dramatically. Even though most calls only took a millisecond to return, |
| when accessing thousands of nodes sequentially that resulted in even |
| medium-sized web pages taking 10 seconds or more to load. |
| |
| In addition, while most calls would be fast, some blocking calls could take |
| much longer because they'd need to block until not only the render process's |
| main thread was free, but also until the document was in a clean layout |
| state (more on layout below under Blink). And if a renderer was hung |
| (long-running JavaScript or an endless loop), the blocking call might never |
| return or might be forced to time out. |
| |
| ### Caching the full accessibility tree |
| |
| Instead of the proxying approach, Chromium caches the full accessibility |
| tree for every web page in the browser process. When accessibility API |
| calls come in from the operating system or assistive technology, they're |
| handled immediately out of the cache, never blocking on a render process. |
| Separately, renderers send atomic updates to the browser process to keep |
| the accessibility tree up-to-date. |
| |
| Here's a diagram of this approach: |
| |
|  |
| |
| One advantage to this approach is that handling operating system accessibility |
| API calls is quite fast. In fact, this design leads to even faster performance |
| than a traditional single-process browser, where many API calls would be |
| handled by querying the DOM tree or Layout tree for details. |
| |
| This approach is also completely free from blocking IPCs or deadlocks. |
| |
| There are some drawbacks to this approach, though: |
| |
| Memory usage is higher. The cache necessarily duplicates information that |
| was already stored elsewhere, so this is unavoidable. We mitigate this in |
| part by ensuring that the data structure we use to store each accessibility |
| node is sparse and compact. |
| |
| Second, the accessibility tree can't be computed lazily. Whenever a web page |
| changes, updates have to be pushed to the browser process cache right away, |
| so that the cache is up-to-date as soon as possible. Now, when a large and |
| complex page loads and this page is immediately consumed by assistive |
| technology, then this approach is no worse - we're just shifting the burden |
| from providing the accessibility tree on-demand to precomputing it, but |
| essentially doing the same work. However, when assistive technology is not |
| actually consuming the changes, this approach can be inefficient. More work |
| is needed to mitigate this performance issue. |
| |
| One question that comes up is: isn't it a problem that the browser cache |
| is potentially "behind", showing a snapshot of the web page as it existed |
| a moment ago? This is true, but in practice it ends up being insignificant. |
| What's most important is that the cache always represents a complete and |
| consistent snapshot of the accessibility tree. Also, note that the visual |
| representation you see of a web page is also delayed slightly from the |
| "source of truth" in the DOM. A typical graphics frame is calculated every |
| ~17 ms (assuming a display refresh rate of 60 fps), and there's some |
| additional latency from when a graphics frame is computed and when it's |
| actually shown on the screen - so in a sense whenever a web page makes a |
| change to JavaScript, what you see on the screen is usually 10 - 20 ms |
| behind that. If you've ever clicked the mouse at the exact instant the |
| web page scrolled out from under you and you clicked on the wrong thing, |
| you've observed this phenomenon. |
| |
| Chromium's caching approach to multi-process accessibility has led to several |
| advantages or insights that were not immediately apparent in the initial design: |
| |
| * The cache can be anywhere, it doesn't have to be in the browser process. |
| On Chrome OS we put the accessibility cache in the process running the |
| assistive technology. On Windows we have explored the idea of making a |
| separate accessibility process for assistive technology to talk to, or |
| possibly pushing the cache to the assistive technology's process. |
| * It's all data. By design the accessibility cache is just data, it's a |
| serialization of what the accessibility tree looks like at any point in |
| time. This view ends up having a lot of nice advantages, described more |
| below. |
| |
| ### Push vs pull |
| |
| One way to think about different ways to architect an accessibility system |
| is to explore what triggers data to move in the system. |
| |
| Most operating system accessibility APIs are based around a "pull" model. |
| When assistive technology requests information from the accessibility tree, |
| it calls a method on the app to requests it. In a single-process browser or |
| in the proxy approach described above, the underlying data behind that node |
| is pulled from the source accessibility tree, which pulls from the underlying |
| data model (the DOM and layout trees). |
| |
| In contrast, Chrome's "push" model tracks changes that happen to the |
| accessibility tree and then pushes changes from the web directly to |
| the cached accessibility tree cache in the browser process. This incurs |
| from upfront cost when a page changes, but makes access to accessibility |
| APIs very fast. |
| |
| ### It's all data |
| |
| Most accessibility APIs are based around a functional API, where you override |
| methods in order to answer whatever queries assistive technology has about |
| any particular accessibility object. |
| |
| This approach is consistent with many common design principles, such as |
| DRY (don't repeat yourself) - that there should be a single source of truth |
| for any piece of information (like whether a control is visible or not), |
| rather than two copies of that information (which could get out of sync). |
| (This is harder to achieve in a multi-process app, though.) |
| |
| However, the functional approach has its downsides. |
| |
| To query the current state of an object, you end up calling basically all of its |
| methods. Even in a single process browser where there's no IPC overhead, every |
| single API might go through several layers of indirection in order to be |
| satisfied. |
| |
| For example, suppose the operating system calls the isEnabled() method on a |
| checkbox. The implementation might make a series of method calls that end up |
| querying the DOM or the Layout tree, before returning the result. Subsequent |
| calls to isVisible(), isFocused(), and isChecked() might go through the same |
| series of calls, unless the app specifically cached them temporarily. |
| |
| In comparison, if you ask that same checkbox to just fill in a simple |
| data structure with its accessibility state, it might be able to quickly |
| compute isEnabled, isVisible, isFocused, and isChecked all at the same time, |
| with no additional layers of indirection needed. |
| |
| Another advantage of this approach is that you can take advantage of default |
| values using a sparse data structure - think of a node in the accessibility |
| cache as a key/value store like a hash map. If the default value of isChecked |
| is false, then for any accessible object that isn't currently checked you don't |
| have to do anything. Only if it is checked do you add a "checked" attribute to |
| the map. |
| |
| Another advantage of the accessibility tree being data is that you can |
| save the complete state of the accessibility tree - either making a copy |
| in memory, or dumping a human-readable text version to a log file. We use |
| this concept extensively in accessibility browser tests. |
| |
| One powerful consequence of this approach is that an accessibility tree |
| doesn't need a backing web page in order to function. It's possible to save |
| an accessibility tree and a series of atomic mutations, and then "replay" |
| them later and get identical results, without any backing web page. |
| Chromium currently has some experimental support for recording changes to |
| a web page in the chrome://accessibility page, and we also take advantage |
| of this snapshotting in order to implement support for the Android |
| "freeze-dried tabs" feature where a frozen snapshot of the page is |
| displayed (with accessibility support) while the real page is being |
| fetched from a slow connection. |
| |
| ### Data structures used by the accessibility cache |
| |
| In this section we'll cover the data structures used in order to implement |
| the accessibility cache. For the moment, we'll ignore the render processes |
| and how this data is generated, in order to focus on what data is received |
| and how it's used. |
| |
| The key data structures used throughout accessibility code are found in the |
| [ui/accessibility]( |
| https://source.chromium.org/chromium/chromium/src/+/main:ui/accessibility/) |
| directory. |
| |
| The underlying data from one node is stored in AXNodeData. A simplified |
| version of this struct is: |
| |
| ```C++ |
| struct AXNodeData { |
| int id; |
| Role role; |
| vector<pair<StringAttribute, string>> string_attributes; |
| vector<pair<IntAttribute, int>> int_attributes; |
| vector<pair<FloatAttribute, float>> float_attributes; |
| ... |
| vector<int> child_ids; |
| AXRelativeBounds relative_bounds; |
| }; |
| ``` |
| |
| Every node has an ID, but IDs are only required to be unique within the |
| same web frame. The IDs are used to express the tree structure - each node |
| has a vector of its child IDs. |
| |
| Every node has a role, since that's a fundamental concept in accessibility |
| and every node needs one. Every node also has a bounding box (we'll go into |
| why it's a *relative* bounding box later). Nearly all of the other |
| attributes are stored as sparse vectors of (attribute type, attribute value) |
| pairs. There are currently over 100 different attributes that Chromium |
| can associate with a single accessible node, but most nodes only have |
| 5 - 10 of them set. Anything unset is treated as having the default value. |
| |
| An AXTreeUpdate is a pure-data snapshot of an accessibility tree or an |
| update to an existing tree. A slightly simplified version of that struct is: |
| |
| ```C++ |
| struct AXTreeUpdate { |
| AXTreeData tree_data; |
| int root_id; |
| vector<AXNodeData> nodes; |
| }; |
| ``` |
| |
| AXTreeData just has a few attributes that apply to the entire |
| tree rather than just one particular node. |
| |
| A valid AXTreeUpdate corresponding to a complete accessibility tree just has to |
| contain every node exactly once with no duplicates or redundant nodes. In other |
| words, root_id must contain the ID of one node; that node must have the IDs of |
| its children, and every node must either be the root or the child of some other |
| node. The nodes can come in any order. |
| |
| A valid AXTreeUpdate can also represent the changes needed to change an |
| existing accessibility tree. Any node that's unchanged can be completely |
| left out; only nodes that change need to be included. To insert a node, |
| just add its AXNodeData and be sure to update the child_ids in its parent. |
| To remove a node, remove it from its parent's child_ids. |
| |
| An AXTreeUpdate is *stateful* - if you're using it to update an existing |
| tree then the code that generated the update needs to understand the |
| state that the tree was in previously. |
| |
| There are two classes that represent a live node and a live tree, here |
| are the important details: |
| |
| ```C++ |
| class AXNode { |
| public: |
| ... |
| const AXNodeData& data(); |
| AXNode* GetParent() const; |
| vector<AXNode*>& GetAllChildren() const; |
| ... |
| }; |
| |
| class AXTree { |
| public: |
| AXTree(); |
| explicit AXTree(const AXTreeUpdate& initial_state); |
| bool Unserialize(const AXTreeUpdate& update); |
| AXNode* root() const; |
| AXNode* GetFromId(int id) const; |
| ... |
| }; |
| ``` |
| |
| You can construct an AXTree from an AXTreeUpdate directly, or create an |
| empty tree first. Then call Unserialize to take an AXTreeUpdate and |
| apply those changes to the current tree. It will return false if the |
| AXTreeUpdate is malformed or can't be applied to the current tree. |
| |
| Once you have an AXTree, you can get its root node, or look up nodes by ID. |
| Each node is just a thin wrapper around its underlying AXNodeData plus |
| some convenience functions to walk the tree. |
| |
| AXTree is essentially the underlying data model used to implement |
| accessibility in the browser process. As described in |
| [Part 1](how_a11y_works.md), there's a platform-specific accessibility |
| object for each node in the tree. When a platform accessibility API is |
| called on one of those nodes, it uses the corresponding AXNode's |
| AXNodeData to get the details of the node to satisfy that query. |
| |
| Nearly all accessibility APIs can be satisfied directly from AXNodeData: |
| for example a node's name, role, state, value, bounding box, allowed |
| actions, and relationships with other nodes. There are a few exceptions |
| that will be covered in [Part 3](how_a11y_works_3.md). |
| |
| BrowserAccessibilityManager is a layer on top of AXTree. It hooks up |
| the cross-platform accessibility data structures to the platform-specific |
| tree of native accessibility objects. That will be discussed in more |
| detail in [Part 3](how_a11y_works_3.md). |
| |
| ### Serializing the accessibility tree from the renderer |
| |
| The other half of the puzzle here is what happens on the renderer side. |
| Given a web page that's constantly changing, how do we serialize a |
| representation of the accessibility tree and send small, atomic updates |
| to the browser process to keep the cache in sync? |
| |
| See above for a reminder of Blink and how it fits into the render process. |
| Render accessibility consists of two main pieces: |
| |
| * A tree of lightweight accessibility nodes inside Blink that represent |
| the current state of the accessibility tree |
| * Code outside Blink that keeps track of nodes that need to be updated, |
| and periodically serializes updates to send to the browser process. |
| |
| #### The Blink Accessibility Tree |
| |
| Inside Blink, we use the following classes. |
| |
| AXObject is the base class representing one node in the accessibility |
| tree. Each AXObject is a wrapper, it either wraps a DOM Node (a blink::Node) |
| or a Blink layout object (a blink::LayoutObject). The AXObject contains |
| very little state; it caches a few attributes that are expensive to recompute |
| but otherwise doesn't store its full serialization. |
| |
| AXObjectCache is the class that represents all of the AXObjects for one |
| web page. It's owned by the Document class, only if accessibility is enabled. |
| |
| AXObjects are built lazily, on-demand. When an AXObject is added or deleted, |
| its parent marks its list of child objects as dirty so that the next time |
| it's queried it knows to compute them. |
| |
| The vast majority of the web-specific accessibility logic is in AXObject and |
| AXObjectCache. Besides just support for ARIA attributes and getting |
| accessibility information from DOM elements, here you'll find all of the code |
| that interprets the [ACCNAME](https://w3c.github.io/accname/) spec to compute |
| the accessible name and description for any HTML element, by checking |
| aria-labelledby, aria-label, and other relevant attributes, for example. |
| |
| In addition, the code in AXObject and AXObjectCache builds the structure of |
| the accessibility tree, especially in cases where it differs from the DOM tree, |
| such as CSS generated content, aria-hidden, or aria-owns. |
| |
| When the accessibility tree changes, AXObjectCache sends an event |
| notification to the render accessibility code outside of Blink indicating |
| that a node has changed and needs to be re-serialized. |
| |
| Blink does not currently have listener interfaces for all of the changes |
| that accessibility cares about. Rather, Blink code is generally |
| specifically instrumented for accessibility. So when a new DOM node is |
| inserted, or when the value of a form control changes, you'll see explicit |
| code in Blink to update the AXObjectCache. |
| |
| In earlier versions, Blink accessibility code used to post a lot of |
| specific event notifications indicating exactly what changed, for |
| example: NameChanged, ValueChanged, StateChanged, ChildrenChanged, etc. - but |
| over time we've moved away from that model. Now we usually just mark a |
| node as dirty - or the event notification is still there for historical |
| reasons but it's never consumed and only marking the node is dirty ends up |
| mattering. |
| |
| The reason for this was because we started adding code to automatically |
| generate events from tree mutations. This helped avoid entire classes of |
| problems like duplicate events. |
| |
| So in a nutshell, Blink is just responsible for notifying which nodes have |
| changed. It's more efficient to just re-serialize nodes that probably changed |
| (occasionally doing a bit of extra work) than it is to write very careful logic |
| to only update nodes that actually changed. |
| |
| #### Render Process Accessibility code (outside of Blink) |
| |
| The main render process accessibility code outside of Blink is in |
| [RenderAccessibilityImpl](https://source.chromium.org/chromium/chromium/src/+/main:content/renderer/accessibility/render_accessibility_impl.h). |
| That code maintains the connection with the browser accessibility |
| code and handles serializing updates to the accessibility tree. |
| |
| Updates to the accessibility tree are always batched. |
| |
| One important reason is because the accessibility tree can only be serialized |
| when the document's lifecycle state is *clean*. In a nutshell, every time a |
| change happens to a web page that could conceivably affect how it appears |
| on-screen, the document is dirty until Blink has had a chance to do CSS style |
| resolution and layout. Accessibility code will fail assertions if you try to |
| query certain properties when the document is in a dirty state, because |
| it could lead to inconsistent results or even crashes. |
| |
| So, accessibility changes are always queued up and then sent periodically |
| only after first ensuring that layout is complete. |
| |
| When it is time to send accessibility updates, we make use of an |
| abstraction called AXTreeSerializer. AXTreeSerializer is a class that |
| knows how to walk a tree of nodes and generate valid AXTreeUpdates that |
| incrementally update a remote AXTree. |
| |
| AXTreeSerializer is designed so that it doesn't know anything about Blink, |
| and it doesn't interpret any accessibility logic, it just knows how to |
| work with the AXNodeData and AXTreeUpdate data structures. In fact, we're |
| using AXTreeSerializer for other accessibility trees in Chromium outside |
| of Blink, and we have extensive unit tests for AXTreeSerializer that |
| serialize from one AXTree into another AXTree to test the logic in isolation. |
| |
| AXTreeSerializer is stateful; it keeps track of what nodes have been sent |
| to its counterpart. When walking the tree, if it encounters a node that |
| it hasn't serialized before, it automatically serializes it. If it |
| encounters a node that was previously serialized and wasn't marked as |
| dirty, it automatically skips it. |
| |
| AXTreeSerializer uses an interface called AXTreeSource to enable it to walk |
| any tree-like object without being tightly coupled to Blink or any other |
| specific tree. We use an implementation BlinkAXTreeSource that maps all |
| of the tree-walking and serialization calls into calls to Blink's |
| AXObject class. |
| |
| This figure shows the overall system diagram covered so far: |
| |
|  |
| |
| ## We must go deeper |
| |
| In the next section we'll explore some of the details that were |
| glossed over, including: |
| |
| * Abstracting platform-specific APIs |
| * Relative coordinates |
| * Text bounding boxes |
| * Hit testing |
| * Views and other non-web custom-drawn UI |
| |
| See [How Chrome Accessibility Works, Part 3](how_a11y_works_3.md) |
| |
| |
