163999 2016-10-25 17:29:56 -0700 AX: WebView crashes app after opening VoiceOver context box menu from modal dialog 2017-07-13 00:47:16 -0700 1 1 1 Unclassified WebKit Accessibility WebKit Nightly Build All All RESOLVED FIXED InRadar P2 Normal --- 1 dasau cfleizach aboxhall apinheiro ap buildbot cfleizach commit-queue dmazzoni jcraig jdiggs samuel_white webkit-bug-importer oldest_to_newest 1244570 0 dasau 2016-10-25 17:29:56 -0700 If WebView is hosted inside a modal dialog, a user with voiceover can try to use control + option + shift + M to open the context box menu. The menu never opens, and then after closing the dialog the application crashes. This consistently repros with WebView. It does not repro with WKWebView. To prevent the crash we just need a nullptr check on m_object. detach is being called before the delayed selector gets performed. If we want the context box menu to show in this scenario, we need to modify the performSelector to still occur while modal dialog is running. Something like this would fix both issues: [self performSelector:@selector(accessibilityShowContextMenu) withObject:nil afterDelay:0.0 inModes:[NSArray arrayWithObjects: NSDefaultRunLoopMode, NSModalPanelRunLoopMode, nil]]; WebAccessibilityObjectWrapperMac.mm (crashing location m_object is nullptr) - (void)accessibilityShowContextMenu { Page* page = m_object->page(); #0 0x0000000107007190 in WebCore::AccessibilityObject::page() const at /*/Source/WebCore/accessibility/AccessibilityObject.cpp:1716 #1 0x00000001098b456a in -[WebAccessibilityObjectWrapper accessibilityShowContextMenu] at /*/Source/WebCore/accessibility/mac/WebAccessibilityObjectWrapperMac.mm:3675 #2 0x00007fff8a484ace in __NSFireDelayedPerform () #3 0x00007fff95c56b94 in __CFRUNLOOP_IS_CALLING_OUT_TO_A_TIMER_CALLBACK_FUNCTION__ () #4 0x00007fff95c56823 in __CFRunLoopDoTimer () #5 0x00007fff95c5637a in __CFRunLoopDoTimers () #6 0x00007fff95c4d871 in __CFRunLoopRun () #7 0x00007fff95c4ced8 in CFRunLoopRunSpecific () #8 0x00007fff938cf935 in RunCurrentEventLoopInMode () #9 0x00007fff938cf677 in ReceiveNextEventCommon () #10 0x00007fff938cf5af in _BlockUntilNextEventMatchingListInModeWithFilter () #11 0x00007fff94af1efa in _DPSNextEvent () #12 0x00007fff94af132a in -[NSApplication _nextEventMatchingEventMask:untilDate:inMode:dequeue:] () #13 0x00007fff94ae5e84 in -[NSApplication run] () #14 0x00007fff94aaf46c in NSApplicationMain () #15 0x00000001000017d2 in main at #16 0x00007fff9cea35ad in start () #17 0x00007fff9cea35ad in start () 1244571 1 webkit-bug-importer 2016-10-25 17:30:19 -0700 <rdar://problem/28949013> 1326949 2 314968 cfleizach 2017-07-10 01:18:18 -0700 Created attachment 314968 patch 1328396 3 314968 commit-queue 2017-07-13 00:47:14 -0700 Comment on attachment 314968 patch Clearing flags on attachment: 314968 Committed r219444: <http://trac.webkit.org/changeset/219444> 1328397 4 commit-queue 2017-07-13 00:47:16 -0700 All reviewed patches have been landed. Closing bug. 314968 2017-07-10 01:18:18 -0700 2017-07-13 00:47:14 -0700 patch patch text/plain 1307 cfleizach SW5kZXg6IFNvdXJjZS9XZWJDb3JlL0NoYW5nZUxvZwo9PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09Ci0tLSBTb3VyY2UvV2Vi Q29yZS9DaGFuZ2VMb2cJKHJldmlzaW9uIDIxOTI4NikKKysrIFNvdXJjZS9XZWJDb3JlL0NoYW5n ZUxvZwkod29ya2luZyBjb3B5KQpAQCAtMSwzICsxLDE2IEBACisyMDE3LTA3LTEwICBDaHJpcyBG bGVpemFjaCAgPGNmbGVpemFjaEBhcHBsZS5jb20+CisKKyAgICAgICAgQVg6IFdlYlZpZXcgY3Jh c2hlcyBhcHAgYWZ0ZXIgb3BlbmluZyBWb2ljZU92ZXIgY29udGV4dCBib3ggbWVudSBmcm9tIG1v ZGFsIGRpYWxvZworICAgICAgICBodHRwczovL2J1Z3Mud2Via2l0Lm9yZy9zaG93X2J1Zy5jZ2k/ aWQ9MTYzOTk5CisgICAgICAgIDxyZGFyOi8vcHJvYmxlbS8yODk0OTAxMz4KKworICAgICAgICBS ZXZpZXdlZCBieSBOT0JPRFkgKE9PUFMhKS4KKworICAgICAgICBQcm90ZWN0IHdoZW4gbV9vYmpl Y3QgZ29lcyBhd2F5LgorCisgICAgICAgICogYWNjZXNzaWJpbGl0eS9tYWMvV2ViQWNjZXNzaWJp bGl0eU9iamVjdFdyYXBwZXJNYWMubW06CisgICAgICAgICgtW1dlYkFjY2Vzc2liaWxpdHlPYmpl Y3RXcmFwcGVyIGFjY2Vzc2liaWxpdHlTaG93Q29udGV4dE1lbnVdKToKKwogMjAxNy0wNy0wOCAg Sm9obiBXaWxhbmRlciAgPHdpbGFuZGVyQGFwcGxlLmNvbT4KIAogICAgICAgICBSZXNvdXJjZSBM b2FkIFN0YXRpc3RpY3M6IFVzZXIgaW50ZXJhY3Rpb24gc2hvdWxkIGFsd2F5cyBnbyB0byB0b3Ag ZG9jdW1lbnQKSW5kZXg6IFNvdXJjZS9XZWJDb3JlL2FjY2Vzc2liaWxpdHkvbWFjL1dlYkFjY2Vz c2liaWxpdHlPYmplY3RXcmFwcGVyTWFjLm1tCj09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT0KLS0tIFNvdXJjZS9XZWJDb3Jl L2FjY2Vzc2liaWxpdHkvbWFjL1dlYkFjY2Vzc2liaWxpdHlPYmplY3RXcmFwcGVyTWFjLm1tCShy ZXZpc2lvbiAyMTkyNTYpCisrKyBTb3VyY2UvV2ViQ29yZS9hY2Nlc3NpYmlsaXR5L21hYy9XZWJB Y2Nlc3NpYmlsaXR5T2JqZWN0V3JhcHBlck1hYy5tbQkod29ya2luZyBjb3B5KQpAQCAtMzQ2MSw2 ICszNDYxLDkgQEAKIAogLSAodm9pZClhY2Nlc3NpYmlsaXR5U2hvd0NvbnRleHRNZW51CiB7Cisg ICAgaWYgKCFtX29iamVjdCkKKyAgICAgICAgcmV0dXJuOworICAgIAogICAgIFBhZ2UqIHBhZ2Ug PSBtX29iamVjdC0+cGFnZSgpOwogICAgIGlmICghcGFnZSkKICAgICAgICAgcmV0dXJuOwo=