Bug 163999 - AX: WebView crashes app after opening VoiceOver context box menu from modal dialog
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: Accessibility
Version: WebKit Nightly Build
Hardware: All All
Importance: P2 Normal
Assignee: chris fleizach
URL:
Keywords: InRadar
Depends on:
Blocks:
 
Reported: 2016-10-25 17:29 PDT by Dan Saunders
Modified: 2017-07-13 00:47 PDT (History)

See Also:


Attachments
patch (1.28 KB, patch)
2017-07-10 01:18 PDT, chris fleizach

Description Dan Saunders 2016-10-25 17:29:56 PDT
If WebView is hosted inside a modal dialog, a user with VoiceOver can try to use control + option + shift + M to open the context box menu. The menu never opens, and then after closing the dialog the application crashes. This consistently repros with WebView. It does not repro with WKWebView.

To prevent the crash we just need a nullptr check on m_object. detach is being called before the delayed selector gets performed. If we want the context box menu to show in this scenario, we need to modify the performSelector to still occur while modal dialog is running.

Something like this would fix both issues:
[self performSelector:@selector(accessibilityShowContextMenu) withObject:nil afterDelay:0.0 inModes:[NSArray arrayWithObjects: NSDefaultRunLoopMode, NSModalPanelRunLoopMode, nil]];

WebAccessibilityObjectWrapperMac.mm (crashing location m_object is nullptr)
- (void)accessibilityShowContextMenu
{
    Page* page = m_object->page();

#0	0x0000000107007190 in WebCore::AccessibilityObject::page() const at /*/Source/WebCore/accessibility/AccessibilityObject.cpp:1716
#1	0x00000001098b456a in -[WebAccessibilityObjectWrapper accessibilityShowContextMenu] at /*/Source/WebCore/accessibility/mac/WebAccessibilityObjectWrapperMac.mm:3675
#2	0x00007fff8a484ace in __NSFireDelayedPerform ()
#3	0x00007fff95c56b94 in __CFRUNLOOP_IS_CALLING_OUT_TO_A_TIMER_CALLBACK_FUNCTION__ ()
#4	0x00007fff95c56823 in __CFRunLoopDoTimer ()
#5	0x00007fff95c5637a in __CFRunLoopDoTimers ()
#6	0x00007fff95c4d871 in __CFRunLoopRun ()
#7	0x00007fff95c4ced8 in CFRunLoopRunSpecific ()
#8	0x00007fff938cf935 in RunCurrentEventLoopInMode ()
#9	0x00007fff938cf677 in ReceiveNextEventCommon ()
#10	0x00007fff938cf5af in _BlockUntilNextEventMatchingListInModeWithFilter ()
#11	0x00007fff94af1efa in _DPSNextEvent ()
#12	0x00007fff94af132a in -[NSApplication _nextEventMatchingEventMask:untilDate:inMode:dequeue:] ()
#13	0x00007fff94ae5e84 in -[NSApplication run] ()
#14	0x00007fff94aaf46c in NSApplicationMain ()
#15	0x00000001000017d2 in main at
#16	0x00007fff9cea35ad in start ()
#17	0x00007fff9cea35ad in start ()
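The mechanism in the report, as an added stand-alone example that is not WebKit's code: a hypothetical `DemoWrapper` stands in for `WebAccessibilityObjectWrapper`, a delayed selector registered only in the default run loop mode never fires while a modal panel mode is spinning, fires after `detach` has nulled `m_object`, and only the null check keeps it from dereferencing a null pointer; the second wrapper shows the `inModes:` scheduling from the report firing during the modal loop. Build with `clang -fobjc-arc -framework Cocoa demo.m -o demo`.

```objc
#import <Cocoa/Cocoa.h>   // NSModalPanelRunLoopMode is declared by AppKit, not Foundation

struct BackingObject { int id; };   // stand-in for WebCore::AccessibilityObject

@interface DemoWrapper : NSObject { struct BackingObject *m_object; }
@end

@implementation DemoWrapper
- (instancetype)init {
    if ((self = [super init])) { m_object = calloc(1, sizeof *m_object); m_object->id = 7; }
    return self;
}
// Hypothetical detach: the backing object goes away, as it does for the WebKit wrapper.
- (void)detach { free(m_object); m_object = NULL; }
- (void)showContextMenu {
    // The nullptr check the report asks for; without it this line is the crash site.
    if (!m_object) { NSLog(@"wrapper already detached, skipping context menu"); return; }
    NSLog(@"showing context menu for object %d", m_object->id);
}
// Original scheduling: default mode only, so a modal panel's run loop never fires it.
- (void)scheduleDefaultModeOnly {
    [self performSelector:@selector(showContextMenu) withObject:nil afterDelay:0.0];
}
// Scheduling suggested in the report: also registered in the modal panel mode.
- (void)scheduleInModalModeToo {
    [self performSelector:@selector(showContextMenu) withObject:nil afterDelay:0.0
                  inModes:@[NSDefaultRunLoopMode, NSModalPanelRunLoopMode]];
}
@end

// Run the current run loop briefly in one mode, as a modal dialog or the app loop would.
static void spin(NSRunLoopMode mode) {
    [[NSRunLoop currentRunLoop] runMode:mode beforeDate:[NSDate dateWithTimeIntervalSinceNow:0.05]];
}

int main(void) {
    @autoreleasepool {
        DemoWrapper *w = [DemoWrapper new];
        [w scheduleDefaultModeOnly];
        spin(NSModalPanelRunLoopMode);  // "modal dialog" running: the timer does not fire
        [w detach];                     // dialog closed, wrapper detached
        spin(NSDefaultRunLoopMode);     // now it fires; only the guard prevents the null deref

        DemoWrapper *w2 = [DemoWrapper new];
        [w2 scheduleInModalModeToo];
        spin(NSModalPanelRunLoopMode);  // fires while the "modal" loop is still running
    }
    return 0;
}
```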
Comment 1 Radar WebKit Bug Importer 2016-10-25 17:30:19 PDT
<rdar://problem/28949013>
Comment 2 chris fleizach 2017-07-10 01:18:18 PDT
Created attachment 314968 [details]
patch
Comment 3 WebKit Commit Bot 2017-07-13 00:47:14 PDT
Comment on attachment 314968 [details]
patch

Clearing flags on attachment: 314968

Committed r219444: <http://trac.webkit.org/changeset/219444>
Comment 4 WebKit Commit Bot 2017-07-13 00:47:16 PDT
All reviewed patches have been landed.  Closing bug.