RESOLVED FIXED 163999
AX: WebView crashes app after opening VoiceOver context box menu from modal dialog
https://bugs.webkit.org/show_bug.cgi?id=163999
Dan Saunders
Reported 2016-10-25 17:29:56 PDT
If WebView is hosted inside a modal dialog, a user with VoiceOver can try to use control + option + shift + M to open the context box menu. The menu never opens, and then after closing the dialog the application crashes. This consistently repros with WebView. It does not repro with WKWebView.

To prevent the crash we just need a nullptr check on m_object. detach is being called before the delayed selector gets performed.

If we want the context box menu to show in this scenario, we need to modify the performSelector to still occur while the modal dialog is running. Something like this would fix both issues:

    [self performSelector:@selector(accessibilityShowContextMenu) withObject:nil afterDelay:0.0 inModes:[NSArray arrayWithObjects: NSDefaultRunLoopMode, NSModalPanelRunLoopMode, nil]];

WebAccessibilityObjectWrapperMac.mm (crashing location, m_object is nullptr):

    - (void)accessibilityShowContextMenu
    {
        Page* page = m_object->page();

#0 0x0000000107007190 in WebCore::AccessibilityObject::page() const at /*/Source/WebCore/accessibility/AccessibilityObject.cpp:1716
#1 0x00000001098b456a in -[WebAccessibilityObjectWrapper accessibilityShowContextMenu] at /*/Source/WebCore/accessibility/mac/WebAccessibilityObjectWrapperMac.mm:3675
#2 0x00007fff8a484ace in __NSFireDelayedPerform ()
#3 0x00007fff95c56b94 in __CFRUNLOOP_IS_CALLING_OUT_TO_A_TIMER_CALLBACK_FUNCTION__ ()
#4 0x00007fff95c56823 in __CFRunLoopDoTimer ()
#5 0x00007fff95c5637a in __CFRunLoopDoTimers ()
#6 0x00007fff95c4d871 in __CFRunLoopRun ()
#7 0x00007fff95c4ced8 in CFRunLoopRunSpecific ()
#8 0x00007fff938cf935 in RunCurrentEventLoopInMode ()
#9 0x00007fff938cf677 in ReceiveNextEventCommon ()
#10 0x00007fff938cf5af in _BlockUntilNextEventMatchingListInModeWithFilter ()
#11 0x00007fff94af1efa in _DPSNextEvent ()
#12 0x00007fff94af132a in -[NSApplication _nextEventMatchingEventMask:untilDate:inMode:dequeue:] ()
#13 0x00007fff94ae5e84 in -[NSApplication run] ()
#14 0x00007fff94aaf46c in NSApplicationMain ()
#15 0x00000001000017d2 in main at
#16 0x00007fff9cea35ad in start ()
#17 0x00007fff9cea35ad in start ()
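The ordering the report describes (delayed selector scheduled in the default run-loop mode only, modal dialog runs so the timer never fires, dialog closes and the wrapper is detached, then the stale selector fires against a null backing object) modelled as an added Objective-C example. This is not WebKit's code: ContextMenuWrapper, BackingObject and the two schedule methods are hypothetical stand-ins for WebAccessibilityObjectWrapper and its m_object, and the run loop is driven by hand to play the role of the modal dialog. Build with `clang -fobjc-arc -framework AppKit example.m -o example`.

```objc
// Added illustration, not WebKit code. Names below are hypothetical stand-ins.
#import <AppKit/AppKit.h>   // for NSModalPanelRunLoopMode

// Stand-in for the wrapped WebCore object (the report's m_object).
struct BackingObject { int pageId; };

@interface ContextMenuWrapper : NSObject {
    struct BackingObject *m_object;   // set to NULL by -detach
}
- (instancetype)initWithObject:(struct BackingObject *)object;
- (void)detach;
- (void)scheduleShowContextMenuUnsafe;
- (void)scheduleShowContextMenu;
- (void)showContextMenu;
@end

@implementation ContextMenuWrapper
- (instancetype)initWithObject:(struct BackingObject *)object {
    if ((self = [super init]))
        m_object = object;
    return self;
}

// The wrapper outlives the object it wraps; this is the report's "detach".
- (void)detach {
    m_object = NULL;
}

// Original pattern: registered in NSDefaultRunLoopMode only, so it cannot fire
// while a modal panel's run loop is active and fires only after the dialog closes.
- (void)scheduleShowContextMenuUnsafe {
    [self performSelector:@selector(showContextMenu) withObject:nil afterDelay:0.0];
}

// Scheduling suggested in the report: also registered in NSModalPanelRunLoopMode,
// so the selector runs while the modal dialog is still up, before any detach.
- (void)scheduleShowContextMenu {
    [self performSelector:@selector(showContextMenu)
               withObject:nil
               afterDelay:0.0
                  inModes:@[NSDefaultRunLoopMode, NSModalPanelRunLoopMode]];
}

// The nullptr check: without it, a selector that fires after -detach
// dereferences NULL (the crash at m_object->page() in the report).
- (void)showContextMenu {
    if (!m_object) {
        NSLog(@"showContextMenu: wrapper already detached, ignoring stale selector");
        return;
    }
    NSLog(@"showContextMenu: showing menu for page %d", m_object->pageId);
}
@end

int main(int argc, char *argv[]) {
    @autoreleasepool {
        NSRunLoop *loop = [NSRunLoop currentRunLoop];
        NSDate *soon = [NSDate dateWithTimeIntervalSinceNow:0.05];

        // 1. Original scheduling, then spin the loop in the modal panel mode only,
        //    as a modal dialog would. The timer is not in that mode: nothing fires.
        struct BackingObject obj1 = { .pageId = 1 };
        ContextMenuWrapper *w1 = [[ContextMenuWrapper alloc] initWithObject:&obj1];
        [w1 scheduleShowContextMenuUnsafe];
        [loop runMode:NSModalPanelRunLoopMode beforeDate:soon];
        // 2. The dialog closes and the wrapper is detached...
        [w1 detach];
        // 3. ...then the default-mode loop resumes and the stale selector fires.
        //    Only the nullptr check in -showContextMenu keeps this from crashing.
        [loop runMode:NSDefaultRunLoopMode beforeDate:soon];

        // 4. Fixed scheduling: the selector is also in NSModalPanelRunLoopMode and
        //    fires while the "modal dialog" is running, before -detach.
        struct BackingObject obj2 = { .pageId = 2 };
        ContextMenuWrapper *w2 = [[ContextMenuWrapper alloc] initWithObject:&obj2];
        [w2 scheduleShowContextMenu];
        [loop runMode:NSModalPanelRunLoopMode beforeDate:soon];
        [w2 detach];
    }
    return 0;
}
```

The two halves of the report's fix are independent: the inModes change makes the menu appear in the modal case, while the null check is what turns a use-after-detach into a no-op, so it belongs in the selector regardless of how it is scheduled.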
Attachments
patch (1.28 KB, patch)
2017-07-10 01:18 PDT, chris fleizach
no flags
Radar WebKit Bug Importer
Comment 1 2016-10-25 17:30:19 PDT
chris fleizach
Comment 2 2017-07-10 01:18:18 PDT
WebKit Commit Bot
Comment 3 2017-07-13 00:47:14 PDT
Comment on attachment 314968 patch
Clearing flags on attachment: 314968
Committed r219444: <http://trac.webkit.org/changeset/219444>
WebKit Commit Bot
Comment 4 2017-07-13 00:47:16 PDT
All reviewed patches have been landed. Closing bug.