[webkit-changes] [WebKit/WebKit] c22363: AXObjectCache::characterOffsetFromVisiblePosition ...
Tyler Wilcock
noreply at github.com
Wed Jul 10 22:18:57 PDT 2024
Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: c223637aad47dceef3291a95636ceb9fc10ee1ab
https://github.com/WebKit/WebKit/commit/c223637aad47dceef3291a95636ceb9fc10ee1ab
Author: Tyler Wilcock <tyler_w at apple.com>
Date: 2024-07-10 (Wed, 10 Jul 2024)
Changed paths:
A LayoutTests/accessibility/mac/role-img-selection-hang-expected.txt
A LayoutTests/accessibility/mac/role-img-selection-hang.html
M Source/WebCore/accessibility/AXObjectCache.cpp
Log Message:
-----------
AXObjectCache::characterOffsetFromVisiblePosition can iterate infinitely when moving through role="img" container
https://bugs.webkit.org/show_bug.cgi?id=276464
rdar://problem/131502510
Reviewed by Ryosuke Niwa.
Given this markup:
    <div role="img">
        <span style="position:absolute">X</span>
        <span>Y</span>
    </div>
When we create a VisiblePosition from this Position:
    (Position
      (anchor node: #text 0x159003ec0 length=1 "Y")
      (offset: 0)
      (anchor type: offset in anchor))
We get its `canonicalPosition` in the VisiblePosition constructor, which computes:
    (Position
      (anchor node: DIV 0x159003c40)
      (offset: 0)
      (anchor type: before anchor))
This starts iteration for `nextVisuallyDistinctCandidate` back at the beginning of the div, repeating until we get back
to the "Y" position, in turn computing the before-anchor-div position, repeating forever.
This happens because the div is role="img", which was special cased to be `Element::canContainRangeEndPoint()` in:
https://bugs.webkit.org/attachment.cgi?id=229259&action=prettypatch (Find on Page can get stuck in a loop when the search string occurs in an input in a fieldset).
Making it `canContainRangeEndPoint` also makes it `editingIgnoresContent == true`, in turn making it `Position::isCandidate() == true`.
I tried to solve the core editing bug in https://github.com/WebKit/WebKit/pull/30614, but my approach (removing this
special role="img" logic in Element::canContainRangeEndPoint()) caused other undesirable effects (more details in
https://github.com/WebKit/WebKit/pull/30614#issuecomment-2221064954), so some other fix is needed (tracked by
https://bugs.webkit.org/show_bug.cgi?id=276460).
For now, this commit works around this foundational bug by changing `AXObjectCache::characterOffsetFromVisiblePosition`
to detect we've moved back to the start position, and breaking to prevent an infinite loop.
* LayoutTests/accessibility/mac/role-img-selection-hang-expected.txt: Added.
* LayoutTests/accessibility/mac/role-img-selection-hang.html: Added.
* Source/WebCore/accessibility/AXObjectCache.cpp:
(WebCore::AXObjectCache::characterOffsetFromVisiblePosition):
Canonical link: https://commits.webkit.org/280847@main
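
The cycle described in the log message, and a guard that breaks when iteration returns to the start position, as a simplified model added here (not WebKit code and not part of the commit). Positions are plain integers, and `canonical`, `nextVisible` and `walk` are hypothetical stand-ins for the real VisiblePosition machinery.

```cpp
#include <cstddef>
#include <cstdio>

// Constructed model of the markup in the log message; not WebKit code.
// Positions are plain indices along the document:
//   0 = before the role="img" DIV   1 = "X" offset 0   2 = "X" offset 1
//   3 = "Y" offset 0                4 = "Y" offset 1   5 = end (null position)
enum : int { BeforeDiv = 0, YStart = 3, YEnd = 4, End = 5 };

// Stand-in for canonicalPosition: "Y" offset 0 canonicalizes to before-the-DIV,
// the step the log message identifies as the source of the cycle.
int canonical(int p) { return p == YStart ? BeforeDiv : p; }

// Stand-in for stepping to the next visible position: advance, then canonicalize.
int nextVisible(int p) { return p >= End ? End : canonical(p + 1); }

struct WalkResult {
    bool reachedTarget;
    bool brokeOnRevisit;
    std::size_t steps;
};

// Walk forward from `start` until `target` or the end. With `guard` set, stop as
// soon as iteration lands back on `start`. `budget` caps the unguarded walk so
// the demonstration itself terminates.
WalkResult walk(int start, int target, bool guard, std::size_t budget)
{
    int current = start;
    for (std::size_t steps = 0; steps < budget; ++steps) {
        if (current == target)
            return { true, false, steps };
        if (current == End)
            return { false, false, steps };
        current = nextVisible(current);
        if (guard && current == start)
            return { false, true, steps + 1 };
    }
    return { false, false, budget }; // budget exhausted: the walk never converged
}

int main()
{
    WalkResult unguarded = walk(BeforeDiv, YEnd, false, 1000);
    WalkResult guarded = walk(BeforeDiv, YEnd, true, 1000);
    std::printf("unguarded: steps=%zu reached=%d\n", unguarded.steps, unguarded.reachedTarget);
    std::printf("guarded:   steps=%zu brokeOnRevisit=%d\n", guarded.steps, guarded.brokeOnRevisit);
}
```

The guard compares against the start position only, so in this model it catches cycles that pass back through the start, which is the shape of the cycle described above.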