[Webkit-unassigned] [Bug 55883] [Gtk] Consistent crash from Google/ARIA combobox click

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Tue Mar 29 05:26:26 PDT 2011


https://bugs.webkit.org/show_bug.cgi?id=55883

--- Comment #3 from Mario Sanchez Prada <msanchez at igalia.com>  2011-03-29 05:26:26 PST ---
It looks like the problem is an infinite loop caused by the call to firstChild() in the following snippet of code:

  AccessibilityObjectInclusion AccessibilityObject::accessibilityPlatformIncludesObject() const
  {
      [...]

      if (isGroup()) {
          // When a list item is made up entirely of children (e.g. paragraphs)
          // the list item gets ignored. We need it.
          if (parent->isList())
              return IncludeObject;

          // We expect the parent of a table cell to be a table.
          AccessibilityObject* child = firstChild();
          if (child && child->roleValue() == CellRole)
              return IgnoreObject;
      }
      [...]
  }


This snippet is normally not troublesome, but when the 'first child' is something with an ARIA role set to either 'option' or 'menuitem' (as happens in this case), at some point during the execution of firstChild() the following code will be executed:

  AccessibilityRole AccessibilityRenderObject::determineAriaRoleAttribute() const
  {
      [...]
      // selects and listboxes both have options as child roles, but they map to different roles within WebCore
      if (equalIgnoringCase(ariaRole, "option")) {
          if (parentObjectUnignored()->ariaRoleAttribute() == MenuRole)
              return MenuItemRole;
          if (parentObjectUnignored()->ariaRoleAttribute() == ListBoxRole)
              return ListBoxOptionRole;
      }
      // an aria "menuitem" may map to MenuButton or MenuItem depending on its parent
      if (equalIgnoringCase(ariaRole, "menuitem")) {
          if (parentObjectUnignored()->ariaRoleAttribute() == GroupRole)
              return MenuButtonRole;
          if (parentObjectUnignored()->ariaRoleAttribute() == MenuRole)
              return MenuItemRole;
      }

      return UnknownRole;
  }

As you can see, parentObjectUnignored() is executed before determining the actual ARIA role for that first child, and this happens before the instance is returned when it's accessed for the first time (while creating the AX object through AXObjectCache), resulting in accessibilityPlatformIncludesObject() being called again on the same instance as at the beginning, hence starting a new iteration of our beloved infinite loop :P

Perhaps a way to get this fixed would be to avoid calling firstChild() in accessibilityPlatformIncludesObject() as a rule of thumb, or just to remove this code completely:

   [...]
   // We expect the parent of a table cell to be a table.
   AccessibilityObject* child = firstChild();
   if (child && child->roleValue() == CellRole)
       return IgnoreObject;
   [...]

... and then try to come up with some equivalent code in case we think it's really needed after all (which is something I currently have doubts about, since just removing it fixed the bug and doesn't make any unit/layout test fail).

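As an added illustration (constructed for this page, not WebKit code and not part of the comment above), the following C++ model reproduces the creation re-entrancy the comment describes: a cache that decides inclusion before publishing the new object, an inclusion check that asks for the first child, and a child whose role lookup asks for its unignored parent. A depth guard turns the unbounded recursion into an error so both behaviours can be compared; every name in it (Node, AXCache, buildTerminates, resolvedItemRole, ...) is the example's own.

```cpp
#include <cstddef>
#include <map>
#include <memory>
#include <stdexcept>
#include <string>
#include <vector>

// Constructed toy model of the re-entrancy the comment describes; not WebKit
// code. Node stands in for a render-tree node, AXObject for the lazily created
// accessibility wrapper, AXCache for AXObjectCache.
struct Node {
    std::string ariaRole;            // "", "group", "menuitem", ...
    Node* parent = nullptr;
    std::vector<Node*> children;
};

class AXCache;

class AXObject {
public:
    AXObject(Node* node, AXCache& cache) : m_node(node), m_cache(cache) {}
    bool platformIncludesObject() const;   // ~ accessibilityPlatformIncludesObject()
    std::string ariaRole() const;          // ~ determineAriaRoleAttribute()
    AXObject* firstChild() const;
    AXObject* parentObjectUnignored() const;
private:
    Node* m_node;
    AXCache& m_cache;
};

// Creates wrappers on first access. checkFirstChild toggles the firstChild()
// call the comment proposes removing; depthLimit turns unbounded re-entrant
// creation into a thrown error instead of a stack overflow.
class AXCache {
public:
    explicit AXCache(bool checkFirstChild, std::size_t depthLimit = 64)
        : m_checkFirstChild(checkFirstChild), m_depthLimit(depthLimit) {}
    AXObject* get(Node* node) {
        auto it = m_objects.find(node);
        if (it != m_objects.end()) return it->second.get();
        if (++m_depth > m_depthLimit) throw std::runtime_error("re-entrant AX object creation");
        auto obj = std::make_unique<AXObject>(node, *this);
        // The inclusion decision runs before the object is published in the
        // cache, so a re-entrant get(node) from inside it builds it again.
        bool included = obj->platformIncludesObject();
        --m_depth;
        AXObject* raw = obj.get();
        m_objects[node] = std::move(obj);
        m_included[node] = included;
        return raw;
    }
    bool isIncluded(Node* node) { get(node); return m_included[node]; }
    bool checkFirstChild() const { return m_checkFirstChild; }
private:
    bool m_checkFirstChild;
    std::size_t m_depthLimit, m_depth = 0;
    std::map<Node*, std::unique_ptr<AXObject>> m_objects;
    std::map<Node*, bool> m_included;
};

AXObject* AXObject::firstChild() const {
    return m_node->children.empty() ? nullptr : m_cache.get(m_node->children.front());
}
AXObject* AXObject::parentObjectUnignored() const {
    for (Node* p = m_node->parent; p; p = p->parent)
        if (m_cache.isIncluded(p)) return m_cache.get(p);
    return nullptr;
}
std::string AXObject::ariaRole() const {
    // Like the "menuitem" branch quoted in the comment: the role depends on the
    // parent, and looking the parent up re-enters the cache.
    if (m_node->ariaRole == "menuitem") {
        AXObject* parent = parentObjectUnignored();
        if (parent && parent->ariaRole() == "group") return "menubutton";
    }
    return m_node->ariaRole;
}
bool AXObject::platformIncludesObject() const {
    if (m_node->ariaRole == "group" && m_cache.checkFirstChild()) {
        AXObject* child = firstChild();            // the call the comment blames
        if (child && child->ariaRole() == "cell") return false;
    }
    return true;
}

// A group with a single menuitem child, matching the case in the comment.
struct Tree {
    Node group, item;
    Tree() { group.ariaRole = "group"; item.ariaRole = "menuitem";
             group.children = {&item}; item.parent = &group; }
};

// false when the depth guard trips, i.e. object creation never terminates.
bool buildTerminates(bool checkFirstChild) {
    Tree t;
    AXCache cache(checkFirstChild);
    try { cache.get(&t.group); } catch (const std::runtime_error&) { return false; }
    return true;
}

// With the check removed, roles still resolve through the parent as intended.
std::string resolvedItemRole() {
    Tree t;
    AXCache cache(false);
    return cache.get(&t.item)->ariaRole();   // "menubutton"
}
```

With the first-child check enabled the build never terminates and the guard trips; with it disabled, matching the removal the comment proposes, the tree builds and the menuitem still maps to menubutton through its parent. The depth guard is only a diagnostic for the model; the structural fix is not to call back into the cache from a step that runs before the object being created has been cached.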