[Webkit-unassigned] [Bug 163999] New: AX: WebView crashes app after opening VoiceOver context box menu from modal dialog

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Tue Oct 25 17:29:56 PDT 2016 

https://bugs.webkit.org/show_bug.cgi?id=163999

            Bug ID: 163999
           Summary: AX: WebView crashes app after opening VoiceOver
                    context box menu from modal dialog
    Classification: Unclassified
           Product: WebKit
           Version: WebKit Nightly Build
          Hardware: All
                OS: All
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: Accessibility
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: dasau at microsoft.com
                CC: webkit-bug-importer at group.apple.com

If WebView is hosted inside a modal dialog, a user with voiceover can try to use control + option + shift + M to open the context box menu. The menu never opens, and then after closing the dialog the application crashes. This consistently repros with WebView. It does not repro with WKWebView.

To prevent the crash we just need a nullptr check on m_object. detach is being called before the delayed selector gets performed. If we want the context box menu to show in this scenario, we need to modify the performSelector to still occur while modal dialog is running.

Something like this would fix both issues:
[self performSelector:@selector(accessibilityShowContextMenu) withObject:nil afterDelay:0.0 inModes:[NSArray arrayWithObjects: NSDefaultRunLoopMode, NSModalPanelRunLoopMode, nil]];

WebAccessibilityObjectWrapperMac.mm (crashing location m_object is nullptr)
- (void)accessibilityShowContextMenu
{
    Page* page = m_object->page();

#0    0x0000000107007190 in WebCore::AccessibilityObject::page() const at /*/Source/WebCore/accessibility/AccessibilityObject.cpp:1716
#1    0x00000001098b456a in -[WebAccessibilityObjectWrapper accessibilityShowContextMenu] at /*/Source/WebCore/accessibility/mac/WebAccessibilityObjectWrapperMac.mm:3675
#2    0x00007fff8a484ace in __NSFireDelayedPerform ()
#3    0x00007fff95c56b94 in __CFRUNLOOP_IS_CALLING_OUT_TO_A_TIMER_CALLBACK_FUNCTION__ ()
#4    0x00007fff95c56823 in __CFRunLoopDoTimer ()
#5    0x00007fff95c5637a in __CFRunLoopDoTimers ()
#6    0x00007fff95c4d871 in __CFRunLoopRun ()
#7    0x00007fff95c4ced8 in CFRunLoopRunSpecific ()
#8    0x00007fff938cf935 in RunCurrentEventLoopInMode ()
#9    0x00007fff938cf677 in ReceiveNextEventCommon ()
#10    0x00007fff938cf5af in _BlockUntilNextEventMatchingListInModeWithFilter ()
#11    0x00007fff94af1efa in _DPSNextEvent ()
#12    0x00007fff94af132a in -[NSApplication _nextEventMatchingEventMask:untilDate:inMode:dequeue:] ()
#13    0x00007fff94ae5e84 in -[NSApplication run] ()
#14    0x00007fff94aaf46c in NSApplicationMain ()
#15    0x00000001000017d2 in main at
#16    0x00007fff9cea35ad in start ()
#17    0x00007fff9cea35ad in start ()

-- 
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.webkit.org/pipermail/webkit-unassigned/attachments/20161026/a409aa01/attachment-0001.html>

More information about the webkit-unassigned mailing list