<html>
<head>
<base href="https://bugs.webkit.org/" />
</head>
<body><table border="1" cellspacing="0" cellpadding="8">
<tr>
<th>Bug ID</th>
<td><a class="bz_bug_link
bz_status_NEW "
title="NEW - AX: WebView crashes app after opening VoiceOver context box menu from modal dialog"
href="https://bugs.webkit.org/show_bug.cgi?id=163999">163999</a>
</td>
</tr>
<tr>
<th>Summary</th>
<td>AX: WebView crashes app after opening VoiceOver context box menu from modal dialog
</td>
</tr>
<tr>
<th>Classification</th>
<td>Unclassified
</td>
</tr>
<tr>
<th>Product</th>
<td>WebKit
</td>
</tr>
<tr>
<th>Version</th>
<td>WebKit Nightly Build
</td>
</tr>
<tr>
<th>Hardware</th>
<td>All
</td>
</tr>
<tr>
<th>OS</th>
<td>All
</td>
</tr>
<tr>
<th>Status</th>
<td>NEW
</td>
</tr>
<tr>
<th>Severity</th>
<td>Normal
</td>
</tr>
<tr>
<th>Priority</th>
<td>P2
</td>
</tr>
<tr>
<th>Component</th>
<td>Accessibility
</td>
</tr>
<tr>
<th>Assignee</th>
<td>webkit-unassigned@lists.webkit.org
</td>
</tr>
<tr>
<th>Reporter</th>
<td>dasau@microsoft.com
</td>
</tr>
<tr>
<th>CC</th>
<td>webkit-bug-importer@group.apple.com
</td>
</tr></table>
<p>
<div>
<pre>If WebView is hosted inside a modal dialog, a user with voiceover can try to use control + option + shift + M to open the context box menu. The menu never opens, and then after closing the dialog the application crashes. This consistently repros with WebView. It does not repro with WKWebView.
To prevent the crash we just need a nullptr check on m_object. detach is being called before the delayed selector gets performed. If we want the context box menu to show in this scenario, we need to modify the performSelector to still occur while modal dialog is running.
Something like this would fix both issues:
[self performSelector:@selector(accessibilityShowContextMenu) withObject:nil afterDelay:0.0 inModes:[NSArray arrayWithObjects: NSDefaultRunLoopMode, NSModalPanelRunLoopMode, nil]];
WebAccessibilityObjectWrapperMac.mm (crashing location m_object is nullptr)
- (void)accessibilityShowContextMenu
{
Page* page = m_object->page();
#0 0x0000000107007190 in WebCore::AccessibilityObject::page() const at /*/Source/WebCore/accessibility/AccessibilityObject.cpp:1716
#1 0x00000001098b456a in -[WebAccessibilityObjectWrapper accessibilityShowContextMenu] at /*/Source/WebCore/accessibility/mac/WebAccessibilityObjectWrapperMac.mm:3675
#2 0x00007fff8a484ace in __NSFireDelayedPerform ()
#3 0x00007fff95c56b94 in __CFRUNLOOP_IS_CALLING_OUT_TO_A_TIMER_CALLBACK_FUNCTION__ ()
#4 0x00007fff95c56823 in __CFRunLoopDoTimer ()
#5 0x00007fff95c5637a in __CFRunLoopDoTimers ()
#6 0x00007fff95c4d871 in __CFRunLoopRun ()
#7 0x00007fff95c4ced8 in CFRunLoopRunSpecific ()
#8 0x00007fff938cf935 in RunCurrentEventLoopInMode ()
#9 0x00007fff938cf677 in ReceiveNextEventCommon ()
#10 0x00007fff938cf5af in _BlockUntilNextEventMatchingListInModeWithFilter ()
#11 0x00007fff94af1efa in _DPSNextEvent ()
#12 0x00007fff94af132a in -[NSApplication _nextEventMatchingEventMask:untilDate:inMode:dequeue:] ()
#13 0x00007fff94ae5e84 in -[NSApplication run] ()
#14 0x00007fff94aaf46c in NSApplicationMain ()
#15 0x00000001000017d2 in main at
#16 0x00007fff9cea35ad in start ()
#17 0x00007fff9cea35ad in start ()</pre>
</div>
</p>
<hr>
<span>You are receiving this mail because:</span>
<ul>
<li>You are the assignee for the bug.</li>
</ul>
</body>
</html>