- Revision: 294672
- Author: [email protected]
- Date: 2022-05-23 12:52:55 -0700 (Mon, 23 May 2022)
Log Message
Cherry-pick r294186. rdar://problem/93213436
Infinite recursion caused by call to accessibilityIsIgnored in the midst of AccessibilityObject::ignoredFromModalPresence
https://bugs.webkit.org/show_bug.cgi?id=240365
Reviewed by Chris Fleizach.
Source/WebCore:
We can get infinite recursion when accessibilityIsIgnored is called as
part of computing AccessibilityObject::ignoredFromModalPresence. One
example of such a cycle:
AXObjectCache::currentModalNode() ->
AccessibilityRenderObject::computeAccessibilityIsIgnored() ->
AccessibilityRenderObject::parentObjectUnignored() ->
AccessibilityObject::accessibilityIsIgnored() ->
AccessibilityObject::ignoredFromModalPresence() ->
AXObjectCache::currentModalNode() ->
...repeat...
This patch fixes this by tracking when we start computing the current
modal node in the AXObjectCache. Then, in AccessibilityObject::accessibilityIsIgnored(),
we don't call AccessibilityObject::ignoredFromModalPresence() if this new state is true,
since in this context we only need to know if the object is inherently
ignored (i.e. ignored disregarding modal presence).
Test: accessibility/aria-modal-with-text-crash.html
* accessibility/AXObjectCache.cpp:
(WebCore::AXObjectCache::currentModalNode):
* accessibility/AXObjectCache.h:
Add m_isRetrievingCurrentModalNode.
(WebCore::AXObjectCache::isRetrievingCurrentModalNode): Added.
* accessibility/AccessibilityObject.cpp:
(WebCore::AccessibilityObject::accessibilityIsIgnored const):
Don't call ignoredFromModalPresence if we're in the midst of computing the current modal.
LayoutTests:
* accessibility/aria-modal-with-text-crash-expected.txt: Added.
* accessibility/aria-modal-with-text-crash.html: Added.
* platform/glib/TestExpectations: Skip new test.
* platform/ios/TestExpectations: Enable new test.
* platform/win/TestExpectations: Skip new test.
Canonical link: https://commits.webkit.org/250552@main
git-svn-id: https://svn.webkit.org/repository/webkit/trunk@294186 268f45cc-cd09-0410-ab3c-d52691b4dbfc
Diff
Modified: branches/safari-7613.3.1.0-branch/LayoutTests/ChangeLog (294671 => 294672)
--- branches/safari-7613.3.1.0-branch/LayoutTests/ChangeLog 2022-05-23 19:51:12 UTC (rev 294671)
+++ branches/safari-7613.3.1.0-branch/LayoutTests/ChangeLog 2022-05-23 19:52:55 UTC (rev 294672)
@@ -1,5 +1,69 @@
2022-05-23 Alan Coon <[email protected]>
+ Cherry-pick r294186. rdar://problem/93213436
+
+ Infinite recursion caused by call to accessibilityIsIgnored in the midst of AccessibilityObject::ignoredFromModalPresence
+ https://bugs.webkit.org/show_bug.cgi?id=240365
+
+ Reviewed by Chris Fleizach.
+
+ Source/WebCore:
+
+ We can get infinite recursion when accessibilityIsIgnored is called as
+ part of computing AccessibilityObject::ignoredFromModalPresence. One
+ example of such a cycle:
+
+ AXObjectCache::currentModalNode() ->
+ AccessibilityRenderObject::computeAccessibilityIsIgnored() ->
+ AccessibilityRenderObject::parentObjectUnignored() ->
+ AccessibilityObject::accessibilityIsIgnored() ->
+ AccessibilityObject::ignoredFromModalPresence() ->
+ AXObjectCache::currentModalNode() ->
+ ...repeat...
+
+ This patch fixes this by tracking when we start computing the current
+ modal node in the AXObjectCache. Then, in AccessibilityObject::accessibilityIsIgnored(),
+ we don't call AccessibilityObject::ignoredFromModalPresence() if this new state is true,
+ since in this context we only need to know if the object is inherently
+ ignored (i.e. ignored disregarding modal presence).
+
+ Test: accessibility/aria-modal-with-text-crash.html
+
+ * accessibility/AXObjectCache.cpp:
+ (WebCore::AXObjectCache::currentModalNode):
+ * accessibility/AXObjectCache.h:
+ Add m_isRetrievingCurrentModalNode.
+ (WebCore::AXObjectCache::isRetrievingCurrentModalNode): Added.
+ * accessibility/AccessibilityObject.cpp:
+ (WebCore::AccessibilityObject::accessibilityIsIgnored const):
+ Don't call ignoredFromModalPresence if we're in the midst of computing the current modal.
+
+ LayoutTests:
+
+ * accessibility/aria-modal-with-text-crash-expected.txt: Added.
+ * accessibility/aria-modal-with-text-crash.html: Added.
+ * platform/glib/TestExpectations: Skip new test.
+ * platform/ios/TestExpectations: Enable new test.
+ * platform/win/TestExpectations: Skip new test.
+
+ Canonical link: https://commits.webkit.org/250552@main
+ git-svn-id: https://svn.webkit.org/repository/webkit/trunk@294186 268f45cc-cd09-0410-ab3c-d52691b4dbfc
+
+ 2022-05-13 Tyler Wilcock <[email protected]>
+
+ Infinite recursion caused by call to accessibilityIsIgnored in the midst of AccessibilityObject::ignoredFromModalPresence
+ https://bugs.webkit.org/show_bug.cgi?id=240365
+
+ Reviewed by Chris Fleizach.
+
+ * accessibility/aria-modal-with-text-crash-expected.txt: Added.
+ * accessibility/aria-modal-with-text-crash.html: Added.
+ * platform/glib/TestExpectations: Skip new test.
+ * platform/ios/TestExpectations: Enable new test.
+ * platform/win/TestExpectations: Skip new test.
+
+2022-05-23 Alan Coon <[email protected]>
+
Cherry-pick r289713. rdar://problem/93601919
Expose the correct role, subrole and role description properties for the <dialog> element.
Added: branches/safari-7613.3.1.0-branch/LayoutTests/accessibility/aria-modal-with-text-crash-expected.txt (0 => 294672)
--- branches/safari-7613.3.1.0-branch/LayoutTests/accessibility/aria-modal-with-text-crash-expected.txt (rev 0)
+++ branches/safari-7613.3.1.0-branch/LayoutTests/accessibility/aria-modal-with-text-crash-expected.txt 2022-05-23 19:52:55 UTC (rev 294672)
@@ -0,0 +1,10 @@
+This test ensures we don't crash when using search to traverse an aria-modal with text.
+
+
+AXRole: AXStaticText
+AXValue: Foo
+
+PASS successfullyParsed is true
+
+TEST COMPLETE
+Foo
Added: branches/safari-7613.3.1.0-branch/LayoutTests/accessibility/aria-modal-with-text-crash.html (0 => 294672)
--- branches/safari-7613.3.1.0-branch/LayoutTests/accessibility/aria-modal-with-text-crash.html (rev 0)
+++ branches/safari-7613.3.1.0-branch/LayoutTests/accessibility/aria-modal-with-text-crash.html 2022-05-23 19:52:55 UTC (rev 294672)
@@ -0,0 +1,37 @@
+<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML//EN">
+<html>
+<head>
+<script src=""
+<script src=""
+</head>
+<body>
+
+<div id="modal" role="dialog" aria-modal="true">
+ <span>Foo</span>
+</div>
+
+<script>
+ var testOutput = "This test ensures we don't crash when using search to traverse an aria-modal with text.\n\n";
+
+ if (window.accessibilityController) {
+ const modal = accessibilityController.accessibleElementById("modal");
+ let searchResult = null;
+ while (true) {
+ searchResult = modal.uiElementForSearchPredicate(searchResult, true, "AXAnyTypeSearchKey", "", false);
+ if (!searchResult)
+ break;
+ const role = searchResult.role;
+ testOutput += `\n${role}`;
+ if (role.includes("StaticText")) {
+ let textContent = accessibilityController.platformName === "ios" ? searchResult.description : searchResult.stringValue;
+ testOutput += `\n${textContent}`;
+ }
+ testOutput += "\n";
+ }
+ debug(testOutput);
+ }
+</script>
+</body>
+</html>
+
+
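Review bot: The `while (true)` loop in the test script ends only when uiElementForSearchPredicate() returns null, so a regression that keeps returning an element would hang the test until the harness times out instead of failing with readable output. An iteration cap with an explicit failure message would make that case diagnosable. The body is also skipped silently when window.accessibilityController is absent, so a note in the test description that it only runs under the test runner would help anyone opening the file in a browser.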
Modified: branches/safari-7613.3.1.0-branch/LayoutTests/platform/glib/TestExpectations (294671 => 294672)
--- branches/safari-7613.3.1.0-branch/LayoutTests/platform/glib/TestExpectations 2022-05-23 19:51:12 UTC (rev 294671)
+++ branches/safari-7613.3.1.0-branch/LayoutTests/platform/glib/TestExpectations 2022-05-23 19:52:55 UTC (rev 294672)
@@ -304,6 +304,9 @@
# Need to implement AccessibilityUIElement::domIdentifier() for this test to pass after webkit.org/b/234198.
accessibility/focusable-div.html [ Skip ]
+# Missing AccessibilityUIElement::uiElementForSearchPredicate implementation.
+accessibility/aria-modal-with-text-crash.html [ Skip ]
+
accessibility/ignore-modals-without-any-content.html [ Skip ]
webkit.org/b/212805 accessibility/svg-text.html [ Failure ]
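Review bot: The new Skip entry for accessibility/aria-modal-with-text-crash.html carries an explanatory comment but no bug reference, unlike the `webkit.org/b/212805` entry below it and the webkit.org/b/234198 reference in the comment above. Linking a tracking bug for the missing AccessibilityUIElement::uiElementForSearchPredicate implementation would make it easier to re-enable the test once that lands.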
Modified: branches/safari-7613.3.1.0-branch/LayoutTests/platform/ios/TestExpectations (294671 => 294672)
--- branches/safari-7613.3.1.0-branch/LayoutTests/platform/ios/TestExpectations 2022-05-23 19:51:12 UTC (rev 294671)
+++ branches/safari-7613.3.1.0-branch/LayoutTests/platform/ios/TestExpectations 2022-05-23 19:52:55 UTC (rev 294672)
@@ -2107,6 +2107,7 @@
# Enable "aria-table-attributes" test for iOS
webkit.org/b/150366 accessibility/aria-table-attributes.html [ Pass ]
+accessibility/aria-modal-with-text-crash.html [ Pass ]
accessibility/ignore-modals-without-any-content.html [ Pass ]
accessibility/selected-state-changed-notifications.html [ Pass ]
Modified: branches/safari-7613.3.1.0-branch/LayoutTests/platform/win/TestExpectations (294671 => 294672)
--- branches/safari-7613.3.1.0-branch/LayoutTests/platform/win/TestExpectations 2022-05-23 19:51:12 UTC (rev 294671)
+++ branches/safari-7613.3.1.0-branch/LayoutTests/platform/win/TestExpectations 2022-05-23 19:52:55 UTC (rev 294672)
@@ -286,6 +286,9 @@
# AccessibilityUIElement::isInCell().
accessibility/ancestor-computation.html [ Skip ]
+# Missing AccessibilityUIElement::uiElementForSearchPredicate implementation.
+accessibility/aria-modal-with-text-crash.html [ Skip ]
+
accessibility/ignore-modals-without-any-content.html [ Skip ]
# TODO Conic gradients
Modified: branches/safari-7613.3.1.0-branch/Source/WebCore/ChangeLog (294671 => 294672)
--- branches/safari-7613.3.1.0-branch/Source/WebCore/ChangeLog 2022-05-23 19:51:12 UTC (rev 294671)
+++ branches/safari-7613.3.1.0-branch/Source/WebCore/ChangeLog 2022-05-23 19:52:55 UTC (rev 294672)
@@ -1,5 +1,92 @@
2022-05-23 Alan Coon <[email protected]>
+ Cherry-pick r294186. rdar://problem/93213436
+
+ Infinite recursion caused by call to accessibilityIsIgnored in the midst of AccessibilityObject::ignoredFromModalPresence
+ https://bugs.webkit.org/show_bug.cgi?id=240365
+
+ Reviewed by Chris Fleizach.
+
+ Source/WebCore:
+
+ We can get infinite recursion when accessibilityIsIgnored is called as
+ part of computing AccessibilityObject::ignoredFromModalPresence. One
+ example of such a cycle:
+
+ AXObjectCache::currentModalNode() ->
+ AccessibilityRenderObject::computeAccessibilityIsIgnored() ->
+ AccessibilityRenderObject::parentObjectUnignored() ->
+ AccessibilityObject::accessibilityIsIgnored() ->
+ AccessibilityObject::ignoredFromModalPresence() ->
+ AXObjectCache::currentModalNode() ->
+ ...repeat...
+
+ This patch fixes this by tracking when we start computing the current
+ modal node in the AXObjectCache. Then, in AccessibilityObject::accessibilityIsIgnored(),
+ we don't call AccessibilityObject::ignoredFromModalPresence() if this new state is true,
+ since in this context we only need to know if the object is inherently
+ ignored (i.e. ignored disregarding modal presence).
+
+ Test: accessibility/aria-modal-with-text-crash.html
+
+ * accessibility/AXObjectCache.cpp:
+ (WebCore::AXObjectCache::currentModalNode):
+ * accessibility/AXObjectCache.h:
+ Add m_isRetrievingCurrentModalNode.
+ (WebCore::AXObjectCache::isRetrievingCurrentModalNode): Added.
+ * accessibility/AccessibilityObject.cpp:
+ (WebCore::AccessibilityObject::accessibilityIsIgnored const):
+ Don't call ignoredFromModalPresence if we're in the midst of computing the current modal.
+
+ LayoutTests:
+
+ * accessibility/aria-modal-with-text-crash-expected.txt: Added.
+ * accessibility/aria-modal-with-text-crash.html: Added.
+ * platform/glib/TestExpectations: Skip new test.
+ * platform/ios/TestExpectations: Enable new test.
+ * platform/win/TestExpectations: Skip new test.
+
+ Canonical link: https://commits.webkit.org/250552@main
+ git-svn-id: https://svn.webkit.org/repository/webkit/trunk@294186 268f45cc-cd09-0410-ab3c-d52691b4dbfc
+
+ 2022-05-13 Tyler Wilcock <[email protected]>
+
+ Infinite recursion caused by call to accessibilityIsIgnored in the midst of AccessibilityObject::ignoredFromModalPresence
+ https://bugs.webkit.org/show_bug.cgi?id=240365
+
+ Reviewed by Chris Fleizach.
+
+ We can get infinite recursion when accessibilityIsIgnored is called as
+ part of computing AccessibilityObject::ignoredFromModalPresence. One
+ example of such a cycle:
+
+ AXObjectCache::currentModalNode() ->
+ AccessibilityRenderObject::computeAccessibilityIsIgnored() ->
+ AccessibilityRenderObject::parentObjectUnignored() ->
+ AccessibilityObject::accessibilityIsIgnored() ->
+ AccessibilityObject::ignoredFromModalPresence() ->
+ AXObjectCache::currentModalNode() ->
+ ...repeat...
+
+ This patch fixes this by tracking when we start computing the current
+ modal node in the AXObjectCache. Then, in AccessibilityObject::accessibilityIsIgnored(),
+ we don't call AccessibilityObject::ignoredFromModalPresence() if this new state is true,
+ since in this context we only need to know if the object is inherently
+ ignored (i.e. ignored disregarding modal presence).
+
+ Test: accessibility/aria-modal-with-text-crash.html
+
+ * accessibility/AXObjectCache.cpp:
+ (WebCore::AXObjectCache::currentModalNode):
+ * accessibility/AXObjectCache.h:
+ Add m_isRetrievingCurrentModalNode.
+ (WebCore::AXObjectCache::isRetrievingCurrentModalNode): Added.
+ * accessibility/AccessibilityObject.cpp:
+ (WebCore::AccessibilityObject::accessibilityIsIgnored const):
+ Don't call ignoredFromModalPresence if we're in the midst of computing the current modal.
+
+2022-05-23 Alan Coon <[email protected]>
+
Cherry-pick r294280. rdar://problem/87980543
REGRESSION(r249162): CanvasRenderingContext2DBase::drawImage() crashes if the image is animated and the first frame cannot be decoded
Modified: branches/safari-7613.3.1.0-branch/Source/WebCore/accessibility/AXObjectCache.cpp (294671 => 294672)
--- branches/safari-7613.3.1.0-branch/Source/WebCore/accessibility/AXObjectCache.cpp 2022-05-23 19:51:12 UTC (rev 294671)
+++ branches/safari-7613.3.1.0-branch/Source/WebCore/accessibility/AXObjectCache.cpp 2022-05-23 19:52:55 UTC (rev 294672)
@@ -300,6 +300,7 @@
return activeModalDialog;
}
+ SetForScope retrievingCurrentModalNode(m_isRetrievingCurrentModalNode, true);
// If any of the modal nodes contains the keyboard focus, we want to pick that one.
// If not, we want to pick the last visible dialog in the DOM.
RefPtr<Element> focusedElement = document().focusedElement();
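Review bot: The SetForScope guard on m_isRetrievingCurrentModalNode is installed only after the early `return activeModalDialog;` path above it, and nothing at this line says what it protects against. Please add a one-line comment here pointing at the accessibilityIsIgnored() re-entrancy described in the log message, and confirm that the code before this line cannot reach accessibilityIsIgnored(), since that part still runs with the flag false.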
Modified: branches/safari-7613.3.1.0-branch/Source/WebCore/accessibility/AXObjectCache.h (294671 => 294672)
--- branches/safari-7613.3.1.0-branch/Source/WebCore/accessibility/AXObjectCache.h 2022-05-23 19:51:12 UTC (rev 294671)
+++ branches/safari-7613.3.1.0-branch/Source/WebCore/accessibility/AXObjectCache.h 2022-05-23 19:52:55 UTC (rev 294672)
@@ -192,7 +192,8 @@
void deferMenuListValueChange(Element*);
void handleScrolledToAnchor(const Node* anchorNode);
void handleScrollbarUpdate(ScrollView*);
-
+
+ bool isRetrievingCurrentModalNode() { return m_isRetrievingCurrentModalNode; }
Node* modalNode();
void deferAttributeChangeIfNeeded(const QualifiedName&, Element*);
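Review bot: isRetrievingCurrentModalNode() is a pure getter but is not const-qualified. `bool isRetrievingCurrentModalNode() const { return m_isRetrievingCurrentModalNode; }` would allow calls through a const AXObjectCache and makes it explicit that the accessor has no side effects. The paired `-`/`+` blank lines just above it look like a whitespace-only change and could be dropped from the patch.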
@@ -508,6 +509,7 @@
// If that changes to require only one aria-modal we could change this to a WeakHashSet, or discard the set completely.
ListHashSet<Element*> m_modalElementsSet;
bool m_modalNodesInitialized { false };
+ bool m_isRetrievingCurrentModalNode { false };
Timer m_performCacheUpdateTimer;
Modified: branches/safari-7613.3.1.0-branch/Source/WebCore/accessibility/AccessibilityObject.cpp (294671 => 294672)
--- branches/safari-7613.3.1.0-branch/Source/WebCore/accessibility/AccessibilityObject.cpp 2022-05-23 19:51:12 UTC (rev 294671)
+++ branches/safari-7613.3.1.0-branch/Source/WebCore/accessibility/AccessibilityObject.cpp 2022-05-23 19:52:55 UTC (rev 294672)
@@ -3578,7 +3578,10 @@
}
}
- bool ignored = ignoredFromModalPresence();
+ // If we are in the midst of retrieving the current modal node, we only need to consider whether the object
+ // is inherently ignored via computeAccessibilityIsIgnored. Also, calling ignoredFromModalPresence
+ // in this state would cause infinite recursion.
+ bool ignored = cache && cache->isRetrievingCurrentModalNode() ? false : ignoredFromModalPresence();
if (!ignored)
ignored = computeAccessibilityIsIgnored();
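Review bot: The new `bool ignored = cache && cache->isRetrievingCurrentModalNode() ? false : ignoredFromModalPresence();` line relies on `&&` binding tighter than `?:`, which is correct but easy to misread. Parenthesizing the condition, or writing `bool ignored = !(cache && cache->isRetrievingCurrentModalNode()) && ignoredFromModalPresence();`, states the intent directly. Since the value returned while the flag is set deliberately leaves out modal presence, please also confirm it is not stored anywhere that outlives the currentModalNode() call.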