- Revision
- 295329
- Author
- [email protected]
- Date
- 2022-06-06 22:47:29 -0700 (Mon, 06 Jun 2022)
Log Message
Cherry-pick r294186. rdar://problem/93805727
Infinite recursion caused by call to accessibilityIsIgnored in the midst of AccessibilityObject::ignoredFromModalPresence
https://bugs.webkit.org/show_bug.cgi?id=240365
Reviewed by Chris Fleizach.
Source/WebCore:
We can get infinite recursion when accessibilityIsIgnored is called as
part of computing AccessibilityObject::ignoredFromModalPresence. One
example of such a cycle:
AXObjectCache::currentModalNode() ->
AccessibilityRenderObject::computeAccessibilityIsIgnored() ->
AccessibilityRenderObject::parentObjectUnignored() ->
AccessibilityObject::accessibilityIsIgnored() ->
AccessibilityObject::ignoredFromModalPresence() ->
AXObjectCache::currentModalNode() ->
...repeat...
This patch fixes this by tracking when we start computing the current
modal node in the AXObjectCache. Then, in AccessibilityObject::accessibilityIsIgnored(),
we don't call AccessibilityObject::ignoredFromModalPresence() if this new state is true,
since in this context we only need to know if the object is inherently
ignored (i.e. ignored disregarding modal presence).
Test: accessibility/aria-modal-with-text-crash.html
* accessibility/AXObjectCache.cpp:
(WebCore::AXObjectCache::currentModalNode):
* accessibility/AXObjectCache.h:
Add m_isRetrievingCurrentModalNode.
(WebCore::AXObjectCache::isRetrievingCurrentModalNode): Added.
* accessibility/AccessibilityObject.cpp:
(WebCore::AccessibilityObject::accessibilityIsIgnored const):
Don't call ignoredFromModalPresence if we're in the midst of computing the current modal.
LayoutTests:
* accessibility/aria-modal-with-text-crash-expected.txt: Added.
* accessibility/aria-modal-with-text-crash.html: Added.
* platform/glib/TestExpectations: Skip new test.
* platform/ios/TestExpectations: Enable new test.
* platform/win/TestExpectations: Skip new test.
git-svn-id: https://svn.webkit.org/repository/webkit/trunk@294186 268f45cc-cd09-0410-ab3c-d52691b4dbfc
Modified Paths
Added Paths
Diff
Modified: branches/safari-7614.1.14.10-branch/LayoutTests/ChangeLog (295328 => 295329)
--- branches/safari-7614.1.14.10-branch/LayoutTests/ChangeLog 2022-06-07 05:37:39 UTC (rev 295328)
+++ branches/safari-7614.1.14.10-branch/LayoutTests/ChangeLog 2022-06-07 05:47:29 UTC (rev 295329)
@@ -1,3 +1,67 @@
+2022-06-06 Alan Coon <[email protected]>
+
+ Cherry-pick r294186. rdar://problem/93805727
+
+ Infinite recursion caused by call to accessibilityIsIgnored in the midst of AccessibilityObject::ignoredFromModalPresence
+ https://bugs.webkit.org/show_bug.cgi?id=240365
+
+ Reviewed by Chris Fleizach.
+
+ Source/WebCore:
+
+ We can get infinite recursion when accessibilityIsIgnored is called as
+ part of computing AccessibilityObject::ignoredFromModalPresence. One
+ example of such a cycle:
+
+ AXObjectCache::currentModalNode() ->
+ AccessibilityRenderObject::computeAccessibilityIsIgnored() ->
+ AccessibilityRenderObject::parentObjectUnignored() ->
+ AccessibilityObject::accessibilityIsIgnored() ->
+ AccessibilityObject::ignoredFromModalPresence() ->
+ AXObjectCache::currentModalNode() ->
+ ...repeat...
+
+ This patch fixes this by tracking when we start computing the current
+ modal node in the AXObjectCache. Then, in AccessibilityObject::accessibilityIsIgnored(),
+ we don't call AccessibilityObject::ignoredFromModalPresence() if this new state is true,
+ since in this context we only need to know if the object is inherently
+ ignored (i.e. ignored disregarding modal presence).
+
+ Test: accessibility/aria-modal-with-text-crash.html
+
+ * accessibility/AXObjectCache.cpp:
+ (WebCore::AXObjectCache::currentModalNode):
+ * accessibility/AXObjectCache.h:
+ Add m_isRetrievingCurrentModalNode.
+ (WebCore::AXObjectCache::isRetrievingCurrentModalNode): Added.
+ * accessibility/AccessibilityObject.cpp:
+ (WebCore::AccessibilityObject::accessibilityIsIgnored const):
+ Don't call ignoredFromModalPresence if we're in the midst of computing the current modal.
+
+ LayoutTests:
+
+ * accessibility/aria-modal-with-text-crash-expected.txt: Added.
+ * accessibility/aria-modal-with-text-crash.html: Added.
+ * platform/glib/TestExpectations: Skip new test.
+ * platform/ios/TestExpectations: Enable new test.
+ * platform/win/TestExpectations: Skip new test.
+
+
+ git-svn-id: https://svn.webkit.org/repository/webkit/trunk@294186 268f45cc-cd09-0410-ab3c-d52691b4dbfc
+
+ 2022-05-13 Tyler Wilcock <[email protected]>
+
+ Infinite recursion caused by call to accessibilityIsIgnored in the midst of AccessibilityObject::ignoredFromModalPresence
+ https://bugs.webkit.org/show_bug.cgi?id=240365
+
+ Reviewed by Chris Fleizach.
+
+ * accessibility/aria-modal-with-text-crash-expected.txt: Added.
+ * accessibility/aria-modal-with-text-crash.html: Added.
+ * platform/glib/TestExpectations: Skip new test.
+ * platform/ios/TestExpectations: Enable new test.
+ * platform/win/TestExpectations: Skip new test.
+
2022-05-12 Russell Epstein <[email protected]>
Cherry-pick r293951. rdar://problem/92635604
Added: branches/safari-7614.1.14.10-branch/LayoutTests/accessibility/aria-modal-with-text-crash-expected.txt (0 => 295329)
--- branches/safari-7614.1.14.10-branch/LayoutTests/accessibility/aria-modal-with-text-crash-expected.txt (rev 0)
+++ branches/safari-7614.1.14.10-branch/LayoutTests/accessibility/aria-modal-with-text-crash-expected.txt 2022-06-07 05:47:29 UTC (rev 295329)
@@ -0,0 +1,10 @@
+This test ensures we don't crash when using search to traverse an aria-modal with text.
+
+
+AXRole: AXStaticText
+AXValue: Foo
+
+PASS successfullyParsed is true
+
+TEST COMPLETE
+Foo
Added: branches/safari-7614.1.14.10-branch/LayoutTests/accessibility/aria-modal-with-text-crash.html (0 => 295329)
--- branches/safari-7614.1.14.10-branch/LayoutTests/accessibility/aria-modal-with-text-crash.html (rev 0)
+++ branches/safari-7614.1.14.10-branch/LayoutTests/accessibility/aria-modal-with-text-crash.html 2022-06-07 05:47:29 UTC (rev 295329)
@@ -0,0 +1,37 @@
+<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML//EN">
+<html>
+<head>
+<script src=""
+<script src=""
+</head>
+<body>
+
+<div id="modal" role="dialog" aria-modal="true">
+ <span>Foo</span>
+</div>
+
+<script>
+ var testOutput = "This test ensures we don't crash when using search to traverse an aria-modal with text.\n\n";
+
+ if (window.accessibilityController) {
+ const modal = accessibilityController.accessibleElementById("modal");
+ let searchResult = null;
+ while (true) {
+ searchResult = modal.uiElementForSearchPredicate(searchResult, true, "AXAnyTypeSearchKey", "", false);
+ if (!searchResult)
+ break;
+ const role = searchResult.role;
+ testOutput += `\n${role}`;
+ if (role.includes("StaticText")) {
+ let textContent = accessibilityController.platformName === "ios" ? searchResult.description : searchResult.stringValue;
+ testOutput += `\n${textContent}`;
+ }
+ testOutput += "\n";
+ }
+ debug(testOutput);
+ }
+</script>
+</body>
+</html>
+
+
Modified: branches/safari-7614.1.14.10-branch/LayoutTests/platform/glib/TestExpectations (295328 => 295329)
--- branches/safari-7614.1.14.10-branch/LayoutTests/platform/glib/TestExpectations 2022-06-07 05:37:39 UTC (rev 295328)
+++ branches/safari-7614.1.14.10-branch/LayoutTests/platform/glib/TestExpectations 2022-06-07 05:47:29 UTC (rev 295329)
@@ -351,6 +351,7 @@
accessibility/text-updates-after-dynamic-change.html [ Skip ]
# Missing AccessibilityUIElement::uiElementForSearchPredicate implementation.
+accessibility/aria-modal-with-text-crash.html [ Skip ]
accessibility/display-contents-search-traversal.html [ Skip ]
accessibility/search-traversal-after-role-change.html [ Skip ]
accessibility/table-search-traversal.html [ Skip ]
Modified: branches/safari-7614.1.14.10-branch/LayoutTests/platform/ios/TestExpectations (295328 => 295329)
--- branches/safari-7614.1.14.10-branch/LayoutTests/platform/ios/TestExpectations 2022-06-07 05:37:39 UTC (rev 295328)
+++ branches/safari-7614.1.14.10-branch/LayoutTests/platform/ios/TestExpectations 2022-06-07 05:47:29 UTC (rev 295329)
@@ -2135,6 +2135,7 @@
# Enable "aria-table-attributes" test for iOS
webkit.org/b/150366 accessibility/aria-table-attributes.html [ Pass ]
+accessibility/aria-modal-with-text-crash.html [ Pass ]
accessibility/display-contents-search-traversal.html [ Pass ]
accessibility/search-traversal-after-role-change.html [ Pass ]
accessibility/table-search-traversal.html [ Pass ]
Modified: branches/safari-7614.1.14.10-branch/LayoutTests/platform/win/TestExpectations (295328 => 295329)
--- branches/safari-7614.1.14.10-branch/LayoutTests/platform/win/TestExpectations 2022-06-07 05:37:39 UTC (rev 295328)
+++ branches/safari-7614.1.14.10-branch/LayoutTests/platform/win/TestExpectations 2022-06-07 05:47:29 UTC (rev 295329)
@@ -483,6 +483,7 @@
accessibility/ancestor-computation.html [ Skip ]
# Missing AccessibilityUIElement::uiElementForSearchPredicate implementation.
+accessibility/aria-modal-with-text-crash.html [ Skip ]
accessibility/display-contents-search-traversal.html [ Skip ]
accessibility/search-traversal-after-role-change.html [ Skip ]
accessibility/table-search-traversal.html [ Skip ]
Modified: branches/safari-7614.1.14.10-branch/Source/WebCore/ChangeLog (295328 => 295329)
--- branches/safari-7614.1.14.10-branch/Source/WebCore/ChangeLog 2022-06-07 05:37:39 UTC (rev 295328)
+++ branches/safari-7614.1.14.10-branch/Source/WebCore/ChangeLog 2022-06-07 05:47:29 UTC (rev 295329)
@@ -1,3 +1,90 @@
+2022-06-06 Alan Coon <[email protected]>
+
+ Cherry-pick r294186. rdar://problem/93805727
+
+ Infinite recursion caused by call to accessibilityIsIgnored in the midst of AccessibilityObject::ignoredFromModalPresence
+ https://bugs.webkit.org/show_bug.cgi?id=240365
+
+ Reviewed by Chris Fleizach.
+
+ Source/WebCore:
+
+ We can get infinite recursion when accessibilityIsIgnored is called as
+ part of computing AccessibilityObject::ignoredFromModalPresence. One
+ example of such a cycle:
+
+ AXObjectCache::currentModalNode() ->
+ AccessibilityRenderObject::computeAccessibilityIsIgnored() ->
+ AccessibilityRenderObject::parentObjectUnignored() ->
+ AccessibilityObject::accessibilityIsIgnored() ->
+ AccessibilityObject::ignoredFromModalPresence() ->
+ AXObjectCache::currentModalNode() ->
+ ...repeat...
+
+ This patch fixes this by tracking when we start computing the current
+ modal node in the AXObjectCache. Then, in AccessibilityObject::accessibilityIsIgnored(),
+ we don't call AccessibilityObject::ignoredFromModalPresence() if this new state is true,
+ since in this context we only need to know if the object is inherently
+ ignored (i.e. ignored disregarding modal presence).
+
+ Test: accessibility/aria-modal-with-text-crash.html
+
+ * accessibility/AXObjectCache.cpp:
+ (WebCore::AXObjectCache::currentModalNode):
+ * accessibility/AXObjectCache.h:
+ Add m_isRetrievingCurrentModalNode.
+ (WebCore::AXObjectCache::isRetrievingCurrentModalNode): Added.
+ * accessibility/AccessibilityObject.cpp:
+ (WebCore::AccessibilityObject::accessibilityIsIgnored const):
+ Don't call ignoredFromModalPresence if we're in the midst of computing the current modal.
+
+ LayoutTests:
+
+ * accessibility/aria-modal-with-text-crash-expected.txt: Added.
+ * accessibility/aria-modal-with-text-crash.html: Added.
+ * platform/glib/TestExpectations: Skip new test.
+ * platform/ios/TestExpectations: Enable new test.
+ * platform/win/TestExpectations: Skip new test.
+
+
+ git-svn-id: https://svn.webkit.org/repository/webkit/trunk@294186 268f45cc-cd09-0410-ab3c-d52691b4dbfc
+
+ 2022-05-13 Tyler Wilcock <[email protected]>
+
+ Infinite recursion caused by call to accessibilityIsIgnored in the midst of AccessibilityObject::ignoredFromModalPresence
+ https://bugs.webkit.org/show_bug.cgi?id=240365
+
+ Reviewed by Chris Fleizach.
+
+ We can get infinite recursion when accessibilityIsIgnored is called as
+ part of computing AccessibilityObject::ignoredFromModalPresence. One
+ example of such a cycle:
+
+ AXObjectCache::currentModalNode() ->
+ AccessibilityRenderObject::computeAccessibilityIsIgnored() ->
+ AccessibilityRenderObject::parentObjectUnignored() ->
+ AccessibilityObject::accessibilityIsIgnored() ->
+ AccessibilityObject::ignoredFromModalPresence() ->
+ AXObjectCache::currentModalNode() ->
+ ...repeat...
+
+ This patch fixes this by tracking when we start computing the current
+ modal node in the AXObjectCache. Then, in AccessibilityObject::accessibilityIsIgnored(),
+ we don't call AccessibilityObject::ignoredFromModalPresence() if this new state is true,
+ since in this context we only need to know if the object is inherently
+ ignored (i.e. ignored disregarding modal presence).
+
+ Test: accessibility/aria-modal-with-text-crash.html
+
+ * accessibility/AXObjectCache.cpp:
+ (WebCore::AXObjectCache::currentModalNode):
+ * accessibility/AXObjectCache.h:
+ Add m_isRetrievingCurrentModalNode.
+ (WebCore::AXObjectCache::isRetrievingCurrentModalNode): Added.
+ * accessibility/AccessibilityObject.cpp:
+ (WebCore::AccessibilityObject::accessibilityIsIgnored const):
+ Don't call ignoredFromModalPresence if we're in the midst of computing the current modal.
+
2022-05-16 Russell Epstein <[email protected]>
Cherry-pick r294264. rdar://problem/93118830
Modified: branches/safari-7614.1.14.10-branch/Source/WebCore/accessibility/AXObjectCache.cpp (295328 => 295329)
--- branches/safari-7614.1.14.10-branch/Source/WebCore/accessibility/AXObjectCache.cpp 2022-06-07 05:37:39 UTC (rev 295328)
+++ branches/safari-7614.1.14.10-branch/Source/WebCore/accessibility/AXObjectCache.cpp 2022-06-07 05:47:29 UTC (rev 295329)
@@ -306,6 +306,7 @@
return activeModalDialog;
}
+ SetForScope retrievingCurrentModalNode(m_isRetrievingCurrentModalNode, true);
// If any of the modal nodes contains the keyboard focus, we want to pick that one.
// If not, we want to pick the last visible dialog in the DOM.
RefPtr<Element> focusedElement = document().focusedElement();
Modified: branches/safari-7614.1.14.10-branch/Source/WebCore/accessibility/AXObjectCache.h (295328 => 295329)
--- branches/safari-7614.1.14.10-branch/Source/WebCore/accessibility/AXObjectCache.h 2022-06-07 05:37:39 UTC (rev 295328)
+++ branches/safari-7614.1.14.10-branch/Source/WebCore/accessibility/AXObjectCache.h 2022-06-07 05:47:29 UTC (rev 295329)
@@ -199,7 +199,8 @@
void deferNodeAddedOrRemoved(Node*);
void handleScrolledToAnchor(const Node* anchorNode);
void handleScrollbarUpdate(ScrollView*);
-
+
+ bool isRetrievingCurrentModalNode() { return m_isRetrievingCurrentModalNode; }
Node* modalNode();
void deferAttributeChangeIfNeeded(const QualifiedName&, Element*);
@@ -516,6 +517,7 @@
// If that changes to require only one aria-modal we could change this to a WeakHashSet, or discard the set completely.
ListHashSet<Element*> m_modalElementsSet;
bool m_modalNodesInitialized { false };
+ bool m_isRetrievingCurrentModalNode { false };
Timer m_performCacheUpdateTimer;
Modified: branches/safari-7614.1.14.10-branch/Source/WebCore/accessibility/AccessibilityObject.cpp (295328 => 295329)
--- branches/safari-7614.1.14.10-branch/Source/WebCore/accessibility/AccessibilityObject.cpp 2022-06-07 05:37:39 UTC (rev 295328)
+++ branches/safari-7614.1.14.10-branch/Source/WebCore/accessibility/AccessibilityObject.cpp 2022-06-07 05:47:29 UTC (rev 295329)
@@ -3746,7 +3746,10 @@
}
}
- bool ignored = ignoredFromModalPresence();
+ // If we are in the midst of retrieving the current modal node, we only need to consider whether the object
+ // is inherently ignored via computeAccessibilityIsIgnored. Also, calling ignoredFromModalPresence
+ // in this state would cause infinite recursion.
+ bool ignored = cache && cache->isRetrievingCurrentModalNode() ? false : ignoredFromModalPresence();
if (!ignored)
ignored = computeAccessibilityIsIgnored();
