Bug 1691930 - Check that FocusedChild is bound to a doc in RecvFocusedChild. r=Jamie

Added an assert in focus manager. Hopefully fuzzers will help us find
cases where the active item is defunct, if that is indeed what is
happening.

Differential Revision: https://phabricator.services.mozilla.com/D109403

accessible/base/FocusManager.cpp

@@ -28,7 +28,14 @@ FocusManager::FocusManager() {}
 FocusManager::~FocusManager() {}
 
 LocalAccessible* FocusManager::FocusedAccessible() const {
-  if (mActiveItem) return mActiveItem;
+  if (mActiveItem) {
+    if (mActiveItem->IsDefunct()) {
+      MOZ_ASSERT_UNREACHABLE("Stored active item is unbound from document");
+      return nullptr;
+    }
+
+    return mActiveItem;
+  }
 
   nsINode* focusedNode = FocusedDOMNode();
   if (focusedNode) {

accessible/ipc/other/DocAccessibleChild.cpp

@@ -1542,6 +1542,11 @@ mozilla::ipc::IPCResult DocAccessibleChild::RecvFocusedChild(
     // document, not just a descendant of the caller's document. Check that it
     // is really a descendant.
     DocAccessible* doc = result->Document();
+    if (!doc) {
+      MOZ_ASSERT_UNREACHABLE("Focused child is unbound from doc.");
+      return IPC_OK();
+    }
+
     while (doc != mDoc) {
       doc = doc->ParentDocument();
       if (!doc) {