From f4238ee721be15e463ecf2e656fe5cbc63e8bb5a Mon Sep 17 00:00:00 2001
From: Eitan Isaacson
Date: Wed, 24 Mar 2021 16:24:47 +0000
Subject: [PATCH] Bug 1691930 - Check that FocusedChild is bound to a doc in RecvFocusedChild. r=Jamie

Added an assert in focus manager. Hopefully fuzzers will help us find cases where the active item is defunct, if that is indeed what is happening.

Differential Revision: https://phabricator.services.mozilla.com/D109403
---
 accessible/base/FocusManager.cpp | 9 ++++++++-
 accessible/ipc/other/DocAccessibleChild.cpp | 5 +++++
 2 files changed, 13 insertions(+), 1 deletion(-)

diff --git a/accessible/base/FocusManager.cpp b/accessible/base/FocusManager.cpp
index 4b3064fa5731..497a7e91f3ec 100644
--- a/accessible/base/FocusManager.cpp
+++ b/accessible/base/FocusManager.cpp
@@ -28,7 +28,14 @@ FocusManager::FocusManager() {}
 FocusManager::~FocusManager() {}
 LocalAccessible* FocusManager::FocusedAccessible() const {
- if (mActiveItem) return mActiveItem;
+ if (mActiveItem) {
+ if (mActiveItem->IsDefunct()) {
+ MOZ_ASSERT_UNREACHABLE("Stored active item is unbound from document");
+ return nullptr;
+ }
+
+ return mActiveItem;
+ }
 nsINode* focusedNode = FocusedDOMNode();
 if (focusedNode) {
diff --git a/accessible/ipc/other/DocAccessibleChild.cpp b/accessible/ipc/other/DocAccessibleChild.cpp
index 482e843ccd93..c80e3948029b 100644
--- a/accessible/ipc/other/DocAccessibleChild.cpp
+++ b/accessible/ipc/other/DocAccessibleChild.cpp
@@ -1542,6 +1542,11 @@ mozilla::ipc::IPCResult DocAccessibleChild::RecvFocusedChild(
 // document, not just a descendant of the caller's document. Check that it
 // is really a descendant.
 DocAccessible* doc = result->Document();
+ if (!doc) {
+ MOZ_ASSERT_UNREACHABLE("Focused child is unbound from doc.");
+ return IPC_OK();
+ }
+
 while (doc != mDoc) {
 doc = doc->ParentDocument();
 if (!doc) {
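Review bot: The `return nullptr;` added for the defunct case in FocusedAccessible() turns a debug-only assertion into a release-build behaviour change: MOZ_ASSERT_UNREACHABLE compiles out in non-debug builds, so a stale mActiveItem now makes the function report no focus at all instead of continuing to the FocusedDOMNode() lookup that follows in the same function. Falling through keeps a best-effort answer while still flagging the stale item in debug builds, e.g. `if (mActiveItem && !mActiveItem->IsDefunct()) return mActiveItem;` followed by `MOZ_ASSERT(!mActiveItem, "Stored active item is unbound from document");`. The check also only helps when the defunct object is still alive: mActiveItem's declaration is outside the hunk, and if it can point at an already-destroyed LocalAccessible then calling IsDefunct() on it is itself a use-after-free, so whatever clears mActiveItem at shutdown remains the real guarantee and deserves a comment here. FocusedAccessible()'s body continues past the end of the hunk.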
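Review bot: The early `return IPC_OK();` in RecvFocusedChild leaves the reply's out-parameters at whatever they held before this point, and since the function's signature and the start of its body are outside the hunk it is not visible whether they were initialized before the `Document()` call. If they are only written on the success path further down, the parent process receives indeterminate values for this message; a comment at the early return such as `// Out-params were reset above; reply as "no focused child".`, or an explicit reset there, would make the contract visible. The loop that follows appears to already treat a null `ParentDocument()` as the failure case, so the new null check is consistent with it.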