-
Kurt Catti-Schmidt authored
This change adds a nullptr check in GetFragmentRootParentOf. AXFragmentRootMapWin maps from HWND to fragment root, and it was assumed that an existing fragment root with a valid HWND will always have its child delegate available via GetChildNodeDelegate. However, this bug demonstrates that this assumption is incorrect. gets called during the destruction of any WebContents while the HWND is still valid. In the repro case I found, ToolbarActionView::UpdateState initiates a layout during tab restore, which ends up firing accessiblity events, which end up doing tree traversal and hit this crash. A unit test was added that reproduces this specific scenario and which crashes without the nullptr check. RenderWidgetHostImpl: :DetachDelegate will get us in this state, and it Bug: 1021633 Change-Id: I344651844f093b81f7b8fbdfade54f1c7bd029f3 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1900095 Commit-Queue: Kurt Catti-Schmidt <kschmi@microsoft.com> Reviewed-by:
Kevin Babbitt <kbabbitt@microsoft.com> Cr-Commit-Position: refs/heads/master@{#712798}
b4e3d2e4
