Null check before dereferencing the return of GetOrCreate(LayoutObject*)

GetOrCreate(LayoutObject*) can return nullptr if the node is an area element. Added null check. Bug: 996451 Change-Id: Id94b88dcdd521b98abdc24cd17e907801b79ae7b Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1774828Reviewed-by: Kevin Babbitt <kbabbitt@microsoft.com> Reviewed-by: Aaron Leventhal <aleventhal@chromium.org> Commit-Queue: Jacques Newman <janewman@microsoft.com> Cr-Commit-Position: refs/heads/master@{#691814}

Null check before dereferencing the return of GetOrCreate(LayoutObject*)
GetOrCreate(LayoutObject*) can return nullptr if the node is an area element. Added null check. Bug: 996451 Change-Id: Id94b88dcdd521b98abdc24cd17e907801b79ae7b Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1774828Reviewed-by: Kevin Babbitt <kbabbitt@microsoft.com> Reviewed-by: Aaron Leventhal <aleventhal@chromium.org> Commit-Queue: Jacques Newman <janewman@microsoft.com> Cr-Commit-Position: refs/heads/master@{#691814}
87247c95 · Jacques Newman · Commit Bot · 2ad77913 · 87247c95 · 87247c95
Commit 87247c95 authored Aug 29, 2019 by Jacques Newman Committed by Commit Bot Aug 29, 2019
4 changed files
--- a/content/browser/accessibility/dump_accessibility_tree_browsertest.cc
+++ b/content/browser/accessibility/dump_accessibility_tree_browsertest.cc
@@ -311,6 +311,10 @@ IN_PROC_BROWSER_TEST_P(DumpAccessibilityTreeTest, AccessibilityArea) {
  RunHtmlTest(FILE_PATH_LITERAL("area.html"));
 }
+IN_PROC_BROWSER_TEST_P(DumpAccessibilityTreeTest, AccessibilityAreaCrash) {
+  RunHtmlTest(FILE_PATH_LITERAL("area-crash.html"));
+}
 IN_PROC_BROWSER_TEST_P(DumpAccessibilityTreeTest, AccessibilityAName) {
  RunHtmlTest(FILE_PATH_LITERAL("a-name.html"));
 }

--- a/content/test/data/accessibility/html/area-crash-expected-blink.txt
+++ b/content/test/data/accessibility/html/area-crash-expected-blink.txt
+rootWebArea
++genericContainer
++++link name='foo'
++++++staticText name='foo'
++++++++inlineTextBox name='foo'
++++staticText name=' '
++++++inlineTextBox name=' '
++++staticText name='done'
++++++inlineTextBox name='done'
--- a/content/test/data/accessibility/html/area-crash.html
+++ b/content/test/data/accessibility/html/area-crash.html
+<!--
+  @WAIT-FOR:done
+This is a regression test for a bug that crashes when determining if an area is
+a descendant of an anchor.
+-->
+<html>
+<script>
+  window.onload = () => {
+    document.getElementById('area').textContent = "foo";
+    document.body.appendChild(document.createTextNode("done"));
+  };
+</script>
+<body>
+  <area id='area'/>
+</body>
\ No newline at end of file
--- a/third_party/blink/renderer/modules/accessibility/ax_layout_object.cc
+++ b/third_party/blink/renderer/modules/accessibility/ax_layout_object.cc
@@ -2187,10 +2187,14 @@ Element* AXLayoutObject::AnchorElement() const {
  if (!node)
    return nullptr;
  for (Node& runner : NodeTraversal::InclusiveAncestorsOf(*node)) {
-    if (IsA<HTMLAnchorElement>(runner) ||
+    if (IsA<HTMLAnchorElement>(runner))
-        (runner.GetLayoutObject() &&
-         cache.GetOrCreate(runner.GetLayoutObject())->IsAnchor()))
      return To<Element>(&runner);
+    if (LayoutObject* layout_object = runner.GetLayoutObject()) {
+      AXObject* ax_object = cache.GetOrCreate(layout_object);
+      if (ax_object && ax_object->IsAnchor())
+        return To<Element>(&runner);
+    }
  }
  return nullptr;