Don't run AXRelationCache::Init until layout is clean.

The regression test is odd but it's the smallest repro I could come up
with based on ClusterFuzz.

Bug: 1149132
Change-Id: I09fbb35c7cbdd47a14d9f68a6268285d193844cd
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2559806
Commit-Queue: Dominic Mazzoni <dmazzoni@chromium.org>
Reviewed-by: Aaron Leventhal <aleventhal@chromium.org>
Cr-Commit-Position: refs/heads/master@{#831126}

third_party/blink/renderer/modules/accessibility/ax_object_cache_impl.cc

@@ -148,10 +148,6 @@ AXObjectCacheImpl::AXObjectCacheImpl(Document& document)
     AddPermissionStatusListener();
   documents_.insert(&document);
   use_ax_menu_list_ = GetSettings()->GetUseAXMenuList();
-
-  // Perform last, to ensure AXObjectCacheImpl() is fully set up, as
-  // AXRelationCache() sometimes calls back into AXObjectCacheImpl.
-  relation_cache_->Init();
 }
 
 AXObjectCacheImpl::~AXObjectCacheImpl() {

third_party/blink/renderer/modules/accessibility/ax_relation_cache.cc

@@ -15,7 +15,7 @@ AXRelationCache::AXRelationCache(AXObjectCacheImpl* object_cache)
 
 AXRelationCache::~AXRelationCache() = default;
 
-void AXRelationCache::Init() {
+void AXRelationCache::DoInitialDocumentScan() {
   // Init the relation cache with elements already in the document.
   Document& document = object_cache_->GetDocument();
   for (Element& element :
@@ -34,9 +34,14 @@ void AXRelationCache::Init() {
       }
     }
   }
+
+  initialized_ = true;
 }
 
 void AXRelationCache::ProcessUpdatesWithCleanLayout() {
+  if (!initialized_)
+    DoInitialDocumentScan();
+
   for (AXID aria_owns_obj_id : owner_ids_to_update_) {
     AXObject* obj = ObjectFromAXID(aria_owns_obj_id);
     if (obj)

third_party/blink/renderer/modules/accessibility/ax_relation_cache.h

@@ -26,9 +26,6 @@ class AXRelationCache {
   // Safe to call at any time. Doesn't make any changes to the tree.
   //
 
-  // Scan the initial document.
-  void Init();
-
   // Returns true if the given object's position in the tree was due to
   // aria-owns.
   bool IsAriaOwned(const AXObject*) const;
@@ -108,6 +105,10 @@ class AXRelationCache {
       AXObject* owner,
       HeapVector<Member<AXObject>>& validated_owned_children_result);
 
+  // Whether the document has been scanned for initial relationships
+  // first or not.
+  bool initialized_ = false;
+
   WeakPersistent<AXObjectCacheImpl> object_cache_;
 
   // Map from the AXID of the owner to the AXIDs of the children.
@@ -148,6 +149,10 @@ class AXRelationCache {
   AXObject* Get(Node*);
   void ChildrenChanged(AXObject*);
 
+  // Do an initial scan of the document to find any relationships.
+  // We'll catch any subsequent ones when attributes change.
+  void DoInitialDocumentScan();
+
   DISALLOW_COPY_AND_ASSIGN(AXRelationCache);
 };
 

third_party/blink/web_tests/accessibility/aria-owns-crash.html

+<!DOCTYPE HTML>
+<script src="../resources/testharness.js"></script>
+<script src="../resources/testharnessreport.js"></script>
+
+<dialog>
+  <div aria-owns=>
+    <style>
+      .arbitraryClassName { }
+    </style>
+  </div>
+</dialog>
+
+<script>
+async_test((t) => {
+    let child = document.createElement('div');
+    child.id = 'foo';
+    document.body.appendChild(child);
+
+    setTimeout(() => {
+        document.styleSheets[0].deleteRule(0);
+        document.replaceChild(child, document.documentElement);
+        t.done();
+    });
+}, "Regression test for aria-owns related crash in AXRelationCache::Init");
+
+</script>