browser_accessibility_fuzzer: Add some tree updates

This increases coverage somewhat, though there's still a ways to go.

Bug: 1009106
Change-Id: Ia569e7b3630380a5f0abb2401b180550dd321328
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1865425Reviewed-by: Max Moroz <mmoroz@chromium.org>
Reviewed-by: Dominic Mazzoni <dmazzoni@chromium.org>
Commit-Queue: Leonard Grey <lgrey@chromium.org>
Cr-Commit-Position: refs/heads/master@{#707071}

content/test/fuzzer/browser_accessibility_fuzzer.cc

@@ -4,6 +4,7 @@
 
 #include <fuzzer/FuzzedDataProvider.h>
 
+#include "base/at_exit.h"
 #include "content/browser/accessibility/browser_accessibility.h"
 #include "content/browser/accessibility/browser_accessibility_manager.h"
 #include "content/browser/accessibility/one_shot_accessibility_tree_search.h"
@@ -61,6 +62,8 @@ void AddStates(FuzzedDataProvider& fdp, ui::AXNodeData* node) {
 // the fuzz input. Once the tree is constructed, fuzz by calling some
 // functions that walk the tree in various ways to ensure they don't crash.
 extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
+  base::AtExitManager at_exit;
+
   FuzzedDataProvider fdp(data, size);
 
   // The tree structure is always the same, only the data changes.
@@ -77,6 +80,8 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
   ui::AXTreeID parent_tree_id = ui::AXTreeID::CreateNewAXTreeID();
   ui::AXTreeID child_tree_id = ui::AXTreeID::CreateNewAXTreeID();
 
+  const int num_nodes = 10;
+
   ui::AXTreeUpdate tree;
   tree.root_id = 1;
   tree.tree_data.tree_id = parent_tree_id;
@@ -103,17 +108,17 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
   tree.nodes[3].child_ids = {9, 10};
   AddStates(fdp, &tree.nodes[3]);
 
-  for (int i = 4; i < 10; i++) {
+  for (int i = 4; i < num_nodes; i++) {
     tree.nodes[i].id = i + 1;
     tree.nodes[i].role = GetInterestingRole(fdp);
     AddStates(fdp, &tree.nodes[i]);
   }
 
-  for (int i = 0; i < 10; i++)
+  for (int i = 0; i < num_nodes; i++)
     tree.nodes[i].SetName(fdp.ConsumeRandomLengthString(5));
 
   // Optionally, embed the child tree in the parent tree.
-  int embedder_node = fdp.ConsumeIntegralInRange(0, 10);
+  int embedder_node = fdp.ConsumeIntegralInRange(0, num_nodes);
   if (embedder_node > 0)
     tree.nodes[embedder_node - 1].AddStringAttribute(
         ax::mojom::StringAttribute::kChildTreeId, child_tree_id.ToString());
@@ -173,6 +178,24 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
   // This is just to ensure that none of the above code gets optimized away.
   CHECK_NE(0U, results.size());
 
+  // Add a node, possibly clearing old children.
+  int node_id = num_nodes + 1;
+  int parent = fdp.ConsumeIntegralInRange(0, num_nodes);
+
+  ui::AXTreeUpdate update;
+  update.nodes.resize(2);
+  update.nodes[0].id = parent;
+  update.nodes[0].child_ids = {node_id};
+  update.nodes[1].id = node_id;
+  update.nodes[1].role = GetInterestingRole(fdp);
+  AddStates(fdp, &update.nodes[1]);
+
+  AXEventNotificationDetails notification;
+  notification.updates.resize(1);
+  notification.updates[0] = update;
+
+  CHECK(manager->OnAccessibilityEvents(notification));
+
   return 0;
 }