Bug 1564542: Add a dummy implementation of Bounds() on DocProxyAccessibleWrap/RemoteIframeDocProxyAccessibleWrap to prevent crashes when hit testing via XPCOM. a=RyanVM
authorJames Teh <jteh@mozilla.com>
Wed, 17 Jul 2019 18:43:40 +0300
changeset 544665 524bbb009aa8b0956b0790b915d88ffda43fc6f3
parent 544664 8fc282145f2eac7067e60a2827f46a57636fa08d
child 544666 07d0601ce1716b9f1d425a9d1b469eddd5410165
push id2131
push userffxbld-merge
push dateMon, 26 Aug 2019 18:30:20 +0000
treeherdermozilla-release@b19ffb3ca153 [default view] [failures only]
perfherder[talos] [build metrics] [platform microbench] (compared to previous push)
reviewersRyanVM
bugs1564542
milestone69.0
Bug 1564542: Add a dummy implementation of Bounds() on DocProxyAccessibleWrap/RemoteIframeDocProxyAccessibleWrap to prevent crashes when hit testing via XPCOM. a=RyanVM OuterDocAccessible can return a DocProxyAccessibleWrap or RemoteIframeDocProxyAccessibleWrap as a child. Accessible::ChildAtPoint on an ancestor might retrieve this proxy and call Bounds() on it. This will crash on a proxy, so we override it on these document proxies to do nothing. Differential Revision: https://phabricator.services.mozilla.com//D38256
accessible/windows/ProxyWrappers.h
--- a/accessible/windows/ProxyWrappers.h
+++ b/accessible/windows/ProxyWrappers.h
@@ -59,16 +59,24 @@ class DocProxyAccessibleWrap : public Hy
   void AddID(uint32_t aID, AccessibleWrap* aAcc) {
     mIDToAccessibleMap.Put(aID, aAcc);
   }
   void RemoveID(uint32_t aID) { mIDToAccessibleMap.Remove(aID); }
   AccessibleWrap* GetAccessibleByID(uint32_t aID) const {
     return mIDToAccessibleMap.Get(aID);
   }
 
+  virtual nsIntRect Bounds() const override {
+    // OuterDocAccessible can return a DocProxyAccessibleWrap as a child.
+    // Accessible::ChildAtPoint on an ancestor might retrieve this proxy and
+    // call Bounds() on it. This will crash on a proxy, so we override it to do
+    // nothing here.
+    return nsIntRect();
+  }
+
  private:
   /*
    * This provides a mapping from 32 bit id to accessible objects.
    */
   nsDataHashtable<nsUint32HashKey, AccessibleWrap*> mIDToAccessibleMap;
 };
 
 template <typename T>
@@ -100,16 +108,24 @@ class RemoteIframeDocProxyAccessibleWrap
     mCOMProxy = nullptr;
   }
 
   virtual void GetNativeInterface(void** aOutAccessible) override {
     RefPtr<IDispatch> addRefed = mCOMProxy;
     addRefed.forget(aOutAccessible);
   }
 
+  virtual nsIntRect Bounds() const override {
+    // OuterDocAccessible can return a RemoteIframeDocProxyAccessibleWrap as a
+    // child. Accessible::ChildAtPoint on an ancestor might retrieve this proxy
+    // and call Bounds() on it. This will crash on a proxy, so we override it
+    // to do nothing here.
+    return nsIntRect();
+  }
+
  private:
   RefPtr<IDispatch> mCOMProxy;
 };
 
 }  // namespace a11y
 }  // namespace mozilla
 
 #endif