Bug 208867

Summary: Crash in RenderMenuList::didUpdateActiveOption.
Product: WebKit Reporter: Andres Gonzalez <andresg_22>
Component: New BugsAssignee: Andres Gonzalez <andresg_22>
Status: RESOLVED FIXED    
Severity: Normal CC: aboxhall, apinheiro, cdumez, cfleizach, darin, dmazzoni, esprehn+autocc, ews-watchlist, glenn, jcraig, jdiggs, kondapallykalyan, mifenton, pdr, samuel_white, sam
Priority: P2 Keywords: InRadar
Version: WebKit Nightly Build   
Hardware: Unspecified   
OS: Unspecified   
Attachments:
Description Flags
Patch
none
Patch
none
Patch none

Description Andres Gonzalez 2020-03-10 09:45:18 PDT 
Crash in RenderMenuList::didUpdateActiveOption.
Comment 1 Andres Gonzalez 2020-03-10 09:54:49 PDT 
Created attachment 393162 [details]
Patch
Comment 2 Andres Gonzalez 2020-03-10 09:58:30 PDT 
<rdar://problem/60035390>
Comment 3 chris fleizach 2020-03-10 09:59:36 PDT 
Comment on attachment 393162 [details]
Patch

Can we add a test?
Comment 4 Sam Weinig 2020-03-10 11:05:03 PDT 
Comment on attachment 393162 [details]
Patch

Needs a test.
Comment 5 Darin Adler 2020-03-16 13:21:05 PDT 
Comment on attachment 393162 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=393162&action=review

> Source/WebCore/rendering/RenderMenuList.cpp:428
> -    if (auto* menuList = downcast<AccessibilityMenuList>(axCache->get(this)))
> -        menuList->didUpdateActiveOption(optionIndex);
> +    if (auto* axObject = axCache->get(this)) {
> +        if (!is<AccessibilityMenuList>(*axObject))
> +            return;
> +
> +        downcast<AccessibilityMenuList>(*axObject).didUpdateActiveOption(optionIndex);
> +    }

More elegant way to write this taking advantage of the null checking built into is<>:

    auto* axObject = axCache->get(this);
    if (is<AccessibiltyMenuList>(axObject))
        downcast<AccessibilityMenuList>(*axObject).didUpdateActiveOption(optionIndex);
Comment 6 Andres Gonzalez 2020-04-02 14:46:32 PDT 
Created attachment 395303 [details]
Patch
Comment 7 Andres Gonzalez 2020-04-02 14:48:58 PDT 
(In reply to Darin Adler from comment #5)
> Comment on attachment 393162 [details]
> Patch
> 
> View in context:
> https://bugs.webkit.org/attachment.cgi?id=393162&action=review
> 
> > Source/WebCore/rendering/RenderMenuList.cpp:428
> > -    if (auto* menuList = downcast<AccessibilityMenuList>(axCache->get(this)))
> > -        menuList->didUpdateActiveOption(optionIndex);
> > +    if (auto* axObject = axCache->get(this)) {
> > +        if (!is<AccessibilityMenuList>(*axObject))
> > +            return;
> > +
> > +        downcast<AccessibilityMenuList>(*axObject).didUpdateActiveOption(optionIndex);
> > +    }
> 
> More elegant way to write this taking advantage of the null checking built
> into is<>:
> 
>     auto* axObject = axCache->get(this);
>     if (is<AccessibiltyMenuList>(axObject))
>        
> downcast<AccessibilityMenuList>(*axObject).
> didUpdateActiveOption(optionIndex);

Done. Thanks!
Comment 8 Andres Gonzalez 2020-04-02 16:27:26 PDT 
Created attachment 395319 [details]
Patch
Comment 9 EWS 2020-04-02 18:51:22 PDT 
Committed r259438: <https://trac.webkit.org/changeset/259438>

All reviewed patches have been landed. Closing bug and clearing flags on attachment 395319 [details].