Bug 208867 - Crash in RenderMenuList::didUpdateActiveOption.
Summary: Crash in RenderMenuList::didUpdateActiveOption.
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: New Bugs (show other bugs)
Version: WebKit Nightly Build
Hardware: Unspecified Unspecified
: P2 Normal
Assignee: Andres Gonzalez
URL:
Keywords: InRadar
Depends on:
Blocks:
 
Reported: 2020-03-10 09:45 PDT by Andres Gonzalez
Modified: 2020-04-02 18:51 PDT (History)
16 users (show)

See Also:

Attachments
Patch (1.65 KB, patch)
2020-03-10 09:54 PDT, Andres Gonzalez 		no flags Details | Formatted Diff | Diff
Patch (7.01 KB, patch)
2020-04-02 14:46 PDT, Andres Gonzalez 		no flags Details | Formatted Diff | Diff
Patch (7.06 KB, patch)
2020-04-02 16:27 PDT, Andres Gonzalez 		no flags Details | Formatted Diff | Diff
Show Obsolete (2) View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Andres Gonzalez 2020-03-10 09:45:18 PDT 
Crash in RenderMenuList::didUpdateActiveOption.
Comment 1 Andres Gonzalez 2020-03-10 09:54:49 PDT 
Created attachment 393162 [details]
Patch
Comment 2 Andres Gonzalez 2020-03-10 09:58:30 PDT 
<rdar://problem/60035390>
Comment 3 chris fleizach 2020-03-10 09:59:36 PDT 
Comment on attachment 393162 [details]
Patch

Can we add a test?
Comment 4 Sam Weinig 2020-03-10 11:05:03 PDT 
Comment on attachment 393162 [details]
Patch

Needs a test.
Comment 5 Darin Adler 2020-03-16 13:21:05 PDT 
Comment on attachment 393162 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=393162&action=review

> Source/WebCore/rendering/RenderMenuList.cpp:428
> -    if (auto* menuList = downcast<AccessibilityMenuList>(axCache->get(this)))
> -        menuList->didUpdateActiveOption(optionIndex);
> +    if (auto* axObject = axCache->get(this)) {
> +        if (!is<AccessibilityMenuList>(*axObject))
> +            return;
> +
> +        downcast<AccessibilityMenuList>(*axObject).didUpdateActiveOption(optionIndex);
> +    }

More elegant way to write this taking advantage of the null checking built into is<>:

    auto* axObject = axCache->get(this);
    if (is<AccessibiltyMenuList>(axObject))
        downcast<AccessibilityMenuList>(*axObject).didUpdateActiveOption(optionIndex);
Comment 6 Andres Gonzalez 2020-04-02 14:46:32 PDT 
Created attachment 395303 [details]
Patch
Comment 7 Andres Gonzalez 2020-04-02 14:48:58 PDT 
(In reply to Darin Adler from comment #5)
> Comment on attachment 393162 [details]
> Patch
> 
> View in context:
> https://bugs.webkit.org/attachment.cgi?id=393162&action=review
> 
> > Source/WebCore/rendering/RenderMenuList.cpp:428
> > -    if (auto* menuList = downcast<AccessibilityMenuList>(axCache->get(this)))
> > -        menuList->didUpdateActiveOption(optionIndex);
> > +    if (auto* axObject = axCache->get(this)) {
> > +        if (!is<AccessibilityMenuList>(*axObject))
> > +            return;
> > +
> > +        downcast<AccessibilityMenuList>(*axObject).didUpdateActiveOption(optionIndex);
> > +    }
> 
> More elegant way to write this taking advantage of the null checking built
> into is<>:
> 
>     auto* axObject = axCache->get(this);
>     if (is<AccessibiltyMenuList>(axObject))
>        
> downcast<AccessibilityMenuList>(*axObject).
> didUpdateActiveOption(optionIndex);

Done. Thanks!
Comment 8 Andres Gonzalez 2020-04-02 16:27:26 PDT 
Created attachment 395319 [details]
Patch
Comment 9 EWS 2020-04-02 18:51:22 PDT 
Committed r259438: <https://trac.webkit.org/changeset/259438>

All reviewed patches have been landed. Closing bug and clearing flags on attachment 395319 [details].