Fix a possible renderer hang due to an WebAccessibilityObject becoming invalid.

content/renderer/renderer_accessibility.cc

 // Copyright (c) 2011 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "base/command_line.h"
 #include "content/common/view_messages.h"
 #include "content/public/common/content_switches.h"
 #include "content/renderer/render_view_impl.h"
 #include "content/renderer/renderer_accessibility.h"
 #include "third_party/WebKit/Source/WebKit/chromium/public/WebAccessibilityObject.h"
@@ skipping 195 matching lines @@
 
   // Send all pending accessibility notifications.
   std::vector<ViewHostMsg_AccessibilityNotification_Params> notifications;
   for (size_t i = 0; i < pending_notifications_.size(); ++i) {
     Notification& notification = pending_notifications_[i];
 
     bool includes_children = ShouldIncludeChildren(notification);
     WebAccessibilityObject obj = document.accessibilityObjectFromID(
         notification.id);
 
-    if (!obj.isValid()) {
-#ifndef NDEBUG
-      if (logging_)
-        LOG(WARNING) << "Got notification on invalid object id " << obj.axID();
-#endif
-      continue;
-    }
-
     // The browser may not have this object yet, for example if we get a
     // notification on an object that was recently added, or if we get a
     // notification on a node before the page has loaded. Work our way
     // up the parent chain until we find a node the browser has, or until
     // we reach the root.
     int root_id = document.accessibilityObject().axID();
     while (browser_id_map_.find(obj.axID()) == browser_id_map_.end() &&
+           obj.isValid() &&
            obj.axID() != root_id) {
       obj = obj.parentObject();
       includes_children = true;
       if (notification.type ==
           WebKit::WebAccessibilityNotificationChildrenChanged) {
         notification.id = obj.axID();
       }
     }
 
+    if (!obj.isValid()) {
+#ifndef NDEBUG
+      if (logging_)
+        LOG(WARNING) << "Got notification on object that is invalid or has"
+                     << " invalid ancestor. Id: " << obj.axID();
+#endif
+      continue;
+    }
+
     // Another potential problem is that this notification may be on an
     // object that is detached from the tree. Determine if this node is not a
     // child of its parent, and if so move the notification to the parent.
     // TODO(dmazzoni): see if this can be removed after
     // https://bugs.webkit.org/show_bug.cgi?id=68466 is fixed.
     if (obj.axID() != root_id) {
       WebAccessibilityObject parent = obj.parentObject();
-      while (!parent.isNull() && parent.accessibilityIsIgnored())
+      while (!parent.isNull() &&
+             parent.isValid() &&
+             parent.accessibilityIsIgnored()) {
         parent = parent.parentObject();
-      if (parent.isNull()) {
+      }
+
+      if (parent.isNull() || !parent.isValid()) {
         NOTREACHED();
+        continue;
       }
       bool is_child_of_parent = false;
       for (unsigned int i = 0; i < parent.childCount(); ++i) {
         if (parent.childAt(i).equals(obj)) {
           is_child_of_parent = true;
           break;
         }
       }
       if (!is_child_of_parent) {
         obj = parent;
@@ skipping 164 matching lines @@
 
 WebDocument RendererAccessibility::GetMainDocument() {
   WebView* view = render_view()->GetWebView();
   WebFrame* main_frame = view ? view->mainFrame() : NULL;
 
   if (main_frame)
     return main_frame->document();
   else
     return WebDocument();
 }