Add fuzzer for AXTree and fix a couple of bugs it found.

ui/accessibility/ax_tree_fuzzer.cc

Index: ui/accessibility/ax_tree_fuzzer.cc
diff --git a/ui/accessibility/ax_tree_fuzzer.cc b/ui/accessibility/ax_tree_fuzzer.cc
new file mode 100644
index 0000000000000000000000000000000000000000..c3f93e8f1ad254d0ea684f1b02df0db566ba944c
--- /dev/null
+++ b/ui/accessibility/ax_tree_fuzzer.cc
@@ -0,0 +1,49 @@
+// Copyright (c) 2016 The Chromium Authors. All rights reserved.

[mmoroz, 2016/09/12 08:17:54]

No "(c)" in copyright:
https://chromium.googlesource.com/chromium/src/+/master/styleguide/c++/c++.md...

[dmazzoni, 2016/09/12 16:45:41]

Done

+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "ui/accessibility/ax_tree.h"
+
+class EmptyAXTreeDelegate : public ui::AXTreeDelegate {
+ public:
+  EmptyAXTreeDelegate() {}
+
+  void OnNodeDataWillChange(ui::AXTree* tree,
+                            const ui::AXNodeData& old_node_data,
+                            const ui::AXNodeData& new_node_data) override {}
+  void OnTreeDataChanged(ui::AXTree* tree) override {}
+  void OnNodeWillBeDeleted(ui::AXTree* tree, ui::AXNode* node) override {}
+  void OnSubtreeWillBeDeleted(ui::AXTree* tree, ui::AXNode* node) override {}
+  void OnNodeCreated(ui::AXTree* tree, ui::AXNode* node) override {}
+  void OnNodeChanged(ui::AXTree* tree, ui::AXNode* node) override {}
+  void OnAtomicUpdateFinished(ui::AXTree* tree,
+                              bool root_changed,
+                              const std::vector<Change>& changes) override {}
+};
+
+// Entry point for LibFuzzer.
+extern "C" int LLVMFuzzerTestOneInput(const unsigned char* data, size_t size) {
+  ui::AXTreeUpdate initial_state;
+  size_t i = 0;
+  while (i < size) {
+    ui::AXNodeData node;
+    node.id = data[i++];
+    node.state = 0;
+    if (i < size) {
+      int child_count = data[i++];

[mmoroz, 2016/09/12 08:17:54]

Wouldn't it be better to use size_t or other unsigned type here and for j in the
next loop?

[dmazzoni, 2016/09/12 16:45:41]

You're right, good idea.

+      for (int j = 0; j < child_count && i < size; j++)
+        node.child_ids.push_back(data[i++]);
+    }
+    initial_state.nodes.push_back(node);
+  }
+
+  // Run with --v=1 to aid in debugging a specific crash.
+  VLOG(1) << "Input accessibility tree:\n" << initial_state.ToString();
+
+  ui::AXTree tree;
+  EmptyAXTreeDelegate delegate;
+  tree.SetDelegate(&delegate);
+  tree.Unserialize(initial_state);
+
+  return 0;
+}