Closed Bug 1427171 Opened 7 years ago Closed 2 years ago

[Static Analysis] Dereference null return value nsAccessibilityService::CreateAccessible

Categories

(Core :: Disability Access APIs, enhancement)

enhancement
Not set
normal

Tracking


RESOLVED WORKSFORME
Tracking Status
firefox59 --- affected

People

(Reporter: andi, Assigned: andi)

References

(Blocks 1 open bug)

Details

(Keywords: coverity, Whiteboard: CID 1426941)

Attachments

(1 file)

The Static Analysis tool Coverity detected that a null pointer dereference of a return value occurs in several places where the return pointer of |aContext->ARIARoleMap| is passed around and later dereferenced, like:

>> if (!roleMapEntry && newAcc && aContext->HasStrongARIARole()) {
>>   if (frame->AccessibleType() == eHTMLTableRowType) {
>>     const nsRoleMapEntry* contextRoleMap = aContext->ARIARoleMap();
>>     if (!contextRoleMap->IsOfType(eTable))
>>       roleMapEntry = &aria::gEmptyRoleMap;

Looking through the code, this should be guarded against null pointer dereference, like:

>> inline bool
>> Accessible::IsSearchbox() const
>> {
>>   const nsRoleMapEntry* roleMapEntry = ARIARoleMap();
>>   return (roleMapEntry && roleMapEntry->Is(nsGkAtoms::searchbox)) ||
>>          (mContent->IsHTMLElement(nsGkAtoms::input) &&
>>           mContent->AsElement()->AttrValueIs(kNameSpaceID_None, nsGkAtoms::type,
>>                                              nsGkAtoms::search, eCaseMatters));
>> }
Comment on attachment 8938932 [details]
Bug 1427171 - prevent null pointer dereference when using return pointer from aContext->ARIARoleMap().

Alex, would you want some kind of assert here?
Attachment #8938932 - Flags: review?(dbolter) → review?(surkov.alexander)
Comment on attachment 8938932 [details]
Bug 1427171 - prevent null pointer dereference when using return pointer from aContext->ARIARoleMap().

https://reviewboard.mozilla.org/r/209396/#review215408

::: accessible/base/nsAccessibilityService.cpp:1203
(Diff revision 1)
> // If table has strong ARIA role then all table descendants shouldn't
> // expose their native roles.
> if (!roleMapEntry && newAcc && aContext->HasStrongARIARole()) {
> if (frame->AccessibleType() == eHTMLTableRowType) {
> const nsRoleMapEntry* contextRoleMap = aContext->ARIARoleMap();
> - if (!contextRoleMap->IsOfType(eTable))
> + if (contextRoleMap && !contextRoleMap->IsOfType(eTable))

HasStrongARIARole() guarantees us that aContext->ARIARoleMap() is never null. It appears that the static analysis gave a false positive in this case. Not sure what is the best way to proceed, either leave the code untouched or make it more straightforward to avoid possible misreadings.
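Review bot: The null guard added on the `+` line introduces a new code path instead of documenting the invariant: if contextRoleMap were ever null, roleMapEntry would silently stay unset rather than being forced to &aria::gEmptyRoleMap, so a table row under a strongly-roled ancestor would keep exposing its native role. Since HasStrongARIARole() already guarantees that aContext->ARIARoleMap() is non-null, an assertion such as `MOZ_ASSERT(contextRoleMap);` before `if (!contextRoleMap->IsOfType(eTable))` states that invariant explicitly for readers (and for a future analyzer run) while keeping the existing control flow; if a guard is kept instead, a comment should say why the null case is considered unreachable.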
Attachment #8938932 - Flags: review?(surkov.alexander)
Status: NEW → RESOLVED
Closed: 2 years ago
Resolution: --- → WORKSFORME