Bug 108636

Summary: Creating a WebInspector.ContextMenu without an event crashes WebCore when calling .show()
Product: WebKit Reporter: Antoine Quint <graouts>
Component: Web Inspector (Deprecated)Assignee: Antoine Quint <graouts>
Status: RESOLVED FIXED    
Severity: Normal CC: apavlov, keishi, loislo, pfeldman, pmuellr, vsevik, web-inspector-bugs, webkit-bug-importer, webkit.review.bot, yurys
Priority: P2 Keywords: InRadar
Version: 528+ (Nightly build)   
Hardware: Unspecified   
OS: Unspecified   
Attachments:
Description Flags
Patch
none
Patch
none
Patch none

Antoine Quint
Reported 2013-02-01 07:31:07 PST
Creating a WebInspector.ContextMenu without an event crashes WebCore when calling .show()
Attachments
Patch (1.51 KB, patch)
2013-02-01 07:33 PST, Antoine Quint 		no flags
DetailsFormatted DiffDiff
Patch (2.16 KB, patch)
2013-02-01 09:37 PST, Antoine Quint 		no flags
DetailsFormatted DiffDiff
Patch (2.30 KB, patch)
2013-02-02 05:06 PST, Antoine Quint 		no flags
DetailsFormatted DiffDiff
Show Obsolete (2) View All Add attachment proposed patch, testcase, etc.
Antoine Quint
Comment 1 2013-02-01 07:33:18 PST
Created attachment 186044 [details] Patch
Dean Jackson
Comment 2 2013-02-01 07:34:48 PST
Comment on attachment 186044 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=186044&action=review > Source/WebCore/ChangeLog:10 > + No new tests (OOPS!). At least mention why there are no tests, or remove this line.
Radar WebKit Bug Importer
Comment 3 2013-02-01 07:35:44 PST
<rdar://problem/13133613>
Pavel Feldman
Comment 4 2013-02-01 07:58:24 PST
Comment on attachment 186044 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=186044&action=review > Source/WebCore/page/ContextMenuController.cpp:145 > + if (!event || !event->isMouseEvent()) Do you want to add an assertion here instead?
Antoine Quint
Comment 5 2013-02-01 09:12:40 PST
(In reply to comment #4) > (From update of attachment 186044 [details]) > View in context: https://bugs.webkit.org/attachment.cgi?id=186044&action=review > > > Source/WebCore/page/ContextMenuController.cpp:145 > > + if (!event || !event->isMouseEvent()) > > Do you want to add an assertion here instead? You mean *also* an assert before the early return?
Pavel Feldman
Comment 6 2013-02-01 09:21:33 PST
Comment on attachment 186044 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=186044&action=review >>> Source/WebCore/page/ContextMenuController.cpp:145 >>> + if (!event || !event->isMouseEvent()) >> >> Do you want to add an assertion here instead? > > You mean *also* an assert before the early return? I meant assertion + a check on the call site. One obviously needs an event for creating this menu.
Antoine Quint
Comment 7 2013-02-01 09:37:38 PST
Created attachment 186066 [details] Patch
Pavel Feldman
Comment 8 2013-02-01 09:41:25 PST
Comment on attachment 186066 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=186066&action=review > Source/WebCore/page/ContextMenuController.cpp:111 > + if (!event) When does this happen? > Source/WebCore/page/ContextMenuController.cpp:130 > + if (!event) When does this happen?
Antoine Quint
Comment 9 2013-02-01 09:47:11 PST
(In reply to comment #8) > (From update of attachment 186066 [details]) > View in context: https://bugs.webkit.org/attachment.cgi?id=186066&action=review > > > Source/WebCore/page/ContextMenuController.cpp:111 > > + if (!event) > > When does this happen? I'm not sure when it would, but I understood from your previous comment you wanted all call sites to ContextMenuController::createContextMenu() guarded. > > Source/WebCore/page/ContextMenuController.cpp:130 > > + if (!event) > > When does this happen? This would happen if you call InspectorFrontendHost.showContextMenu() from the front-end JS code without an event. This was how I originally found the issue.
Antoine Quint
Comment 10 2013-02-01 09:50:45 PST
(In reply to comment #9) > (In reply to comment #8) > > (From update of attachment 186066 [details] [details]) > > View in context: https://bugs.webkit.org/attachment.cgi?id=186066&action=review > > > > > Source/WebCore/page/ContextMenuController.cpp:111 > > > + if (!event) > > > > When does this happen? > > I'm not sure when it would, but I understood from your previous comment you wanted all call sites to ContextMenuController::createContextMenu() guarded. I guess you meant the actual original call site in the JS code. In this case, WebInspector.ContextMenu.prototype.show().
Pavel Feldman
Comment 11 2013-02-02 04:04:27 PST
Comment on attachment 186066 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=186066&action=review >>>> Source/WebCore/page/ContextMenuController.cpp:111 >>>> + if (!event) >>> >>> When does this happen? >> >> I'm not sure when it would, but I understood from your previous comment you wanted all call sites to ContextMenuController::createContextMenu() guarded. > > I guess you meant the actual original call site in the JS code. In this case, WebInspector.ContextMenu.prototype.show(). Oh, I meant to place the checks into the call sites that operate nullable event pointers. This one does not. >>> Source/WebCore/page/ContextMenuController.cpp:130 >>> + if (!event) >> >> When does this happen? > > This would happen if you call InspectorFrontendHost.showContextMenu() from the front-end JS code without an event. This was how I originally found the issue. You probably want to move this check into the call site (InspectorFrontendHost::showContextMenu) then. That way you clearly separate contexts with nullable event pointers from the ones that rely upon their existence.
Antoine Quint
Comment 12 2013-02-02 05:06:06 PST
Created attachment 186224 [details] Patch
WebKit Review Bot
Comment 13 2013-02-02 05:16:54 PST
Comment on attachment 186224 [details] Patch Rejecting attachment 186224 [details] from commit-queue. graouts@apple.com does not have committer permissions according to http://trac.webkit.org/browser/trunk/Tools/Scripts/webkitpy/common/config/committers.py. - If you do not have committer rights please read http://webkit.org/coding/contributing.html for instructions on how to use bugzilla flags. - If you have committer rights please correct the error in Tools/Scripts/webkitpy/common/config/committers.py by adding yourself to the file (no review needed). The commit-queue restarts itself every 2 hours. After restart the commit-queue will correctly respect your committer rights.
WebKit Review Bot
Comment 14 2013-02-02 05:56:34 PST
Comment on attachment 186224 [details] Patch Clearing flags on attachment: 186224 Committed r141692: <http://trac.webkit.org/changeset/141692>
WebKit Review Bot
Comment 15 2013-02-02 05:56:39 PST
All reviewed patches have been landed. Closing bug.
Note You need to log in before you can comment on or make changes to this bug.