Bug 17956

Summary: possible write to freed memory in EventTargetNode::dispatchSimulatedMouseEvent()
Product: WebKit Reporter: Eric Roman <eroman>
Component: DOMAssignee: Nobody <webkit-unassigned>
Status: RESOLVED WORKSFORME    
Severity: Normal CC: adele, ddkilzer, koivisto, mrowe
Priority: P2 Keywords: InRadar
Version: 528+ (Nightly build)   
Hardware: PC   
OS: Windows XP   

Eric Roman
Reported 2008-03-19 14:14:27 PDT
Not certain about this, but it looks like if the event handler deletes the node within dispatchSimulatedMouseEvent(), there can be a subsequent assignment to freed memory: EventTargetNode::dispatchSimulatedMouseEvent(...) { ... m_dispatchingSimulatedEvent = true; // <--- The event handler may end up deleting "this" ---> dispatchMouseEvent(...); // <--- Could this assignment happen to freed memory? ---> m_dispatchingSimulatedEvent = false; } I ran into a problem when using an access key that deleted the anchor (LayoutTests/fast/events/access-key-self-destruct.html) -- however I am not certain if there were other modifications in my code that could have caused this problem. Can someone familiar with the method comment if this is a problem? (I see that EventTargetNode::dispatchMouseEvent() protects "this" from deletion, why does this block not require it too?)
Attachments
Add attachment proposed patch, testcase, etc.
Mark Rowe (bdash)
Comment 1 2008-03-19 14:19:58 PDT
It should be possible to construct a test case which crashes due to this issue. It may require GuardMalloc to be enabled to reproducibly crash though.
Mark Rowe (bdash)
Comment 2 2008-03-19 14:20:10 PDT
<rdar://problem/5808517>
Adele Peterson
Comment 3 2008-04-01 17:44:08 PDT
I've been trying to create a test case where the node gets destroyed that early, and I've been unsuccessful. I think its because the Event keeps a RefPtr to the EventTarget...and dispatchSimulatedClick has a RefPtr for the event, so the event and the target node can't get destroyed until after dispatchSimulatedClick exits. Someone should check my logic on that though...
Eric Seidel (no email)
Comment 4 2008-05-16 13:50:33 PDT
The m_dispatchingSimulatedMouseEvent bool is gone from TOT. This bug can be closed.
David Kilzer (:ddkilzer)
Comment 5 2009-08-12 16:49:42 PDT
(In reply to comment #4) > The m_dispatchingSimulatedMouseEvent bool is gone from TOT. This bug can be > closed. The m_dispatchingSimulatedEvent bool was removed in r31767. <http://trac.webkit.org/changeset/31767>
Note You need to log in before you can comment on or make changes to this bug.