Bug 21063

Summary: NULL pointer crash in dispatchEvent(null);
Product: WebKit
Reporter: Dean McNamee <deanm>
Component: WebCore Misc.
Assignee: Nobody <webkit-unassigned>
Status: RESOLVED FIXED
Severity: Normal
CC: ap, mihnea, sam, skylined
Priority: P1
Version: 528+ (Nightly build)
Hardware: All
OS: All
Attachments:
patch (flags: ap: review+)

Description Dean McNamee 2008-09-24 10:01:21 PDT
We found this a while ago, looks like it never got filed:

  var xhr = new XMLHttpRequest();
  xhr.dispatchEvent(null);

I don't have a mac, or a webkit build where I can test and make a layout test.  However, it should be trivial to turn the above into a layout test, and apply and test this patch:

diff --git a/WebCore/xml/XMLHttpRequest.cpp b/WebCore/xml/XMLHttpRequest.cpp
index 4b4bc96..0303d01 100644
--- a/WebCore/xml/XMLHttpRequest.cpp
+++ b/WebCore/xml/XMLHttpRequest.cpp
@@ -309,7 +309,7 @@ void XMLHttpRequest::removeEventListener(const AtomicString&
 bool XMLHttpRequest::dispatchEvent(PassRefPtr<Event> evt, ExceptionCode& ec, bo
 {
     // FIXME: check for other error conditions enumerated in the spec.
-    if (evt->type().isEmpty()) {
+    if (!evt || evt->type().isEmpty()) {
         ec = EventException::UNSPECIFIED_EVENT_TYPE_ERR;
         return true;
     }
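Review bot: The `!evt ||` guard in the `if` is the right fix for this copy of the function, and bailing out with `ec = EventException::UNSPECIFIED_EVENT_TYPE_ERR; return true;` matches the existing empty-type branch, but it lands in only one of the duplicated dispatchEvent() implementations; the same unguarded `evt->type()` dereference that comment 1 names in XMLHttpRequestUpload::dispatchEvent, DOMApplicationCache::dispatchEvent and MessagePort::dispatchEvent needs the identical check (or, as comment 2 suggests, a single shared implementation). The patch also ships without a regression test, although the description itself notes that the two-line `xhr.dispatchEvent(null)` snippet is trivial to turn into a layout test that expects an exception instead of a crash.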
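The description says the two-line reproducer "should be trivial to turn into a layout test". The following is an added example of what such a regression check looks like; it is not code from the bug report or from WebKit. It assumes Node's built-in `EventTarget` as a stand-in for the WebKit `XMLHttpRequest` object in the report (the expected behaviour is the same: a missing or malformed event argument must raise an exception, never dereference a null pointer) and prints PASS/FAIL lines in the style of a layout-test expectation file. It goes beyond the report's single `null` case by probing a few neighbouring bad inputs and a well-formed control event.

```javascript
// Added example, not part of the WebKit bug or its patch.
// Assumption: Node's global EventTarget stands in for XMLHttpRequest.

// Inputs that the original hunk guards against (null) plus a few neighbours
// that a complete layout test for this bug would also want to cover.
const BAD_EVENTS = [null, undefined, {}, 'load'];

// Dispatches `evt` on `target` and reports whether the engine rejected it
// with an exception (the required behaviour) instead of crashing or
// silently accepting it.
function probeDispatch(target, evt) {
  try {
    const handled = target.dispatchEvent(evt);
    return { threw: false, returned: handled };
  } catch (e) {
    return { threw: true, name: e.name };
  }
}

// Runs the whole table against one target and returns PASS/FAIL lines
// in the style of a WebKit layout-test expectation file.
function runRegressionTest(target = new EventTarget()) {
  const lines = [];
  for (const evt of BAD_EVENTS) {
    const r = probeDispatch(target, evt);
    const label = evt === null ? 'null'
      : evt === undefined ? 'undefined'
      : JSON.stringify(evt);
    const detail = r.threw ? `threw ${r.name}` : `returned ${r.returned}`;
    lines.push(`${r.threw ? 'PASS' : 'FAIL'} dispatchEvent(${label}) ${detail}`);
  }
  // Control: a well-formed Event must still dispatch normally and return
  // true (no listener called preventDefault()).
  const ok = probeDispatch(target, new Event('ping'));
  const controlPassed = !ok.threw && ok.returned === true;
  lines.push(`${controlPassed ? 'PASS' : 'FAIL'} dispatchEvent(new Event("ping")) returned ${ok.returned}`);
  return lines;
}

// True when every expectation line passed; what a test driver would check.
function allPassed(lines) {
  return lines.every((line) => line.startsWith('PASS'));
}

console.log(runRegressionTest().join('\n'));
```

The null case is the one the patch fixes; the other bad inputs are there because a layout test that only checks `null` would not catch a guard that tests for `null` but still dereferences a non-Event object.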
Comment 1 Alexey Proskuryakov 2008-09-25 08:21:18 PDT
We seem to have the same issue in other dispatchEvent() implementations (why are there so many?). E.g. XMLHttpRequestUpload::dispatchEvent, DOMApplicationCache::dispatchEvent, MessagePort::dispatchEvent.
Comment 2 Sam Weinig 2008-09-25 11:10:04 PDT
(In reply to comment #1)
> We seem to have the same issue in other dispatchEvent() implementations (why
> are there so many?). E.g. XMLHttpRequestUpload::dispatchEvent,
> DOMApplicationCache::dispatchEvent, MessagePort::dispatchEvent.

Anders and I just discussed this yesterday.  The functions seem generic enough that we should be able to factor them up to EventTarget (or elsewhere).
Comment 3 Dean McNamee 2008-11-24 20:51:24 PST
Any word on this?  Could we check in the simple NULL checks for now until it gets refactored?
Comment 4 Alexey Proskuryakov 2008-11-25 00:10:10 PST
Yes. Would you be willing to make a patch with test cases?
Comment 5 Sam Weinig 2008-11-29 14:06:18 PST
Created attachment 25601 [details]
patch
Comment 6 Alexey Proskuryakov 2008-11-29 14:09:48 PST
Comment on attachment 25601 [details]
patch

r=me
Comment 7 Sam Weinig 2008-11-29 14:34:05 PST
Fixed in r38845.