Bug 223719

Summary: bindings/js/JSEventListener.cpp:281:91: runtime error: reference binding to null pointer of type 'WebCore::ScriptExecutionContext'
Product: WebKit
Reporter: Chris Dumez <cdumez>
Component: WebCore Misc.
Assignee: Chris Dumez <cdumez>
Status: RESOLVED FIXED
Severity: Normal
CC: darin, ddkilzer, ggaren, sam, webkit-bug-importer
Priority: P2
Keywords: InRadar
Version: WebKit Nightly Build
Hardware: Unspecified
OS: Unspecified
See Also: https://bugs.webkit.org/show_bug.cgi?id=176131

Chris Dumez
Reported 2021-03-24 16:57:20 PDT
Fix bug in JSEventListener's eventHandlerAttribute() found by UBSan.
Attachments
Patch (3.82 KB, patch), 2021-03-24 17:04 PDT, Chris Dumez, no flags
Patch (1.86 KB, patch), 2021-03-24 17:40 PDT, Chris Dumez, no flags
Chris Dumez
Comment 1 2021-03-24 17:04:58 PDT
Darin Adler
Comment 2 2021-03-24 17:36:52 PDT
Comment on attachment 424203 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=424203&action=review

> Source/WebCore/bindings/js/JSEventListener.cpp:281
> - return eventHandlerAttribute(target.attributeEventListener(eventType, isolatedWorld), *target.scriptExecutionContext());
> + return eventHandlerAttribute(target.attributeEventListener(eventType, isolatedWorld), target.scriptExecutionContext());

Why not just add the null check here? This is the only place where it can be null.

    auto context = target.scriptExecutionContext();
    if (!context)
        return jsNull();
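Review bot: the `+` line passes `target.scriptExecutionContext()` as a raw pointer where the `-` line dereferenced it to bind a reference, so the callee's parameter type changes and every other caller of eventHandlerAttribute() has to pass (and the callee has to check) a pointer for a null that, per the review, only this call site can observe. Keeping the reference parameter and guarding at this one call site (`auto* context = target.scriptExecutionContext(); if (!context) return jsNull();`) is the smaller change: it removes the UBSan-flagged `*target.scriptExecutionContext()` dereference without weakening the non-null contract inside the callee.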
Chris Dumez
Comment 3 2021-03-24 17:38:04 PDT
(In reply to Darin Adler from comment #2)
> Comment on attachment 424203 [details]
> Patch
> 
> View in context:
> https://bugs.webkit.org/attachment.cgi?id=424203&action=review
> 
> > Source/WebCore/bindings/js/JSEventListener.cpp:281
> > - return eventHandlerAttribute(target.attributeEventListener(eventType, isolatedWorld), *target.scriptExecutionContext());
> > + return eventHandlerAttribute(target.attributeEventListener(eventType, isolatedWorld), target.scriptExecutionContext());
> 
> Why not just add the null check here? This is the only place where it can be
> null.
> 
>     auto context = target.scriptExecutionContext();
>     if (!context)
>         return jsNull();

I hesitated. I went the other way because this was the place where we had the other checks and jsNull() returns. That said, it is true that we only need it for this particular call site. I'll make the change.
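The pattern behind this bug, and the two candidate fixes discussed in comments 2 and 3, shown as an added stand-alone example (not WebKit code): the `ScriptExecutionContext`, `EventListener`, `EventTarget` and `JSValue` types below are hypothetical toy stand-ins with the same shape as the call at JSEventListener.cpp:281, where a getter on a detached target returns a null context pointer and `*target.scriptExecutionContext()` binds a reference to it. Built with `-fsanitize=undefined`, that line produces the "reference binding to null pointer" report in the summary; the checked version keeps the callee's reference parameter and guards the one call site that can see null.

```cpp
#include <cassert>
#include <cstdio>
#include <cstring>

// Toy stand-ins for the WebCore types (hypothetical, not WebKit code).
struct ScriptExecutionContext {
    bool allowsEventHandlers = true;   // stand-in for the checks a real context performs
};

struct EventListener {
    const char* handlerName;
};

struct EventTarget {
    ScriptExecutionContext* context;   // null once the owning document is detached
    EventListener* listener;           // null when no handler attribute is set
    EventListener* attributeEventListener() const { return listener; }
    ScriptExecutionContext* scriptExecutionContext() const { return context; }
};

// Toy JSValue: nullptr stands for the JS null that jsNull() returns.
using JSValue = const char*;
JSValue jsNull() { return nullptr; }

// Callee keeps its reference parameter: by contract the context is never null here.
JSValue eventHandlerAttribute(EventListener* listener, ScriptExecutionContext& context) {
    if (!listener || !context.allowsEventHandlers)
        return jsNull();
    return listener->handlerName;
}

// Before the fix: *target.scriptExecutionContext() binds a reference to whatever the
// pointer holds. With a null context, -fsanitize=undefined (-fsanitize=null) reports
// "reference binding to null pointer of type 'ScriptExecutionContext'" at this line;
// without UBSan the callee dereferences the null reference instead.
JSValue eventHandlerAttributeUnchecked(const EventTarget& target) {
    return eventHandlerAttribute(target.attributeEventListener(), *target.scriptExecutionContext());
}

// After the fix, as suggested in comment 2: guard the one call site that can see null.
JSValue eventHandlerAttributeChecked(const EventTarget& target) {
    auto* context = target.scriptExecutionContext();
    if (!context)
        return jsNull();
    return eventHandlerAttribute(target.attributeEventListener(), *context);
}

// Attached target (constructed sample): live context plus a registered handler.
// Both versions agree, so the fix changes nothing on the normal path.
bool attachedTargetReturnsHandler() {
    ScriptExecutionContext context;
    EventListener onclick{"onclick"};
    EventTarget target{&context, &onclick};
    JSValue checked = eventHandlerAttributeChecked(target);
    JSValue unchecked = eventHandlerAttributeUnchecked(target);
    return checked && unchecked
        && std::strcmp(checked, "onclick") == 0
        && std::strcmp(unchecked, "onclick") == 0;
}

// Detached target (constructed sample): the handler is still registered but the
// context is gone. Only the checked version is safe to call here.
bool detachedTargetReturnsNull() {
    EventListener onclick{"onclick"};
    EventTarget target{nullptr, &onclick};
    return eventHandlerAttributeChecked(target) == jsNull();
}

int main(int argc, char**) {
    std::printf("attached target: %s\n", attachedTargetReturnsHandler() ? "handler returned" : "FAIL");
    std::printf("detached target: %s\n", detachedTargetReturnsNull() ? "jsNull returned" : "FAIL");
    // Reproduce the UBSan report: build with `clang++ -std=c++17 -fsanitize=undefined`
    // and pass any argument so the unchecked path runs against a detached target.
    if (argc > 1) {
        EventListener onclick{"onclick"};
        EventTarget detached{nullptr, &onclick};
        eventHandlerAttributeUnchecked(detached);   // UB: reference bound to null pointer
    }
    return 0;
}
```

Run without arguments the program only exercises the safe paths; the unchecked call on a detached target is deliberately kept behind an argument because it is undefined behaviour and, without the sanitizer, simply crashes in the callee.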
Chris Dumez
Comment 4 2021-03-24 17:40:36 PDT
EWS
Comment 5 2021-03-24 18:48:24 PDT
Committed r274996: <https://commits.webkit.org/r274996>

All reviewed patches have been landed. Closing bug and clearing flags on attachment 424208 [details].
Radar WebKit Bug Importer
Comment 6 2021-03-24 18:49:15 PDT