Bug 223719

Summary: bindings/js/JSEventListener.cpp:281:91: runtime error: reference binding to null pointer of type 'WebCore::ScriptExecutionContext'
Product: WebKit
Reporter: Chris Dumez <cdumez>
Component: WebCore Misc.
Assignee: Chris Dumez <cdumez>
Status: RESOLVED FIXED
Severity: Normal
CC: darin, ddkilzer, ggaren, sam, webkit-bug-importer
Priority: P2
Keywords: InRadar
Version: WebKit Nightly Build
Hardware: Unspecified
OS: Unspecified
See Also: https://bugs.webkit.org/show_bug.cgi?id=176131
Attachments:
Patch (flags: none)
Patch (flags: none)

Description Chris Dumez 2021-03-24 16:57:20 PDT
Fix bug in JSEventListener's eventHandlerAttribute() found by UBSan.
Comment 1 Chris Dumez 2021-03-24 17:04:58 PDT
Created attachment 424203 [details]
Patch
Comment 2 Darin Adler 2021-03-24 17:36:52 PDT
Comment on attachment 424203 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=424203&action=review

> Source/WebCore/bindings/js/JSEventListener.cpp:281
> -    return eventHandlerAttribute(target.attributeEventListener(eventType, isolatedWorld), *target.scriptExecutionContext());
> +    return eventHandlerAttribute(target.attributeEventListener(eventType, isolatedWorld), target.scriptExecutionContext());
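Review bot: Dropping the "*" at JSEventListener.cpp:281 changes the second argument from a ScriptExecutionContext& to a ScriptExecutionContext*, so this hunk is only sound if eventHandlerAttribute()'s signature and its null handling were changed in the same patch; that part is outside the quoted context and should be confirmed. Since this is the one call site where the pointer can be null, a local check (auto context = target.scriptExecutionContext(); if (!context) return jsNull();) would keep the callee's reference parameter and its non-null contract unchanged.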

Why not just add the null check here? This is the only place where it can be null.

    auto context = target.scriptExecutionContext();
    if (!context)
        return jsNull();
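The pattern behind this bug and the two ways of fixing it, as an added example with stand-in types; this is not WebKit code, and Context, Listener, Value and Target are simplified models of the WebCore types named in the patch.

```cpp
#include <optional>
#include <string>

struct Context { std::string name; };            // stand-in for ScriptExecutionContext
struct Listener { std::string handlerSource; };  // stand-in for the attribute event listener

// Stand-in for a JSValue: JS null, or a handler identified by its source text.
struct Value {
    std::optional<std::string> handler;
    bool isNull() const { return !handler.has_value(); }
};
static Value jsNull() { return Value{}; }

// Callee, mirroring eventHandlerAttribute(JSEventListener*, ScriptExecutionContext&).
// The reference parameter is a contract: the caller guarantees a live context.
static Value eventHandlerAttribute(const Listener* listener, const Context& context)
{
    if (!listener)
        return jsNull();
    return Value{listener->handlerSource + " @ " + context.name};
}

struct Target {
    const Listener* listener = nullptr;
    const Context* context = nullptr;  // null once the target is detached from its document
    const Listener* attributeEventListener() const { return listener; }
    const Context* scriptExecutionContext() const { return context; }
};

// Before the fix (kept as a comment, not executed): when context is null,
// "*target.scriptExecutionContext()" binds a reference to null, which UBSan
// (-fsanitize=undefined) reports as "reference binding to null pointer".
//   return eventHandlerAttribute(target.attributeEventListener(), *target.scriptExecutionContext());

// After the fix, as suggested in comment 2: the null check sits at the one call
// site where the pointer can be null, and the callee keeps its reference parameter.
static Value eventHandlerAttributeFor(const Target& target)
{
    auto* context = target.scriptExecutionContext();
    if (!context)
        return jsNull();
    return eventHandlerAttribute(target.attributeEventListener(), *context);
}

// Constructed sample data for exercising both paths.
static const Context kDocumentContext{"document"};
static const Listener kClickListener{"function onclick(event) {}"};
```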
Comment 3 Chris Dumez 2021-03-24 17:38:04 PDT
(In reply to Darin Adler from comment #2)
> Comment on attachment 424203 [details]
> Patch
> 
> View in context:
> https://bugs.webkit.org/attachment.cgi?id=424203&action=review
> 
> > Source/WebCore/bindings/js/JSEventListener.cpp:281
> > -    return eventHandlerAttribute(target.attributeEventListener(eventType, isolatedWorld), *target.scriptExecutionContext());
> > +    return eventHandlerAttribute(target.attributeEventListener(eventType, isolatedWorld), target.scriptExecutionContext());
> 
> Why not just add the null check here? This is the only place where it can be
> null.
> 
>     auto context = target.scriptExecutionContext();
>     if (!context)
>         return jsNull();

I hesitated. I went the other way because this was the place where we had the other checks and jsNull() returns. That said, it is true that we only need it for this particular call site. I'll make the change.
Comment 4 Chris Dumez 2021-03-24 17:40:36 PDT
Created attachment 424208 [details]
Patch
Comment 5 EWS 2021-03-24 18:48:24 PDT
Committed r274996: <https://commits.webkit.org/r274996>

All reviewed patches have been landed. Closing bug and clearing flags on attachment 424208 [details].
Comment 6 Radar WebKit Bug Importer 2021-03-24 18:49:15 PDT
<rdar://problem/75816500>