Bug 62248

Summary: WKResponderChainSink mechanism isn't robust against some types of responder chain manipulation
Product: WebKit Reporter: John Sullivan <sullivan>
Component: WebKit2Assignee: John Sullivan <sullivan>
Status: RESOLVED FIXED    
Severity: Normal CC: darin
Priority: P2    
Version: 528+ (Nightly build)   
Hardware: All   
OS: All   
Attachments:
Description Flags
Patch to make [WKResponderChainSink detach] robust against some kinds of responder chain manipulations darin: review+

John Sullivan
Reported 2011-06-07 16:08:35 PDT
WebKit2's WKResponderChainSink mechanism assumes that no other code has modified the responder chain during the lifetime of this WKResponderChainSink. That's generally a decent assumption, because the lifetime of these objects (as currently used) is wrapped around a single call to [super doCommandBySelector:]. But if that call ends up modifying the responder chain, [WKResponderChainSink detach] can modify it again in the wrong way, leaving itself in the responder chain even after it has been dealloc'ed.
Attachments
Patch to make [WKResponderChainSink detach] robust against some kinds of responder chain manipulations (2.26 KB, patch)
2011-06-07 16:27 PDT, John Sullivan 		darin: review+
DetailsFormatted DiffDiff
View All Add attachment proposed patch, testcase, etc.
John Sullivan
Comment 1 2011-06-07 16:27:52 PDT
Created attachment 96326 [details] Patch to make [WKResponderChainSink detach] robust against some kinds of responder chain manipulations
Darin Adler
Comment 2 2011-06-07 16:39:15 PDT
Comment on attachment 96326 [details] Patch to make [WKResponderChainSink detach] robust against some kinds of responder chain manipulations View in context: https://bugs.webkit.org/attachment.cgi?id=96326&action=review > Source/WebKit2/UIProcess/API/mac/WKView.mm:2527 > + // This assumes that the responder chain was either unmodified since > + // -initWithResponderChain: was called, or was modified in such a way > + // that _lastResponderInChain is still in the chain, and self was not > + // moved earlier in the chain than _lastResponderInChain. Another technique would be to start with -[NSWindow firstResponder] and search for self in that chain. We could do that instead of saving _lastResponderInChain. Or we could do both to make sure we’re removed if either technique finds us.
Darin Adler
Comment 3 2011-06-07 16:39:25 PDT
Patch is OK as is.
John Sullivan
Comment 4 2011-06-07 17:21:17 PDT
I thought about starting with the window’s first responder, but that would be a bigger change for what I needed to work here, and still not guaranteed to find every possible kind of responder chain manipulation. Note that the WKResponderChainSink is not an NSView so it isn’t associated with a window. So to start with the window’s first responder would require that the WKResponderChainSink keeps track of either a window or an NSView. It could be changed to require an NSView rather than an NSResponder in its init method, and then store that NSView and use it to get the window and then start with the first responder in -detach. That would be a little more work in detach since it would have to walk (nearly) the entire responder chain every time instead of just calling nextResponder once in the common case as it does with my patch. As you say, the combination of the two approaches would be more robust, but seemed a little like overkill for now.
John Sullivan
Comment 5 2011-06-07 17:45:07 PDT
Fixed in http://trac.webkit.org/changeset/88298
Note You need to log in before you can comment on or make changes to this bug.