Creating a WebInspector.ContextMenu without an event crashes WebCore when calling .show()
Created attachment 186044 [details] Patch
Comment on attachment 186044 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=186044&action=review > Source/WebCore/ChangeLog:10 > + No new tests (OOPS!). At least mention why there are no tests, or remove this line.
<rdar://problem/13133613>
Comment on attachment 186044 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=186044&action=review > Source/WebCore/page/ContextMenuController.cpp:145 > + if (!event || !event->isMouseEvent()) Do you want to add an assertion here instead?
(In reply to comment #4) > (From update of attachment 186044 [details]) > View in context: https://bugs.webkit.org/attachment.cgi?id=186044&action=review > > > Source/WebCore/page/ContextMenuController.cpp:145 > > + if (!event || !event->isMouseEvent()) > > Do you want to add an assertion here instead? You mean *also* an assert before the early return?
Comment on attachment 186044 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=186044&action=review >>> Source/WebCore/page/ContextMenuController.cpp:145 >>> + if (!event || !event->isMouseEvent()) >> >> Do you want to add an assertion here instead? > > You mean *also* an assert before the early return? I meant assertion + a check on the call site. One obviously needs an event for creating this menu.
Created attachment 186066 [details] Patch
Comment on attachment 186066 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=186066&action=review > Source/WebCore/page/ContextMenuController.cpp:111 > + if (!event) When does this happen? > Source/WebCore/page/ContextMenuController.cpp:130 > + if (!event) When does this happen?
(In reply to comment #8) > (From update of attachment 186066 [details]) > View in context: https://bugs.webkit.org/attachment.cgi?id=186066&action=review > > > Source/WebCore/page/ContextMenuController.cpp:111 > > + if (!event) > > When does this happen? I'm not sure when it would, but I understood from your previous comment you wanted all call sites to ContextMenuController::createContextMenu() guarded. > > Source/WebCore/page/ContextMenuController.cpp:130 > > + if (!event) > > When does this happen? This would happen if you call InspectorFrontendHost.showContextMenu() from the front-end JS code without an event. This was how I originally found the issue.
(In reply to comment #9) > (In reply to comment #8) > > (From update of attachment 186066 [details] [details]) > > View in context: https://bugs.webkit.org/attachment.cgi?id=186066&action=review > > > > > Source/WebCore/page/ContextMenuController.cpp:111 > > > + if (!event) > > > > When does this happen? > > I'm not sure when it would, but I understood from your previous comment you wanted all call sites to ContextMenuController::createContextMenu() guarded. I guess you meant the actual original call site in the JS code. In this case, WebInspector.ContextMenu.prototype.show().
Comment on attachment 186066 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=186066&action=review >>>> Source/WebCore/page/ContextMenuController.cpp:111 >>>> + if (!event) >>> >>> When does this happen? >> >> I'm not sure when it would, but I understood from your previous comment you wanted all call sites to ContextMenuController::createContextMenu() guarded. > > I guess you meant the actual original call site in the JS code. In this case, WebInspector.ContextMenu.prototype.show(). Oh, I meant to place the checks into the call sites that operate nullable event pointers. This one does not. >>> Source/WebCore/page/ContextMenuController.cpp:130 >>> + if (!event) >> >> When does this happen? > > This would happen if you call InspectorFrontendHost.showContextMenu() from the front-end JS code without an event. This was how I originally found the issue. You probably want to move this check into the call site (InspectorFrontendHost::showContextMenu) then. That way you clearly separate contexts with nullable event pointers from the ones that rely upon their existence.
Created attachment 186224 [details] Patch
Comment on attachment 186224 [details] Patch Rejecting attachment 186224 [details] from commit-queue. graouts@apple.com does not have committer permissions according to http://trac.webkit.org/browser/trunk/Tools/Scripts/webkitpy/common/config/committers.py. - If you do not have committer rights please read http://webkit.org/coding/contributing.html for instructions on how to use bugzilla flags. - If you have committer rights please correct the error in Tools/Scripts/webkitpy/common/config/committers.py by adding yourself to the file (no review needed). The commit-queue restarts itself every 2 hours. After restart the commit-queue will correctly respect your committer rights.
Comment on attachment 186224 [details] Patch Clearing flags on attachment: 186224 Committed r141692: <http://trac.webkit.org/changeset/141692>
All reviewed patches have been landed. Closing bug.