Not certain about this, but it looks like if the event handler deletes the node within dispatchSimulatedMouseEvent(), there can be a subsequent assignment to freed memory:

    EventTargetNode::dispatchSimulatedMouseEvent(...)
    {
        ...
        m_dispatchingSimulatedEvent = true;
        // <--- The event handler may end up deleting "this" --->
        dispatchMouseEvent(...);
        // <--- Could this assignment happen to freed memory? --->
        m_dispatchingSimulatedEvent = false;
    }

I ran into a problem when using an access key that deleted the anchor (LayoutTests/fast/events/access-key-self-destruct.html) -- however I am not certain if there were other modifications in my code that could have caused this problem. Can someone familiar with the method comment on whether this is a problem? (I see that EventTargetNode::dispatchMouseEvent() protects "this" from deletion; why does this block not require it too?)
It should be possible to construct a test case which crashes due to this issue. It may require GuardMalloc to be enabled to reproducibly crash though.
<rdar://problem/5808517>
I've been trying to create a test case where the node gets destroyed that early, and I've been unsuccessful. I think it's because the Event keeps a RefPtr to the EventTarget... and dispatchSimulatedClick has a RefPtr for the event, so the event and the target node can't get destroyed until after dispatchSimulatedClick exits. Someone should check my logic on that though...
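Added example (not from this bug's comments or from WebKit's source) showing the unguarded shape quoted in the report beside a guarded one, driven by a listener that removes its own node mid-dispatch in the spirit of access-key-self-destruct.html. `Node`, `Protector` and `runSelfDestructScenario` are hypothetical stand-ins for EventTargetNode and the RefPtr protector the thread describes:

```cpp
#include <functional>
#include <utility>
// RAII stand-in for WebKit's `RefPtr<Node> protector(this)` idiom: holds one
// reference for the enclosing scope, so the object cannot be freed before return.
template <typename T> struct Protector {
    explicit Protector(T& obj) : m_obj(obj) { m_obj.ref(); }
    ~Protector() { m_obj.deref(); }            // may delete the object, but only now
    T& m_obj;
};
// Minimal intrusive ref-counted node standing in for WebKit's EventTargetNode
// (hypothetical simplification for illustration, not WebKit's own code).
struct Node {
    explicit Node(int* destroyedCounter) : m_destroyed(destroyedCounter) {}
    ~Node() { ++*m_destroyed; }
    void ref() { ++m_refCount; }
    void deref() { if (--m_refCount == 0) delete this; }
    std::function<void()> handler;             // the event listener
    bool m_dispatchingSimulatedEvent = false;  // the flag from the report
    // Shape quoted in the report: if `handler` drops the last reference to *this,
    // the assignment after the call writes to freed memory. Not called below with
    // a self-deleting handler, since that would be undefined behaviour.
    void dispatchUnguarded() {
        m_dispatchingSimulatedEvent = true;
        handler();
        m_dispatchingSimulatedEvent = false;   // use-after-free if *this is gone
    }
    // Same dispatch with the kind of guard the report notes dispatchMouseEvent() has.
    void dispatchGuarded() {
        Protector<Node> protector(*this);      // keeps *this alive until return
        m_dispatchingSimulatedEvent = true;
        handler();
        m_dispatchingSimulatedEvent = false;   // safe: protector still holds a ref
    }
private:
    int m_refCount = 0;
    int* m_destroyed;
};
// Constructed scenario: the listener removes the node (its owner drops the
// reference) while the event is being dispatched.
// Returns {destroyed-count observed inside the handler, count after dispatch}.
std::pair<int, int> runSelfDestructScenario() {
    int destroyed = 0;
    Node* node = new Node(&destroyed);
    node->ref();                               // the "document" owns one reference
    int seenInHandler = -1;
    node->handler = [&] {
        node->deref();                         // owner lets go mid-dispatch
        seenInHandler = destroyed;             // 0: the protector kept it alive
    };
    node->dispatchGuarded();                   // node is freed as protector dies
    return {seenInHandler, destroyed};         // {0, 1}
}
```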
The m_dispatchingSimulatedMouseEvent bool is gone from TOT. This bug can be closed.
(In reply to comment #4)
> The m_dispatchingSimulatedMouseEvent bool is gone from TOT. This bug can be
> closed.

The m_dispatchingSimulatedEvent bool was removed in r31767. <http://trac.webkit.org/changeset/31767>