Fix bug in JSEventListener's eventHandlerAttribute() found by UBSan.
Created attachment 424203
Patch
Comment on attachment 424203
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=424203&action=review

> Source/WebCore/bindings/js/JSEventListener.cpp:281
> - return eventHandlerAttribute(target.attributeEventListener(eventType, isolatedWorld), *target.scriptExecutionContext());
> + return eventHandlerAttribute(target.attributeEventListener(eventType, isolatedWorld), target.scriptExecutionContext());

Why not just add the null check here? This is the only place where it can be null.

    auto context = target.scriptExecutionContext();
    if (!context)
        return jsNull();
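Review bot: the removed line in the JSEventListener.cpp:281 hunk dereferences target.scriptExecutionContext() unconditionally, so a null context binds a reference to null, which is the undefined behaviour UBSan reports; the added line instead passes the raw pointer, so eventHandlerAttribute's parameter changes from a reference to a pointer and the null handling moves into the callee. Since this call site is the only one that can observe a null context, an early return here (auto context = target.scriptExecutionContext(); if (!context) return jsNull();) fixes the UB while leaving the callee's reference parameter unchanged.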
(In reply to Darin Adler from comment #2)
> Comment on attachment 424203
> Patch
>
> View in context:
> https://bugs.webkit.org/attachment.cgi?id=424203&action=review
>
> > Source/WebCore/bindings/js/JSEventListener.cpp:281
> > - return eventHandlerAttribute(target.attributeEventListener(eventType, isolatedWorld), *target.scriptExecutionContext());
> > + return eventHandlerAttribute(target.attributeEventListener(eventType, isolatedWorld), target.scriptExecutionContext());
>
> Why not just add the null check here? This is the only place where it can be
> null.
>
> auto context = target.scriptExecutionContext();
> if (!context)
> return jsNull();

I hesitated. I went the other way because this was the place where we had the other checks and jsNull() returns. That said, it is true that we only need it for this particular call site. I'll make the change.
Created attachment 424208
Patch
Committed r274996: <https://commits.webkit.org/r274996>

All reviewed patches have been landed. Closing bug and clearing flags on attachment 424208.
<rdar://problem/75816500>