Bug 223719 - bindings/js/JSEventListener.cpp:281:91: runtime error: reference binding to null pointer of type 'WebCore::ScriptExecutionContext'
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: WebCore Misc.
Version: WebKit Nightly Build
Hardware: Unspecified, OS: Unspecified
Importance: P2 Normal
Assignee: Chris Dumez
Keywords: InRadar
Reported: 2021-03-24 16:57 PDT by Chris Dumez
Modified: 2021-03-24 18:49 PDT (History)
Attachments
Patch (3.82 KB, patch), 2021-03-24 17:04 PDT, Chris Dumez
Patch (1.86 KB, patch), 2021-03-24 17:40 PDT, Chris Dumez
Description Chris Dumez 2021-03-24 16:57:20 PDT
Fix bug in JSEventListener's eventHandlerAttribute() found by UBSan.
Comment 1 Chris Dumez 2021-03-24 17:04:58 PDT
Created attachment 424203 [details]
Patch
Comment 2 Darin Adler 2021-03-24 17:36:52 PDT
Comment on attachment 424203 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=424203&action=review

> Source/WebCore/bindings/js/JSEventListener.cpp:281
> -    return eventHandlerAttribute(target.attributeEventListener(eventType, isolatedWorld), *target.scriptExecutionContext());
> +    return eventHandlerAttribute(target.attributeEventListener(eventType, isolatedWorld), target.scriptExecutionContext());
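Review bot: dropping the `*` only moves the null problem into the callee unless the parameter type of `eventHandlerAttribute` changes with it, and that change is not in the visible lines; since the UBSan report in the title points at exactly this line (281:91, a reference bound through a null `ScriptExecutionContext*`), the smaller fix is a null check before the call that returns jsNull() when the target has no context, which keeps the reference parameter and the callee's assumption that the context is live.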

Why not just add the null check here? This is the only place where it can be null.

    auto context = target.scriptExecutionContext();
    if (!context)
        return jsNull();
Comment 3 Chris Dumez 2021-03-24 17:38:04 PDT
(In reply to Darin Adler from comment #2)
> Comment on attachment 424203 [details]
> Patch
> 
> View in context:
> https://bugs.webkit.org/attachment.cgi?id=424203&action=review
> 
> > Source/WebCore/bindings/js/JSEventListener.cpp:281
> > -    return eventHandlerAttribute(target.attributeEventListener(eventType, isolatedWorld), *target.scriptExecutionContext());
> > +    return eventHandlerAttribute(target.attributeEventListener(eventType, isolatedWorld), target.scriptExecutionContext());
> 
> Why not just add the null check here? This is the only place where it can be
> null.
> 
>     auto context = target.scriptExecutionContext();
>     if (!context)
>         return jsNull();

I hesitated. I went the other way because this was the place where we had the other checks and jsNull() returns. That said, it is true that we only need it for this particular call site. I'll make the change.
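The two shapes of the fix discussed in this thread, as an added stand-alone example that is not WebKit's code: the types below are hypothetical stand-ins for the WebCore classes, and the "before" function shows the reference binding UBSan reported while the "after" function applies the call-site null check Darin suggests.

```cpp
#include <cassert>
#include <cstring>
// Hypothetical stand-ins for the WebCore types involved; not WebKit's own definitions.
struct ScriptExecutionContext { bool canExecuteScripts = true; };
struct JSEventListener { const char* handlerName; };
struct JSValue { enum Kind { Null, Function } kind; const char* name; };
static JSValue jsNull() { return { JSValue::Null, nullptr }; }
struct EventTarget {
    ScriptExecutionContext* context = nullptr;   // null for a target that has no document
    JSEventListener* listener = nullptr;
    ScriptExecutionContext* scriptExecutionContext() const { return context; }
    JSEventListener* attributeEventListener() const { return listener; }
};

// The callee keeps a reference parameter, so it may assume a live context.
static JSValue eventHandlerAttribute(JSEventListener* listener, ScriptExecutionContext& context)
{
    if (!listener || !context.canExecuteScripts)
        return jsNull();
    return { JSValue::Function, listener->handlerName };
}

// Before the fix: '*target.scriptExecutionContext()' binds a reference through a possibly-null
// pointer. That is undefined behaviour even though the callee never touches the object, and
// -fsanitize=undefined reports it as "reference binding to null pointer". Never call with null.
[[maybe_unused]] static JSValue eventHandlerAttributeUnchecked(const EventTarget& target)
{
    return eventHandlerAttribute(target.attributeEventListener(), *target.scriptExecutionContext());
}

// After the fix (Darin Adler's suggestion): null-check at the one call site where it can be null.
static JSValue eventHandlerAttributeChecked(const EventTarget& target)
{
    auto context = target.scriptExecutionContext();
    if (!context)
        return jsNull();
    return eventHandlerAttribute(target.attributeEventListener(), *context);
}

// Constructed scenario: an "onclick" listener on a target with or without a live context.
static JSValue handlerAttributeFor(bool hasContext)
{
    static ScriptExecutionContext context;
    static JSEventListener listener { "onclick" };
    EventTarget target { hasContext ? &context : nullptr, &listener };
    return eventHandlerAttributeChecked(target);
}
int main() { assert(handlerAttributeFor(false).kind == JSValue::Null); }
```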
Comment 4 Chris Dumez 2021-03-24 17:40:36 PDT
Created attachment 424208 [details]
Patch
Comment 5 EWS 2021-03-24 18:48:24 PDT
Committed r274996: <https://commits.webkit.org/r274996>

All reviewed patches have been landed. Closing bug and clearing flags on attachment 424208 [details].
Comment 6 Radar WebKit Bug Importer 2021-03-24 18:49:15 PDT
<rdar://problem/75816500>