[webkit-reviews] review denied: [Bug 64256] REGRESSION(r90552): platform/mac/accessibility/html-slider-indicator.html fails : [Attachment 100256] Patch

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Mon Jul 11 02:33:28 PDT 2011


Kent Tamura <tkent at chromium.org> has denied Shinya Kawanaka
<shinyak at google.com>'s request for review:
Bug 64256: REGRESSION(r90552):
platform/mac/accessibility/html-slider-indicator.html fails
https://bugs.webkit.org/show_bug.cgi?id=64256

Attachment 100256: Patch
https://bugs.webkit.org/attachment.cgi?id=100256&action=review

------- Additional Comments from Kent Tamura <tkent at chromium.org>
View in context: https://bugs.webkit.org/attachment.cgi?id=100256&action=review


> Source/WebCore/html/RangeInputType.cpp:224
>	   element()->dispatchFormControlChangeEvent();
> +
> +	   if (AXObjectCache::accessibilityEnabled())
> +	      
element()->document()->axObjectCache()->postNotification(element()->renderer(),
AXObjectCache::AXValueChanged, true);
>      }
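Review bot: the two element() calls added after dispatchFormControlChangeEvent() (the accessibilityEnabled() branch that posts AXValueChanged) read element() after a 'change' event has already run script, and that script can remove the <input> or change its type, which frees the element and this RangeInputType; hold the element before the dispatch with RefPtr<HTMLInputElement> input = element(); and use input for both input->dispatchFormControlChangeEvent() and postNotification(input->renderer(), AXObjectCache::AXValueChanged, true), so nothing on this is touched once the event has returned.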

dispatchFormControlChangeEvent() dispatches a 'change' event, so JavaScript
code runs in it.
The JavaScript code can delete the parent <input>, and can change the type of
the <input>.  So accessing element() after dispatchFormControlChangeEvent()
causes a use-after-free.

You need to protect a reference to element() with RefPtr<> in order to keep
<input> alive and in order to avoid 'this' access.
RefPtr<HTMLInputElement> input = element();
input->dispatchFormControlChangeEvent();
if (...)
    input->document()->axObjectCache()->postNotification(input->renderer(), ...
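The pattern above, as an added stand-alone example that is not part of the patch or of WebKit: a toy intrusive RefPtr, an element whose 'change' listener stands in for script, and a document that is the element's only owner. The listener removes the element from the document while the dispatch is in progress; because the caller took its own RefPtr first, the element stays alive until the AX notification code has run and is freed only when that local reference goes away. The RefPtr, HTMLInputElement, Document and RangeInputType classes below are simplified stand-ins (assumption), not the WebCore ones, and the unsafe variant is shown for contrast but never called.

```cpp
// Added example, not WebKit code: why a RefPtr must be held across
// dispatchFormControlChangeEvent(). All classes here are simplified
// stand-ins (assumption), not the WebCore classes of the same name.
#include <functional>
#include <utility>

static int g_destroyedElements = 0; // counts elements freed so far

template <typename T>
class RefPtr {
public:
    RefPtr() : m_ptr(nullptr) {}
    RefPtr(T* p) : m_ptr(p) { if (m_ptr) m_ptr->ref(); }
    RefPtr(const RefPtr& o) : m_ptr(o.m_ptr) { if (m_ptr) m_ptr->ref(); }
    ~RefPtr() { if (m_ptr) m_ptr->deref(); }
    RefPtr& operator=(RefPtr o) { std::swap(m_ptr, o.m_ptr); return *this; }
    void clear() { *this = RefPtr(); }           // drop our reference
    T* get() const { return m_ptr; }
    T* operator->() const { return m_ptr; }
private:
    T* m_ptr;
};

class HTMLInputElement {
public:
    std::function<void()> changeListener;        // stands in for the script 'change' handler
    void ref() { ++m_refCount; }
    void deref() { if (--m_refCount == 0) delete this; }
    int refCount() const { return m_refCount; }
    void dispatchFormControlChangeEvent() { if (changeListener) changeListener(); }
    ~HTMLInputElement() { ++g_destroyedElements; }
private:
    int m_refCount = 0;
};

struct Document { RefPtr<HTMLInputElement> input; }; // sole owner of the element

struct DispatchResult {
    int refCountAfterDispatch;  // references still held when the listener has returned
    int destroyedAfterDispatch; // elements freed by the time the AX notification would be posted
};

class RangeInputType {
public:
    explicit RangeInputType(HTMLInputElement* e) : m_element(e) {}
    HTMLInputElement* element() const { return m_element; } // raw, non-owning, as in WebCore

    // The rejected shape: element() is re-read after script ran. If the listener
    // dropped the last reference this is a use-after-free, so it is never called here.
    void setValueUnsafe() {
        element()->dispatchFormControlChangeEvent();
        (void)element()->refCount();             // UAF if the listener removed the element
    }

    // The shape the reviewer asked for: the RefPtr keeps the element alive across
    // the dispatch, and only the local 'input' (never this->m_element) is used after it.
    DispatchResult setValueSafe() {
        RefPtr<HTMLInputElement> input = element();
        input->dispatchFormControlChangeEvent();
        return DispatchResult{ input->refCount(), g_destroyedElements };
    }
private:
    HTMLInputElement* m_element;
};

// Scenario (constructed): the 'change' listener removes the <input> from its
// document, dropping the document's only reference mid-dispatch.
DispatchResult runSafeScenario() {
    g_destroyedElements = 0;
    Document doc;
    doc.input = RefPtr<HTMLInputElement>(new HTMLInputElement);
    RangeInputType type(doc.input.get());
    doc.input->changeListener = [&doc] { doc.input.clear(); };
    DispatchResult r = type.setValueSafe();
    // The local RefPtr inside setValueSafe() was the last reference: the element
    // is freed only now, after the post-dispatch code ran on a live object.
    return r;
}

int destroyedElementsSoFar() { return g_destroyedElements; }
```

runSafeScenario() reports one reference still held and zero elements destroyed at the point where the patch posts its notification, and destroyedElementsSoFar() becomes 1 only after the call returns; with the unsafe shape the same listener would leave element() pointing at freed memory.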
