[Webkit-unassigned] [Bug 17956] New: possible write to freed memory in EventTargetNode::dispatchSimulatedMouseEvent()

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Wed Mar 19 14:14:27 PDT 2008


http://bugs.webkit.org/show_bug.cgi?id=17956

           Summary: possible write to freed memory in
                    EventTargetNode::dispatchSimulatedMouseEvent()
           Product: WebKit
           Version: 526+ (Nightly build)
          Platform: PC
        OS/Version: Windows XP
            Status: UNCONFIRMED
          Severity: Normal
          Priority: P2
         Component: HTML DOM
        AssignedTo: webkit-unassigned at lists.webkit.org
        ReportedBy: minatoar at gmail.com


Not certain about this, but it looks like if the event handler deletes the node
within dispatchSimulatedMouseEvent(), there can be a subsequent assignment to
freed memory:

EventTargetNode::dispatchSimulatedMouseEvent(...) {
    ...

    m_dispatchingSimulatedEvent = true;


    // <--- The event handler may end up deleting "this" --->
    dispatchMouseEvent(...);

    // <--- Could this assignment happen to freed memory? --->
    m_dispatchingSimulatedEvent = false;
}

I ran into a problem when using an access key that deleted the anchor
(LayoutTests/fast/events/access-key-self-destruct.html) -- however I am not
certain if there were other modifications in my code that could have caused
this problem.

Can someone familiar with the method comment if this is a problem?

(I see that EventTargetNode::dispatchMouseEvent() protects "this" from
deletion; why does this block not require it too?)


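The hazard the report describes, as an added illustration that is not part of the bug or of WebCore's code: an instrumented stand-in for WebKit's intrusive ref counting in which "destruction" only marks the object (so the late member write is observable rather than undefined behaviour), run once without and once with a RefPtr-style protector. The names Node, RefProtector and simulate are hypothetical.

```cpp
#include <functional>

// Instrumented model: deref() marks the node destroyed instead of freeing it,
// so a write after the last deref can be counted. Hypothetical names.
class Node {
public:
    using Handler = std::function<void(Node&)>;

    Node() : m_refCount(1) {}
    void ref() { ++m_refCount; }
    void deref() { if (--m_refCount == 0) m_destroyed = true; }  // stands in for "delete this"
    bool destroyed() const { return m_destroyed; }
    int writesAfterDestroy() const { return m_writesAfterDestroy; }

    // The pattern quoted in the report: set flag, dispatch, clear flag.
    // The handler may drop the caller's last reference to *this.
    void dispatchSimulatedMouseEvent(const Handler& handler, bool protectThis) {
        RefProtector protect(protectThis ? this : nullptr);  // keeps *this alive until return
        setDispatching(true);
        handler(*this);          // may "delete" this
        setDispatching(false);   // lands on freed memory when unprotected
    }

private:
    // Scope guard equivalent to "RefPtr<Node> protect(this);" in WebCore code.
    struct RefProtector {
        explicit RefProtector(Node* n) : m_node(n) { if (m_node) m_node->ref(); }
        ~RefProtector() { if (m_node) m_node->deref(); }
        Node* m_node;
    };
    void setDispatching(bool v) {
        if (m_destroyed) ++m_writesAfterDestroy;  // instrumentation: UB in real code
        m_dispatchingSimulatedEvent = v;
    }
    int m_refCount;
    bool m_destroyed = false;
    bool m_dispatchingSimulatedEvent = false;
    int m_writesAfterDestroy = 0;
};

// Runs the pattern with a handler that drops the caller's last reference (the
// self-destruct case from the report) and returns how many member writes hit
// an already-destroyed node: 1 unprotected, 0 with the protector.
int simulate(bool protectThis) {
    Node node;  // the caller's reference is the initial refcount of 1
    node.dispatchSimulatedMouseEvent([](Node& self) { self.deref(); }, protectThis);
    return node.writesAfterDestroy();
}
```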