[Webkit-unassigned] [Bug 34973] New: Missing null pointer check in MouseRelatedEvent::receivedTarget()

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Tue Feb 16 03:53:35 PST 2010 

https://bugs.webkit.org/show_bug.cgi?id=34973

           Summary: Missing null pointer check in
                    MouseRelatedEvent::receivedTarget()
           Product: WebKit
           Version: 528+ (Nightly build)
          Platform: PC
        OS/Version: Windows Vista
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: HTML DOM
        AssignedTo: webkit-unassigned at lists.webkit.org
        ReportedBy: andreas.kling at nokia.com


Created an attachment (id=48802)
 --> (https://bugs.webkit.org/attachment.cgi?id=48802)
Backtrace

Original bugreport: http://bugreports.qt.nokia.com/browse/QTBUG-5020

Compiler: Microsoft (R) 32-bit C/C++ Optimizing Compiler Version 15.00.30729.01
for 80x86 

I can't provide you with exact steps to reproduce because bug is very rare and
hard to reproduce, but I found a root cause of the bug. 
We use Qt for developing proprietary application with UI partially written with
the JavaScript-rich HTML that intensively uses Qt plugins and webkit HTML5
extensions. In some unforeseen circumstances application unexpectedly crashes
in $(Qt)/src/3rdparty/webkit/webcore/dom/mouserelatedevent.cpp, in the
MouseRelatedEvent::receivedTarget method.

There is a following code in MouseRelatedEvent::receivedTarget: 
======================================================== 
Node* n = targ; 
while (n && !n->renderer()) 
n = n->parent(); 
if (n) { 
RenderLayer* layer = n->renderer()->enclosingLayer(); 
layer->updateLayerPosition(); 
for (; layer; layer = layer->parent()) { 
m_layerX -= layer->xPos(); 
m_layerY -= layer->yPos(); 
} 
} 
======================================================== 

in some circumstances layer is NULL in call to layer->updateLayerPosition() in
the code above. 
Null pointer check introduced in for loop, I believe that it shall be
introduced above the call to updateLayerPosition, in other words code shall be
rewritten as follows: 

Node* n = targ; 
while (n && !n->renderer()) 
n = n->parent(); 
if (n) { 
RenderLayer* layer = n->renderer()->enclosingLayer(); 
if (layer) { 
layer->updateLayerPosition(); 

// this is to avoid redundant null pointer check in the first iteration 
do 
{ 
m_layerX -= layer->xPos(); 
m_layerY -= layer->yPos(); 
} 
while (layer = layer->parent()); 
} 
}

-- 
Configure bugmail: https://bugs.webkit.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.

More information about the webkit-unassigned mailing list