[Webkit-unassigned] [Bug 36864] Mutation events and textarea can be used to corrupt the render tree.

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Tue Mar 30 17:20:26 PDT 2010


https://bugs.webkit.org/show_bug.cgi?id=36864


Dimitri Glazkov (Google) <dglazkov at chromium.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |ASSIGNED
         AssignedTo|webkit-unassigned at lists.web |dglazkov at chromium.org
                   |kit.org                     |
                 CC|                            |darin at apple.com,
                   |                            |ggaren at apple.com,
                   |                            |hyatt at apple.com




--- Comment #1 from Dimitri Glazkov (Google) <dglazkov at chromium.org>  2010-03-30 17:20:26 PST ---
This is not yet ready for review, but I wanted you guys to take a peek. The
problem is in RenderTextControlMultiLine::updateFromElement(), because by using
setInnerTextValue(), it may call ContainerNode::appendChild(), which in turn
may dispatch child insertion events (DOMNodeInserted and/or
DOMNodeInsertedIntoDocument).

Armed with this knowledge, we can create a sequence of events where dispatching
this event triggers recalcStyle on the whole document, which in turn proceeds
to detach/attach nodes in the tree, thus creating a re-entrancy.

Adding a few ULs/LIs is just enough to get the renderer to attempt locating its
common ancestor renderer and crash, realizing that it's an orphaned
RenderObject (see test attached)...

The badness is obvious, but the fix isn't. My take is to explicitly silence
child insertion events when attaching an HTMLFormControlElement, since it
shouldn't fire mutation events here anyway.

What do you think?

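The re-entrancy the comment describes, and the "silence child insertion events while attaching" fix it proposes, as an added C++ illustration. This is not WebKit code: the types, the suppression counter and the function names below are made up for the example. It models a control whose appendChild dispatches a synchronous insertion event, a listener that re-enters the control's own update (standing in for the recalcStyle re-entry), and an RAII guard that keeps the listener from running while the control rebuilds its inner text.

```cpp
// Added illustration, not WebKit code: a toy form control whose appendChild
// dispatches a synchronous "node inserted" event, a listener that re-enters
// the control's own update, and an RAII guard that silences mutation events
// while the control rebuilds its inner text. All names are hypothetical.
#include <cstdio>
#include <functional>
#include <memory>
#include <string>
#include <vector>

// Nesting counter: while non-zero, appendChild dispatches no mutation events.
static int g_mutationEventsSuppressed = 0;

// Scope guard modelling "silence child insertion events during attach".
struct MutationEventSuppressor {
    MutationEventSuppressor() { ++g_mutationEventsSuppressed; }
    ~MutationEventSuppressor() { --g_mutationEventsSuppressed; }
};

struct Node;
using InsertedListener = std::function<void(Node&)>;

struct Node {
    std::string name;
    std::vector<std::unique_ptr<Node>> children;
    InsertedListener onNodeInserted;  // stands in for a DOMNodeInserted listener

    explicit Node(std::string n) : name(std::move(n)) {}

    // Like ContainerNode::appendChild in the bug: the event is dispatched
    // synchronously, so listener script runs before this call returns.
    void appendChild(std::unique_ptr<Node> child) {
        Node& inserted = *child;
        children.push_back(std::move(child));
        if (onNodeInserted && g_mutationEventsSuppressed == 0)
            onNodeInserted(inserted);  // may mutate 'children' under our feet
    }
};

// Toy multi-line text control: setting the value rebuilds the inner text node.
struct TextControl {
    Node inner{"inner"};
    int depth = 0;     // current nesting of setInnerTextValue
    int maxDepth = 0;  // deepest re-entry observed

    void setInnerTextValue(const std::string& value) {
        ++depth;
        if (depth > maxDepth) maxDepth = depth;
        inner.children.clear();  // drops any node the outer call just inserted
        inner.appendChild(std::make_unique<Node>(value));
        --depth;
    }
};

struct Outcome {
    int maxDepth;       // 1 means the update ran without re-entry
    int listenerCalls;  // how often listener script ran during the update
};

// Runs one update. The listener re-enters the control up to three levels
// deep, the way a style recalc triggered from the event would re-enter the
// renderer in the real bug.
Outcome runUpdate(bool suppressEvents) {
    TextControl control;
    int calls = 0;
    control.inner.onNodeInserted = [&](Node&) {
        ++calls;
        if (control.depth < 3)
            control.setInnerTextValue("set from listener");
    };
    if (suppressEvents) {
        MutationEventSuppressor guard;  // proposed fix: no events while attaching
        control.setInnerTextValue("initial");
    } else {
        control.setInnerTextValue("initial");
    }
    return {control.maxDepth, calls};
}

int main() {
    Outcome unguarded = runUpdate(false);
    Outcome guarded = runUpdate(true);
    std::printf("unguarded: depth %d, listener ran %d times\n",
                unguarded.maxDepth, unguarded.listenerCalls);
    std::printf("guarded:   depth %d, listener ran %d times\n",
                guarded.maxDepth, guarded.listenerCalls);
    return 0;
}
```

Without the guard the update nests three deep and the listener runs three times, each nested call clearing the child the outer call has just inserted, which is the kind of state the orphaned-RenderObject crash depends on. With the guard in scope the listener never runs and the update completes at depth one. The guard is a counter rather than a bool so that nested suppressed regions compose correctly.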