[Webkit-unassigned] [Bug 64256] REGRESSION(r90552): platform/mac/accessibility/html-slider-indicator.html fails

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Mon Jul 11 04:00:09 PDT 2011


https://bugs.webkit.org/show_bug.cgi?id=64256





--- Comment #4 from Kent Tamura <tkent at chromium.org>  2011-07-11 04:00:09 PST ---
(From update of attachment 100256)
View in context: https://bugs.webkit.org/attachment.cgi?id=100256&action=review

>>> Source/WebCore/html/RangeInputType.cpp:224
>>>      }
>> 
>> dispatchFormControlChangeEvent() dispatches a 'change' event, so JavaScript code runs in it.
>> The JavaScript code can delete the parent <input>, and can change the type of the <input>.  So accessing element() after dispatchFormControlChangeEvent() causes a use-after-free.
>> 
>> You need to protect a reference to element() with RefPtr<> in order to keep the <input> alive and to avoid accessing 'this'.
>> RefPtr<HTMLInputElement> input = element();
>> input->dispatchFormControlChangeEvent();
>> if (...)
>>     input->document()->axObjectCache()->postNotification(input->renderer(), ...
> 
> I found that postNotification() is called before dispatchFormControlChangeEvent() in HTMLInputElement::setChecked().
> So if it is OK, I would like to move postNotification() before dispatchFormControlChangeEvent(). Do you think it may also break something? If so, I will use RefPtr to keep it alive.

It's OK to move it because the code without r90552 dispatched AXValueChanged and then 'change'.
But I'm not confident that the AXValueChanged notification won't delete the element.

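Added illustration of the lifetime hazard discussed in this comment; it is not code from the WebKit patch, from WebCore, or from anyone in the thread. A 'change' listener removes the element from its document, so the raw element() pointer dangles after dispatchFormControlChangeEvent(), while the RefPtr<> form suggested in the review keeps the node alive until the caller is done with it. InputElement, Document and the simplified RefPtr below are hypothetical stand-ins for HTMLInputElement, the document tree and WTF::RefPtr; the simulated deref() flags the node dead instead of deleting it, so the use-after-free is observable as an exception rather than as undefined behaviour.

```cpp
#include <cstdio>
#include <functional>
#include <stdexcept>
#include <utility>

// Hypothetical stand-in for HTMLInputElement (not WebKit code). In WebCore a
// deref() that reaches zero does `delete this`; here the node is only flagged
// dead so a use-after-free shows up as an exception, not as memory corruption.
class InputElement {
public:
    void ref() { ++m_refCount; }
    void deref() { if (--m_refCount == 0) m_dead = true; }
    bool isDead() const { return m_dead; }

    int value() const {
        if (m_dead)
            throw std::logic_error("use-after-free: element already destroyed");
        return m_value;
    }
    void setValue(int v) { m_value = v; }

    // Stand-in for script registered as a 'change' event listener.
    void setChangeListener(std::function<void()> listener) { m_listener = std::move(listener); }
    // Analogue of dispatchFormControlChangeEvent(): runs arbitrary script.
    void dispatchFormControlChangeEvent() { if (m_listener) m_listener(); }

private:
    int m_refCount = 1;   // the owning Document holds the initial reference
    bool m_dead = false;
    int m_value = 0;
    std::function<void()> m_listener;
};

// Minimal RefPtr with the one property of WTF::RefPtr that matters here:
// a strong reference held for the lifetime of the handle.
template <typename T>
class RefPtr {
public:
    explicit RefPtr(T* p) : m_ptr(p) { if (m_ptr) m_ptr->ref(); }
    RefPtr(const RefPtr&) = delete;
    RefPtr& operator=(const RefPtr&) = delete;
    ~RefPtr() { if (m_ptr) m_ptr->deref(); }
    T* operator->() const { return m_ptr; }
private:
    T* m_ptr;
};

// The document owns the <input>; script can remove it and drop that reference.
struct Document {
    InputElement* input = nullptr;
    void removeInput() {
        InputElement* e = input;
        input = nullptr;
        if (e) e->deref();
    }
};

// The pattern the review objects to: `element` is a raw pointer (like the
// result of InputType::element()) and is used again after script has run.
int applyValueUnprotected(InputElement* element, int newValue) {
    element->setValue(newValue);
    element->dispatchFormControlChangeEvent();  // listener may remove the element
    return element->value();                    // dangling if it did
}

// The RefPtr form suggested in the review: the local strong reference keeps
// the node alive until this function returns, whatever the listener does.
int applyValueProtected(InputElement* element, int newValue) {
    RefPtr<InputElement> input(element);
    input->setValue(newValue);
    input->dispatchFormControlChangeEvent();
    return input->value();                      // still alive: we hold a reference
}

struct Outcome {
    int value;            // value read after dispatch, or -1 if the node was dead
    bool deadAfterwards;  // whether the node had been released once the call returned
};

// Runs one of the two functions against a constructed document whose change
// listener removes the <input>, i.e. the scenario described in the thread.
Outcome runScenario(int (*apply)(InputElement*, int), int newValue) {
    Document doc;
    InputElement* input = new InputElement();
    doc.input = input;
    input->setChangeListener([&doc] { doc.removeInput(); });

    Outcome out{};
    try {
        out.value = apply(input, newValue);
    } catch (const std::logic_error&) {
        out.value = -1;
    }
    out.deadAfterwards = input->isDead();
    delete input;  // the simulated deref() never freed it; release the memory here
    return out;
}

int main() {
    Outcome bad = runScenario(applyValueUnprotected, 42);
    Outcome good = runScenario(applyValueProtected, 42);
    std::printf("unprotected: value=%d dead=%d\n", bad.value, bad.deadAfterwards);
    std::printf("protected:   value=%d dead=%d\n", good.value, good.deadAfterwards);
    return 0;
}
```

In both runs the node is released by the time the caller returns; the difference is only when that happens relative to the final read. The RefPtr version also covers the ordering question raised in the thread: whichever of AXValueChanged or 'change' runs first, the local reference outlives both dispatches.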