[Webkit-unassigned] [Bug 77854] New: XMLHttpRequest modified during onreadystatechange handler

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Sun Feb 5 23:11:45 PST 2012 

https://bugs.webkit.org/show_bug.cgi?id=77854

           Summary: XMLHttpRequest modified during onreadystatechange
                    handler
           Product: WebKit
           Version: 528+ (Nightly build)
          Platform: PC
        OS/Version: Linux
            Status: UNCONFIRMED
          Severity: Normal
          Priority: P2
         Component: JavaScriptCore
        AssignedTo: webkit-unassigned at lists.webkit.org
        ReportedBy: mark.toller at samsung.com


Apologies if this isn't on the correct component...

Here's the scenario:

A page creates an XMLHttpRequest for a file (there is a global variable 'req' which is set to the XMLHttpRequest).  The onreadystatechange handler contains the following code:

 function() {
        if (req.readyState !== 4 || req.status !== 200) {
            return;
        }
        var txt = req.responseText;
        req.onreadystatechange = null;
        configreq = null;
        eval('(' + txt + ')');
    };

There is also a plugin (NPAPI) running, which has a javascript function property 'onChannelChangeSucceeded'. This is set to the following code:

function() {
    if (req) {
        req.abort();
        req.onreadystatechange = null;
        req = false;
    }
}

It seems that the plugin onChannelChangeSucceeded can be called and execute the 'abort()' method whilst the onreadystatechange is being processed... i.e. the XMLHttpRequest completes, and starts processing the onreadstatechange handler, this passes the if(readyState || status) statement, but before the responseText is read into 'txt', the plugin onChannelChangeSucceeded is called, and this resets the XMLHttpRequest by calling 'abort()'.  The result is that the reponseText is then empty when read in the onreadystatechange handler.

I wouldn't expect the contents of the XMLHttpRequest to be changed *during* the execution of the onreadystatechange handler.

-- 
Configure bugmail: https://bugs.webkit.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.

More information about the webkit-unassigned mailing list