[Webkit-unassigned] [Bug 191155] New: SimulatedInputDispatcher::transitionInputSourceToState() can reuse a moved-from completion handler

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Thu Nov 1 10:04:22 PDT 2018 

https://bugs.webkit.org/show_bug.cgi?id=191155

            Bug ID: 191155
           Summary: SimulatedInputDispatcher::transitionInputSourceToState
                    () can reuse a moved-from completion handler
           Product: WebKit
           Version: WebKit Nightly Build
          Hardware: Unspecified
                OS: Unspecified
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: WebDriver
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: zan at falconsigh.net
                CC: bburg at apple.com, cgarcia at igalia.com

In the SimulatedInputDispatcher::transitionInputSourceToState() method, the `eventDispatchFinished` completion handler can be incorrectly reused when multiple WebAutomationSession::simulateKeyboardInteraction() calls are done.

This can specifically happen when keyboard input simulation ends up adjusting to differences between the current and the new state of pressed virtual keys. As soon as two or more virtual keys are different between the states, the corresponding simulateKeyboardInteraction() invocations are dispatched. Problem is that while the first invocation moves out from the `eventDispatchFinished` variable that contains the completion handler, the second dispatch (and any additional ones) does the same -- on an already moved-out variable.

This results in a crash later in WebAutomationSession, when the completion handlers stored in the `m_pendingKeyboardEventsFlushedCallbacksPerPage` HashMap are retrieved from there and dispatched.

I don't know if this is a problem in any of the currently-imported WebDriver tests, but it was observed in existing WebDriver tests in the web-platform-tests suite.

-- 
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-unassigned/attachments/20181101/ac04b27d/attachment.html>

More information about the webkit-unassigned mailing list