Crash in EventDispatcher::dispatchEventPostProcess() due to limited "dispatch flag" implementation
Issue description

Chrome Version: ToT
OS: All

What steps will reproduce the problem?
(1) Run http://w3c-test.org/dom/events/Event-dispatch-click.html with Google Chrome with a11y enabled, or content shell --run-layout-test (or run-webkit-tests external/wpt/dom/events/Event-dispatch-click.html)

What is the expected result?
No crash

What happens instead?
Crash in EventDispatcher::dispatchEventPostProcess() because m_event->target() is null.

Please use labels and text to provide additional information.

The crasher test is:

    async_test(function(t) {
      var input = document.createElement("input")
      input.type = "checkbox"
      dump.appendChild(input)  // |dump| is the container element defined by the test page
      var clickEvent = new MouseEvent("click")
      var finalTarget = document.createElement("doesnotmatter")
      finalTarget.onclick = t.step_func_done(function() {
        assert_equals(clickEvent.target, finalTarget)
      })
      input.onchange = t.step_func(function() {
        // 'change' fires during post-click handling; re-dispatch the click that is still being dispatched
        finalTarget.dispatchEvent(clickEvent)
      })
      input.dispatchEvent(clickEvent)
    }, "redispatch during post-click handling")

It tries to re-dispatch a dispatching click event. The inner dispatchEvent() clears |target| at the end of process, and dispatchEventPostProcess() for the outer dispatchEvent() crashes.
https://dom.spec.whatwg.org/#dom-eventtarget-dispatchevent
In this case, the inner dispatchEvent() should throw an InvalidStateError according to the standard. Firefox correctly handles this test.
Jan 26 2017
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/69fa20d42cdab2a175275293d3953c7ca3ba19dc

commit 69fa20d42cdab2a175275293d3953c7ca3ba19dc
Author: tkent <tkent@chromium.org>
Date: Thu Jan 26 06:43:32 2017

INPUT element: avoid crash in EventDispatcher::dispatchEventPostProcess().

This CL swaps AX-related code and postDispatchEventHandler() in dispatchEventPostProcess(). postDispatchEventHandler() may dispatch a 'change' event, and an event handler might update m_event. Accessing m_event->target() after postDispatchEventHandler() isn't safe.

BUG=685450
Review-Url: https://codereview.chromium.org/2655803006
Cr-Commit-Position: refs/heads/master@{#446258}

[modify] https://crrev.com/69fa20d42cdab2a175275293d3953c7ca3ba19dc/third_party/WebKit/LayoutTests/TestExpectations
[add] https://crrev.com/69fa20d42cdab2a175275293d3953c7ca3ba19dc/third_party/WebKit/LayoutTests/external/wpt/dom/events/Event-dispatch-click-expected.txt
[modify] https://crrev.com/69fa20d42cdab2a175275293d3953c7ca3ba19dc/third_party/WebKit/Source/core/events/EventDispatcher.cpp
Mar 15 2017: Remove Blink>DOM>Events
Comment 1 by tkent@chromium.org, Jan 26 2017

Actually, Event has an isBeingDispatched() member function, and EventTarget::dispatchEvent() checks it. However, eventPhase() is NONE during EventDispatcher::dispatchEventPostProcess().

    bool isBeingDispatched() const { return eventPhase(); }