Bug 218546

Summary: window.event may get set on wrong global when dispatching an event
Product: WebKit Reporter: Chris Dumez <cdumez>
Component: DOMAssignee: Chris Dumez <cdumez>
Status: RESOLVED FIXED    
Severity: Normal CC: benjamin, calvaris, clopez, darin, ews-watchlist, ggaren, sam, webkit-bug-importer, youennf
Priority: P2 Keywords: InRadar
Version: WebKit Nightly Build   
Hardware: Unspecified   
OS: Unspecified   
URL: https://dom.spec.whatwg.org/#concept-event-listener-inner-invoke
Attachments:
Description Flags
WIP Patch
none
Patch
none
Patch
none
Patch
none
Patch
sam: review+, ews-feeder: commit-queue-
Patch none

Description Chris Dumez 2020-11-03 16:40:39 PST 
window.event may get set on wrong global when dispatching an event.
Comment 1 Chris Dumez 2020-11-03 16:41:03 PST 
Created attachment 413122 [details]
WIP Patch
Comment 2 Chris Dumez 2020-11-04 07:54:17 PST 
Created attachment 413163 [details]
Patch
Comment 3 Chris Dumez 2020-11-04 08:05:09 PST 
Created attachment 413165 [details]
Patch
Comment 4 Geoffrey Garen 2020-11-04 10:31:15 PST 
Comment on attachment 413165 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=413165&action=review

> Source/WebCore/ChangeLog:9
> +        'current event', stating that global the 'listener callbackâs associated Realmâs global

that global the => that global is the

> Source/WebCore/bindings/js/JSDOMWindowBase.h:114
> +    Event* m_currentEvent { nullptr };

Can we use RefPtr here?

> Source/WebCore/bindings/js/JSErrorHandler.cpp:83
> +        Event* savedEvent = nullptr;

Can we use RefPtr here?

> Source/WebCore/bindings/js/JSErrorHandler.cpp:86
> +            jsFunctionWindow->currentEvent();

I think you meant to assign to savedEvent here? Seems like a bug. Might need a new test.

> Source/WebCore/bindings/js/JSEventListener.cpp:166
> +    Event* savedEvent = nullptr;

Can we use RefPtr here?
Comment 5 Chris Dumez 2020-11-04 10:54:00 PST 
Comment on attachment 413165 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=413165&action=review

>> Source/WebCore/bindings/js/JSDOMWindowBase.h:114
>> +    Event* m_currentEvent { nullptr };
> 
> Can we use RefPtr here?

I am merely moving the code so this is not new. I think we can make it a RefPtr though, even if not strictly needed for safety.
Comment 6 Chris Dumez 2020-11-04 11:05:22 PST 
Created attachment 413182 [details]
Patch
Comment 7 Chris Dumez 2020-11-04 11:10:54 PST 
Created attachment 413184 [details]
Patch
Comment 8 Chris Dumez 2020-11-04 16:11:35 PST 
Created attachment 413221 [details]
Patch
Comment 9 EWS 2020-11-04 18:23:36 PST 
Committed r269414: <https://trac.webkit.org/changeset/269414>

All reviewed patches have been landed. Closing bug and clearing flags on attachment 413221 [details].
Comment 10 Radar WebKit Bug Importer 2020-11-04 18:24:21 PST 
<rdar://problem/71060677>