Web Inspector: Calling getEventListeners() on element with malformed javascript event listeners crashes

https://bugs.webkit.org/show_bug.cgi?id=93937

Reviewed by Pavel Feldman.

Source/WebCore:

- check listener function to be non-null (happens upon an exception while compiling attribute listeners)

* bindings/js/JSInjectedScriptHostCustom.cpp:
(WebCore::getJSListenerFunctions):
* bindings/v8/custom/V8InjectedScriptHostCustom.cpp:
(WebCore::getJSListenerFunctions):

LayoutTests:

- added test for crash on invalid syntax in an attribute JS listener;
- added custom expectation for chrome due to JS error logged to console by JSC while compiling attribute listener;

* inspector/console/command-line-api-getEventListeners-expected.txt:
* inspector/console/command-line-api-getEventListeners.html:
* platform/chromium/inspector/console/command-line-api-getEventListeners-expected.txt: Copied from LayoutTests/inspector/console/command-line-api-getEventListeners-expected.txt.

git-svn-id: http://svn.webkit.org/repository/webkit/trunk@125654 268f45cc-cd09-0410-ab3c-d52691b4dbfc
commit 1f4ac6deb6655bb8aec3be7e532458a9f1e27e3d (1 parent: 41258f1), committed by @caseq on Aug 15, 2012
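The mechanism behind the crash, as an added example that is not WebKit code: an attribute listener such as onclick="..." keeps its body as a string and compiles it lazily on first use, so a syntactically invalid body only fails when something (here, getEventListeners()) asks for the function object. The class and function names below are illustrative stand-ins for WebKit's internals, and the sample element is constructed inline; the "unchecked" enumerator dereferences the missing function, which in native code was the crash, while the hardened one skips the failed listener and continues.

```javascript
// Added example, not WebKit code: a model of lazily compiled attribute
// event listeners (onclick="...") and of why an enumerator such as
// getEventListeners() must tolerate a listener whose body failed to compile.
// Names here (LazyAttributeListener, makeElement, ...) are illustrative.

// A listener created from an HTML event attribute. The body is kept as a
// string and compiled on first use, as browsers do for attribute listeners.
class LazyAttributeListener {
  constructor(eventType, source) {
    this.eventType = eventType;
    this.source = source;
    this.compiled = undefined; // undefined: not yet compiled, null: compile failed
  }

  // Compile the attribute body into a function. On a syntax error the
  // listener records null, the analogue of the listener object being
  // absent after a failed compile.
  getListenerObject() {
    if (this.compiled === undefined) {
      try {
        this.compiled = new Function("event", this.source);
      } catch (e) {
        if (!(e instanceof SyntaxError)) throw e;
        this.compiled = null;
      }
    }
    return this.compiled;
  }
}

// Minimal stand-in for an element: every on* attribute becomes a listener.
function makeElement(attributes) {
  const listeners = [];
  for (const [name, value] of Object.entries(attributes)) {
    if (name.startsWith("on")) {
      listeners.push({
        listener: new LazyAttributeListener(name.slice(2), value),
        useCapture: false,
      });
    }
  }
  return { listeners };
}

// Enumerator before the fix: assumes compilation always yields a function.
// Dereferencing the null result throws a TypeError here; in the native
// binding the same dereference was the crash.
function getEventListenersUnchecked(element) {
  const result = {};
  for (const entry of element.listeners) {
    const fn = entry.listener.getListenerObject();
    const type = entry.listener.eventType;
    (result[type] = result[type] || []).push({
      listener: fn.toString(),
      useCapture: entry.useCapture,
    });
  }
  return result;
}

// Enumerator after the fix: a listener that failed to compile is skipped
// and enumeration continues with the remaining listeners.
function getEventListeners(element) {
  const result = {};
  for (const entry of element.listeners) {
    const fn = entry.listener.getListenerObject();
    if (!fn) continue;
    const type = entry.listener.eventType;
    (result[type] = result[type] || []).push({
      listener: fn,
      useCapture: entry.useCapture,
    });
  }
  return result;
}

// Returns true when the unchecked enumerator blows up on the element.
function uncheckedEnumerationFails(element) {
  try {
    getEventListenersUnchecked(element);
    return false;
  } catch (e) {
    return e instanceof TypeError;
  }
}

// Constructed sample: one malformed attribute listener (the same body the
// layout test uses) and one well-formed one on the same element.
const sampleElement = makeElement({
  id: "invalid",
  onclick: "Invalid JavaScript",
  onmouseover: "listener2()",
});
```

Running getEventListeners(sampleElement) yields only the mouseover entry; the unchecked variant throws on the click entry before it ever reaches the valid one, which is why the fix has to skip and continue rather than merely avoid the dereference.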
@@ -1,3 +1,17 @@
+2012-08-14 Andrey Kosyakov <caseq@chromium.org>
+
+ Web Inspector: Calling getEventListeners() on element with malformed javascript event listeners crashes
+ https://bugs.webkit.org/show_bug.cgi?id=93937
+
+ Reviewed by Pavel Feldman.
+
+ - added test for crash on invalid syntax in an attribute JS listener;
+ - added custom expectation for chrome due to JS error logged to console by JSC while compiling attribute listener;
+
+ * inspector/console/command-line-api-getEventListeners-expected.txt:
+ * inspector/console/command-line-api-getEventListeners.html:
+ * platform/chromium/inspector/console/command-line-api-getEventListeners-expected.txt: Copied from LayoutTests/inspector/console/command-line-api-getEventListeners-expected.txt.
+
2012-08-15 Christophe Dumez <christophe.dumez@intel.com>
[EFL] Update expectations for canvas/philip tests that require space collapsing
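Review bot: the new ChangeLog entry is dated 2012-08-14 but is inserted above a 2012-08-15 entry, and the commit itself landed on Aug 15, 2012; ChangeLog entries are kept newest-first, so the date line should be bumped to the landing date when committing.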
@@ -1,6 +1,7 @@
+CONSOLE MESSAGE: line 26: SyntaxError: Expected an identifier but found 'JavaScript' instead
Tests getEventListeners() method of console command line API.
-
+
- inner -
keydown: {
0: {
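Review bot: the added expectation hard-codes the error position as `CONSOLE MESSAGE: line 26: SyntaxError: ...`, which couples this file to the exact line on which the malformed button sits in command-line-api-getEventListeners.html; any markup added above that line will break the test, so either record that dependency in the test or place the malformed element where later edits are least likely to shift it. The `-`/`+` pair on the blank line after the title changes only whitespace; confirm that is intended rather than an accidental editor change.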
@@ -45,6 +46,7 @@ click: {
}
}
- empty -
+- invalid -
- object -
undefined
- null -
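Review bot: `- invalid -` is followed by nothing, so the expectation for the malformed element is indistinguishable from the `- empty -` case just above it; the test proves enumeration no longer crashes, but not whether the malformed listener was skipped or the whole element came back empty. Emitting a more descriptive label from the test, for example output("- invalid (malformed onclick is omitted) -"), would make the intended behaviour explicit in this file.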
@@ -23,7 +23,7 @@
<div id="empty">
</div>
<button id="button" onclick="alert(1)" onmouseover="listener2()"></button>
-
+<button id="invalid" onclick="Invalid JavaScript"></button>
<script>
function listener1()
{
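Review bot: `onclick="Invalid JavaScript"` reads like a typo to anyone who does not know the bug; an HTML comment beside the new button saying the attribute body is deliberately unparsable (it is what produces the SyntaxError in the expected output) would stop a later cleanup from "fixing" it. The button also takes the place of the removed blank line, so the line number reported in the console message depends on this exact position.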
@@ -80,6 +80,8 @@
dumpObject(getEventListeners(document.getElementById("button")));
output("- empty -");
dumpObject(getEventListeners(document.getElementById("empty")));
+ output("- invalid -");
+ dumpObject(getEventListeners(document.getElementById("invalid")));
output("- object -");
output(typeof getEventListeners({}));
output("- null -");
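Review bot: the new `invalid` element carries only the malformed `onclick`, so once that listener is skipped nothing remains and the `continue` path is exercised only at the end of the loop; giving the same element a second, well-formed attribute listener (for example `onmouseover="listener2()"`, as on `#button`) would verify that enumeration resumes after the skipped entry and still reports the valid one.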
@@ -0,0 +1,57 @@
+Tests getEventListeners() method of console command line API.
+
+
+- inner -
+keydown: {
+ 0: {
+ listener: function listener1() { }
+ useCapture: false
+ }
+ 1: {
+ listener: function listener2() { }
+ useCapture: true
+ }
+}
+- outer -
+mousemove: {
+ 0: {
+ listener: function listener1() { }
+ useCapture: false
+ }
+}
+keydown: {
+ 0: {
+ listener: function listener2() { }
+ useCapture: true
+ }
+}
+mousedown: {
+ 0: {
+ listener: function listener2() { }
+ useCapture: true
+ }
+}
+- attribute event listeners -
+mouseover: {
+ 0: {
+ listener: function onmouseover(event) { listener2() }
+ useCapture: false
+ }
+}
+click: {
+ 0: {
+ listener: function onclick(event) { alert(1) }
+ useCapture: false
+ }
+}
+- empty -
+- invalid -
+- object -
+undefined
+- null -
+undefined
+- undefined -
+undefined
+- window -
+undefined
+
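Review bot: the chromium copy duplicates all 57 lines of the generic expectation and differs only by omitting the `CONSOLE MESSAGE` line that JSC logs, so every future change to the generic output now has to be mirrored here. If the harness allows it, stripping or normalising the console message in the test itself would let both ports share one expectation file.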
@@ -1,3 +1,17 @@
+2012-08-14 Andrey Kosyakov <caseq@chromium.org>
+
+ Web Inspector: Calling getEventListeners() on element with malformed javascript event listeners crashes
+ https://bugs.webkit.org/show_bug.cgi?id=93937
+
+ Reviewed by Pavel Feldman.
+
+ - check listener function to be non-null (happens upon an exception while compiling attribute listeners)
+
+ * bindings/js/JSInjectedScriptHostCustom.cpp:
+ (WebCore::getJSListenerFunctions):
+ * bindings/v8/custom/V8InjectedScriptHostCustom.cpp:
+ (WebCore::getJSListenerFunctions):
+
2012-08-14 Jan Keromnes <janx@linux.com>
Web Inspector: CodeMirrorTextEditor doesn't clear execution line
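Review bot: the description only covers the JSC side ("check listener function to be non-null"); the V8 binding in this commit takes a different route, wrapping getListenerObject() in a v8::TryCatch and skipping the listener when the compile throws, and the ChangeLog should say so, since the two bindings now fail differently (null result versus caught exception) and a reader of the log would otherwise expect a null check in V8InjectedScriptHostCustom.cpp.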
@@ -203,6 +203,8 @@ static JSArray* getJSListenerFunctions(ExecState* exec, Document* document, cons
if (jsListener->isolatedWorld() != currentWorld(exec))
continue;
JSObject* function = jsListener->jsFunction(document);
+ if (!function)
+ continue;
JSObject* listenerEntry = constructEmptyObject(exec);
listenerEntry->putDirect(exec->globalData(), Identifier(exec, "listener"), function);
listenerEntry->putDirect(exec->globalData(), Identifier(exec, "useCapture"), jsBoolean(listenerInfo.eventListenerVector[i].useCapture));
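Review bot: the null check is correct but bare; the V8 hunk explains in a comment why the listener object can be missing (compiling the attribute body may fail), and the same one-line comment belongs above `if (!function)` here so nobody later assumes jsFunction() never returns null. Worth confirming too that a failed compile inside jsFunction() leaves no exception pending on `exec` before the loop goes on to constructEmptyObject().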
@@ -207,7 +207,15 @@ static v8::Handle<v8::Array> getJSListenerFunctions(Document* document, const Ev
// Hide listeners from other contexts.
if (context != v8::Context::GetCurrent())
continue;
- v8::Local<v8::Object> function = v8Listener->getListenerObject(document);
+ v8::Local<v8::Object> function;
+ {
+ // getListenerObject() may cause JS in the event attribute to get compiled, potentially unsuccessfully.
+ v8::TryCatch block;
+ function = v8Listener->getListenerObject(document);
+ if (block.HasCaught())
+ continue;
+ }
+ ASSERT(!function.IsEmpty());
v8::Local<v8::Object> listenerEntry = v8::Object::New();
listenerEntry->Set(v8::String::New("listener"), function);
listenerEntry->Set(v8::String::New("useCapture"), v8::Boolean::New(listenerInfo.eventListenerVector[i].useCapture));
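Review bot: `ASSERT(!function.IsEmpty())` after the TryCatch block only protects debug builds; if getListenerObject() can hand back an empty handle without throwing (for instance a listener whose earlier compile attempt already failed), release builds go on to `listenerEntry->Set(..., function)` with an empty handle, which is the same class of problem this patch fixes. Replace the ASSERT with `if (function.IsEmpty()) continue;` (or keep both) so the V8 path matches the JSC null check. Scoping the TryCatch to a block so it is popped before the entry is built is the right choice.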
