Title: [207949] releases/WebKitGTK/webkit-2.14/Source/WebCore
Revision
207949
Author
carlo...@webkit.org
Date
2016-10-27 00:20:24 -0700 (Thu, 27 Oct 2016)

Log Message

Merge r206941 - EventHandler functions that need to guarantee event handler lifetime need to use Ref<Frame>
https://bugs.webkit.org/show_bug.cgi?id=98617
<rdar://problem/12778649>

Reviewed by Daniel Bates.

Improve stability by ensuring that the Frame holding an active EventHandler is kept
alive while in the process of handling events and executing JavaScript.

No new tests since there is no change in behavior.

* page/EventHandler.cpp:
(WebCore::EventHandler::handleMousePressEventSingleClick): Protect the Frame with a Ref<>.
(WebCore::EventHandler::handleMousePressEvent): Ditto.
(WebCore::EventHandler::handleMouseDraggedEvent): Ditto.
(WebCore::EventHandler::eventMayStartDrag): Ditto.
(WebCore::EventHandler::handleMouseReleaseEvent): Ditto.
(WebCore::EventHandler::hitTestResultAtPoint): Ditto.
(WebCore::EventHandler::scrollRecursively): Ditto.
(WebCore::EventHandler::logicalScrollRecursively): Ditto.
(WebCore::EventHandler::selectCursor): Ditto.
(WebCore::EventHandler::handleMouseDoubleClickEvent): Ditto.
(WebCore::EventHandler::mouseMoved): Ditto.
(WebCore::EventHandler::handleMouseMoveEvent): Ditto.
(WebCore::EventHandler::handleMouseForceEvent): Ditto.
(WebCore::EventHandler::dispatchDragEvent): Ditto.
(WebCore::EventHandler::updateDragAndDrop): Ditto.
(WebCore::EventHandler::cancelDragAndDrop): Ditto.
(WebCore::EventHandler::performDragAndDrop): Ditto.
(WebCore::EventHandler::prepareMouseEvent): Ditto.
(WebCore::EventHandler::updateMouseEventTargetNode): Ditto.
(WebCore::EventHandler::dispatchMouseEvent): Ditto.
(WebCore::EventHandler::platformCompleteWheelEvent): Ditto.
(WebCore::EventHandler::handleWheelEvent): Ditto.
(WebCore::EventHandler::defaultWheelEventHandler): Ditto.
(WebCore::EventHandler::sendContextMenuEvent): Ditto.
(WebCore::EventHandler::sendContextMenuEventForKey): Ditto.
(WebCore::EventHandler::hoverTimerFired): Ditto.
(WebCore::EventHandler::keyEvent): Ditto.
(WebCore::EventHandler::defaultKeyboardEventHandler): Ditto.
(WebCore::EventHandler::handleDrag): Ditto.
(WebCore::EventHandler::handleTextInputEvent): Ditto.
(WebCore::EventHandler::defaultSpaceEventHandler): Ditto.
(WebCore::EventHandler::defaultTabEventHandler): Ditto.
(WebCore::EventHandler::sendScrollEvent): Ditto.
(WebCore::EventHandler::handleTouchEvent): Ditto.
* page/ios/EventHandlerIOS.mm:
(WebCore::EventHandler::focusDocumentView): Ditto.
* page/mac/EventHandlerMac.mm:
(WebCore::EventHandler::platformCompleteWheelEvent): Ditto.

Diff

Modified: releases/WebKitGTK/webkit-2.14/Source/WebCore/ChangeLog (207948 => 207949)


--- releases/WebKitGTK/webkit-2.14/Source/WebCore/ChangeLog	2016-10-27 07:18:05 UTC (rev 207948)
+++ releases/WebKitGTK/webkit-2.14/Source/WebCore/ChangeLog	2016-10-27 07:20:24 UTC (rev 207949)
@@ -1,3 +1,56 @@
+2016-10-07  Brent Fulgham  <bfulg...@apple.com>
+
+        EventHandler functions that need to guarantee event handler lifetime need to use Ref<Frame>
+        https://bugs.webkit.org/show_bug.cgi?id=98617
+        <rdar://problem/12778649>
+
+        Reviewed by Daniel Bates.
+
+        Improve stability by ensuring that the Frame holding an active EventHandler is kept
+        alive while in the process of handling events and executing _javascript_.
+
+        No new tests since there is no change in behavior.
+
+        * page/EventHandler.cpp:
+        (WebCore::EventHandler::handleMousePressEventSingleClick): Protect the Frame with a Ref<>.
+        (WebCore::EventHandler::handleMousePressEvent): Ditto.
+        (WebCore::EventHandler::handleMouseDraggedEvent): Ditto.
+        (WebCore::EventHandler::eventMayStartDrag): Ditto.
+        (WebCore::EventHandler::handleMouseReleaseEvent): Ditto.
+        (WebCore::EventHandler::hitTestResultAtPoint): Ditto.
+        (WebCore::EventHandler::scrollRecursively): Ditto.
+        (WebCore::EventHandler::logicalScrollRecursively): Ditto.
+        (WebCore::EventHandler::selectCursor): Ditto.
+        (WebCore::EventHandler::handleMouseDoubleClickEvent): Ditto.
+        (WebCore::EventHandler::mouseMoved): Ditto.
+        (WebCore::EventHandler::handleMouseMoveEvent): Ditto.
+        (WebCore::EventHandler::handleMouseForceEvent): Ditto.
+        (WebCore::EventHandler::dispatchDragEvent): Ditto.
+        (WebCore::EventHandler::updateDragAndDrop): Ditto.
+        (WebCore::EventHandler::cancelDragAndDrop): Ditto.
+        (WebCore::EventHandler::performDragAndDrop): Ditto.
+        (WebCore::EventHandler::prepareMouseEvent): Ditto.
+        (WebCore::EventHandler::updateMouseEventTargetNode): Ditto.
+        (WebCore::EventHandler::dispatchMouseEvent): Ditto.
+        (WebCore::EventHandler::platformCompleteWheelEvent): Ditto.
+        (WebCore::EventHandler::handleWheelEvent): Ditto.
+        (WebCore::EventHandler::defaultWheelEventHandler): Ditto.
+        (WebCore::EventHandler::sendContextMenuEvent): Ditto.
+        (WebCore::EventHandler::sendContextMenuEventForKey): Ditto.
+        (WebCore::EventHandler::hoverTimerFired): Ditto.
+        (WebCore::EventHandler::keyEvent): Ditto.
+        (WebCore::EventHandler::defaultKeyboardEventHandler): Ditto.
+        (WebCore::EventHandler::handleDrag): Ditto.
+        (WebCore::EventHandler::handleTextInputEvent): Ditto.
+        (WebCore::EventHandler::defaultSpaceEventHandler): Ditto.
+        (WebCore::EventHandler::defaultTabEventHandler): Ditto.
+        (WebCore::EventHandler::sendScrollEvent): Ditto.
+        (WebCore::EventHandler::handleTouchEvent): Ditto.
+        * page/ios/EventHandlerIOS.mm:
+        (WebCore::EventHandler::focusDocumentView): Ditto.
+        * page/mac/EventHandlerMac.mm:
+        (WebCore::EventHandler::platformCompleteWheelEvent): Ditto.
+
 2016-10-07  Andreas Kling  <akl...@apple.com>
 
         [WK2] didRemoveFrameFromHierarchy callback doesn't fire for subframes when evicting from PageCache.
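Review bot: The entry's "No new tests since there is no change in behavior" leaves these lifetime guards without regression coverage, so nothing would fail if a later cleanup dropped one of the `Ref<Frame> protectedFrame(m_frame);` lines as an unused local. Consider adding at least one layout test in which an event listener removes the frame it is being dispatched in, intended for sanitizer builds, or state in the entry why that is not practical for this branch merge.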

Modified: releases/WebKitGTK/webkit-2.14/Source/WebCore/page/EventHandler.cpp (207948 => 207949)


--- releases/WebKitGTK/webkit-2.14/Source/WebCore/page/EventHandler.cpp	2016-10-27 07:18:05 UTC (rev 207948)
+++ releases/WebKitGTK/webkit-2.14/Source/WebCore/page/EventHandler.cpp	2016-10-27 07:20:24 UTC (rev 207949)
@@ -660,6 +660,8 @@
 
 bool EventHandler::handleMousePressEventSingleClick(const MouseEventWithHitTestResults& event)
 {
+    Ref<Frame> protectedFrame(m_frame);
+
     m_frame.document()->updateLayoutIgnorePendingStylesheets();
     Node* targetNode = event.targetNode();
     if (!(targetNode && targetNode->renderer() && m_mouseDownMayStartSelect))
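Review bot: `protectedFrame` in handleMousePressEventSingleClick is never read after it is constructed, and the same is true in every other function this patch touches, so the reason it exists is recorded only in the ChangeLog. A one-line comment at this first use, saying that the Ref keeps the Frame (and with it this EventHandler) alive across `updateLayoutIgnorePendingStylesheets()` and event dispatch, would keep it from being removed as dead code.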
@@ -735,6 +737,8 @@
 
 bool EventHandler::handleMousePressEvent(const MouseEventWithHitTestResults& event)
 {
+    Ref<Frame> protectedFrame(m_frame);
+
 #if ENABLE(DRAG_SUPPORT)
     // Reset drag state.
     dragState().source = nullptr;
@@ -819,6 +823,8 @@
     if (!m_mousePressed)
         return false;
 
+    Ref<Frame> protectedFrame(m_frame);
+
     if (handleDrag(event, ShouldCheckDragHysteresis))
         return true;
 
@@ -878,6 +884,8 @@
     if (!page)
         return false;
 
+    Ref<Frame> protectedFrame(m_frame);
+
     updateDragSourceActionsAllowed();
     HitTestRequest request(HitTestRequest::ReadOnly | HitTestRequest::DisallowUserAgentShadowContent);
     HitTestResult result(view->windowToContents(event.position()));
@@ -1010,6 +1018,8 @@
     if (autoscrollInProgress())
         stopAutoscrollTimer();
 
+    Ref<Frame> protectedFrame(m_frame);
+
     if (handleMouseUp(event))
         return true;
 
@@ -1118,6 +1128,8 @@
 
 HitTestResult EventHandler::hitTestResultAtPoint(const LayoutPoint& point, HitTestRequest::HitTestRequestType hitType, const LayoutSize& padding)
 {
+    Ref<Frame> protectedFrame(m_frame);
+
     // We always send hitTestResultAtPoint to the main frame if we have one,
     // otherwise we might hit areas that are obscured by higher frames.
     if (!m_frame.isMainFrame()) {
@@ -1201,6 +1213,8 @@
 
 bool EventHandler::scrollRecursively(ScrollDirection direction, ScrollGranularity granularity, Node* startingNode)
 {
+    Ref<Frame> protectedFrame(m_frame);
+
     // The layout needs to be up to date to determine if we can scroll. We may be
     // here because of an onLoad event, in which case the final layout hasn't been performed yet.
     m_frame.document()->updateLayoutIgnorePendingStylesheets();
@@ -1218,6 +1232,8 @@
 
 bool EventHandler::logicalScrollRecursively(ScrollLogicalDirection direction, ScrollGranularity granularity, Node* startingNode)
 {
+    Ref<Frame> protectedFrame(m_frame);
+
     // The layout needs to be up to date to determine if we can scroll. We may be
     // here because of an onLoad event, in which case the final layout hasn't been performed yet.
     m_frame.document()->updateLayoutIgnorePendingStylesheets();
@@ -1371,6 +1387,8 @@
         return NoCursorChange;
 #endif
 
+    Ref<Frame> protectedFrame(m_frame);
+
     // Use always pointer cursor for scrollbars.
     if (result.scrollbar()) {
 #if ENABLE(CURSOR_VISIBILITY)
@@ -1598,6 +1616,7 @@
 
 bool EventHandler::handleMousePressEvent(const PlatformMouseEvent& platformMouseEvent)
 {
+    Ref<Frame> protectedFrame(m_frame);
     RefPtr<FrameView> protector(m_frame.view());
 
     if (InspectorInstrumentation::handleMousePress(m_frame)) {
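Review bot: Naming in handleMousePressEvent(const PlatformMouseEvent&) is now uneven: the new guard is `protectedFrame` while the existing one beside it is `protector`, which no longer says what it protects. Renaming it to something like `protectedView` here and in the other functions that carry both guards (handleMouseDoubleClickEvent, mouseMoved, handleMouseReleaseEvent, handleMouseForceEvent, keyEvent) would make the pair read consistently.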
@@ -1738,6 +1757,7 @@
 // This method only exists for platforms that don't know how to deliver 
 bool EventHandler::handleMouseDoubleClickEvent(const PlatformMouseEvent& platformMouseEvent)
 {
+    Ref<Frame> protectedFrame(m_frame);
     RefPtr<FrameView> protector(m_frame.view());
 
     m_frame.selection().setCaretBlinkingSuspended(false);
@@ -1792,6 +1812,7 @@
 
 bool EventHandler::mouseMoved(const PlatformMouseEvent& event)
 {
+    Ref<Frame> protectedFrame(m_frame);
     RefPtr<FrameView> protector(m_frame.view());
     MaximumDurationTracker maxDurationTracker(&m_maxMouseMovedDuration);
 
@@ -1835,6 +1856,7 @@
         return true;
 #endif
 
+    Ref<Frame> protectedFrame(m_frame);
     RefPtr<FrameView> protector(m_frame.view());
     
     setLastKnownMousePosition(platformMouseEvent);
@@ -1970,6 +1992,7 @@
 
 bool EventHandler::handleMouseReleaseEvent(const PlatformMouseEvent& platformMouseEvent)
 {
+    Ref<Frame> protectedFrame(m_frame);
     RefPtr<FrameView> protector(m_frame.view());
 
     m_frame.selection().setCaretBlinkingSuspended(false);
@@ -2049,6 +2072,7 @@
 #if ENABLE(MOUSE_FORCE_EVENTS)
 bool EventHandler::handleMouseForceEvent(const PlatformMouseEvent& event)
 {
+    Ref<Frame> protectedFrame(m_frame);
     RefPtr<FrameView> protector(m_frame.view());
 
     setLastKnownMousePosition(event);
@@ -2113,6 +2137,7 @@
 
 bool EventHandler::dispatchDragEvent(const AtomicString& eventType, Element& dragTarget, const PlatformMouseEvent& event, DataTransfer* dataTransfer)
 {
+    Ref<Frame> protectedFrame(m_frame);
     FrameView* view = m_frame.view();
 
     // FIXME: We might want to dispatch a dragleave even if the view is gone.
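Review bot: In dispatchDragEvent the Frame is now pinned, but `FrameView* view = m_frame.view();` on the next line is still a raw pointer, unlike the handlers above that pair the new guard with `RefPtr<FrameView> protector(m_frame.view());`. Keeping the Frame alive does not by itself keep its view alive, so if `view` is used after the drag event has been dispatched it should be held in a RefPtr as well, or re-read from `m_frame.view()` after dispatch.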
@@ -2206,6 +2231,8 @@
     
 bool EventHandler::updateDragAndDrop(const PlatformMouseEvent& event, DataTransfer* dataTransfer)
 {
+    Ref<Frame> protectedFrame(m_frame);
+
     bool accept = false;
 
     if (!m_frame.view())
@@ -2280,6 +2307,8 @@
 
 void EventHandler::cancelDragAndDrop(const PlatformMouseEvent& event, DataTransfer* dataTransfer)
 {
+    Ref<Frame> protectedFrame(m_frame);
+
     Frame* targetFrame;
     if (targetIsFrame(m_dragTarget.get(), targetFrame)) {
         if (targetFrame)
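Review bot: cancelDragAndDrop guards `m_frame`, but the frame it goes on to act on is `targetFrame`, a separate raw `Frame*` filled in by `targetIsFrame(m_dragTarget.get(), targetFrame)`, and that pointer stays unprotected; performDragAndDrop has the same shape. If anything in the `if (targetFrame)` branch can run script, hold it in a `RefPtr<Frame>` for the duration. `Frame* targetFrame;` is also declared uninitialized, so `= nullptr` would be safer if `targetIsFrame` can return without writing it.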
@@ -2294,6 +2323,8 @@
 
 bool EventHandler::performDragAndDrop(const PlatformMouseEvent& event, DataTransfer* dataTransfer)
 {
+    Ref<Frame> protectedFrame(m_frame);
+
     Frame* targetFrame;
     bool preventedDefault = false;
     if (targetIsFrame(m_dragTarget.get(), targetFrame)) {
@@ -2325,6 +2356,7 @@
 
 MouseEventWithHitTestResults EventHandler::prepareMouseEvent(const HitTestRequest& request, const PlatformMouseEvent& mouseEvent)
 {
+    Ref<Frame> protectedFrame(m_frame);
     ASSERT(m_frame.document());
     return m_frame.document()->prepareMouseEvent(request, documentPointForWindowPoint(m_frame, mouseEvent.position()), mouseEvent);
 }
@@ -2355,6 +2387,7 @@
 
 void EventHandler::updateMouseEventTargetNode(Node* targetNode, const PlatformMouseEvent& platformMouseEvent, bool fireMouseOverOut)
 {
+    Ref<Frame> protectedFrame(m_frame);
     Element* targetElement = nullptr;
     
     // If we're capturing, we always go right to that element.
@@ -2473,6 +2506,7 @@
 
 bool EventHandler::dispatchMouseEvent(const AtomicString& eventType, Node* targetNode, bool /*cancelable*/, int clickCount, const PlatformMouseEvent& platformMouseEvent, bool setUnder)
 {
+    Ref<Frame> protectedFrame(m_frame);
     if (FrameView* view = m_frame.view())
         view->disableLayerFlushThrottlingTemporarilyForInteraction();
 
@@ -2573,6 +2607,8 @@
 
 bool EventHandler::platformCompleteWheelEvent(const PlatformWheelEvent& event, ContainerNode*, const WeakPtr<ScrollableArea>&)
 {
+    Ref<Frame> protectedFrame(m_frame);
+
     // We do another check on the frame view because the event handler can run JS which results in the frame getting destroyed.
     FrameView* view = m_frame.view();
     
@@ -2647,6 +2683,7 @@
     if (!renderView)
         return false;
 
+    Ref<Frame> protectedFrame(m_frame);
     RefPtr<FrameView> protector(m_frame.view());
 
     FrameView* view = m_frame.view();
@@ -2722,6 +2759,8 @@
     if (!startNode)
         return;
     
+    Ref<Frame> protectedFrame(m_frame);
+
     FloatSize filteredPlatformDelta(wheelEvent.deltaX(), wheelEvent.deltaY());
     if (const PlatformWheelEvent* platformWheelEvent = wheelEvent.wheelEvent()) {
         filteredPlatformDelta.setWidth(platformWheelEvent->deltaX());
@@ -2751,6 +2790,8 @@
 #if ENABLE(CONTEXT_MENUS)
 bool EventHandler::sendContextMenuEvent(const PlatformMouseEvent& event)
 {
+    Ref<Frame> protectedFrame(m_frame);
+
     Document* doc = m_frame.document();
     FrameView* view = m_frame.view();
     if (!view)
@@ -2784,6 +2825,8 @@
 
 bool EventHandler::sendContextMenuEventForKey()
 {
+    Ref<Frame> protectedFrame(m_frame);
+
     FrameView* view = m_frame.view();
     if (!view)
         return false;
@@ -2955,6 +2998,8 @@
 
     ASSERT(m_frame.document());
 
+    Ref<Frame> protectedFrame(m_frame);
+
     if (RenderView* renderView = m_frame.contentRenderer()) {
         if (FrameView* view = m_frame.view()) {
             HitTestRequest request(HitTestRequest::Move | HitTestRequest::DisallowUserAgentShadowContent);
@@ -3012,6 +3057,7 @@
 
 bool EventHandler::keyEvent(const PlatformKeyboardEvent& initialKeyEvent)
 {
+    Ref<Frame> protectedFrame(m_frame);
     RefPtr<FrameView> protector(m_frame.view());
 
     LOG(Editing, "EventHandler %p keyEvent (text %s keyIdentifier %s)", this, initialKeyEvent.text().utf8().data(), initialKeyEvent.keyIdentifier().utf8().data());
@@ -3266,6 +3312,8 @@
 
 void EventHandler::defaultKeyboardEventHandler(KeyboardEvent& event)
 {
+    Ref<Frame> protectedFrame(m_frame);
+
     if (event.type() == eventNames().keydownEvent) {
         m_frame.editor().handleKeyboardEvent(event);
         if (event.defaultHandled())
@@ -3379,6 +3427,8 @@
         return false;
     }
     
+    Ref<Frame> protectedFrame(m_frame);
+
     if (eventLoopHandleMouseDragged(event))
         return true;
     
@@ -3542,6 +3592,8 @@
     // and avoid dispatching text input events from keydown default handlers.
     ASSERT(!is<KeyboardEvent>(underlyingEvent) || downcast<KeyboardEvent>(*underlyingEvent).type() == eventNames().keypressEvent);
 
+    Ref<Frame> protectedFrame(m_frame);
+
     EventTarget* target;
     if (underlyingEvent)
         target = underlyingEvent->target();
@@ -3599,6 +3651,8 @@
 
 void EventHandler::defaultSpaceEventHandler(KeyboardEvent& event)
 {
+    Ref<Frame> protectedFrame(m_frame);
+
     ASSERT(event.type() == eventNames().keypressEvent);
 
     if (event.ctrlKey() || event.metaKey() || event.altKey() || event.altGraphKey())
@@ -3672,6 +3726,8 @@
 
 void EventHandler::defaultTabEventHandler(KeyboardEvent& event)
 {
+    Ref<Frame> protectedFrame(m_frame);
+
     ASSERT(event.type() == eventNames().keydownEvent);
 
     // We should only advance focus on tabs if no special modifier keys are held down.
@@ -3696,6 +3752,7 @@
 
 void EventHandler::sendScrollEvent()
 {
+    Ref<Frame> protectedFrame(m_frame);
     setFrameWasScrolledByUser();
     if (m_frame.view() && m_frame.document())
         m_frame.document()->eventQueue().enqueueOrDispatchScrollEvent(*m_frame.document());
@@ -3774,6 +3831,8 @@
 
 bool EventHandler::handleTouchEvent(const PlatformTouchEvent& event)
 {
+    Ref<Frame> protectedFrame(m_frame);
+
     // First build up the lists to use for the 'touches', 'targetTouches' and 'changedTouches' attributes
     // in the JS event. See http://www.sitepen.com/blog/2008/07/10/touching-and-gesturing-on-the-iphone/
     // for an overview of how these lists fit together.

Modified: releases/WebKitGTK/webkit-2.14/Source/WebCore/page/ios/EventHandlerIOS.mm (207948 => 207949)


--- releases/WebKitGTK/webkit-2.14/Source/WebCore/page/ios/EventHandlerIOS.mm	2016-10-27 07:18:05 UTC (rev 207948)
+++ releases/WebKitGTK/webkit-2.14/Source/WebCore/page/ios/EventHandlerIOS.mm	2016-10-27 07:20:24 UTC (rev 207949)
@@ -166,6 +166,8 @@
     if (!page)
         return;
 
+    Ref<Frame> protectedFrame(m_frame);
+
     if (FrameView* frameView = m_frame.view()) {
         if (NSView *documentView = frameView->documentView())
             page->chrome().focusNSView(documentView);

Modified: releases/WebKitGTK/webkit-2.14/Source/WebCore/page/mac/EventHandlerMac.mm (207948 => 207949)


--- releases/WebKitGTK/webkit-2.14/Source/WebCore/page/mac/EventHandlerMac.mm	2016-10-27 07:18:05 UTC (rev 207948)
+++ releases/WebKitGTK/webkit-2.14/Source/WebCore/page/mac/EventHandlerMac.mm	2016-10-27 07:20:24 UTC (rev 207949)
@@ -1038,6 +1038,8 @@
 
 bool EventHandler::platformCompleteWheelEvent(const PlatformWheelEvent& wheelEvent, ContainerNode* scrollableContainer, const WeakPtr<ScrollableArea>& scrollableArea)
 {
+    Ref<Frame> protectedFrame(m_frame);
+
     FrameView* view = m_frame.view();
     // We do another check on the frame view because the event handler can run JS which results in the frame getting destroyed.
     if (!view)
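Review bot: The context comment in platformCompleteWheelEvent, "the event handler can run JS which results in the frame getting destroyed", is no longer accurate with `Ref<Frame> protectedFrame(m_frame);` above it: the Frame object now survives the call, and what `if (!view)` checks is that the view is gone. Reword the comment to say that (the copy in page/EventHandler.cpp carries the same sentence). `view` and the `ContainerNode* scrollableContainer` parameter are still raw pointers, so it is worth confirming neither is used after script has run.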