Title: [261196] trunk/Source/WebCore
- Revision
- 261196
- Author
- simon.fra...@apple.com
- Date
- 2020-05-05 13:52:15 -0700 (Tue, 05 May 2020)
Log Message
Assert that EventHandler only tracks event target nodes in its own document
https://bugs.webkit.org/show_bug.cgi?id=211462
Reviewed by Zalan Bujtas.
EventHandler is per-Frame, so should not track Nodes from different documents. However, it did so
by mistake if an event handler moved a node between documents.
* page/EventHandler.cpp:
(WebCore::EventHandler::updateMouseEventTargetNode):
* rendering/HitTestResult.cpp:
(WebCore::HitTestResult::targetNode const):
Diff
Modified: trunk/Source/WebCore/ChangeLog (261195 => 261196)
--- trunk/Source/WebCore/ChangeLog 2020-05-05 20:50:59 UTC (rev 261195)
+++ trunk/Source/WebCore/ChangeLog 2020-05-05 20:52:15 UTC (rev 261196)
@@ -1,3 +1,18 @@
+2020-05-05 Simon Fraser <simon.fra...@apple.com>
+
+ Assert that EventHandler only tracks event target nodes in its own document
+ https://bugs.webkit.org/show_bug.cgi?id=211462
+
+ Reviewed by Zalan Bujtas.
+
+ EventHandler is per-Frame, so should not track Nodes from different documents. However, it did so
+ by mistake if an event handler moved a node between documents.
+
+ * page/EventHandler.cpp:
+ (WebCore::EventHandler::updateMouseEventTargetNode):
+ * rendering/HitTestResult.cpp:
+ (WebCore::HitTestResult::targetNode const):
+
2020-05-05 Antti Koivisto <an...@apple.com>
Factor RenderLayerBacking::updateEventRegion skip conditions into a lambda
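Review bot: the entry title "Assert that EventHandler only tracks event target nodes in its own document" describes only assertions, but the EventHandler.cpp part of this commit also resets m_elementUnderMouse to nullptr when the element has moved to another document, which is a behaviour change. Suggest stating that under the `(WebCore::EventHandler::updateMouseEventTargetNode):` line, and naming a test that covers an event handler moving the node between documents; none is listed in this entry.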
Modified: trunk/Source/WebCore/page/EventHandler.cpp (261195 => 261196)
--- trunk/Source/WebCore/page/EventHandler.cpp 2020-05-05 20:50:59 UTC (rev 261195)
+++ trunk/Source/WebCore/page/EventHandler.cpp 2020-05-05 20:52:15 UTC (rev 261196)
@@ -2537,6 +2537,9 @@
m_elementUnderMouse = targetElement;
+ ASSERT_IMPLIES(m_elementUnderMouse, &m_elementUnderMouse->document() == m_frame.document());
+ ASSERT_IMPLIES(m_lastElementUnderMouse, &m_lastElementUnderMouse->document() == m_frame.document());
+
// Fire mouseout/mouseover if the mouse has shifted to a different node.
if (fireMouseOverOut == FireMouseOverOut::Yes) {
auto scrollableAreaForLastNode = enclosingScrollableArea(m_lastElementUnderMouse.get());
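Review bot: both `ASSERT_IMPLIES` lines added after `m_elementUnderMouse = targetElement;` are compiled out when assertions are disabled, so a release build still stores a targetElement from a different document here without any check. If targetElement can ever belong to another document at this point, a runtime comparison like the one added later in this file (`&m_elementUnderMouse->document() != m_frame.document()`) would enforce the invariant instead of only documenting it.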
@@ -2621,6 +2624,11 @@
chain->dispatchMouseEvent(platformMouseEvent, eventNames().mouseenterEvent, 0, m_lastElementUnderMouse.get());
}
}
+
+ // Event handling may have moved the element to a different document.
+ if (m_elementUnderMouse && &m_elementUnderMouse->document() != m_frame.document())
+ m_elementUnderMouse = nullptr;
+
m_lastElementUnderMouse = m_elementUnderMouse;
}
}
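Review bot: the reset placed before `m_lastElementUnderMouse = m_elementUnderMouse;` only catches a move that happens during the dispatches in this block. Nothing visible here handles an element that is moved to another document between two calls of this function; m_lastElementUnderMouse would then still point at it and the new `ASSERT_IMPLIES(m_lastElementUnderMouse, ...)` would fire on the next call. Suggest either confirming that case cannot occur or clearing the tracked elements at the point where they leave the frame's document.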
Modified: trunk/Source/WebCore/rendering/HitTestResult.cpp (261195 => 261196)
--- trunk/Source/WebCore/rendering/HitTestResult.cpp 2020-05-05 20:50:59 UTC (rev 261195)
+++ trunk/Source/WebCore/rendering/HitTestResult.cpp 2020-05-05 20:52:15 UTC (rev 261196)
@@ -718,7 +718,7 @@
{
Node* node = innerNode();
if (!node)
- return 0;
+ return nullptr;
if (node->isConnected())
return node;
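Review bot: `return 0;` to `return nullptr;` is a style cleanup unrelated to the document check, and the ChangeLog lists `(WebCore::HitTestResult::targetNode const):` with no description. A short note on that ChangeLog line saying this is a nullptr cleanup would keep the unrelated change from reading as part of the fix.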