Diff
Modified: trunk/Source/WebCore/ChangeLog (278963 => 278964)
--- trunk/Source/WebCore/ChangeLog 2021-06-16 22:41:35 UTC (rev 278963)
+++ trunk/Source/WebCore/ChangeLog 2021-06-16 23:09:07 UTC (rev 278964)
@@ -1,3 +1,19 @@
+2021-06-16 Chris Dumez <cdu...@apple.com>
+
+ Protect Element before calling dispatchMouseEvent() on it
+ https://bugs.webkit.org/show_bug.cgi?id=226767
+ <rdar://problem/79009112>
+
+ Reviewed by Ryosuke Niwa.
+
+ * page/EventHandler.cpp:
+ (WebCore::EventHandler::updateMouseEventTargetNode):
+ (WebCore::EventHandler::dispatchMouseEvent):
+ * page/PointerLockController.cpp:
+ (WebCore::PointerLockController::dispatchLockedMouseEvent):
+ * page/Quirks.cpp:
+ (WebCore::Quirks::triggerOptionalStorageAccessQuirk const):
+
2021-06-16 Peng Liu <peng.l...@apple.com>
Some http/tests/ are crashing with ASSERTION FAILED: isInRoutingArbitrationForToken(token) || m_setupArbitrationOngoing
Modified: trunk/Source/WebCore/dom/Element.cpp (278963 => 278964)
--- trunk/Source/WebCore/dom/Element.cpp 2021-06-16 22:41:35 UTC (rev 278963)
+++ trunk/Source/WebCore/dom/Element.cpp 2021-06-16 23:09:07 UTC (rev 278964)
@@ -386,6 +386,7 @@
if (mouseEvent->type().isEmpty())
return true; // Shouldn't happen.
+ Ref protectedThis { *this };
bool didNotSwallowEvent = true;
if (dispatchPointerEventIfNeeded(*this, mouseEvent.get(), platformEvent, didNotSwallowEvent) == ShouldIgnoreMouseEvent::Yes)
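Review bot: The added `Ref protectedThis { *this };` has no comment saying which call below can release the element, and the ChangeLog entry in this commit lists EventHandler.cpp, PointerLockController.cpp and Quirks.cpp but not dom/Element.cpp. A one-line comment such as `// Dispatching can run script that drops the last reference to this element.` would record the reason, assuming that is the motivation the commit title points at. The enclosing function starts and ends outside the hunk, so it is not visible whether any code after the dispatch relies on the protector.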
Modified: trunk/Source/WebCore/page/EventHandler.cpp (278963 => 278964)
--- trunk/Source/WebCore/page/EventHandler.cpp 2021-06-16 22:41:35 UTC (rev 278963)
+++ trunk/Source/WebCore/page/EventHandler.cpp 2021-06-16 23:09:07 UTC (rev 278964)
@@ -2588,8 +2588,8 @@
enteredElementsChain.shrink(enteredElementsChain.size() - i);
}
- if (m_lastElementUnderMouse)
- m_lastElementUnderMouse->dispatchMouseEvent(platformMouseEvent, eventNames().mouseoutEvent, 0, m_elementUnderMouse.get());
+ if (auto lastElementUnderMouse = m_lastElementUnderMouse)
+ lastElementUnderMouse->dispatchMouseEvent(platformMouseEvent, eventNames().mouseoutEvent, 0, m_elementUnderMouse.get());
for (auto& chain : leftElementsChain) {
if (hasCapturingMouseLeaveListener || chain->hasEventListeners(eventNames().pointerleaveEvent) || chain->hasEventListeners(eventNames().mouseleaveEvent))
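Review bot: In `if (auto lastElementUnderMouse = m_lastElementUnderMouse)` the local keeps the element alive only if the member is a strong reference type, and `auto` hides that; the member's declaration is not in the hunk. Spelling the type and using the `protected…` naming that PointerLockController.cpp and Quirks.cpp use in this same commit, e.g. `if (RefPtr protectedLastElement = m_lastElementUnderMouse)`, makes the lifetime intent visible to the next reader. The same applies to `auto elementUnderMouse = m_elementUnderMouse` in the hunks at -2596 and -2703. The enclosing function starts and ends outside the hunk.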
@@ -2596,8 +2596,8 @@
chain->dispatchMouseEvent(platformMouseEvent, eventNames().mouseleaveEvent, 0, m_elementUnderMouse.get());
}
- if (m_elementUnderMouse)
- m_elementUnderMouse->dispatchMouseEvent(platformMouseEvent, eventNames().mouseoverEvent, 0, m_lastElementUnderMouse.get());
+ if (auto elementUnderMouse = m_elementUnderMouse)
+ elementUnderMouse->dispatchMouseEvent(platformMouseEvent, eventNames().mouseoverEvent, 0, m_lastElementUnderMouse.get());
for (auto& chain : WTF::makeReversedRange(enteredElementsChain)) {
if (hasCapturingMouseEnterListener || chain->hasEventListeners(eventNames().pointerenterEvent) || chain->hasEventListeners(eventNames().mouseenterEvent))
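Review bot: The related-target argument `m_lastElementUnderMouse.get()` in the mouseover dispatch is still read from the member as a raw pointer, after the mouseout and mouseleave dispatches above it have already run; only the dispatch target gets a local strong reference. If handlers can change or clear these members during dispatch (not visible here), taking both locals before the first dispatch and passing `lastElementUnderMouse.get()` would keep the target and related target consistent. The mouseout call in the previous hunk passes `m_elementUnderMouse.get()` the same way. Whether dispatchMouseEvent takes its own reference to the related target is outside this diff.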
@@ -2703,8 +2703,10 @@
updateMouseEventTargetNode(eventType, targetNode, platformMouseEvent, fireMouseOverOut);
- if (m_elementUnderMouse && !m_elementUnderMouse->dispatchMouseEvent(platformMouseEvent, eventType, clickCount))
- return false;
+ if (auto elementUnderMouse = m_elementUnderMouse) {
+ if (!elementUnderMouse->dispatchMouseEvent(platformMouseEvent, eventType, clickCount))
+ return false;
+ }
if (eventType != eventNames().mousedownEvent)
return true;
Modified: trunk/Source/WebCore/page/PointerLockController.cpp (278963 => 278964)
--- trunk/Source/WebCore/page/PointerLockController.cpp 2021-06-16 22:41:35 UTC (rev 278963)
+++ trunk/Source/WebCore/page/PointerLockController.cpp 2021-06-16 23:09:07 UTC (rev 278964)
@@ -181,11 +181,12 @@
if (!m_element || !m_element->document().frame())
return;
- m_element->dispatchMouseEvent(event, eventType, event.clickCount());
+ Ref protectedElement { *m_element };
+ protectedElement->dispatchMouseEvent(event, eventType, event.clickCount());
// Create click events
if (eventType == eventNames().mouseupEvent)
- m_element->dispatchMouseEvent(event, eventNames().clickEvent, event.clickCount());
+ protectedElement->dispatchMouseEvent(event, eventNames().clickEvent, event.clickCount());
}
void PointerLockController::dispatchLockedWheelEvent(const PlatformWheelEvent& event)
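Review bot: The click dispatch under `// Create click events` now runs on `protectedElement` without repeating the `!m_element || !m_element->document().frame()` guard, so if handlers of the first event release the lock or detach the frame, a click is still sent to the former lock target. The new code is lifetime-safe but no longer tracks the member, which the old second call through `m_element` did. If that is not intended, the condition could become `if (eventType == eventNames().mouseupEvent && m_element.get() == protectedElement.ptr() && protectedElement->document().frame())`. The function's opening lines are outside the hunk.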
Modified: trunk/Source/WebCore/page/Quirks.cpp (278963 => 278964)
--- trunk/Source/WebCore/page/Quirks.cpp 2021-06-16 22:41:35 UTC (rev 278963)
+++ trunk/Source/WebCore/page/Quirks.cpp 2021-06-16 23:09:07 UTC (rev 278964)
@@ -1234,11 +1234,12 @@
if (isStorageAccessQuirkDomainAndElement(m_document->url(), element)) {
return requestStorageAccessAndHandleClick([element = makeWeakPtr(element), platformEvent, eventType, detail, relatedTarget] (ShouldDispatchClick shouldDispatchClick) mutable {
- if (!element)
+ RefPtr protectedElement { element.get() };
+ if (!protectedElement)
return;
if (shouldDispatchClick == ShouldDispatchClick::Yes)
- element->dispatchMouseEvent(platformEvent, eventType, detail, relatedTarget);
+ protectedElement->dispatchMouseEvent(platformEvent, eventType, detail, relatedTarget);
});
}
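Review bot: `relatedTarget` is still captured by value in the lambda's capture list, while only `element` goes through `makeWeakPtr` and is then promoted to `RefPtr protectedElement`. Its declared type is outside the hunk; if it is a raw pointer, it can be stale by the time the storage-access callback runs and passes it to `dispatchMouseEvent`. Capturing it as `relatedTarget = makeWeakPtr(relatedTarget)` and passing `relatedTarget.get()` at the call would give it the same treatment, with null handling to be confirmed against makeWeakPtr's definition. The enclosing function starts outside the hunk.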