[webkit-changes] [278964] trunk/Source/WebCore

[cdumez]

Title: [278964] trunk/Source/WebCore

Revision

278964

Author

cdu...@apple.com

Date

2021-06-16 16:09:07 -0700 (Wed, 16 Jun 2021)

Log Message

Protect Element before calling dispatchMouseEvent() on it
https://bugs.webkit.org/show_bug.cgi?id=226767
<rdar://problem/79009112>

Reviewed by Ryosuke Niwa.

* page/EventHandler.cpp:
(WebCore::EventHandler::updateMouseEventTargetNode):
(WebCore::EventHandler::dispatchMouseEvent):
* page/PointerLockController.cpp:
(WebCore::PointerLockController::dispatchLockedMouseEvent):
* page/Quirks.cpp:
(WebCore::Quirks::triggerOptionalStorageAccessQuirk const):

Modified Paths

• trunk/Source/WebCore/ChangeLog
• trunk/Source/WebCore/dom/Element.cpp
• trunk/Source/WebCore/page/EventHandler.cpp
• trunk/Source/WebCore/page/PointerLockController.cpp
• trunk/Source/WebCore/page/Quirks.cpp

Diff

Modified: trunk/Source/WebCore/ChangeLog (278963 => 278964)

--- trunk/Source/WebCore/ChangeLog	2021-06-16 22:41:35 UTC (rev 278963)
+++ trunk/Source/WebCore/ChangeLog	2021-06-16 23:09:07 UTC (rev 278964)
@@ -1,3 +1,19 @@
+2021-06-16  Chris Dumez  <cdu...@apple.com>
+
+        Protect Element before calling dispatchMouseEvent() on it
+        https://bugs.webkit.org/show_bug.cgi?id=226767
+        <rdar://problem/79009112>
+
+        Reviewed by Ryosuke Niwa.
+
+        * page/EventHandler.cpp:
+        (WebCore::EventHandler::updateMouseEventTargetNode):
+        (WebCore::EventHandler::dispatchMouseEvent):
+        * page/PointerLockController.cpp:
+        (WebCore::PointerLockController::dispatchLockedMouseEvent):
+        * page/Quirks.cpp:
+        (WebCore::Quirks::triggerOptionalStorageAccessQuirk const):
+
 2021-06-16  Peng Liu  <peng.l...@apple.com>
 
         Some http/tests/ are crashing with ASSERTION FAILED: isInRoutingArbitrationForToken(token) || m_setupArbitrationOngoing

Modified: trunk/Source/WebCore/dom/Element.cpp (278963 => 278964)

--- trunk/Source/WebCore/dom/Element.cpp	2021-06-16 22:41:35 UTC (rev 278963)
+++ trunk/Source/WebCore/dom/Element.cpp	2021-06-16 23:09:07 UTC (rev 278964)
@@ -386,6 +386,7 @@
     if (mouseEvent->type().isEmpty())
         return true; // Shouldn't happen.
 
+    Ref protectedThis { *this };
     bool didNotSwallowEvent = true;
 
     if (dispatchPointerEventIfNeeded(*this, mouseEvent.get(), platformEvent, didNotSwallowEvent) == ShouldIgnoreMouseEvent::Yes)

Modified: trunk/Source/WebCore/page/EventHandler.cpp (278963 => 278964)

--- trunk/Source/WebCore/page/EventHandler.cpp	2021-06-16 22:41:35 UTC (rev 278963)
+++ trunk/Source/WebCore/page/EventHandler.cpp	2021-06-16 23:09:07 UTC (rev 278964)
@@ -2588,8 +2588,8 @@
                 enteredElementsChain.shrink(enteredElementsChain.size() - i);
             }
 
-            if (m_lastElementUnderMouse)
-                m_lastElementUnderMouse->dispatchMouseEvent(platformMouseEvent, eventNames().mouseoutEvent, 0, m_elementUnderMouse.get());
+            if (auto lastElementUnderMouse = m_lastElementUnderMouse)
+                lastElementUnderMouse->dispatchMouseEvent(platformMouseEvent, eventNames().mouseoutEvent, 0, m_elementUnderMouse.get());
 
             for (auto& chain : leftElementsChain) {
                 if (hasCapturingMouseLeaveListener || chain->hasEventListeners(eventNames().pointerleaveEvent) || chain->hasEventListeners(eventNames().mouseleaveEvent))
@@ -2596,8 +2596,8 @@
                     chain->dispatchMouseEvent(platformMouseEvent, eventNames().mouseleaveEvent, 0, m_elementUnderMouse.get());
             }
 
-            if (m_elementUnderMouse)
-                m_elementUnderMouse->dispatchMouseEvent(platformMouseEvent, eventNames().mouseoverEvent, 0, m_lastElementUnderMouse.get());
+            if (auto elementUnderMouse = m_elementUnderMouse)
+                elementUnderMouse->dispatchMouseEvent(platformMouseEvent, eventNames().mouseoverEvent, 0, m_lastElementUnderMouse.get());
 
             for (auto& chain : WTF::makeReversedRange(enteredElementsChain)) {
                 if (hasCapturingMouseEnterListener || chain->hasEventListeners(eventNames().pointerenterEvent) || chain->hasEventListeners(eventNames().mouseenterEvent))
@@ -2703,8 +2703,10 @@
 
     updateMouseEventTargetNode(eventType, targetNode, platformMouseEvent, fireMouseOverOut);
 
-    if (m_elementUnderMouse && !m_elementUnderMouse->dispatchMouseEvent(platformMouseEvent, eventType, clickCount))
-        return false;
+    if (auto elementUnderMouse = m_elementUnderMouse) {
+        if (!elementUnderMouse->dispatchMouseEvent(platformMouseEvent, eventType, clickCount))
+            return false;
+    }
 
     if (eventType != eventNames().mousedownEvent)
         return true;

Modified: trunk/Source/WebCore/page/PointerLockController.cpp (278963 => 278964)

--- trunk/Source/WebCore/page/PointerLockController.cpp	2021-06-16 22:41:35 UTC (rev 278963)
+++ trunk/Source/WebCore/page/PointerLockController.cpp	2021-06-16 23:09:07 UTC (rev 278964)
@@ -181,11 +181,12 @@
     if (!m_element || !m_element->document().frame())
         return;
 
-    m_element->dispatchMouseEvent(event, eventType, event.clickCount());
+    Ref protectedElement { *m_element };
+    protectedElement->dispatchMouseEvent(event, eventType, event.clickCount());
 
     // Create click events
     if (eventType == eventNames().mouseupEvent)
-        m_element->dispatchMouseEvent(event, eventNames().clickEvent, event.clickCount());
+        protectedElement->dispatchMouseEvent(event, eventNames().clickEvent, event.clickCount());
 }
 
 void PointerLockController::dispatchLockedWheelEvent(const PlatformWheelEvent& event)

Modified: trunk/Source/WebCore/page/Quirks.cpp (278963 => 278964)

--- trunk/Source/WebCore/page/Quirks.cpp	2021-06-16 22:41:35 UTC (rev 278963)
+++ trunk/Source/WebCore/page/Quirks.cpp	2021-06-16 23:09:07 UTC (rev 278964)
@@ -1234,11 +1234,12 @@
 
         if (isStorageAccessQuirkDomainAndElement(m_document->url(), element)) {
             return requestStorageAccessAndHandleClick([element = makeWeakPtr(element), platformEvent, eventType, detail, relatedTarget] (ShouldDispatchClick shouldDispatchClick) mutable {
-                if (!element)
+                RefPtr protectedElement { element.get() };
+                if (!protectedElement)
                     return;
 
                 if (shouldDispatchClick == ShouldDispatchClick::Yes)
-                    element->dispatchMouseEvent(platformEvent, eventType, detail, relatedTarget);
+                    protectedElement->dispatchMouseEvent(platformEvent, eventType, detail, relatedTarget);
             });
         }
 

_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes