Title: [196790] trunk
- Revision: 196790
- Author: [email protected]
- Date: 2016-02-18 17:13:15 -0800 (Thu, 18 Feb 2016)
Log Message
Wheel event callback removing the window causes crash in WebCore.
https://bugs.webkit.org/show_bug.cgi?id=150871
Reviewed by Brent Fulgham.
Source/WebCore:
Null check the FrameView before using it, since the iframe may have been removed
from its parent document inside the event handler.
Test: fast/events/wheel-event-destroys-frame.html
* page/mac/EventHandlerMac.mm:
(WebCore::EventHandler::platformCompleteWheelEvent):
LayoutTests:
* fast/events/wheel-event-destroys-frame-expected.txt: Added.
* fast/events/wheel-event-destroys-frame.html: Added.
Diff
Modified: trunk/LayoutTests/ChangeLog (196789 => 196790)
--- trunk/LayoutTests/ChangeLog 2016-02-19 01:07:37 UTC (rev 196789)
+++ trunk/LayoutTests/ChangeLog 2016-02-19 01:13:15 UTC (rev 196790)
@@ -1,3 +1,13 @@
+2016-02-18 Simon Fraser <[email protected]>
+
+ Wheel event callback removing the window causes crash in WebCore.
+ https://bugs.webkit.org/show_bug.cgi?id=150871
+
+ Reviewed by Brent Fulgham.
+
+ * fast/events/wheel-event-destroys-frame-expected.txt: Added.
+ * fast/events/wheel-event-destroys-frame.html: Added.
+
2016-02-18 Zalan Bujtas <[email protected]>
Soft hyphen is not shown when it is placed at the end of an inline element
Added: trunk/LayoutTests/fast/events/wheel-event-destroys-frame-expected.txt (0 => 196790)
--- trunk/LayoutTests/fast/events/wheel-event-destroys-frame-expected.txt (rev 0)
+++ trunk/LayoutTests/fast/events/wheel-event-destroys-frame-expected.txt 2016-02-19 01:13:15 UTC (rev 196790)
@@ -0,0 +1,3 @@
+This test should not crash
+
+
Added: trunk/LayoutTests/fast/events/wheel-event-destroys-frame.html (0 => 196790)
--- trunk/LayoutTests/fast/events/wheel-event-destroys-frame.html (rev 0)
+++ trunk/LayoutTests/fast/events/wheel-event-destroys-frame.html 2016-02-19 01:13:15 UTC (rev 196790)
@@ -0,0 +1,39 @@
+<!DOCTYPE html>
+<html>
+<head>
+ <script>
+ if (window.testRunner) {
+ testRunner.waitUntilDone();
+ testRunner.dumpAsText();
+ }
+
+ function frameLoaded(iframe)
+ {
+ iframe.contentWindow.addEventListener('wheel', function() {
+ // Removing the window during event firing causes crash.
+ window.document.body.removeChild(iframe);
+ window.setTimeout(function() {
+ if (window.testRunner)
+ testRunner.notifyDone();
+ }, 0);
+ });
+
+ if (!window.eventSender)
+ return;
+
+ var iframeTarget = document.getElementById('iframe');
+ var iframeBounds = iframeTarget.getBoundingClientRect();
+
+ eventSender.mouseMoveTo(iframeBounds.left + 10, iframeBounds.top + 10);
+ eventSender.mouseScrollByWithWheelAndMomentumPhases(0, -1, 'began', 'none');
+ eventSender.mouseScrollByWithWheelAndMomentumPhases(0, -1, 'changed', 'none');
+ eventSender.mouseScrollByWithWheelAndMomentumPhases(0, -1, 'changed', 'none');
+ eventSender.mouseScrollByWithWheelAndMomentumPhases(0, 0, 'ended', 'none');
+ }
+ </script>
+</head>
+<body>
+ <p>This test should not crash</p>
+ <iframe id="iframe" _onload_="frameLoaded(this)" src="" here</body>"></iframe>
+</body>
+</html>
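Review bot: In frameLoaded, testRunner.notifyDone() is reachable only from inside the wheel listener, so the `if (!window.eventSender) return;` path, and any run where the wheel event never reaches the iframe, leaves waitUntilDone() pending and the test ends as a timeout instead of a clear result. Consider calling notifyDone() before that early return. As a smaller point, iframeTarget looks up the same element that is already passed in as `iframe`; using the parameter directly would drop the getElementById call.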
Modified: trunk/Source/WebCore/ChangeLog (196789 => 196790)
--- trunk/Source/WebCore/ChangeLog 2016-02-19 01:07:37 UTC (rev 196789)
+++ trunk/Source/WebCore/ChangeLog 2016-02-19 01:13:15 UTC (rev 196790)
@@ -1,3 +1,18 @@
+2016-02-18 Simon Fraser <[email protected]>
+
+ Wheel event callback removing the window causes crash in WebCore.
+ https://bugs.webkit.org/show_bug.cgi?id=150871
+
+ Reviewed by Brent Fulgham.
+
+ Null check the FrameView before using it, since the iframe may have been removed
+ from its parent document inside the event handler.
+
+ Test: fast/events/wheel-event-destroys-frame.html
+
+ * page/mac/EventHandlerMac.mm:
+ (WebCore::EventHandler::platformCompleteWheelEvent):
+
2016-02-18 Brady Eidson <[email protected]>
Modern IDB: Fix IDBGetResult encoder/decoder.
Modified: trunk/Source/WebCore/page/mac/EventHandlerMac.mm (196789 => 196790)
--- trunk/Source/WebCore/page/mac/EventHandlerMac.mm 2016-02-19 01:07:37 UTC (rev 196789)
+++ trunk/Source/WebCore/page/mac/EventHandlerMac.mm 2016-02-19 01:13:15 UTC (rev 196790)
@@ -1008,9 +1008,10 @@
bool EventHandler::platformCompleteWheelEvent(const PlatformWheelEvent& wheelEvent, ContainerNode* scrollableContainer, ScrollableArea* scrollableArea)
{
+ FrameView* view = m_frame.view();
// We do another check on the frame view because the event handler can run JS which results in the frame getting destroyed.
- ASSERT(m_frame.view());
- FrameView* view = m_frame.view();
+ if (!view)
+ return false;
ScrollLatchingState* latchingState = m_frame.mainFrame().latchingState();
if (wheelEvent.useLatchedEventElement() && !latchingIsLockedToAncestorOfThisFrame(m_frame) && latchingState && latchingState->scrollableContainer()) {
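Review bot: The new `if (!view) return false;` exits before the latchingState code that follows, so it is worth confirming that `false` is the result callers expect for a frame destroyed mid-event, and that no latching state tied to this frame is left behind on that path. `view` is also still a raw FrameView*; if anything later in platformCompleteWheelEvent can run script, holding it in a RefPtr would keep it alive for the rest of the function. Dropping the ASSERT is right now that a null view is an expected state, not an invariant violation.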
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes