Changeset 139345 in webkit

Timestamp:

Jan 10, 2013, 11:29:37 AM (12 years ago)

Author:

leviw@chromium.org

Message:

Regression(r137939): Heap-use-after-free in WebCore::accumulateDocumentEventTargetRects
​https://bugs.webkit.org/show_bug.cgi?id=106454

Reviewed by James Robinson.

Source/WebCore:

Correctly removing child Documents from their parent's tracked touch handler maps when detaching and
when their last touch event handler is removed.

Test: fast/events/touch/nested-document-with-touch-handler-detached-crash.html

• dom/Document.cpp:

(WebCore::Document::detach):
(WebCore::Document::didRemoveEventTargetNode):

LayoutTests:

• fast/events/touch/nested-document-with-touch-handler-detached-crash.html: Added.
• fast/events/touch/nested-document-with-touch-handler-detached-crash-expected.txt: Added.

Location:

trunk

Files:

• LayoutTests/ChangeLog (modified) (1 diff)
• LayoutTests/fast/events/touch/nested-document-with-touch-handler-detached-crash-expected.txt (added)
• LayoutTests/fast/events/touch/nested-document-with-touch-handler-detached-crash.html (added)
• Source/WebCore/ChangeLog (modified) (1 diff)
• Source/WebCore/dom/Document.cpp (modified) (2 diffs)

trunk/LayoutTests/ChangeLog

@@ +1 @@
+2013-01-10  Levi Weintraub  <leviw@chromium.org>
+
+        Regression(r137939): Heap-use-after-free in WebCore::accumulateDocumentEventTargetRects
+        https://bugs.webkit.org/show_bug.cgi?id=106454
+
+        Reviewed by James Robinson.
+
+        * fast/events/touch/nested-document-with-touch-handler-detached-crash.html: Added.
+        * fast/events/touch/nested-document-with-touch-handler-detached-crash-expected.txt: Added.
+
 2013-01-10  Ojan Vafai  <ojan@chromium.org>
 

trunk/Source/WebCore/ChangeLog

@@ +1 @@
+2013-01-10  Levi Weintraub  <leviw@chromium.org>
+
+        Regression(r137939): Heap-use-after-free in WebCore::accumulateDocumentEventTargetRects
+        https://bugs.webkit.org/show_bug.cgi?id=106454
+
+        Reviewed by James Robinson.
+
+        Correctly removing child Documents from their parent's tracked touch handler maps when detaching and
+        when their last touch event handler is removed.
+
+        Test: fast/events/touch/nested-document-with-touch-handler-detached-crash.html
+
+        * dom/Document.cpp:
+        (WebCore::Document::detach):
+        (WebCore::Document::didRemoveEventTargetNode):
+
 2013-01-10  Nate Chapin  <japhet@chromium.org>
 

trunk/Source/WebCore/dom/Document.cpp

@@ -2118 +2118 @@
         render->destroy();
 
+#if ENABLE(TOUCH_EVENTS)
+    if (m_touchEventTargets && m_touchEventTargets->size() && parentDocument())
+        parentDocument()->didRemoveEventTargetNode(this);
+#endif
+
     // This is required, as our Frame might delete itself as soon as it detaches
     // us. However, this violates Node::detach() semantics, as it's never
@@ -5660 +5665 @@
 void Document::didRemoveEventTargetNode(Node* handler)
 {
-    if (m_touchEventTargets.get())
+    if (m_touchEventTargets) {
         m_touchEventTargets->removeAll(handler);
-    if (handler == this)
-        if (Document* parentDocument = this->parentDocument())
-            parentDocument->didRemoveEventTargetNode(this);
+        if ((handler == this || m_touchEventTargets->isEmpty()) && parentDocument())
+            parentDocument()->didRemoveEventTargetNode(this);
+    }
 }
 #endif