Changeset 121909 in webkit

Timestamp:

Jul 5, 2012 9:21:43 AM (12 years ago)

Author:

scheib@chromium.org

Message:

[Chromium] Clear m_currentInputEvent after handled by pointerLockMouseEvent().
​https://bugs.webkit.org/show_bug.cgi?id=90391

Source/WebKit/chromium:

WebViewImpl::handleInputEvent was keeping a pointer to an input event that would
later be accessed. When in pointer lock, that pointer was not being cleared.
Code modified to use TemporaryChange to automatically clear the pointer at all
method exit points.

Reviewed by Abhishek Arya.

• src/WebViewImpl.cpp:

(WebKit::WebViewImpl::handleInputEvent):

LayoutTests:

Test that reproduces bug 90391:
Enable pointer lock, receive mouse move, call window.open, don't crash.

Reviewed by Abhishek Arya.

• pointer-lock/bug90391-move-then-window-open-crash-expected.txt: Added.
• pointer-lock/bug90391-move-then-window-open-crash.html: Added.

Location:

trunk

Files:

• LayoutTests/ChangeLog (modified) (1 diff)
• LayoutTests/pointer-lock/bug90391-move-then-window-open-crash-expected.txt (added)
• LayoutTests/pointer-lock/bug90391-move-then-window-open-crash.html (added)
• Source/WebKit/chromium/ChangeLog (modified) (1 diff)
• Source/WebKit/chromium/src/WebViewImpl.cpp (modified) (3 diffs)

trunk/LayoutTests/ChangeLog

@@ +1 @@
+2012-07-05  Vincent Scheib  <scheib@chromium.org>
+
+        [Chromium] Clear m_currentInputEvent after handled by pointerLockMouseEvent().
+        https://bugs.webkit.org/show_bug.cgi?id=90391
+
+        Test that reproduces bug 90391:
+        Enable pointer lock, receive mouse move, call window.open, don't crash.
+
+        Reviewed by Abhishek Arya.
+
+        * pointer-lock/bug90391-move-then-window-open-crash-expected.txt: Added.
+        * pointer-lock/bug90391-move-then-window-open-crash.html: Added.
+
 2012-07-05  John Mellor  <johnme@chromium.org>
 

trunk/Source/WebKit/chromium/ChangeLog

@@ +1 @@
+2012-07-05  Vincent Scheib  <scheib@chromium.org>
+
+        [Chromium] Clear m_currentInputEvent after handled by pointerLockMouseEvent().
+        https://bugs.webkit.org/show_bug.cgi?id=90391
+
+        WebViewImpl::handleInputEvent was keeping a pointer to an input event that would
+        later be accessed. When in pointer lock, that pointer was not being cleared.
+        Code modified to use TemporaryChange to automatically clear the pointer at all
+        method exit points.
+
+        Reviewed by Abhishek Arya.
+
+        * src/WebViewImpl.cpp:
+        (WebKit::WebViewImpl::handleInputEvent):
+
 2012-07-05  John Mellor  <johnme@chromium.org>
 

trunk/Source/WebKit/chromium/src/WebViewImpl.cpp

@@ -165 +165 @@
 #include <wtf/MainThread.h>
 #include <wtf/RefPtr.h>
+#include <wtf/TemporaryChange.h>
 #include <wtf/Uint8ClampedArray.h>
 
@@ -1761 +1762 @@
         return false;
 
-    m_currentInputEvent = &inputEvent;
+    TemporaryChange<const WebInputEvent*>(m_currentInputEvent, &inputEvent);
 
 #if ENABLE(POINTER_LOCK)
@@ -1799 +1800 @@
               PlatformMouseEventBuilder(mainFrameImpl()->frameView(), *static_cast<const WebMouseEvent*>(&inputEvent)),
               eventType, static_cast<const WebMouseEvent*>(&inputEvent)->clickCount);
-        m_currentInputEvent = 0;
         return true;
     }
 
     bool handled = PageWidgetDelegate::handleInputEvent(m_page.get(), *this, inputEvent);
-    m_currentInputEvent = 0;
     return handled;
 }