Context Navigation

← Previous Changeset
Next Changeset →

Changeset 182349 in webkit

Timestamp:

Apr 4, 2015 5:51:53 PM (9 years ago)

Author:

Simon Fraser

Message:

Crash under Document::absoluteRegionForEventTargets on build.webkit.org/dashboard
https://bugs.webkit.org/show_bug.cgi?id=143406
rdar://problem/20407080

Reviewed by Ryosuke Niwa.

Source/WebCore:

We failed to remove elements from Document's m_wheelEventTargets HashSet when the
elements were destroyed with wheel handlers still on them. Fix by removing the
node from the set via Node::willBeDeletedFrom().

Tests: platform/mac-wk2/tiled-drawing/scrolling/non-fast-region/destroy-element-with-multiple-handlers-crash.html

platform/mac-wk2/tiled-drawing/scrolling/non-fast-region/destroy-wheel-element-crash.html
platform/mac-wk2/tiled-drawing/scrolling/non-fast-region/destroy-wheel-element-parent-crash.html

dom/Document.cpp:

(WebCore::removeHandlerFromSet): Helper to remove one or all handlers on the given node.
(WebCore::Document::didRemoveWheelEventHandler): Add a parameter to specify whether we're
removing all handlers on the given node.
(WebCore::Document::didRemoveTouchEventHandler): Use removeHandlerFromSet().

dom/Document.h:
dom/Node.cpp:

(WebCore::Node::willBeDeletedFrom): Tell the document we're removing all handlers
for this node.

LayoutTests:

Test configurations of elements with different parenting and event handlers adding orders, and multiple handlers on
the same node.

platform/mac-wk2/tiled-drawing/scrolling/non-fast-region/destroy-element-with-multiple-handlers-crash-expected.txt: Added.
platform/mac-wk2/tiled-drawing/scrolling/non-fast-region/destroy-element-with-multiple-handlers-crash.html: Added.
platform/mac-wk2/tiled-drawing/scrolling/non-fast-region/destroy-wheel-element-crash-expected.txt: Added.
platform/mac-wk2/tiled-drawing/scrolling/non-fast-region/destroy-wheel-element-crash.html: Added.
platform/mac-wk2/tiled-drawing/scrolling/non-fast-region/destroy-wheel-element-parent-crash-expected.txt: Added.
platform/mac-wk2/tiled-drawing/scrolling/non-fast-region/destroy-wheel-element-parent-crash.html: Added.

Location:

trunk

Files:

: 6 added
: 5 edited

Legend:

: Unmodified
: Added
: Removed

trunk/LayoutTests/ChangeLog

-                      r182346
+                      r182349
+-04-04  Simon Fraser  <simon.fraser@apple.com>
+        Crash under Document::absoluteRegionForEventTargets on build.webkit.org/dashboard
+        https://bugs.webkit.org/show_bug.cgi?id=143406
+        rdar://problem/20407080
+        Reviewed by Ryosuke Niwa.
+        Test configurations of elements with different parenting and event handlers adding orders, and multiple handlers on
+        the same node.
+        * platform/mac-wk2/tiled-drawing/scrolling/non-fast-region/destroy-element-with-multiple-handlers-crash-expected.txt: Added.
+        * platform/mac-wk2/tiled-drawing/scrolling/non-fast-region/destroy-element-with-multiple-handlers-crash.html: Added.
+        * platform/mac-wk2/tiled-drawing/scrolling/non-fast-region/destroy-wheel-element-crash-expected.txt: Added.
+        * platform/mac-wk2/tiled-drawing/scrolling/non-fast-region/destroy-wheel-element-crash.html: Added.
+        * platform/mac-wk2/tiled-drawing/scrolling/non-fast-region/destroy-wheel-element-parent-crash-expected.txt: Added.
+        * platform/mac-wk2/tiled-drawing/scrolling/non-fast-region/destroy-wheel-element-parent-crash.html: Added.
 -04-04  Simon Fraser  <simon.fraser@apple.com>

trunk/Source/WebCore/ChangeLog

-                      r182346
+                      r182349
+-04-04  Simon Fraser  <simon.fraser@apple.com>
+        Crash under Document::absoluteRegionForEventTargets on build.webkit.org/dashboard
+        https://bugs.webkit.org/show_bug.cgi?id=143406
+        rdar://problem/20407080
+        Reviewed by Ryosuke Niwa.
+        We failed to remove elements from Document's m_wheelEventTargets HashSet when the
+        elements were destroyed with wheel handlers still on them. Fix by removing the
+        node from the set via Node::willBeDeletedFrom().
+        Tests: platform/mac-wk2/tiled-drawing/scrolling/non-fast-region/destroy-element-with-multiple-handlers-crash.html
+               platform/mac-wk2/tiled-drawing/scrolling/non-fast-region/destroy-wheel-element-crash.html
+               platform/mac-wk2/tiled-drawing/scrolling/non-fast-region/destroy-wheel-element-parent-crash.html
+        * dom/Document.cpp:
+        (WebCore::removeHandlerFromSet): Helper to remove one or all handlers on the given node.
+        (WebCore::Document::didRemoveWheelEventHandler): Add a parameter to specify whether we're
+        removing all handlers on the given node.
+        (WebCore::Document::didRemoveTouchEventHandler): Use removeHandlerFromSet().
+        * dom/Document.h:
+        * dom/Node.cpp:
+        (WebCore::Node::willBeDeletedFrom): Tell the document we're removing all handlers
+        for this node.
 -04-04  Simon Fraser  <simon.fraser@apple.com>

trunk/Source/WebCore/dom/Document.cpp

-                      r182271
+                      r182349
+}
+void Document::didRemoveWheelEventHandler(Node& node)
+static bool removeHandlerFromSet(EventTargetSet& handlerSet, Node& node, EventHandlerRemoval removal)
+{
+    switch (removal) {
+    case EventHandlerRemoval::One:
+        return handlerSet.remove(&node);
+    case EventHandlerRemoval::All:
+        return handlerSet.removeAll(&node);
+    }
+    return false;
+}
+void Document::didRemoveWheelEventHandler(Node& node, EventHandlerRemoval removal)
+{
     if (!m_wheelEventTargets)
         return;
     ASSERT(m_wheelEventTargets->contains(&node));
     m_wheelEventTargets->remove(&node);
+    if (!removeHandlerFromSet(*m_wheelEventTargets, node, removal))
+        return;
     if (Document* parent = parentDocument()) {
 …
+}
 void Document::didRemoveTouchEventHandler(Node& handler)
+void Document::didRemoveTouchEventHandler(Node& handler, EventHandlerRemoval removal)
+{
 #if ENABLE(TOUCH_EVENTS)
 …
         return;
+    ASSERT(m_touchEventTargets->contains(&handler));
+    m_touchEventTargets->remove(&handler);
+    removeHandlerFromSet(*m_touchEventTargets, handler, removal))
     if (Document* parent = parentDocument()) {
 …
 #else
     UNUSED_PARAM(handler);
+    UNUSED_PARAM(removal);
 #endif
+}
 …
     for (auto it : *targets) {
         LayoutRect rootRelativeBounds;
         if (is<Document>(it.key)) {
             Document* document = downcast<Document>(it.key);

trunk/Source/WebCore/dom/Document.h

-                      r182242
+                      r182349
 const int numNodeListInvalidationTypes = InvalidateOnAnyAttrChange + 1;
+enum class EventHandlerRemoval { One, All };
 typedef HashCountedSet<Node*> EventTargetSet;
 …
     void didAddWheelEventHandler(Node&);
     void didRemoveWheelEventHandler(Node&);
+    void didRemoveWheelEventHandler(Node&, EventHandlerRemoval = EventHandlerRemoval::One);
     double lastHandledUserGestureTimestamp() const { return m_lastHandledUserGestureTimestamp; }
 …
     void didAddTouchEventHandler(Node&);
     void didRemoveTouchEventHandler(Node&);
+    void didRemoveTouchEventHandler(Node&, EventHandlerRemoval = EventHandlerRemoval::One);
     void didRemoveEventTargetNode(Node&);

trunk/Source/WebCore/dom/Node.cpp

-                      r181514
+                      r182349
+{
     if (hasEventTargetData()) {
+        document.didRemoveWheelEventHandler(*this, EventHandlerRemoval::All);
 #if ENABLE(TOUCH_EVENTS) && PLATFORM(IOS)
         document.removeTouchEventListener(this, true);
+#else
+        // FIXME: This should call didRemoveTouchEventHandler().
 #endif
         clearEventTargetData();

Note: See TracChangeset for help on using the changeset viewer.