Changeset 196837 in webkit

Timestamp:

Feb 19, 2016 2:59:25 PM (8 years ago)

Author:

Simon Fraser

Message:

Wheel event callback removing the window causes crash in WebCore.
​https://bugs.webkit.org/show_bug.cgi?id=150871

Reviewed by Brent Fulgham.

Source/WebCore:

Null check the FrameView before using it, since the iframe may have been removed
from its parent document inside the event handler.

The new test triggered a cross-load side-effect, where wheel event filtering wasn't
reset between page loads. Fix by calling clearLatchedState() in EventHandler::clear(),
which resets the filtering.

Test: fast/events/wheel-event-destroys-frame.html

• page/EventHandler.cpp:

(WebCore::EventHandler::clear):

• page/WheelEventDeltaFilter.cpp:

(WebCore::WheelEventDeltaFilter::filteredDelta):

• page/mac/EventHandlerMac.mm:

(WebCore::EventHandler::platformCompleteWheelEvent):

• rendering/RenderLayer.cpp:

(WebCore::RenderLayer::scrollTo):

LayoutTests:

• fast/events/wheel-event-destroys-frame-expected.txt: Added.
• fast/events/wheel-event-destroys-frame.html: Added.

Location:

trunk

Files:

• LayoutTests/ChangeLog (modified) (1 diff)
• LayoutTests/fast/events/wheel-event-destroys-frame-expected.txt (added)
• LayoutTests/fast/events/wheel-event-destroys-frame.html (added)
• Source/WebCore/ChangeLog (modified) (1 diff)
• Source/WebCore/page/EventHandler.cpp (modified) (2 diffs)
• Source/WebCore/page/WheelEventDeltaFilter.cpp (modified) (2 diffs)
• Source/WebCore/page/mac/EventHandlerMac.mm (modified) (1 diff)
• Source/WebCore/rendering/RenderLayer.cpp (modified) (1 diff)

trunk/LayoutTests/ChangeLog

@@ +1 @@
+2016-02-19  Simon Fraser  <simon.fraser@apple.com>
+
+        Wheel event callback removing the window causes crash in WebCore.
+        https://bugs.webkit.org/show_bug.cgi?id=150871
+
+        Reviewed by Brent Fulgham.
+
+        * fast/events/wheel-event-destroys-frame-expected.txt: Added.
+        * fast/events/wheel-event-destroys-frame.html: Added.
+
 2016-02-19  Antti Koivisto  <antti@apple.com>
 

trunk/Source/WebCore/ChangeLog

@@ +1 @@
+2016-02-19  Simon Fraser  <simon.fraser@apple.com>
+
+        Wheel event callback removing the window causes crash in WebCore.
+        https://bugs.webkit.org/show_bug.cgi?id=150871
+
+        Reviewed by Brent Fulgham.
+
+        Null check the FrameView before using it, since the iframe may have been removed
+        from its parent document inside the event handler.
+        
+        The new test triggered a cross-load side-effect, where wheel event filtering wasn't
+        reset between page loads. Fix by calling clearLatchedState() in EventHandler::clear(),
+        which resets the filtering.
+
+        Test: fast/events/wheel-event-destroys-frame.html
+
+        * page/EventHandler.cpp:
+        (WebCore::EventHandler::clear):
+        * page/WheelEventDeltaFilter.cpp:
+        (WebCore::WheelEventDeltaFilter::filteredDelta):
+        * page/mac/EventHandlerMac.mm:
+        (WebCore::EventHandler::platformCompleteWheelEvent):
+        * rendering/RenderLayer.cpp:
+        (WebCore::RenderLayer::scrollTo):
+
 2016-02-19  Myles C. Maxfield  <mmaxfield@apple.com>
 

trunk/Source/WebCore/page/EventHandler.cpp

@@ -453 +453 @@
     m_capturesDragging = false;
     m_capturingMouseEventsElement = nullptr;
-#if PLATFORM(MAC)
-    m_frame.mainFrame().resetLatchingState();
-#endif
+    clearLatchedState();
 #if ENABLE(TOUCH_EVENTS) && !ENABLE(IOS_TOUCH_EVENTS)
     m_originatingTouchPointTargets.clear();
@@ -2665 +2663 @@
     m_frame.mainFrame().resetLatchingState();
 #endif
-    m_frame.mainFrame().wheelEventDeltaFilter()->endFilteringDeltas();
+    if (WheelEventDeltaFilter* filter = m_frame.mainFrame().wheelEventDeltaFilter())
+        filter->endFilteringDeltas();
 }
 

trunk/Source/WebCore/page/WheelEventDeltaFilter.cpp

@@ -32 +32 @@
 
 #include "FloatSize.h"
+#include "Logging.h"
+#include "TextStream.h"
 
 namespace WebCore {
@@ -59 +61 @@
 FloatSize WheelEventDeltaFilter::filteredDelta() const
 {
+    LOG_WITH_STREAM(Scrolling, stream << "BasicWheelEventDeltaFilter::filteredDelta returning " << m_currentFilteredDelta);
     return m_currentFilteredDelta;
 }

trunk/Source/WebCore/page/mac/EventHandlerMac.mm

@@ -1009 +1009 @@
 bool EventHandler::platformCompleteWheelEvent(const PlatformWheelEvent& wheelEvent, ContainerNode* scrollableContainer, ScrollableArea* scrollableArea)
 {
+    FrameView* view = m_frame.view();
     // We do another check on the frame view because the event handler can run JS which results in the frame getting destroyed.
-    ASSERT(m_frame.view());
-    FrameView* view = m_frame.view();
+    if (!view)
+        return false;
 
     ScrollLatchingState* latchingState = m_frame.mainFrame().latchingState();

trunk/Source/WebCore/rendering/RenderLayer.cpp

@@ -2350 +2350 @@
         return;
 
+    LOG_WITH_STREAM(Scrolling, stream << "RenderLayer::scrollTo " << position);
+
     ScrollPosition newPosition = position;
     if (box->style().overflowX() != OMARQUEE) {