Changeset 58760 in webkit

Timestamp:

May 4, 2010 8:30:07 AM (14 years ago)

Author:

eric@webkit.org

Message:

2010-05-04 Ben Murdoch <​benm@google.com>

Reviewed by Simon Hausmann.

Crash in handleTouchEvent: using dangling node ptrs in hashmap
​https://bugs.webkit.org/show_bug.cgi?id=38514

• fast/events/touch/resources/touch-stale-node-crash.js: Added.
• fast/events/touch/resources/send-touch-up.html: Added.
• fast/events/touch/touch-stale-node-crash-expected.txt: Added.
• fast/events/touch/touch-stale-node-crash.html: Added.

2010-05-04 Ben Murdoch <​benm@google.com>

Reviewed by Simon Hausmann.

Crash in handleTouchEvent: using dangling node ptrs in hashmap
​https://bugs.webkit.org/show_bug.cgi?id=38514

When navigating away from a page, if you have your finger still
pressed and then lift it on the new page we see a crash if the
node got deleted as we still have a dangling pointer in the
m_originatingTouchPointTargets hashmap and try to use it as the
receiver to dispatch a touchend event.

Test: fast/events/touch/touch-stale-node-crash.html

• page/EventHandler.cpp: (WebCore::EventHandler::clear): Clear the hashmap of touch targets.

Location:

trunk

Files:

• LayoutTests/ChangeLog (modified) (1 diff)
• LayoutTests/fast/events/touch/resources/send-touch-up.html (added)
• LayoutTests/fast/events/touch/resources/touch-stale-node-crash.js (added)
• LayoutTests/fast/events/touch/touch-stale-node-crash-expected.txt (added)
• LayoutTests/fast/events/touch/touch-stale-node-crash.html (added)
• WebCore/ChangeLog (modified) (1 diff)
• WebCore/page/EventHandler.cpp (modified) (1 diff)

trunk/LayoutTests/ChangeLog

@@ +1 @@
+2010-05-04  Ben Murdoch  <benm@google.com>
+
+        Reviewed by Simon Hausmann.
+
+        Crash in handleTouchEvent: using dangling node ptrs in hashmap
+        https://bugs.webkit.org/show_bug.cgi?id=38514
+
+        * fast/events/touch/resources/touch-stale-node-crash.js: Added.
+        * fast/events/touch/resources/send-touch-up.html: Added.
+        * fast/events/touch/touch-stale-node-crash-expected.txt: Added.
+        * fast/events/touch/touch-stale-node-crash.html: Added.
+
 2010-05-04  Jeremy Moskovich  <jeremy@chromium.org>
 

trunk/WebCore/ChangeLog

@@ +1 @@
+2010-05-04  Ben Murdoch  <benm@google.com>
+
+        Reviewed by Simon Hausmann.
+
+        Crash in handleTouchEvent: using dangling node ptrs in hashmap
+        https://bugs.webkit.org/show_bug.cgi?id=38514
+
+        When navigating away from a page, if you have your finger still
+        pressed and then lift it on the new page we see a crash if the
+        node got deleted as we still have a dangling pointer in the
+        m_originatingTouchPointTargets hashmap and try to use it as the
+        receiver to dispatch a touchend event.
+
+        Test: fast/events/touch/touch-stale-node-crash.html
+
+        * page/EventHandler.cpp:
+        (WebCore::EventHandler::clear): Clear the hashmap of touch targets.
+
 2010-05-04  Joseph Pecoraro  <joepeck@webkit.org>
 

trunk/WebCore/page/EventHandler.cpp

@@ -232 +232 @@
     m_latchedWheelEventNode = 0;
     m_previousWheelScrolledNode = 0;
+#if ENABLE(TOUCH_EVENTS)
+    m_originatingTouchPointTargets.clear();
+#endif
 }