Changeset 58948 in webkit


Timestamp:
May 7, 2010 8:04:58 AM
Author:
eric@webkit.org
Message:

2010-05-07 Ben Murdoch <benm@google.com>

Reviewed by Darin Adler.

Potential crash in EventHandler::handleTouchEvent
https://bugs.webkit.org/show_bug.cgi?id=38646

Fix a ref counting bug that can cause a crash if the m_originatingTouchPointTargets
hashmap holds the last ref to an EventTarget when the user lifts their finger.

This is very hard to reproduce in a consistent way and clearly a
simple logic error in the code, therefore no new tests.

  • page/EventHandler.cpp: (WebCore::EventHandler::handleTouchEvent): Don't let the RefPtr we get back from the hashmap go out of scope so soon, as it could delete the wrapped ptr if the hashmap held the last ref (and we use the raw ptr that the RefPtr wraps later in the WebCore::Touch constructor).
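
The lifetime bug described in the message above, as an added example that is not WebKit's own code: a minimal stand-in for WTF::RefPtr, a ref-counted Target in place of EventTarget, and a TargetMap whose take() returns the stored RefPtr by value like HashMap<unsigned, RefPtr<EventTarget>>::take. The names Target, TargetMap, g_liveTargets, releaseWithRawPointer and releaseHoldingRefPtr are constructed for this example.

```cpp
#include <map>
static int g_liveTargets = 0;  // example bookkeeping: Target objects currently alive

struct Target {  // stand-in for a ref-counted EventTarget
    int refCount = 0;
    Target() { ++g_liveTargets; }
    ~Target() { --g_liveTargets; }
    void ref() { ++refCount; }
    void deref() { if (--refCount == 0) delete this; }
};
// Simplified RefPtr: refs on construction/copy/assignment, derefs on destruction.
template <typename T> class RefPtr {
public:
    RefPtr() : m_ptr(nullptr) {}
    RefPtr(T* p) : m_ptr(p) { if (m_ptr) m_ptr->ref(); }
    RefPtr(const RefPtr& o) : RefPtr(o.m_ptr) {}
    ~RefPtr() { if (m_ptr) m_ptr->deref(); }
    RefPtr& operator=(const RefPtr& o) { if (o.m_ptr) o.m_ptr->ref(); if (m_ptr) m_ptr->deref(); m_ptr = o.m_ptr; return *this; }
    T* get() const { return m_ptr; }
    bool operator!() const { return !m_ptr; }
private:
    T* m_ptr;
};
// Stand-in for m_originatingTouchPointTargets: take() erases the entry and
// returns the stored RefPtr by value, which may be the last reference.
struct TargetMap {
    std::map<unsigned, RefPtr<Target>> entries;
    void set(unsigned key, Target* t) { entries[key] = RefPtr<Target>(t); }
    RefPtr<Target> take(unsigned key) { RefPtr<Target> r = entries[key]; entries.erase(key); return r; }
};

// Pre-fix pattern: take().get() pulls a raw pointer out of a temporary RefPtr that dies
// at the end of the statement; the map held the only reference, so the object is freed.
int releaseWithRawPointer() {
    TargetMap targets;
    targets.set(1, new Target);
    Target* touchTarget = targets.take(1).get();  // temporary RefPtr destroyed here
    (void)touchTarget;                            // dangling; deliberately never dereferenced
    return g_liveTargets;                         // 0: the target was already deleted
}
// Fixed pattern (r58948): hold the RefPtr so the target outlives every later use of
// the raw pointer, such as Touch::create(..., touchTarget.get(), ...).
int releaseHoldingRefPtr() {
    TargetMap targets;
    targets.set(1, new Target);
    RefPtr<Target> touchTarget = targets.take(1);
    if (!touchTarget) return -1;
    return g_liveTargets;                         // 1: still alive while touchTarget is in scope
}
```

The pre-fix function only records that the object is gone; it never touches the dangling pointer, which in the real code was passed on to the Touch constructor.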

Location:
trunk/WebCore
Files:
2 edited

  • trunk/WebCore/ChangeLog

    r58946 r58948  
     12010-05-07  Ben Murdoch  <benm@google.com>
     2
     3        Reviewed by Darin Adler.
     4
     5        Potential crash in EventHandler::handleTouchEvent
     6        https://bugs.webkit.org/show_bug.cgi?id=38646
     7
     8        Fix a ref counting bug that can cause a crash if the m_originatingouchPointTargets
     9        hashmap holds the last ref to an EventTarget when the user lifts their finger.
     10
     11        This is very hard to reproduce in a consistent way and clearly a
     12        simple logic error in the code, therefore no new tests.
     13
     14        * page/EventHandler.cpp:
     15        (WebCore::EventHandler::handleTouchEvent): Don't let the RefPtr we get back from
     16            the hasmap go out of scope so soon as it could delete the wrapped ptr if the
     17            hashmap held the last ref (and we use the raw ptr that the RefPtr
     18            wraps later in the WebCore::Touch constructor).
     19
    1202010-05-07  Gustavo Noronha Silva  <gustavo.noronha@collabora.co.uk>
    221
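Review bot: the ChangeLog entry misspells the member as m_originatingouchPointTargets (entry line 8) and writes "hasmap" (entry line 16); both should read m_originatingTouchPointTargets and "hashmap", matching the identifier actually used in page/EventHandler.cpp, so that a search for the member name finds this entry.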
  • trunk/WebCore/page/EventHandler.cpp

    r58910 r58948  
    27832783        // Increment the platform touch id by 1 to avoid storing a key of 0 in the hashmap.
    27842784        unsigned touchPointTargetKey = point.id() + 1;
    2785         EventTarget* touchTarget = 0;
     2785        RefPtr<EventTarget> touchTarget;
    27862786        if (point.state() == PlatformTouchPoint::TouchPressed) {
    27872787            m_originatingTouchPointTargets.set(touchPointTargetKey, target);
     
    27902790            // The target should be the original target for this touch, so get it from the hashmap. As it's a release or cancel
    27912791            // we also remove it from the map.
    2792             touchTarget = m_originatingTouchPointTargets.take(touchPointTargetKey).get();
     2792            touchTarget = m_originatingTouchPointTargets.take(touchPointTargetKey);
    27932793        } else
    2794             touchTarget = m_originatingTouchPointTargets.get(touchPointTargetKey).get();
    2795 
    2796         if (!touchTarget)
     2794            touchTarget = m_originatingTouchPointTargets.get(touchPointTargetKey);
     2795
     2796        if (!touchTarget.get())
    27972797            continue;
    27982798
    2799         RefPtr<Touch> touch = Touch::create(doc->frame(), touchTarget, point.id(),
     2799        RefPtr<Touch> touch = Touch::create(doc->frame(), touchTarget.get(), point.id(),
    28002800                                            point.screenPos().x(), point.screenPos().y(),
    28012801                                            adjustedPageX, adjustedPageY);
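Review bot: the fix is sound for the release/cancel path: take() returns the stored RefPtr by value, so `touchTarget = m_originatingTouchPointTargets.take(touchPointTargetKey).get();` pulled a raw pointer out of a temporary that was destroyed at the end of that statement, freeing the target whenever the map held its last reference; keeping the result in `RefPtr<EventTarget> touchTarget` holds it alive until `Touch::create(doc->frame(), touchTarget.get(), ...)` runs. Two minor points: `if (!touchTarget.get())` can be written `if (!touchTarget)`, since RefPtr supports the null test directly and that is the usual WebKit style; and because `touchTarget` only keeps the target alive for this loop iteration, it is worth confirming that the Touch constructor takes its own reference to the EventTarget rather than storing the raw pointer.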