Crashes in ViewGestureController::beginSwipeGesture when swiping in rapid succession
authortimothy_horton@apple.com <timothy_horton@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Wed, 27 Aug 2014 00:16:52 +0000 (00:16 +0000)
committertimothy_horton@apple.com <timothy_horton@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Wed, 27 Aug 2014 00:16:52 +0000 (00:16 +0000)
commit61c2bb6157a27628d823be8b4f61206d22ff9a15
tree4ffa3f341e74746fb111e975e5db2604e7609f5f
parent0bbb36e4ae48b9ba53cb0cc4193d633d723fad75
Crashes in ViewGestureController::beginSwipeGesture when swiping in rapid succession
https://bugs.webkit.org/show_bug.cgi?id=136271
<rdar://problem/17923694>

Reviewed by Simon Fraser.

It was possible to get into trackSwipeGesture while another swipe was still
occurring, because the guard against this happening depended on m_pendingSwipeReason
never being set while a swipe was occurring. However, if the very first scroll event
had sufficient magnitude, we would still set m_pendingSwipeReason to InsufficientMagnitude,
and then *never clear it*, leading to a path around the guard against multiple live swipes.
This in turn allowed stale layers in m_liveSwipeLayers, which lead to the crash.

* UIProcess/mac/ViewGestureControllerMac.mm:
(WebKit::ViewGestureController::handleScrollWheelEvent):
Don't unset m_pendingSwipeReason before calling trackSwipeGesture;
trackSwipeGesture will do it itself.

Don't set m_pendingSwipeReason to InsufficientMagnitude
if the event actually *has* sufficient magnitude to start a swipe.

(WebKit::ViewGestureController::trackSwipeGesture):
Assert that we don't have an active gesture while starting a swipe.

Reset m_pendingSwipeReason, because the swipe is no longer pending!

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@172988 268f45cc-cd09-0410-ab3c-d52691b4dbfc
Source/WebKit2/ChangeLog
Source/WebKit2/UIProcess/mac/ViewGestureControllerMac.mm