Wheel event callback removing the window causes crash in WebCore.
authorsimon.fraser@apple.com <simon.fraser@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Fri, 19 Feb 2016 22:59:25 +0000 (22:59 +0000)
committersimon.fraser@apple.com <simon.fraser@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Fri, 19 Feb 2016 22:59:25 +0000 (22:59 +0000)
commit8e256f9ad7a603e472e2695acba7cbddac86a5c3
tree9c913da3d16fc707ab2e42cf4e524e77a3a5cf29
parent631c17ecef640febf9c092d7230b69313e403c40
Wheel event callback removing the window causes crash in WebCore.
https://bugs.webkit.org/show_bug.cgi?id=150871

Reviewed by Brent Fulgham.

Source/WebCore:

Null check the FrameView before using it, since the iframe may have been removed
from its parent document inside the event handler.

The new test triggered a cross-load side-effect, where wheel event filtering wasn't
reset between page loads. Fix by calling clearLatchedState() in EventHandler::clear(),
which resets the filtering.

Test: fast/events/wheel-event-destroys-frame.html

* page/EventHandler.cpp:
(WebCore::EventHandler::clear):
* page/WheelEventDeltaFilter.cpp:
(WebCore::WheelEventDeltaFilter::filteredDelta):
* page/mac/EventHandlerMac.mm:
(WebCore::EventHandler::platformCompleteWheelEvent):
* rendering/RenderLayer.cpp:
(WebCore::RenderLayer::scrollTo):

LayoutTests:

* fast/events/wheel-event-destroys-frame-expected.txt: Added.
* fast/events/wheel-event-destroys-frame.html: Added.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@196837 268f45cc-cd09-0410-ab3c-d52691b4dbfc
LayoutTests/ChangeLog
LayoutTests/fast/events/wheel-event-destroys-frame-expected.txt [new file with mode: 0644]
LayoutTests/fast/events/wheel-event-destroys-frame.html [new file with mode: 0644]
Source/WebCore/ChangeLog
Source/WebCore/page/EventHandler.cpp
Source/WebCore/page/WheelEventDeltaFilter.cpp
Source/WebCore/page/mac/EventHandlerMac.mm
Source/WebCore/rendering/RenderLayer.cpp