Crash at WebCore::Document::absoluteRegionForEventTargets
author simon.fraser@apple.com <simon.fraser@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Thu, 30 Apr 2015 01:38:20 +0000 (01:38 +0000)
committer simon.fraser@apple.com <simon.fraser@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Thu, 30 Apr 2015 01:38:20 +0000 (01:38 +0000)
commit 99b2f8f785cf390b17d5b732ffd285a48de8071b
tree 1dffd81b4786289af73d493201c1266a1c057888
parent 2aefc8254c8dbfe2020709f7a9172ff52a81b80a
Crash at WebCore::Document::absoluteRegionForEventTargets
https://bugs.webkit.org/show_bug.cgi?id=144426
rdar://problem/20502166

Reviewed by Tim Horton.

Source/WebCore:

When a frame had wheel event handlers, we would register the document itself
as a handler in its parent document. This is problematic, because there's no
code path that removes it when the frame is destroyed.

It turns out we don't need to do this at all; the non-fast scrollable region
already takes handlers in subframes into account.

Tests: fast/events/wheelevent-in-frame.html
       fast/events/wheelevent-in-reattached-frame.html

* dom/Document.cpp:
(WebCore::Document::didAddWheelEventHandler):
(WebCore::Document::didRemoveWheelEventHandler):

LayoutTests:

Test that disconnects a frame with a wheel event handler then GCs, and one that
disconnects and reconnects. In both cases, the parent document should have zero
wheel event handlers registered on it.

* fast/events/wheelevent-in-frame-expected.txt: Added.
* fast/events/wheelevent-in-frame.html: Added.
* fast/events/wheelevent-in-reattached-frame-expected.txt: Added.
* fast/events/wheelevent-in-reattached-frame.html: Added.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@183600 268f45cc-cd09-0410-ab3c-d52691b4dbfc
LayoutTests/ChangeLog
LayoutTests/fast/events/wheelevent-in-frame-expected.txt [new file with mode: 0644]
LayoutTests/fast/events/wheelevent-in-frame.html [new file with mode: 0644]
LayoutTests/fast/events/wheelevent-in-reattached-frame-expected.txt [new file with mode: 0644]
LayoutTests/fast/events/wheelevent-in-reattached-frame.html [new file with mode: 0644]
Source/WebCore/ChangeLog
Source/WebCore/dom/Document.cpp
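
The lifetime problem described in the commit message, reduced to a toy C++ model. This is an added example, not WebKit code and not part of the commit; `Doc`, `wheelTargets`, `addWheelHandlerLeaky` and the other names are hypothetical. It contrasts a child that registers itself in its parent with no removal path against handler counts derived from the subframes that are still attached.

```cpp
// Toy model of the bug class; every name here is hypothetical, not WebKit's.
#include <cstddef>
#include <memory>
#include <unordered_set>
#include <vector>

struct Doc {
    Doc* parent = nullptr;
    std::vector<Doc*> liveSubframes;               // updated on attach/detach
    std::unordered_set<const void*> wheelTargets;  // raw, non-owning entries
    unsigned ownHandlers = 0;

    ~Doc() { if (parent) parent->detach(this); }
    void attach(Doc* child) { child->parent = this; liveSubframes.push_back(child); }
    void detach(Doc* child) {
        for (auto it = liveSubframes.begin(); it != liveSubframes.end(); ++it)
            if (*it == child) { liveSubframes.erase(it); break; }
        child->parent = nullptr;
    }
    // "Before": the child registers itself upward; nothing undoes this when
    // the child is destroyed, so the parent keeps a dangling entry.
    void addWheelHandlerLeaky() {
        ++ownHandlers;
        if (parent) parent->wheelTargets.insert(this);
    }
    // "After": local bookkeeping only; no cross-document raw pointer.
    void addWheelHandler() { ++ownHandlers; }
    // Queries walk subframes that are attached right now.
    unsigned handlersInTree() const {
        unsigned n = ownHandlers;
        for (const Doc* d : liveSubframes) n += d->handlersInTree();
        return n;
    }
};

// Number of registrations left on the parent after the frame is destroyed.
std::size_t staleAfterDestroy(bool leaky) {
    Doc parent;
    {
        auto frame = std::make_unique<Doc>();
        parent.attach(frame.get());
        if (leaky) frame->addWheelHandlerLeaky(); else frame->addWheelHandler();
    }  // frame destroyed here
    return parent.wheelTargets.size();  // size only; entries are never dereferenced
}

// Handler count seen from the parent while attached, then after destruction.
unsigned treeCount(bool destroyFirst) {
    Doc parent;
    auto frame = std::make_unique<Doc>();
    parent.attach(frame.get());
    frame->addWheelHandler();
    if (destroyFirst) frame.reset();
    return parent.handlersInTree();
}
```
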