REGRESSION (r105453): Crash when handling touch events
author: commit-queue@webkit.org <commit-queue@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Tue, 17 Apr 2012 15:20:01 +0000 (15:20 +0000)
committer: commit-queue@webkit.org <commit-queue@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Tue, 17 Apr 2012 15:20:01 +0000 (15:20 +0000)
https://bugs.webkit.org/show_bug.cgi?id=81958

Patch by Yong Li <yoli@rim.com> on 2012-04-17
Reviewed by Antonio Gomes.

.:

Add a manual test for this issue because DumpRenderTree
currently cannot send a group of touch points with
different touch states in one shot.

* ManualTests/resources/iframe-reloaded-on-touch.html: Added.
* ManualTests/touch-stale-iframe-crash.html: Added.

Source/WebCore:

Always perform sanity checks when handling every touch point
because the node and document may have been destroyed or detached.

ManualTests/touch-stale-iframe-crash.html added.
(DumpRenderTree doesn't support transiting touch states in one shot yet)

* page/EventHandler.cpp:
(WebCore::EventHandler::handleTouchEvent):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@114379 268f45cc-cd09-0410-ab3c-d52691b4dbfc

ChangeLog
ManualTests/resources/iframe-reloaded-on-touch.html [new file with mode: 0644]
ManualTests/touch-stale-iframe-crash.html [new file with mode: 0644]
Source/WebCore/ChangeLog
Source/WebCore/page/EventHandler.cpp

index 179d303..89cb117 100644 (file)
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,17 @@
+2012-04-17  Yong Li  <yoli@rim.com>
+
+        REGRESSION (r105453): Crash when handling touch events
+        https://bugs.webkit.org/show_bug.cgi?id=81958
+
+        Reviewed by Antonio Gomes.
+
+        Add a manual test for this issue because DumpRenderTree
+        currently cannot send a group of touch points with
+        different touch states in one shot.
+
+        * ManualTests/resources/iframe-reloaded-on-touch.html: Added.
+        * ManualTests/touch-stale-iframe-crash.html: Added.
+
 2012-04-17  Kent Tamura  <tkent@chromium.org>
 
         Calendar Picker: Support RTL layout
diff --git a/ManualTests/resources/iframe-reloaded-on-touch.html b/ManualTests/resources/iframe-reloaded-on-touch.html
new file mode 100644 (file)
index 0000000..0fa98c5
--- /dev/null
@@ -0,0 +1,3 @@
+<body>
+<div ontouchstart="window.location.reload()" style="background-color:green;height:200px;width:200px">Touch me</div>
+</body>
diff --git a/ManualTests/touch-stale-iframe-crash.html b/ManualTests/touch-stale-iframe-crash.html
new file mode 100644 (file)
index 0000000..58751f3
--- /dev/null
@@ -0,0 +1,4 @@
+<body>
+<iframe id="iframe" src="resources/iframe-reloaded-on-touch.html"></iframe>
+This test passes if it doesn't crash.
+</body>
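Review bot: The manual test page gives no instructions to the person running it; the only text is "This test passes if it doesn't crash", but the ChangeLog says the crash needs a group of touch points with different touch states delivered in one shot, and the reload is triggered by touching the green box inside the iframe. Add a line to the page stating what to do, e.g. "Touch the green box in the frame (with more than one finger, so that touch points in different states arrive together) and repeat a few times", so the tester can actually reproduce the condition being checked.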
index 7b62e36..13f3d0f 100644 (file)
@@ -1,3 +1,19 @@
+2012-04-17  Yong Li  <yoli@rim.com>
+
+        REGRESSION (r105453): Crash when handling touch events
+        https://bugs.webkit.org/show_bug.cgi?id=81958
+
+        Reviewed by Antonio Gomes.
+
+        Always perform sanity checks when handling every touch point
+        because the node and document may have been destroyed or detached.
+
+        ManualTests/touch-stale-iframe-crash.html added.
+        (DumpRenderTree doesn't support transiting touch states in one shot yet)
+
+        * page/EventHandler.cpp:
+        (WebCore::EventHandler::handleTouchEvent):
+
 2012-04-17  Allan Sandfeld Jensen  <allan.jensen@nokia.com>
 
         Asserts in XMLHttpRequestProgressEventThrottle
index 64e18f8..30d5323 100644 (file)
@@ -3496,8 +3496,15 @@ bool EventHandler::handleTouchEvent(const PlatformTouchEvent& event)
 
         if (!touchTarget.get())
             continue;
+        Document* doc = touchTarget->toNode()->document();
+        if (!doc)
+            continue;
+        if (!doc->hasListenerType(Document::TOUCH_LISTENER))
+            continue;
+        Frame* targetFrame = doc->frame();
+        if (!targetFrame)
+            continue;
 
-        Frame* targetFrame = touchTarget->toNode()->document()->frame();
         if (m_frame != targetFrame) {
             // pagePoint should always be relative to the target elements containing frame.
             pagePoint = documentPointForWindowPoint(targetFrame, point.pos());
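Review bot: The new line `Document* doc = touchTarget->toNode()->document();` still dereferences the result of `toNode()` unchecked, while the `doc` and `targetFrame` that follow it are both null-checked; if `touchTarget` can ever hold an EventTarget that is not a Node, this is the one dereference the patch leaves unguarded. Consider `Node* node = touchTarget->toNode(); if (!node) continue;` before taking `document()`. Separately, the added `if (!doc->hasListenerType(Document::TOUCH_LISTENER)) continue;` drops the touch point from dispatch entirely rather than only guarding the frame lookup, which is a behaviour change for points whose target document has no touch listener and deserves a short comment in the code (or a mention in the ChangeLog) explaining why skipping the point is the intended result. Minor: the retained comment "relative to the target elements containing frame" should read "target element's containing frame".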