From 1b5a021d43ee8c6a74dbe9ad46aa7375a93d5680 Mon Sep 17 00:00:00 2001 From: "commit-queue@webkit.org" Date: Tue, 17 Apr 2012 15:20:01 +0000 Subject: [PATCH] REGRESSION (r105453): Crash when handling touch events https://bugs.webkit.org/show_bug.cgi?id=81958 Patch by Yong Li on 2012-04-17 Reviewed by Antonio Gomes. .: Add a manual test for this issue because DumpRenderTree currently cannot send a group of touch points with different touch states in one shot. * ManualTests/resources/iframe-reloaded-on-touch.html: Added. * ManualTests/touch-stale-iframe-crash.html: Added. Source/WebCore: Always perform sanity checks when handling every touch point because the node and document may have been destroyed or detached. ManualTests/touch-stale-iframe-crash.html added. (DumpRenderTree doesn't support transiting touch states in one shot yet) * page/EventHandler.cpp: (WebCore::EventHandler::handleTouchEvent): git-svn-id: https://svn.webkit.org/repository/webkit/trunk@114379 268f45cc-cd09-0410-ab3c-d52691b4dbfc --- ChangeLog | 14 ++++++++++++++ ManualTests/resources/iframe-reloaded-on-touch.html | 3 +++ ManualTests/touch-stale-iframe-crash.html | 4 ++++ Source/WebCore/ChangeLog | 16 ++++++++++++++++ Source/WebCore/page/EventHandler.cpp | 9 ++++++++- 5 files changed, 45 insertions(+), 1 deletion(-) create mode 100644 ManualTests/resources/iframe-reloaded-on-touch.html create mode 100644 ManualTests/touch-stale-iframe-crash.html diff --git a/ChangeLog b/ChangeLog index 179d303..89cb1175 100644 --- a/ChangeLog +++ b/ChangeLog 
@@ -1,3 +1,17 @@ +2012-04-17 Yong Li + + REGRESSION (r105453): Crash when handling touch events + https://bugs.webkit.org/show_bug.cgi?id=81958 + + Reviewed by Antonio Gomes. + + Add a manual test for this issue because DumpRenderTree + currently cannot send a group of touch points with + different touch states in one shot. + + * ManualTests/resources/iframe-reloaded-on-touch.html: Added. + * ManualTests/touch-stale-iframe-crash.html: Added. + 2012-04-17 Kent Tamura Calendar Picker: Support RTL layout diff --git a/ManualTests/resources/iframe-reloaded-on-touch.html b/ManualTests/resources/iframe-reloaded-on-touch.html new file mode 100644 index 0000000..0fa98c5 --- /dev/null +++ b/ManualTests/resources/iframe-reloaded-on-touch.html @@ -0,0 +1,3 @@ + +
Touch me
+
diff --git a/ManualTests/touch-stale-iframe-crash.html b/ManualTests/touch-stale-iframe-crash.html
new file mode 100644
index 0000000..58751f3b3
--- /dev/null
+++ b/ManualTests/touch-stale-iframe-crash.html
@@ -0,0 +1,4 @@
+
+
+This test passes if it doesn't crash.
+
diff --git a/Source/WebCore/ChangeLog b/Source/WebCore/ChangeLog
index 7b62e36..13f3d0f 100644
--- a/Source/WebCore/ChangeLog
+++ b/Source/WebCore/ChangeLog
@@ -1,3 +1,19 @@
+2012-04-17 Yong Li
+
+ REGRESSION (r105453): Crash when handling touch events
+ https://bugs.webkit.org/show_bug.cgi?id=81958
+
+ Reviewed by Antonio Gomes.
+
+ Always perform sanity checks when handling every touch point
+ because the node and document may have been destroyed or detached.
+
+ ManualTests/touch-stale-iframe-crash.html added.
+ (DumpRenderTree doesn't support transiting touch states in one shot yet)
+
+ * page/EventHandler.cpp:
+ (WebCore::EventHandler::handleTouchEvent):
+
 2012-04-17 Allan Sandfeld Jensen
 Asserts in XMLHttpRequestProgressEventThrottle
diff --git a/Source/WebCore/page/EventHandler.cpp b/Source/WebCore/page/EventHandler.cpp
index 64e18f8..30d5323 100644
--- a/Source/WebCore/page/EventHandler.cpp
+++ b/Source/WebCore/page/EventHandler.cpp
@@ -3496,8 +3496,15 @@ bool EventHandler::handleTouchEvent(const PlatformTouchEvent& event)
 if (!touchTarget.get())
 continue;
+ Document* doc = touchTarget->toNode()->document();
+ if (!doc)
+ continue;
+ if (!doc->hasListenerType(Document::TOUCH_LISTENER))
+ continue;
+ Frame* targetFrame = doc->frame();
+ if (!targetFrame)
+ continue;
- Frame* targetFrame = touchTarget->toNode()->document()->frame();
 if (m_frame != targetFrame) {
 // pagePoint should always be relative to the target elements containing frame.
 pagePoint = documentPointForWindowPoint(targetFrame, point.pos());
-- 
1.8.3.1
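Review bot: `touchTarget->toNode()` is still dereferenced unchecked on the first added line of the EventHandler.cpp hunk, before any of the new sanity checks run; `toNode()` is presumably the virtual EventTarget accessor that yields null for non-Node targets, so if `m_originatingTouchPointTargets` can ever hold such a target (its population is outside this hunk) the stale-target crash this patch fixes is simply replaced by a null dereference one line earlier. The cheap fix is to split the lookup and guard it like the other pointers: `Node* node = touchTarget->toNode(); if (!node) continue;` followed by `Document* doc = node->document();`. Note also that these checks validate the target only while the per-frame touch lists are being built; the loop that later dispatches the events and runs listener JavaScript is outside the hunk, and a listener on one target can detach or reload another target's frame (exactly what the manual test does) before that target's event is dispatched, so any re-read of `doc` or `targetFrame` there needs the same guards. The body of handleTouchEvent starts and ends outside this hunk.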