Pressing mouse button inside a dragstart event causes a crash
author rniwa@webkit.org <rniwa@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Sun, 28 Apr 2013 03:43:25 +0000 (03:43 +0000)
committer rniwa@webkit.org <rniwa@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Sun, 28 Apr 2013 03:43:25 +0000 (03:43 +0000)
https://bugs.webkit.org/show_bug.cgi?id=115296

Reviewed by Darin Adler.

Source/WebCore:

Add a missing null pointer check. We should better encapsulate the states in DragState in the long term
but this is good enough for now.

Test: fast/events/mousedown-inside-dragstart-should-not-cause-crash.html

* page/EventHandler.cpp:
(WebCore::EventHandler::handleDrag):

LayoutTests:

Added a regression test. While the bug report involves opening inspector and setting a breakpoint,
a simpler reduction that uses eventSender significantly reduces the complexity.

* fast/events/mousedown-inside-dragstart-should-not-cause-crash-expected.txt: Added.
* fast/events/mousedown-inside-dragstart-should-not-cause-crash.html: Added.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@149254 268f45cc-cd09-0410-ab3c-d52691b4dbfc

LayoutTests/ChangeLog
LayoutTests/fast/events/mousedown-inside-dragstart-should-not-cause-crash-expected.txt [new file with mode: 0644]
LayoutTests/fast/events/mousedown-inside-dragstart-should-not-cause-crash.html [new file with mode: 0644]
Source/WebCore/ChangeLog
Source/WebCore/page/EventHandler.cpp

index 04ec033253c45cc73baa83aab554e5aee0fa1ddd..8b3ade7cab09794c6e9445eb96706c2b9bfeb78f 100644 (file)
@@ -1,3 +1,16 @@
+2013-04-27  Ryosuke Niwa  <rniwa@webkit.org>
+
+        Pressing mouse button inside a dragstart event causes a crash
+        https://bugs.webkit.org/show_bug.cgi?id=115296
+
+        Reviewed by Darin Adler.
+
+        Added a regression test. While the bug report involves opening inspector and setting a breakpoint,
+        a simpler reduction that uses eventSender significantly reduces the complexity.
+
+        * fast/events/mousedown-inside-dragstart-should-not-cause-crash-expected.txt: Added.
+        * fast/events/mousedown-inside-dragstart-should-not-cause-crash.html: Added.
+
 2013-04-25  Geoffrey Garen  <ggaren@apple.com>
 
         Cleaned up pre/post inc/dec in bytecode
diff --git a/LayoutTests/fast/events/mousedown-inside-dragstart-should-not-cause-crash-expected.txt b/LayoutTests/fast/events/mousedown-inside-dragstart-should-not-cause-crash-expected.txt
new file mode 100644 (file)
index 0000000..7892340
--- /dev/null
@@ -0,0 +1,4 @@
+This tests pressing a mouse button down inside a dragstart event.
+This happens when a user sets a breakpoint of a dragstart event handler in Inspector, and clicks somewhere on the page while the script is paused at the breakpoint. WebKit should not crash.
+
+PASS - mouse up and down inside a dragstart did not crash WebKit
diff --git a/LayoutTests/fast/events/mousedown-inside-dragstart-should-not-cause-crash.html b/LayoutTests/fast/events/mousedown-inside-dragstart-should-not-cause-crash.html
new file mode 100644 (file)
index 0000000..b916a83
--- /dev/null
@@ -0,0 +1,38 @@
+<!DOCTYPE html>
+<html>
+<body>
+<p id="description">
+This tests pressing a mouse button down inside a dragstart event.<br>
+This happens when a user sets a breakpoint of a dragstart event handler in Inspector,
+and clicks somewhere on the page while the script is paused at the breakpoint. WebKit should not crash.
+</p>
+<div id="container"><span id="target" draggable="true" ondragstart="onDragStart()">drag me</span></div>
+<script>
+
+if (!window.testRunner || !window.eventSender)
+    document.body.innerHTML = 'This test requires eventSender';
+else {
+    testRunner.dumpAsText();
+
+    var target = document.getElementById('target');
+    var called = false;
+
+    function onDragStart() {
+        called = true;
+        eventSender.mouseUp();
+        eventSender.mouseDown();
+    }
+
+    eventSender.mouseMoveTo(target.offsetLeft + target.offsetWidth / 2, target.offsetTop + target.offsetHeight / 2);
+    eventSender.mouseDown();
+    eventSender.leapForward(100);
+    eventSender.mouseMoveTo(500, 500);
+    eventSender.mouseUp();
+
+    document.getElementById('container').textContent = called ? 'PASS - mouse up and down inside a dragstart did not crash WebKit'
+        : 'FAIL - dragstart was never fired.';
+}
+
+</script>
+</body>
+</html>
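Review bot: onDragStart() is declared inside the else block (the `function onDragStart()` after `var called = false;`) but is reached as a global from the inline `ondragstart="onDragStart()"` attribute, so the test relies on legacy block-level function hoisting in sloppy mode; declaring the function at top level before the `if (!window.testRunner || !window.eventSender)` check removes that dependency and keeps the behaviour identical under strict mode or other engines. Two smaller points: the PASS and FAIL strings are inconsistent about the trailing period ('... did not crash WebKit' vs 'FAIL - dragstart was never fired.'), and since the fix changes whether a dragend event is dispatched when the drag source has been cleared by the nested mouse events, adding an `ondragend` listener that records whether dragend arrived would document the new behaviour in the expected output rather than only checking that dragstart fired.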
index 8694e442a519f4265240e0393255d1356e151827..1a6ee5fea34b73afa7565994301b72632d5ac73c 100644 (file)
@@ -1,3 +1,18 @@
+2013-04-27  Ryosuke Niwa  <rniwa@webkit.org>
+
+        Pressing mouse button inside a dragstart event causes a crash
+        https://bugs.webkit.org/show_bug.cgi?id=115296
+
+        Reviewed by Darin Adler.
+
+        Add a missing null pointer check. We should better encapsulate the states in DragState in the long term
+        but this is good enough for now.
+
+        Test: fast/events/mousedown-inside-dragstart-should-not-cause-crash.html
+
+        * page/EventHandler.cpp:
+        (WebCore::EventHandler::handleDrag):
+
 2013-04-27  Gyuyoung Kim  <gyuyoung.kim@samsung.com>
 
         Unreviewed build fix when disabling video and video-track.
index ff1343137f9c0145da08b2db552d633b748c46a5..e07dc40d729316ffa5cb3b7faec843bc2059fd61 100644 (file)
@@ -3598,7 +3598,7 @@ bool EventHandler::handleDrag(const MouseEventWithHitTestResults& event, CheckDr
             m_mouseDownMayStartDrag = false;
             return true;
         }
-        if (dragState().shouldDispatchEvents()) {
+        if (dragState().m_dragSrc && dragState().shouldDispatchEvents()) {
             // Drag was canned at the last minute - we owe m_dragSrc a DRAGEND event
             dispatchDragSrcEvent(eventNames().dragendEvent, event.event());
             m_mouseDownMayStartDrag = false;
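Review bot: with the new guard, the case where `dragState().m_dragSrc` is null but `shouldDispatchEvents()` is true now skips the whole block, including the `m_mouseDownMayStartDrag = false;` at its end; please confirm the fall-through path resets that flag (or hoist the reset above the conditional), otherwise a drag that was cancelled after the source was cleared by a nested mousedown/mouseup could leave the handler believing a drag may still start. The comment "we owe m_dragSrc a DRAGEND event" also reads as contradictory now that the branch is entered only when there is a source; a one-line note that the source can be cleared by re-entrant mouse events (the scenario in the test) would explain why the check is needed. Finally, the check reaches into the `m_dragSrc` member directly rather than through an accessor on DragState, which the ChangeLog already acknowledges as a follow-up; a small accessor (for example a hasDragSource()-style query, name suggested here, not in the patch) would keep that state encapsulated without changing this fix.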