https://bugs.webkit.org/show_bug.cgi?id=76462
Reviewed by Ryosuke Niwa.
Source/WebCore:
handleMouseMoveEvent call in EventHandler::mouseMoved can
blow away the frame from underneath. Protect it with a frameview
refptr.
Test: fast/events/mouse-moved-remove-frame-crash.html
* page/EventHandler.cpp:
(WebCore::EventHandler::mouseMoved):
LayoutTests:
* fast/events/mouse-moved-remove-frame-crash-expected.txt: Added.
* fast/events/mouse-moved-remove-frame-crash.html: Added.
* fast/events/resources/mouse-move.html: Added.
git-svn-id: http://svn.webkit.org/repository/webkit/trunk@105212
268f45cc-cd09-0410-ab3c-
d52691b4dbfc
+2012-01-17 Abhishek Arya <inferno@chromium.org>
+
+ Crash in in WebCore::EventHandler::mouseMoved.
+ https://bugs.webkit.org/show_bug.cgi?id=76462
+
+ Reviewed by Ryosuke Niwa.
+
+ * fast/events/mouse-moved-remove-frame-crash-expected.txt: Added.
+ * fast/events/mouse-moved-remove-frame-crash.html: Added.
+ * fast/events/resources/mouse-move.html: Added.
+
2012-01-17 Alexis Menard <alexis.menard@openbossa.org>
Increase test coverage for -webkit-border-image.
--- /dev/null
+<!DOCTYPE html>
+<html>
+<script>
+if (window.layoutTestController) {
+ layoutTestController.dumpAsText();
+ layoutTestController.waitUntilDone();
+}
+
+function onMouseMove()
+{
+ document.body.innerHTML = "PASS";
+
+ if (window.layoutTestController)
+ layoutTestController.notifyDone();
+}
+
+function runTest()
+{
+ root = document.getElementById('root').contentDocument;
+ root.addEventListener('mousemove', onMouseMove, 0);
+ eventSender.mouseMoveTo(1, 1);
+ eventSender.mouseMoveTo(0, 0);
+}
+</script>
+<style>body { margin: 0px; }</style>
+<object data="resources/mouse-move.html" id="root" onload="runTest()"></object>
+</html>
--- /dev/null
+<div id="test"></div><iframe src="#test"></iframe>
+
+2012-01-17 Abhishek Arya <inferno@chromium.org>
+
+ Crash in in WebCore::EventHandler::mouseMoved.
+ https://bugs.webkit.org/show_bug.cgi?id=76462
+
+ Reviewed by Ryosuke Niwa.
+
+ handleMouseMoveEvent call in EventHandler::mouseMoved can
+ blow away the frame from underneath. Protect it with a frameview
+ refptr.
+
+ Test: fast/events/mouse-moved-remove-frame-crash.html
+
+ * page/EventHandler.cpp:
+ (WebCore::EventHandler::mouseMoved):
+
2012-01-17 Sam Weinig <sam@webkit.org>
Add helper macro for forward declaring objective-c classes
bool EventHandler::mouseMoved(const PlatformMouseEvent& event)
{
+ RefPtr<FrameView> protector(m_frame->view());
+
HitTestResult hoveredNode = HitTestResult(LayoutPoint());
bool result = handleMouseMoveEvent(event, &hoveredNode);