From 8b7877b1c4430dc495ddb01fcc3a0bd4fd55178d Mon Sep 17 00:00:00 2001 From: "inferno@chromium.org" Date: Wed, 18 Jan 2012 00:33:10 +0000 Subject: [PATCH] Crash in in WebCore::EventHandler::mouseMoved. https://bugs.webkit.org/show_bug.cgi?id=76462 Reviewed by Ryosuke Niwa. Source/WebCore: handleMouseMoveEvent call in EventHandler::mouseMoved can blow away the frame from underneath. Protect it with a frameview refptr. Test: fast/events/mouse-moved-remove-frame-crash.html * page/EventHandler.cpp: (WebCore::EventHandler::mouseMoved): LayoutTests: * fast/events/mouse-moved-remove-frame-crash-expected.txt: Added. * fast/events/mouse-moved-remove-frame-crash.html: Added. * fast/events/resources/mouse-move.html: Added. git-svn-id: http://svn.webkit.org/repository/webkit/trunk@105212 268f45cc-cd09-0410-ab3c-d52691b4dbfc --- LayoutTests/ChangeLog | 11 +++++++++ .../mouse-moved-remove-frame-crash-expected.txt | 1 + .../events/mouse-moved-remove-frame-crash.html | 27 ++++++++++++++++++++++ LayoutTests/fast/events/resources/mouse-move.html | 2 ++ Source/WebCore/ChangeLog | 16 +++++++++++++ Source/WebCore/page/EventHandler.cpp | 2 ++ 6 files changed, 59 insertions(+) create mode 100644 LayoutTests/fast/events/mouse-moved-remove-frame-crash-expected.txt create mode 100644 LayoutTests/fast/events/mouse-moved-remove-frame-crash.html create mode 100644 LayoutTests/fast/events/resources/mouse-move.html diff --git a/LayoutTests/ChangeLog b/LayoutTests/ChangeLog index e36ce1b..78bc128 100644 --- a/LayoutTests/ChangeLog +++ b/LayoutTests/ChangeLog @@ -1,3 +1,14 @@ +2012-01-17 Abhishek Arya + + Crash in in WebCore::EventHandler::mouseMoved. + https://bugs.webkit.org/show_bug.cgi?id=76462 + + Reviewed by Ryosuke Niwa. + + * fast/events/mouse-moved-remove-frame-crash-expected.txt: Added. + * fast/events/mouse-moved-remove-frame-crash.html: Added. + * fast/events/resources/mouse-move.html: Added. + 2012-01-17 Alexis Menard Increase test coverage for -webkit-border-image. 
diff --git a/LayoutTests/fast/events/mouse-moved-remove-frame-crash-expected.txt b/LayoutTests/fast/events/mouse-moved-remove-frame-crash-expected.txt new file mode 100644 index 0000000..7ef22e9 --- /dev/null +++ b/LayoutTests/fast/events/mouse-moved-remove-frame-crash-expected.txt @@ -0,0 +1 @@ +PASS diff --git a/LayoutTests/fast/events/mouse-moved-remove-frame-crash.html b/LayoutTests/fast/events/mouse-moved-remove-frame-crash.html new file mode 100644 index 0000000..3b81d08 --- /dev/null +++ b/LayoutTests/fast/events/mouse-moved-remove-frame-crash.html @@ -0,0 +1,27 @@ + + + + + + diff --git a/LayoutTests/fast/events/resources/mouse-move.html b/LayoutTests/fast/events/resources/mouse-move.html new file mode 100644 index 0000000..8a613bf --- /dev/null +++ b/LayoutTests/fast/events/resources/mouse-move.html @@ -0,0 +1,2 @@ +
+ diff --git a/Source/WebCore/ChangeLog b/Source/WebCore/ChangeLog index 45692a8..7b470bb 100644 --- a/Source/WebCore/ChangeLog +++ b/Source/WebCore/ChangeLog @@ -1,3 +1,19 @@ +2012-01-17 Abhishek Arya + + Crash in in WebCore::EventHandler::mouseMoved. + https://bugs.webkit.org/show_bug.cgi?id=76462 + + Reviewed by Ryosuke Niwa. + + handleMouseMoveEvent call in EventHandler::mouseMoved can + blow away the frame from underneath. Protect it with a frameview + refptr. + + Test: fast/events/mouse-moved-remove-frame-crash.html + + * page/EventHandler.cpp: + (WebCore::EventHandler::mouseMoved): + 2012-01-17 Sam Weinig Add helper macro for forward declaring objective-c classes diff --git a/Source/WebCore/page/EventHandler.cpp b/Source/WebCore/page/EventHandler.cpp index 0a337f8..d42b128 100644 --- a/Source/WebCore/page/EventHandler.cpp +++ b/Source/WebCore/page/EventHandler.cpp @@ -1559,6 +1559,8 @@ static RenderLayer* layerForNode(Node* node) bool EventHandler::mouseMoved(const PlatformMouseEvent& event) { + RefPtr protector(m_frame->view()); + HitTestResult hoveredNode = HitTestResult(LayoutPoint()); bool result = handleMouseMoveEvent(event, &hoveredNode); -- 2.7.4
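Review bot: The added `RefPtr protector(m_frame->view())` is never read, so nothing in the code says why it exists, and a later cleanup could drop it as an unused local and silently reintroduce the use-after-free this commit fixes. Put the reason on the line: `// handleMouseMoveEvent() can run script that removes this frame; holding the view keeps the frame (and this EventHandler) alive until we return.` The guard also holds nothing when `m_frame->view()` is already null at entry, so it is worth confirming that the rest of mouseMoved, which continues past the hunk and presumably still dereferences m_frame after the call, tolerates that case. As rendered here the template argument on `RefPtr` is missing, which looks like extraction loss rather than the committed code.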