Modified: trunk/LayoutTests/ChangeLog (106487 => 106488)
--- trunk/LayoutTests/ChangeLog 2012-02-01 21:18:23 UTC (rev 106487)
+++ trunk/LayoutTests/ChangeLog 2012-02-01 21:34:08 UTC (rev 106488)
@@ -1,3 +1,13 @@
+2012-02-01 Ryosuke Niwa <[email protected]>
+
+ Crash in EventHandler::updateDragAndDrop
+ https://bugs.webkit.org/show_bug.cgi?id=77569
+
+ Reviewed by Alexey Proskuryakov.
+
+ * fast/events/remove-target-with-shadow-in-drag-expected.txt: Added.
+ * fast/events/remove-target-with-shadow-in-drag.html: Added.
+
2012-02-01 Szilard Ledan <[email protected]>
Fixed some lines in the date-constructor.js test.
Added: trunk/LayoutTests/fast/events/remove-target-with-shadow-in-drag-expected.txt (0 => 106488)
--- trunk/LayoutTests/fast/events/remove-target-with-shadow-in-drag-expected.txt (rev 0)
+++ trunk/LayoutTests/fast/events/remove-target-with-shadow-in-drag-expected.txt 2012-02-01 21:34:08 UTC (rev 106488)
@@ -0,0 +1,3 @@
+CONSOLE MESSAGE: line 34: NOT_FOUND_ERR: DOM Exception 8: An attempt was made to reference a Node in a context where it does not exist.
+CONSOLE MESSAGE: line 34: NOT_FOUND_ERR: DOM Exception 8: An attempt was made to reference a Node in a context where it does not exist.
+PASS. DRT didn't crash.
Added: trunk/LayoutTests/fast/events/remove-target-with-shadow-in-drag.html (0 => 106488)
--- trunk/LayoutTests/fast/events/remove-target-with-shadow-in-drag.html (rev 0)
+++ trunk/LayoutTests/fast/events/remove-target-with-shadow-in-drag.html 2012-02-01 21:34:08 UTC (rev 106488)
@@ -0,0 +1,44 @@
+<!DOCTYPE html>
+<html>
+<body>
+<script>
+
+if (!window.layoutTestController)
+ document.writeln("This crash test needs to be ran inside DumpRenderTree");
+
+var target;
+
+function startTest() {
+ if (!window.layoutTestController)
+ return;
+
+ layoutTestController.dumpAsText();
+
+ function mouseMoveToCenterOfElement(element) {
+ eventSender.mouseMoveTo(element.offsetLeft + element.offsetWidth / 2, element.offsetTop + element.offsetHeight / 2);
+ }
+
+ var src = ""
+ mouseMoveToCenterOfElement(src);
+ eventSender.mouseDown();
+ eventSender.leapForward(200);
+
+ target = document.getElementById('target');
+ eventSender.mouseMoveTo(target.offsetLeft + 5, target.offsetTop + 5);
+ eventSender.mouseUp();
+
+ document.body.innerHTML = "PASS. DRT didn't crash."
+}
+
+function trigger() {
+ document.body.removeChild(target);
+ target = null;
+ if (window.GCController)
+ GCController.collect();
+}
+
+</script>
+<img id="src" src="" _onload_="startTest()" draggable="true" _ondrag_="trigger();">
+<textarea id="target" style="width: 500px; height: 500px;">Dropzone</textarea>
+</body>
+</html>
Modified: trunk/Source/WebCore/ChangeLog (106487 => 106488)
--- trunk/Source/WebCore/ChangeLog 2012-02-01 21:18:23 UTC (rev 106487)
+++ trunk/Source/WebCore/ChangeLog 2012-02-01 21:34:08 UTC (rev 106488)
@@ -1,3 +1,15 @@
+2012-02-01 Ryosuke Niwa <[email protected]>
+
+ Crash in EventHandler::updateDragAndDrop
+ https://bugs.webkit.org/show_bug.cgi?id=77569
+
+ Reviewed by Alexey Proskuryakov.
+
+ Test: fast/events/remove-target-with-shadow-in-drag.html
+
+ * page/EventHandler.cpp:
+ (WebCore::EventHandler::updateDragAndDrop):
+
2012-02-01 Sheriff Bot <[email protected]>
Unreviewed, rolling out r106382.
Modified: trunk/Source/WebCore/page/EventHandler.cpp (106487 => 106488)
--- trunk/Source/WebCore/page/EventHandler.cpp 2012-02-01 21:18:23 UTC (rev 106487)
+++ trunk/Source/WebCore/page/EventHandler.cpp 2012-02-01 21:34:08 UTC (rev 106488)
@@ -1837,7 +1837,7 @@
MouseEventWithHitTestResults mev = prepareMouseEvent(request, event);
// Drag events should never go to text nodes (following IE, and proper mouseover/out dispatch)
- Node* newTarget = targetNode(mev);
+ RefPtr<Node> newTarget = targetNode(mev);
if (newTarget && newTarget->isTextNode())
newTarget = newTarget->parentNode();
if (newTarget)
@@ -1850,7 +1850,7 @@
//
// Moreover, this ordering conforms to section 7.9.4 of the HTML 5 spec. <http://dev.w3.org/html5/spec/Overview.html#drag-and-drop-processing-model>.
Frame* targetFrame;
- if (targetIsFrame(newTarget, targetFrame)) {
+ if (targetIsFrame(newTarget.get(), targetFrame)) {
if (targetFrame)
accept = targetFrame->eventHandler()->updateDragAndDrop(event, clipboard);
} else if (newTarget) {
@@ -1859,9 +1859,9 @@
// for now we don't care if event handler cancels default behavior, since there is none
dispatchDragSrcEvent(eventNames().dragEvent, event);
}
- accept = dispatchDragEvent(eventNames().dragenterEvent, newTarget, event, clipboard);
+ accept = dispatchDragEvent(eventNames().dragenterEvent, newTarget.get(), event, clipboard);
if (!accept)
- accept = findDropZone(newTarget, clipboard);
+ accept = findDropZone(newTarget.get(), clipboard);
}
if (targetIsFrame(m_dragTarget.get(), targetFrame)) {
@@ -1877,7 +1877,7 @@
}
} else {
Frame* targetFrame;
- if (targetIsFrame(newTarget, targetFrame)) {
+ if (targetIsFrame(newTarget.get(), targetFrame)) {
if (targetFrame)
accept = targetFrame->eventHandler()->updateDragAndDrop(event, clipboard);
} else if (newTarget) {
@@ -1886,9 +1886,9 @@
// for now we don't care if event handler cancels default behavior, since there is none
dispatchDragSrcEvent(eventNames().dragEvent, event);
}
- accept = dispatchDragEvent(eventNames().dragoverEvent, newTarget, event, clipboard);
+ accept = dispatchDragEvent(eventNames().dragoverEvent, newTarget.get(), event, clipboard);
if (!accept)
- accept = findDropZone(newTarget, clipboard);
+ accept = findDropZone(newTarget.get(), clipboard);
m_shouldOnlyFireDragOverEvent = false;
}
}
