Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: a41d144179205dd1b73ec12e3cb0f19944cfdafe
https://github.com/WebKit/WebKit/commit/a41d144179205dd1b73ec12e3cb0f19944cfdafe
Author: Abrar Rahman Protyasha <[email protected]>
Date: 2025-11-09 (Sun, 09 Nov 2025)
Changed paths:
M Source/WebCore/page/EventHandler.cpp
Log Message:
-----------
REGRESSION(299567@main): Web content process sometimes crashes under
WebPage::didDispatchClickEvent()
https://bugs.webkit.org/show_bug.cgi?id=302199
rdar://164271251
Reviewed by Wenson Hsieh.
In 299567@main, swallowAnyClickEvent was changed to allow execution when
nodeToClick is null but m_clickCaptureElement is set, to properly handle
click events during pointer capture. However, the function unconditionally
dereferenced nodeToClick when calling didDispatchClickEvent, leading to
crashes when clicking with pointer capture active but no node under the
pointer.
The fix introduces a dispatchNode variable that is set to nodeToClick when
available (since it represents the actual physical click location needed
for touch event synthesis), or falls back to clickCaptureElement otherwise.
The call to didDispatchClickEvent is now guarded to only occur when
dispatchNode is non-null.
I was unable to produce an automated test to reproduce the crash. It
seems there is a right timing window we must thread between setting
pointer capture, removing the hit tested node, and dispatching a new
click event to the pointer captured node on a successive tap.
* Source/WebCore/page/EventHandler.cpp:
(WebCore::EventHandler::swallowAnyClickEvent):
Canonical link: https://commits.webkit.org/302771@main
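The log message above describes the fix in prose only; the diff itself is not part of this notification. The following is an added illustration, not WebKit code and not the commit's change: a minimal C++ model of the before and after behaviour of swallowAnyClickEvent as the message describes it. The names swallowAnyClickEvent, didDispatchClickEvent, nodeToClick, clickCaptureElement and dispatchNode come from the log message; Node, ClickDispatch, preFixWouldCrash, the sample node names and the return types are made up for the model.

```cpp
// Added illustration (not WebKit's code). Models the null-pointer fix from
// the log message: before the fix, nodeToClick was dereferenced even when
// the function ran only because clickCaptureElement was set.
#include <iostream>
#include <string>

// Hypothetical stand-in for a DOM node; only the name is needed here.
struct Node {
    std::string name;
};

// Hypothetical record of what the page was told, so results can be checked.
struct ClickDispatch {
    bool dispatched = false;
    std::string nodeName;
};

// Constructed sample nodes: the hit-tested node and the pointer-capture target.
static const Node kButton{"button"};
static const Node kCaptureTarget{"capture-target"};

// Stand-in for WebPage::didDispatchClickEvent(): takes a reference, so the
// caller must already hold a non-null node.
static ClickDispatch didDispatchClickEvent(const Node& node)
{
    return {true, node.name};
}

// Pre-fix control flow as described for 299567@main: the function proceeds
// when either pointer is set, then dereferences nodeToClick unconditionally.
// Returns true for the input that would have crashed instead of crashing.
static bool preFixWouldCrash(const Node* nodeToClick, const Node* clickCaptureElement)
{
    if (!nodeToClick && !clickCaptureElement)
        return false; // early return, nothing is dereferenced
    return nodeToClick == nullptr; // `*nodeToClick` here is the null dereference
}

// Post-fix control flow as described for 302771@main: prefer nodeToClick
// (the physical click location), fall back to clickCaptureElement, and only
// call didDispatchClickEvent when dispatchNode resolved to something.
static ClickDispatch swallowAnyClickEvent(const Node* nodeToClick, const Node* clickCaptureElement)
{
    if (!nodeToClick && !clickCaptureElement)
        return {};
    const Node* dispatchNode = nodeToClick ? nodeToClick : clickCaptureElement;
    if (dispatchNode)
        return didDispatchClickEvent(*dispatchNode);
    return {};
}

int main()
{
    // The case from the bug: pointer capture active, no node under the pointer.
    std::cout << "pre-fix would crash: " << std::boolalpha
              << preFixWouldCrash(nullptr, &kCaptureTarget) << '\n';
    ClickDispatch r = swallowAnyClickEvent(nullptr, &kCaptureTarget);
    std::cout << "post-fix dispatched to: " << (r.dispatched ? r.nodeName : "<none>") << '\n';
    return 0;
}
```

The third case in the model, both pointers null, returns early in both versions; the bug only appears in the window the message describes, where the hit-tested node is gone but capture is still held.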