Title: [139345] trunk
Revision
139345
Author
le...@chromium.org
Date
2013-01-10 11:29:37 -0800 (Thu, 10 Jan 2013)

Log Message

Regression(r137939): Heap-use-after-free in WebCore::accumulateDocumentEventTargetRects
https://bugs.webkit.org/show_bug.cgi?id=106454

Reviewed by James Robinson.

Source/WebCore:

Correctly removing child Documents from their parent's tracked touch handler maps when detaching and
when their last touch event handler is removed.

Test: fast/events/touch/nested-document-with-touch-handler-detached-crash.html

* dom/Document.cpp:
(WebCore::Document::detach):
(WebCore::Document::didRemoveEventTargetNode):

LayoutTests:

* fast/events/touch/nested-document-with-touch-handler-detached-crash.html: Added.
* fast/events/touch/nested-document-with-touch-handler-detached-crash-expected.txt: Added.

Diff

Modified: trunk/LayoutTests/ChangeLog (139344 => 139345)


--- trunk/LayoutTests/ChangeLog	2013-01-10 19:22:49 UTC (rev 139344)
+++ trunk/LayoutTests/ChangeLog	2013-01-10 19:29:37 UTC (rev 139345)
@@ -1,3 +1,13 @@
+2013-01-10  Levi Weintraub  <le...@chromium.org>
+
+        Regression(r137939): Heap-use-after-free in WebCore::accumulateDocumentEventTargetRects
+        https://bugs.webkit.org/show_bug.cgi?id=106454
+
+        Reviewed by James Robinson.
+
+        * fast/events/touch/nested-document-with-touch-handler-detached-crash.html: Added.
+        * fast/events/touch/nested-document-with-touch-handler-detached-crash-expected.txt: Added.
+
 2013-01-10  Ojan Vafai  <o...@chromium.org>
 
         Convert fast/css/positioned-overflow-scroll.html to a check-layout.js test

Added: trunk/LayoutTests/fast/events/touch/nested-document-with-touch-handler-detached-crash-expected.txt (0 => 139345)


--- trunk/LayoutTests/fast/events/touch/nested-document-with-touch-handler-detached-crash-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/fast/events/touch/nested-document-with-touch-handler-detached-crash-expected.txt	2013-01-10 19:29:37 UTC (rev 139345)
@@ -0,0 +1,2 @@
+
+Test passes if DRT doesn't crash.

Added: trunk/LayoutTests/fast/events/touch/nested-document-with-touch-handler-detached-crash.html (0 => 139345)


--- trunk/LayoutTests/fast/events/touch/nested-document-with-touch-handler-detached-crash.html	                        (rev 0)
+++ trunk/LayoutTests/fast/events/touch/nested-document-with-touch-handler-detached-crash.html	2013-01-10 19:29:37 UTC (rev 139345)
@@ -0,0 +1,15 @@
+<!doctype html>
+<html>
+<body>
+<iframe id="testIframe" srcdoc="<iframe seamless srcdoc='     '> border: 2px solid black"></iframe>
+<div>Test passes if DRT doesn't crash.</div>
+<script>
+if (window.testRunner)
+	testRunner.dumpAsText();
+
+var testIframe = document.getElementById('testIframe');
+var input = testIframe.contentDocument.createElement('input');
+input.type = "RANGE";
+input = 0;
+</script>
+</body>
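Review bot: the page closes `</body>` without a matching `</html>`, and the outer iframe's `srcdoc` carries a stray `border: 2px solid black` fragment after the nested iframe that reads like leftover from test reduction; both should be tidied before landing. More importantly the test does not say what it exercises: a comment explaining how `input.type = "RANGE"` on an element created in the nested iframe's document is meant to register a touch handler there, and that the crash being guarded against is the parent document keeping a stale entry for that child once it is detached, would make the regression test understandable without opening the bug. `input = 0;` drops the only reference to the element; a comment that this is deliberate would help too. The `testRunner.dumpAsText();` line is indented with a tab where the rest of the file uses no indentation.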

Modified: trunk/Source/WebCore/ChangeLog (139344 => 139345)


--- trunk/Source/WebCore/ChangeLog	2013-01-10 19:22:49 UTC (rev 139344)
+++ trunk/Source/WebCore/ChangeLog	2013-01-10 19:29:37 UTC (rev 139345)
@@ -1,3 +1,19 @@
+2013-01-10  Levi Weintraub  <le...@chromium.org>
+
+        Regression(r137939): Heap-use-after-free in WebCore::accumulateDocumentEventTargetRects
+        https://bugs.webkit.org/show_bug.cgi?id=106454
+
+        Reviewed by James Robinson.
+
+        Correctly removing child Documents from their parent's tracked touch handler maps when detaching and
+        when their last touch event handler is removed.
+
+        Test: fast/events/touch/nested-document-with-touch-handler-detached-crash.html
+
+        * dom/Document.cpp:
+        (WebCore::Document::detach):
+        (WebCore::Document::didRemoveEventTargetNode):
+
 2013-01-10  Nate Chapin  <jap...@chromium.org>
 
         REGRESSION(r138222): WebDocumentLoaderMac-related leaks seen on Leaks bot
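Review bot: the per-function entries `(WebCore::Document::detach):` and `(WebCore::Document::didRemoveEventTargetNode):` under `dom/Document.cpp` carry no description. WebKit ChangeLog style is to say what changed in each, e.g. for `detach`: "Notify the parent document that this document no longer has touch handlers before it goes away", and for `didRemoveEventTargetNode`: "Also propagate to the parent when the last handler is removed, not only when the handler is the document itself".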

Modified: trunk/Source/WebCore/dom/Document.cpp (139344 => 139345)


--- trunk/Source/WebCore/dom/Document.cpp	2013-01-10 19:22:49 UTC (rev 139344)
+++ trunk/Source/WebCore/dom/Document.cpp	2013-01-10 19:29:37 UTC (rev 139345)
@@ -2117,6 +2117,11 @@
     if (render)
         render->destroy();
 
+#if ENABLE(TOUCH_EVENTS)
+    if (m_touchEventTargets && m_touchEventTargets->size() && parentDocument())
+        parentDocument()->didRemoveEventTargetNode(this);
+#endif
+
     // This is required, as our Frame might delete itself as soon as it detaches
     // us. However, this violates Node::detach() semantics, as it's never
     // possible to re-attach. Eventually Document::detach() should be renamed,
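Review bot: the new block tests `m_touchEventTargets->size()` while the second hunk in this file tests `m_touchEventTargets->isEmpty()` for the same condition; use `isEmpty()` in both places so the two checks read as obviously equivalent. A short comment stating why the parent must be notified here (otherwise the parent's touch handler map keeps a pointer to this Document after it is destroyed, which is the use-after-free in the title) and why the call is placed ahead of the frame teardown described in the comment that follows would also save the next reader from re-deriving it.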
@@ -5659,11 +5664,11 @@
 #if ENABLE(TOUCH_EVENTS)
 void Document::didRemoveEventTargetNode(Node* handler)
 {
-    if (m_touchEventTargets.get())
+    if (m_touchEventTargets) {
         m_touchEventTargets->removeAll(handler);
-    if (handler == this)
-        if (Document* parentDocument = this->parentDocument())
-            parentDocument->didRemoveEventTargetNode(this);
+        if ((handler == this || m_touchEventTargets->isEmpty()) && parentDocument())
+            parentDocument()->didRemoveEventTargetNode(this);
+    }
 }
 #endif
 
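Review bot: moving the `handler == this` check inside `if (m_touchEventTargets)` changes behaviour in one case: previously a Document with a null map that was itself the removed handler still notified its parent, now it does not. If that case cannot occur (the map is always allocated before a parent ever tracks this document), a one-line comment saying so would settle the question; otherwise the old unconditional notification should be kept. The added `|| m_touchEventTargets->isEmpty()` clause is the substantive fix: a child document whose last handler is removed now drops out of its parent's map, which the previous code never did, and the recursion into `parentDocument()->didRemoveEventTargetNode(this)` correctly carries an emptied map up the document chain.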
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
http://lists.webkit.org/mailman/listinfo/webkit-changes
