Title: [90769] trunk/Source/WebCore
Revision: 90769
Author: jap...@chromium.org
Date: 2011-07-11 11:48:34 -0700 (Mon, 11 Jul 2011)

Log Message

[Chromium] Ensure we don't crash when an
HTMLSelectElement mouse release event removes
the element from the DOM.
https://bugs.webkit.org/show_bug.cgi?id=64295

Reviewed by Dimitri Glazkov.

Manual test only because the crash requires a
real popup menu, which DRT doesn't provide.

* manual-tests/chromium/popup-menu-crash.html: Added.
* platform/chromium/PopupMenuChromium.cpp:
(WebCore::PopupContainer::handleMouseReleaseEvent):

Diff

Modified: trunk/Source/WebCore/ChangeLog (90768 => 90769)


--- trunk/Source/WebCore/ChangeLog	2011-07-11 18:39:14 UTC (rev 90768)
+++ trunk/Source/WebCore/ChangeLog	2011-07-11 18:48:34 UTC (rev 90769)
@@ -1,3 +1,19 @@
+2011-07-11  Nate Chapin  <jap...@chromium.org>
+
+        [Chromium] Ensure we don't crash when an
+        HTMLSelectElement mouse release event removes
+        the element from the DOM.
+        https://bugs.webkit.org/show_bug.cgi?id=64295
+
+        Reviewed by Dimitri Glazkov.
+
+        Manual test only because the crash requires a
+        real popup menu, which DRT doesn't provide.
+
+        * manual-tests/chromium/popup-menu-crash.html: Added.
+        * platform/chromium/PopupMenuChromium.cpp:
+        (WebCore::PopupContainer::handleMouseReleaseEvent):
+
 2011-07-11  Mike Reed  <r...@google.com>
 
         [skia] remove platform helpers for gradients and patterns

Added: trunk/Source/WebCore/manual-tests/chromium/popup-menu-crash.html (0 => 90769)


--- trunk/Source/WebCore/manual-tests/chromium/popup-menu-crash.html	                        (rev 0)
+++ trunk/Source/WebCore/manual-tests/chromium/popup-menu-crash.html	2011-07-11 18:48:34 UTC (rev 90769)
@@ -0,0 +1,24 @@
+<body id="body">
+This is a test for https://bugs.webkit.org/show_bug.cgi?id=64295. Chromium sometimes crashes in a mouse event on an HTMLSelectElement if the event handler removes the element from the DOM.
+This test is manual because it requires a real select popup menu, which DRT doesn't provide.<br>
+To run, click on the select below, then select "Click me!" on the dropdown menu. We pass if the HTMLSelectElement disappears and we don't crash.
+<script>
+function handleClick(e) {
+    if (e.target.selectedIndex != 1)
+        return;
+
+    document.getElementById("body").removeChild(document.getElementById("formDiv"));
+    var xhr = new XMLHttpRequest();
+    xhr.open('GET', '', true);
+    xhr.send(null);
+}
+</script>
+<div id="formDiv">
+<form>
+<select _onmouseup_="handleClick(event);">
+<option></option>
+<option>Click me!</option>
+</select>
+</form>
+</div>
+</body>
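
Review bot: The handler attribute on the select reads `_onmouseup_="handleClick(event);"`, which is not an event handler attribute, so as shown here handleClick never runs and the test passes without removing formDiv or exercising the fix; it should read `onmouseup`. Separately, the `xhr.open('GET', '', true)` and `xhr.send(null)` lines in handleClick carry no comment saying why a request is needed to reproduce the crash. A one-line comment there would keep a later cleanup from dropping them and silently weakening the test.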

Modified: trunk/Source/WebCore/platform/chromium/PopupMenuChromium.cpp (90768 => 90769)


--- trunk/Source/WebCore/platform/chromium/PopupMenuChromium.cpp	2011-07-11 18:39:14 UTC (rev 90768)
+++ trunk/Source/WebCore/platform/chromium/PopupMenuChromium.cpp	2011-07-11 18:48:34 UTC (rev 90769)
@@ -496,6 +496,7 @@
 
 bool PopupContainer::handleMouseReleaseEvent(const PlatformMouseEvent& event)
 {
+    RefPtr<PopupContainer> protect(this);
     UserGestureIndicator gestureIndicator(DefinitelyProcessingUserGesture);
     return m_listBox->handleMouseReleaseEvent(
         constructRelativeMouseEvent(event, this, m_listBox.get()));
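
Review bot: The new `RefPtr<PopupContainer> protect(this);` at the top of handleMouseReleaseEvent has no comment saying what it guards against, so it reads as an unused local and is easy to remove in a later cleanup. Suggest a short comment above it stating that the event forwarded to m_listBox can run a handler that removes the select element from the DOM, as the log message describes, and that the container must stay alive until the call returns. The declaration order is right as written: protect is constructed before gestureIndicator, so it is destroyed last and outlives the forwarded call.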