Title: [121909] trunk
Revision
121909
Author
[email protected]
Date
2012-07-05 09:21:43 -0700 (Thu, 05 Jul 2012)

Log Message

[Chromium] Clear m_currentInputEvent after handled by pointerLockMouseEvent().
https://bugs.webkit.org/show_bug.cgi?id=90391

Source/WebKit/chromium:

WebViewImpl::handleInputEvent was keeping a pointer to an input event that would
later be accessed. When in pointer lock, that pointer was not being cleared.
Code modified to use TemporaryChange to automatically clear the pointer at all
method exit points.

Reviewed by Abhishek Arya.

* src/WebViewImpl.cpp:
(WebKit::WebViewImpl::handleInputEvent):

LayoutTests:

Test that reproduces bug 90391:
Enable pointer lock, receive mouse move, call window.open, don't crash.

Reviewed by Abhishek Arya.

* pointer-lock/bug90391-move-then-window-open-crash-expected.txt: Added.
* pointer-lock/bug90391-move-then-window-open-crash.html: Added.

Diff

Modified: trunk/LayoutTests/ChangeLog (121908 => 121909)


--- trunk/LayoutTests/ChangeLog	2012-07-05 16:13:48 UTC (rev 121908)
+++ trunk/LayoutTests/ChangeLog	2012-07-05 16:21:43 UTC (rev 121909)
@@ -1,3 +1,16 @@
+2012-07-05  Vincent Scheib  <[email protected]>
+
+        [Chromium] Clear m_currentInputEvent after handled by pointerLockMouseEvent().
+        https://bugs.webkit.org/show_bug.cgi?id=90391
+
+        Test that reproduces bug 90391:
+        Enable pointer lock, receive mouse move, call window.open, don't crash.
+
+        Reviewed by Abhishek Arya.
+
+        * pointer-lock/bug90391-move-then-window-open-crash-expected.txt: Added.
+        * pointer-lock/bug90391-move-then-window-open-crash.html: Added.
+
 2012-07-05  John Mellor  <[email protected]>
 
         Text Autosizing: Add test framework and simple test.

Added: trunk/LayoutTests/pointer-lock/bug90391-move-then-window-open-crash-expected.txt (0 => 121909)


--- trunk/LayoutTests/pointer-lock/bug90391-move-then-window-open-crash-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/pointer-lock/bug90391-move-then-window-open-crash-expected.txt	2012-07-05 16:21:43 UTC (rev 121909)
@@ -0,0 +1,15 @@
+bug 90391: pointer lock mouse move events then window.open should not crash.
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+     Locking targetdiv1.
+PASS document.onwebkitpointerlockchange event received.
+     Sending mouse move events.
+     Calling window.open.
+PASS Didn't crash
+PASS successfullyParsed is true
+
+TEST COMPLETE
+doNextStep for manual testing
+
Property changes on: trunk/LayoutTests/pointer-lock/bug90391-move-then-window-open-crash-expected.txt
___________________________________________________________________

Added: svn:eol-style

Added: trunk/LayoutTests/pointer-lock/bug90391-move-then-window-open-crash.html (0 => 121909)


--- trunk/LayoutTests/pointer-lock/bug90391-move-then-window-open-crash.html	                        (rev 0)
+++ trunk/LayoutTests/pointer-lock/bug90391-move-then-window-open-crash.html	2012-07-05 16:21:43 UTC (rev 121909)
@@ -0,0 +1,64 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+<script src=""
+</head>
+<body>
+<div>
+  <button _onclick_="doNextStep('manual');">doNextStep for manual testing</button>
+  <div id="target1"></div>
+</div>
+<script>
+    description("bug 90391: pointer lock mouse move events then window.open should not crash.")
+    window.jsTestIsAsync = true;
+
+    targetdiv1 = document.getElementById("target1");
+
+    currentStep = 0;
+    function doNextStep(manual)
+    {
+        if (!window.layoutTestController && !manual)
+            return;
+        if (currentStep < todo.length)
+            setTimeout(function () { todo[currentStep++](); }, 0);
+        else if (currentStep++ == todo.length)
+            setTimeout(function () { finishJSTest(); }, 0);
+    }
+    todo = [
+        function () {
+            debug("     Locking targetdiv1.")
+            targetdiv1.webkitRequestPointerLock();
+            document._onwebkitpointerlockchange_ = function () {
+                document._onwebkitpointerlockchange_ = null;
+                testPassed("document.onwebkitpointerlockchange event received.");
+                doNextStep('manual');
+            };
+        },
+        function () {
+            debug("     Sending mouse move events.")
+            var mouseMoveEvents = 0;
+            targetdiv1._onmousemove_ = function () {
+                if (++mouseMoveEvents == 2) {
+                    targetdiv1._onmousemove_ = null;
+                    doNextStep('manual');
+                }
+            }
+            if (window.eventSender) {
+              eventSender.mouseMoveTo(100, 100);
+              eventSender.mouseMoveTo(200, 200);
+            }
+        },
+        function () {
+            debug("     Calling window.open.")
+            gc();
+            window.open();
+            testPassed("Didn't crash");
+            document.webkitExitPointerLock();
+            doNextStep('manual');
+        },
+    ];
+    doNextStep();
+</script>
+<script src=""
+</body>
+</html>
Property changes on: trunk/LayoutTests/pointer-lock/bug90391-move-then-window-open-crash.html
___________________________________________________________________

Added: svn:eol-style

Modified: trunk/Source/WebKit/chromium/ChangeLog (121908 => 121909)


--- trunk/Source/WebKit/chromium/ChangeLog	2012-07-05 16:13:48 UTC (rev 121908)
+++ trunk/Source/WebKit/chromium/ChangeLog	2012-07-05 16:21:43 UTC (rev 121909)
@@ -1,3 +1,18 @@
+2012-07-05  Vincent Scheib  <[email protected]>
+
+        [Chromium] Clear m_currentInputEvent after handled by pointerLockMouseEvent().
+        https://bugs.webkit.org/show_bug.cgi?id=90391
+
+        WebViewImpl::handleInputEvent was keeping a pointer to an input event that would
+        later be accessed. When in pointer lock, that pointer was not being cleared.
+        Code modified to use TemporaryChange to automatically clear the pointer at all
+        method exit points.
+
+        Reviewed by Abhishek Arya.
+
+        * src/WebViewImpl.cpp:
+        (WebKit::WebViewImpl::handleInputEvent):
+
 2012-07-05  John Mellor  <[email protected]>
 
         Text Autosizing: Add test framework and simple test.

Modified: trunk/Source/WebKit/chromium/src/WebViewImpl.cpp (121908 => 121909)


--- trunk/Source/WebKit/chromium/src/WebViewImpl.cpp	2012-07-05 16:13:48 UTC (rev 121908)
+++ trunk/Source/WebKit/chromium/src/WebViewImpl.cpp	2012-07-05 16:21:43 UTC (rev 121909)
@@ -164,6 +164,7 @@
 #include <wtf/CurrentTime.h>
 #include <wtf/MainThread.h>
 #include <wtf/RefPtr.h>
+#include <wtf/TemporaryChange.h>
 #include <wtf/Uint8ClampedArray.h>
 
 #if ENABLE(GESTURE_EVENTS)
@@ -1760,7 +1761,7 @@
     if (m_ignoreInputEvents)
         return false;
 
-    m_currentInputEvent = &inputEvent;
+    TemporaryChange<const WebInputEvent*>(m_currentInputEvent, &inputEvent);
 
 #if ENABLE(POINTER_LOCK)
     if (isPointerLocked() && WebInputEvent::isMouseEventType(inputEvent.type)) {
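Review bot: The new line `TemporaryChange<const WebInputEvent*>(m_currentInputEvent, &inputEvent);` creates an unnamed temporary, so the guard is constructed and destroyed within that single statement: m_currentInputEvent is set to &inputEvent and restored to its previous value before the pointer-lock branch below or the PageWidgetDelegate::handleInputEvent call in the next hunk runs. For the scope guard to hold the pointer until the function returns it must be a named local, `TemporaryChange<const WebInputEvent*> currentEventChange(m_currentInputEvent, &inputEvent);`. Because the next hunk also removes both explicit `m_currentInputEvent = 0;` resets, nothing publishes the current event for the duration of the call, so any reader of m_currentInputEvent during dispatch presumably now sees the prior value (likely null) instead of the event being handled; the crash goes away, but the member no longer carries the information it was meant to. handleInputEvent begins before this hunk and its body continues in the following hunk.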
@@ -1798,12 +1799,10 @@
         node->dispatchMouseEvent(
               PlatformMouseEventBuilder(mainFrameImpl()->frameView(), *static_cast<const WebMouseEvent*>(&inputEvent)),
               eventType, static_cast<const WebMouseEvent*>(&inputEvent)->clickCount);
-        m_currentInputEvent = 0;
         return true;
     }
 
     bool handled = PageWidgetDelegate::handleInputEvent(m_page.get(), *this, inputEvent);
-    m_currentInputEvent = 0;
     return handled;
 }
 