Title: [167805] trunk
- Revision: 167805
- Author: [email protected]
- Date: 2014-04-25 07:28:24 -0700 (Fri, 25 Apr 2014)
Log Message
Web process is crashed during dispatching touchEvent created by JS.
https://bugs.webkit.org/show_bug.cgi?id=113225
Patch by Miyoung Shin <[email protected]> on 2014-04-25
Reviewed by Benjamin Poulain.
TouchEvent created by JS should have the necessary attributes
of touches, targetTouches and changedTouches.
It should be verified whether there are touchLists before dispatching touch event.
Source/WebCore:
Test: fast/events/touch/create-touch-event-without-touchList.html
* dom/EventDispatcher.cpp:
(WebCore::EventDispatcher::dispatchEvent):
(WebCore::EventPath::updateTouchLists):
(WebCore::addRelatedNodeResolversForTouchList): Deleted.
LayoutTests:
* fast/events/touch/create-touch-event-without-touchList-expected.txt: Added.
* fast/events/touch/create-touch-event-without-touchList.html: Added.
Diff
Modified: trunk/LayoutTests/ChangeLog (167804 => 167805)
--- trunk/LayoutTests/ChangeLog 2014-04-25 14:17:54 UTC (rev 167804)
+++ trunk/LayoutTests/ChangeLog 2014-04-25 14:28:24 UTC (rev 167805)
@@ -1,3 +1,17 @@
+2014-04-25 Miyoung Shin <[email protected]>
+
+ Web process is crashed during dispatching touchEvent created by JS.
+ https://bugs.webkit.org/show_bug.cgi?id=113225
+
+ Reviewed by Benjamin Poulain.
+
+ TouchEvent created by JS should have the necessary attributes
+ of touches, targetTouches and changedTouches.
+ It should be verified weather there are touchLists before dispatching touch event.
+
+ * fast/events/touch/create-touch-event-without-touchList-expected.txt: Added.
+ * fast/events/touch/create-touch-event-without-touchList.html: Added.
+
2014-04-25 Radu Stavila <[email protected]>
[CSS Regions] Overflow selection doesn't work properly
Added: trunk/LayoutTests/fast/events/touch/create-touch-event-without-touchList-expected.txt (0 => 167805)
--- trunk/LayoutTests/fast/events/touch/create-touch-event-without-touchList-expected.txt (rev 0)
+++ trunk/LayoutTests/fast/events/touch/create-touch-event-without-touchList-expected.txt 2014-04-25 14:28:24 UTC (rev 167805)
@@ -0,0 +1,3 @@
+Should not crash when trying to dispath touchEvent without touchList properties
+
+PASSED
Added: trunk/LayoutTests/fast/events/touch/create-touch-event-without-touchList.html (0 => 167805)
--- trunk/LayoutTests/fast/events/touch/create-touch-event-without-touchList.html (rev 0)
+++ trunk/LayoutTests/fast/events/touch/create-touch-event-without-touchList.html 2014-04-25 14:28:24 UTC (rev 167805)
@@ -0,0 +1,27 @@
+<html>
+<script>
+ function runTest() {
+ if (window.testRunner)
+ testRunner.dumpAsText();
+
+ var name = 'touchstart';
+ var handler = function(){
+ document.removeEventListener(name, handler, true);
+ };
+
+ try {
+ document.addEventListener(name, handler, true);
+ var event = document.createEvent('TouchEvent');
+ event.initTouchEvent(name);
+ document.dispatchEvent(event);
+ }
+ catch(e){ }
+
+ document.getElementById("console").innerHTML = "PASSED";
+}
+</script>
+<body _onload_="runTest()">
+<p>Should not crash when trying to dispath touchEvent without touchList properties</p>
+<div id="console"></div>
+</body>
+</html>
\ No newline at end of file
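Review bot: in runTest(), the empty catch(e){ } together with the unconditional write of "PASSED" means this test can only fail by crashing; it does not record whether the handler ran or whether dispatchEvent threw. Consider setting a flag in the handler and printing it with the result, so the expected file pins down what should happen to a TouchEvent initialised with only a type. In the <p> text, "dispath" should be "dispatch", with the same fix in the -expected.txt file.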
Modified: trunk/Source/WebCore/ChangeLog (167804 => 167805)
--- trunk/Source/WebCore/ChangeLog 2014-04-25 14:17:54 UTC (rev 167804)
+++ trunk/Source/WebCore/ChangeLog 2014-04-25 14:28:24 UTC (rev 167805)
@@ -1,3 +1,21 @@
+2014-04-25 Miyoung Shin <[email protected]>
+
+ Web process is crashed during dispatching touchEvent created by JS.
+ https://bugs.webkit.org/show_bug.cgi?id=113225
+
+ Reviewed by Benjamin Poulain.
+
+ TouchEvent created by JS should have the necessary attributes
+ of touches, targetTouches and changedTouches.
+ It should be verified weather there are touchLists before dispatching touch event.
+
+ Test: fast/events/touch/create-touch-event-without-touchList.html
+
+ * dom/EventDispatcher.cpp:
+ (WebCore::EventDispatcher::dispatchEvent):
+ (WebCore::EventPath::updateTouchLists):
+ (WebCore::addRelatedNodeResolversForTouchList): Deleted.
+
2014-04-25 Philippe Normand <[email protected]>
[GTK] File webkitRelativePath attribute was removed in r163483
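Review bot: the entry "(WebCore::addRelatedNodeResolversForTouchList): Deleted." does not match the EventDispatcher.cpp hunks in this change, none of which removes a function; the removed lines are only the old declaration, call site and signature of updateTouchLists. Drop that entry from the function list. In the description, "weather" should be "whether".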
Modified: trunk/Source/WebCore/dom/EventDispatcher.cpp (167804 => 167805)
--- trunk/Source/WebCore/dom/EventDispatcher.cpp 2014-04-25 14:17:54 UTC (rev 167804)
+++ trunk/Source/WebCore/dom/EventDispatcher.cpp 2014-04-25 14:28:24 UTC (rev 167805)
@@ -88,7 +88,7 @@
EventContext& contextAt(size_t i) { return *m_path[i]; }
#if ENABLE(TOUCH_EVENTS)
- void updateTouchLists(const TouchEvent&);
+ bool updateTouchLists(const TouchEvent&);
#endif
void setRelatedTarget(Node& origin, EventTarget&);
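Review bot: the declaration of updateTouchLists now returns bool but nothing here says what false means. A one-line comment stating that it returns false when the event is missing one of its touch lists, and that the caller must then skip dispatch, would keep a later caller from ignoring the result.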
@@ -339,8 +339,10 @@
if (EventTarget* relatedTarget = event->relatedTarget())
eventPath.setRelatedTarget(*node, *relatedTarget);
#if ENABLE(TOUCH_EVENTS) && !PLATFORM(IOS)
- if (event->isTouchEvent())
- eventPath.updateTouchLists(*toTouchEvent(event.get()));
+ if (event->isTouchEvent()) {
+ if (!eventPath.updateTouchLists(*toTouchEvent(event.get())))
+ return true;
+ }
#endif
ChildNodesLazySnapshot::takeChildNodesLazySnapshot();
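Review bot: the early "return true;" taken when updateTouchLists() fails drops the event without running any listener and hands the caller a hard-coded true, with no comment explaining either choice. Add a short comment saying that a script-created TouchEvent without touch lists is deliberately not dispatched, and confirm that true is the value dispatchEvent should report for an event that was never delivered.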
@@ -459,8 +461,11 @@
touchTargetResolvers.append(EventRelatedNodeResolver(*touchList->item(i), type));
}
-void EventPath::updateTouchLists(const TouchEvent& touchEvent)
+bool EventPath::updateTouchLists(const TouchEvent& touchEvent)
{
+ if (!touchEvent.touches() || !touchEvent.targetTouches() || !touchEvent.changedTouches())
+ return false;
+
Vector<EventRelatedNodeResolver, 16> touchTargetResolvers;
const size_t touchNodeCount = touchEvent.touches()->length() + touchEvent.targetTouches()->length() + touchEvent.changedTouches()->length();
touchTargetResolvers.reserveInitialCapacity(touchNodeCount);
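Review bot: the null check at the top of EventPath::updateTouchLists protects the ->length() calls on the touchNodeCount line, but it only guards this one reader; a TouchEvent built from script with createEvent and initTouchEvent(name), as in the new test, still carries null touches(), targetTouches() and changedTouches(). Consider giving such an event empty lists when it is initialised, so the invariant the ChangeLog describes holds for every user of these accessors and not just for this function.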
@@ -481,6 +486,7 @@
context.touchList(currentResolver.touchListType())->append(currentResolver.touch()->cloneWithNewTarget(nodeInCurrentTreeScope));
}
}
+ return true;
}
#endif