Title: [172988] trunk/Source/WebKit2
Revision
172988
Author
[email protected]
Date
2014-08-26 17:16:52 -0700 (Tue, 26 Aug 2014)

Log Message

Crashes in ViewGestureController::beginSwipeGesture when swiping in rapid succession
https://bugs.webkit.org/show_bug.cgi?id=136271
<rdar://problem/17923694>

Reviewed by Simon Fraser.

It was possible to get into trackSwipeGesture while another swipe was still
occurring, because the guard against this happening depended on m_pendingSwipeReason
never being set while a swipe was occurring. However, if the very first scroll event
had sufficient magnitude, we would still set m_pendingSwipeReason to InsufficientMagnitude,
and then *never clear it*, leading to a path around the guard against multiple live swipes.
This in turn allowed stale layers in m_liveSwipeLayers, which led to the crash.

* UIProcess/mac/ViewGestureControllerMac.mm:
(WebKit::ViewGestureController::handleScrollWheelEvent):
Don't unset m_pendingSwipeReason before calling trackSwipeGesture;
trackSwipeGesture will do it itself.

Don't set m_pendingSwipeReason to InsufficientMagnitude
if the event actually *has* sufficient magnitude to start a swipe.

(WebKit::ViewGestureController::trackSwipeGesture):
Assert that we don't have an active gesture while starting a swipe.

Reset m_pendingSwipeReason, because the swipe is no longer pending!
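
The state-machine slip described above, as an added example that is not WebKit's code: a minimal model of the pending-swipe logic with the pre-r172988 and post-r172988 ordering of the m_pendingSwipeReason updates selectable by a flag. Member names follow the ChangeLog; the event model (a bare deltaX), the magnitude threshold, the position of the active-gesture guard after the pending-magnitude fast path, and the helper functions are assumptions made for the example.

```cpp
// Added example, not WebKit code: a minimal model of the pending-swipe state
// machine the commit message describes, parameterised on whether the r172988
// ordering is applied. Member names follow the ChangeLog; the event type, the
// magnitude threshold and the position of the active-gesture guard are assumptions.
#include <cstddef>
#include <vector>

enum class PendingSwipeReason { None, InsufficientMagnitude };
enum class ViewGestureType { None, Swipe };
enum class SwipeDirection { Left, Right };

// Assumed threshold standing in for WebKit's deltaIsSufficientToBeginSwipe().
constexpr double kSwipeThreshold = 10.0;

class SwipeModel {
public:
    explicit SwipeModel(bool fixed) : m_fixed(fixed) { }

    // Mirrors the control flow of handleScrollWheelEvent around the diff hunks.
    bool handleScrollWheelEvent(double deltaX)
    {
        // Fast path: a swipe is pending only because earlier deltas were too small.
        if (m_pendingSwipeReason == PendingSwipeReason::InsufficientMagnitude) {
            if (deltaIsSufficientToBeginSwipe(deltaX)) {
                if (!m_fixed)
                    m_pendingSwipeReason = PendingSwipeReason::None; // pre-fix: cleared by the caller
                trackSwipeGesture(m_pendingSwipeDirection);
                return true;
            }
            return true; // still waiting for a large enough delta (assumed behaviour)
        }

        // Assumed placement: the active-gesture guard sits after the fast path, so a
        // stale InsufficientMagnitude value routes around it. That is the bug.
        if (m_activeGestureType != ViewGestureType::None)
            return false;

        SwipeDirection direction = deltaX < 0 ? SwipeDirection::Left : SwipeDirection::Right;

        if (!m_fixed)
            m_pendingSwipeReason = PendingSwipeReason::InsufficientMagnitude; // pre-fix: unconditional
        if (!deltaIsSufficientToBeginSwipe(deltaX)) {
            if (m_fixed)
                m_pendingSwipeReason = PendingSwipeReason::InsufficientMagnitude; // post-fix: only when truly pending
            m_pendingSwipeDirection = direction;
            return true;
        }
        trackSwipeGesture(direction);
        return true;
    }

    // Mirrors trackSwipeGesture: after the fix it owns the reset of the pending reason.
    void trackSwipeGesture(SwipeDirection direction)
    {
        if (m_activeGestureType != ViewGestureType::None)
            ++m_overlappingSwipes; // the condition the new ASSERT in the diff checks for
        if (m_fixed)
            m_pendingSwipeReason = PendingSwipeReason::None;
        m_activeGestureType = ViewGestureType::Swipe;
        m_liveSwipeLayers.push_back(direction); // stands in for the layers a swipe owns
    }

    // Ends the current swipe and drops its layers; a second trackSwipeGesture
    // before this point leaves a stale entry behind.
    void endSwipe()
    {
        m_activeGestureType = ViewGestureType::None;
        m_liveSwipeLayers.clear();
    }

    size_t overlappingSwipes() const { return m_overlappingSwipes; }
    size_t liveSwipeLayerCount() const { return m_liveSwipeLayers.size(); }

private:
    static bool deltaIsSufficientToBeginSwipe(double deltaX)
    {
        return deltaX >= kSwipeThreshold || deltaX <= -kSwipeThreshold;
    }

    bool m_fixed;
    PendingSwipeReason m_pendingSwipeReason { PendingSwipeReason::None };
    SwipeDirection m_pendingSwipeDirection { SwipeDirection::Left };
    ViewGestureType m_activeGestureType { ViewGestureType::None };
    std::vector<SwipeDirection> m_liveSwipeLayers;
    size_t m_overlappingSwipes { 0 };
};

// Feeds a burst of scroll deltas (constructed input) through the model with no
// swipe ending in between and returns how many swipes started on top of a live
// one. Zero is the invariant the fix restores.
size_t overlappingSwipesFor(bool fixed, const std::vector<double>& deltas)
{
    SwipeModel model(fixed);
    for (double delta : deltas)
        model.handleScrollWheelEvent(delta);
    return model.overlappingSwipes();
}

// Same burst, reporting how many live swipe layers are left over afterwards.
size_t liveSwipeLayersFor(bool fixed, const std::vector<double>& deltas)
{
    SwipeModel model(fixed);
    for (double delta : deltas)
        model.handleScrollWheelEvent(delta);
    return model.liveSwipeLayerCount();
}
```

With the pre-fix ordering, a burst whose first delta is already large enough (for instance {30, 30, 30}) leaves InsufficientMagnitude set while the swipe is live, so the second event takes the fast path and starts a second swipe on top of the first; the same model with a small first delta ({3, 30, 30}) never hits the bug, which matches the commit message's description of the trigger. With the fix applied, both bursts start exactly one swipe.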

Modified Paths

Diff

Modified: trunk/Source/WebKit2/ChangeLog (172987 => 172988)


--- trunk/Source/WebKit2/ChangeLog	2014-08-27 00:03:21 UTC (rev 172987)
+++ trunk/Source/WebKit2/ChangeLog	2014-08-27 00:16:52 UTC (rev 172988)
@@ -1,3 +1,31 @@
+2014-08-26  Tim Horton  <[email protected]>
+
+        Crashes in ViewGestureController::beginSwipeGesture when swiping in rapid succession
+        https://bugs.webkit.org/show_bug.cgi?id=136271
+        <rdar://problem/17923694>
+
+        Reviewed by Simon Fraser.
+
+        It was possible to get into trackSwipeGesture while another swipe was still
+        occurring, because the guard against this happening depended on m_pendingSwipeReason
+        never being set while a swipe was occurring. However, if the very first scroll event
+        had sufficient magnitude, we would still set m_pendingSwipeReason to InsufficientMagnitude,
+        and then *never clear it*, leading to a path around the guard against multiple live swipes.
+        This in turn allowed stale layers in m_liveSwipeLayers, which lead to the crash.
+
+        * UIProcess/mac/ViewGestureControllerMac.mm:
+        (WebKit::ViewGestureController::handleScrollWheelEvent):
+        Don't unset m_pendingSwipeReason before calling trackSwipeGesture;
+        trackSwipeGesture will do it itself.
+
+        Don't set m_pendingSwipeReason to InsufficientMagnitude
+        if the event actually *has* sufficient magnitude to start a swipe.
+
+        (WebKit::ViewGestureController::trackSwipeGesture):
+        Assert that we don't have an active gesture while starting a swipe.
+
+        Reset m_pendingSwipeReason, because the swipe is no longer pending!
+
 2014-08-26  Andy Estes  <[email protected]>
 
         [Cocoa] Some projects are incorrectly installed to $BUILT_PRODUCTS_DIR
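Review bot: typo in the new ChangeLog entry, "which lead to the crash" should read "which led to the crash" (past tense); the entry otherwise matches the code change.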

Modified: trunk/Source/WebKit2/UIProcess/mac/ViewGestureControllerMac.mm (172987 => 172988)


--- trunk/Source/WebKit2/UIProcess/mac/ViewGestureControllerMac.mm	2014-08-27 00:03:21 UTC (rev 172987)
+++ trunk/Source/WebKit2/UIProcess/mac/ViewGestureControllerMac.mm	2014-08-27 00:16:52 UTC (rev 172988)
@@ -324,7 +324,6 @@
 
     if (m_pendingSwipeReason == PendingSwipeReason::InsufficientMagnitude) {
         if (deltaIsSufficientToBeginSwipe(event)) {
-            m_pendingSwipeReason = PendingSwipeReason::None;
             trackSwipeGesture(event, m_pendingSwipeDirection);
             return true;
         }
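Review bot: dropping `m_pendingSwipeReason = PendingSwipeReason::None;` from this fast path is only correct because trackSwipeGesture now performs the reset itself, and this path still runs before any later active-gesture check, so the invariant that InsufficientMagnitude is never set while a swipe is live is what keeps it safe; a one-line comment at the call site saying that trackSwipeGesture owns the reset would stop someone re-adding the assignment here and would document that invariant where it matters.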
@@ -343,8 +342,8 @@
         return false;
     }
 
-    m_pendingSwipeReason = PendingSwipeReason::InsufficientMagnitude;
     if (!deltaIsSufficientToBeginSwipe(event)) {
+        m_pendingSwipeReason = PendingSwipeReason::InsufficientMagnitude;
         m_pendingSwipeDirection = direction;
         return true;
     }
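Review bot: moving the `m_pendingSwipeReason = PendingSwipeReason::InsufficientMagnitude;` assignment inside the `if (!deltaIsSufficientToBeginSwipe(event))` branch is the core of the fix, but nothing in the hunk explains why it must not be hoisted back out; a short comment noting that an unconditional assignment is exactly what left a stale value behind once the sufficient-magnitude path started a swipe would protect it from a future refactor.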
@@ -375,6 +374,9 @@
 
 void ViewGestureController::trackSwipeGesture(NSEvent *event, SwipeDirection direction)
 {
+    ASSERT(m_activeGestureType == ViewGestureType::None);
+    m_pendingSwipeReason = PendingSwipeReason::None;
+
     m_webPageProxy.recordNavigationSnapshot();
 
     CGFloat maxProgress = (direction == SwipeDirection::Left) ? 1 : 0;
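Review bot: `ASSERT(m_activeGestureType == ViewGestureType::None);` is compiled out in release builds, so if the invariant is broken again the function still proceeds to recordNavigationSnapshot and starts a second live swipe, which is the crash this change fixes; consider RELEASE_ASSERT, or an early return such as `if (m_activeGestureType != ViewGestureType::None) return;`, so that release builds fail safe rather than accumulating stale layers.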
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes
