Title: [177711] trunk/Source/WebCore
- Revision: 177711
- Author: [email protected]
- Date: 2014-12-23 17:11:17 -0800 (Tue, 23 Dec 2014)
Log Message
[Mac] Fix nullptr dereference in EventHandler::platformPrepareForWheelEvents().
<https://webkit.org/b/139923>
<rdar://problem/19182531>

Reviewed by Chris Dumez.

Don't dereference 'wheelEventTarget' until we know it's non-null.
This manifested as a crash in Node::renderBox() with some versions of LLVM.

The compiler was free to assume that the ContainerNode* 'candidate' in
findEnclosingScrollableContainer() would always be non-null on the first
iteration of the loop.

I suspect that we can get here with a null 'wheelEventTarget' during the
rubberbanding phase of a wheel scroll; if the cursor is sitting over the
exposed "gutter" area.

* page/mac/EventHandlerMac.mm:
(WebCore::findEnclosingScrollableContainer):
(WebCore::EventHandler::platformPrepareForWheelEvents):
Diff
Modified: trunk/Source/WebCore/ChangeLog (177710 => 177711)
--- trunk/Source/WebCore/ChangeLog 2014-12-24 01:09:14 UTC (rev 177710)
+++ trunk/Source/WebCore/ChangeLog 2014-12-24 01:11:17 UTC (rev 177711)
@@ -1,3 +1,26 @@
+2014-12-23 Andreas Kling <[email protected]>
+
+ [Mac] Fix nullptr dereference in EventHandler::platformPrepareForWheelEvents().
+ <https://webkit.org/b/139923>
+ <rdar://problem/19182531>
+
+ Reviewed by Chris Dumez.
+
+ Don't dereference 'wheelEventTarget' until we know it's non-null.
+ This manifested as a crash in Node::renderBox() with some versions of LLVM.
+
+ The compiler was free to assume that the ContainerNode* 'candidate' in
+ findEnclosingScrollableContainer() would always be non-null on the first
+ iteration of the loop.
+
+ I suspect that we can get here with a null 'wheelEventTarget' during the
+ rubberbanding phase of a wheel scroll; if the cursor is sitting over the
+ exposed "gutter" area.
+
+ * page/mac/EventHandlerMac.mm:
+ (WebCore::findEnclosingScrollableContainer):
+ (WebCore::EventHandler::platformPrepareForWheelEvents):
+
2014-12-23 Timothy Horton <[email protected]>
Install a TextIndicator for link immediate actions
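Review bot: the entry gives the trigger only as a suspicion ("I suspect that we can get here with a null 'wheelEventTarget' during the rubberbanding phase") and the revision modifies only ChangeLog and page/mac/EventHandlerMac.mm, so no regression test accompanies the fix. If the rubberbanding path cannot be driven from a layout test, the entry could say so, so that the missing test reads as a deliberate decision rather than an omission.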
Modified: trunk/Source/WebCore/page/mac/EventHandlerMac.mm (177710 => 177711)
--- trunk/Source/WebCore/page/mac/EventHandlerMac.mm 2014-12-24 01:09:14 UTC (rev 177710)
+++ trunk/Source/WebCore/page/mac/EventHandlerMac.mm 2014-12-24 01:11:17 UTC (rev 177711)
@@ -736,11 +736,11 @@
return PlatformEvent::CtrlKey | PlatformEvent::AltKey;
}
-static ContainerNode* findEnclosingScrollableContainer(ContainerNode& node)
+static ContainerNode* findEnclosingScrollableContainer(ContainerNode* node)
{
// Find the first node with a valid scrollable area starting with the current
// node and traversing its parents (or shadow hosts).
- for (ContainerNode* candidate = &node; candidate; candidate = candidate->parentOrShadowHostNode()) {
+ for (ContainerNode* candidate = node; candidate; candidate = candidate->parentOrShadowHostNode()) {
RenderBox* box = candidate->renderBox();
if (box && box->canBeScrolledAndHasScrollableArea())
return candidate;
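Review bot: the comment above the loop in findEnclosingScrollableContainer() still describes only the traversal and does not say that 'node' may now be null. With the parameter changed to ContainerNode*, the loop condition 'candidate' is the only null guard, and it is what keeps candidate->renderBox() from being reached for a null argument. Consider noting in that comment that a null node is accepted, so a later cleanup does not turn the parameter back into a reference and reintroduce the crash in Node::renderBox() described in the log message.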
@@ -839,7 +839,7 @@
scrollableContainer = wheelEventTarget;
scrollableArea = scrollViewForEventTarget(wheelEventTarget.get());
} else {
- scrollableContainer = findEnclosingScrollableContainer(*wheelEventTarget);
+ scrollableContainer = findEnclosingScrollableContainer(wheelEventTarget.get());
if (scrollableContainer) {
if (RenderBox* box = scrollableContainer->renderBox()) {
if (is<RenderListBox>(*box))
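Review bot: in the branch above the changed line, 'scrollableContainer = wheelEventTarget;' and 'scrollViewForEventTarget(wheelEventTarget.get())' also operate on wheelEventTarget, and the condition selecting that branch is outside this hunk, so it is not visible whether a null target can reach it. It is worth confirming that scrollViewForEventTarget() tolerates a null argument. In the else branch the null case is now handled only implicitly, through the helper's loop condition and the following 'if (scrollableContainer)'; an explicit check on wheelEventTarget ahead of this if/else would match the log message's "until we know it's non-null" more directly.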