Bug 38514

Summary: Crash in handleTouchEvent: using dangling node ptrs in hashmap
Product: WebKit
Reporter: Ben Murdoch <benm>
Component: WebCore Misc.
Assignee: Ben Murdoch <benm>
Status: RESOLVED FIXED
Severity: Normal
CC: android-webkit-unforking, commit-queue, gdk, hausmann
Priority: P2
Version: 528+ (Nightly build)
Hardware: All
OS: All
Bug Depends on:
Bug Blocks: 32485

Ben Murdoch
Reported 2010-05-04 04:12:40 PDT
If you visit a page that uses touch events and trigger a navigation whilst your finger is still pressed down (and that causes the Nodes of the old page to be deleted), then when you lift your finger on the new page we take the old (now dangling) node ptr from the m_originatingTouchPointsTargets map and try to ref it in the Touch constructor, which causes a crash. The fix is to empty the map when the event handlers are cleared. Patch and layout test to follow.
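A minimal C++ model of the lifetime mismatch described above, added here as an illustration and not WebCore's own code: a map of raw Node pointers keyed by touch identifier, torn down on navigation either with or without the clear that the fix adds. Apart from m_originatingTouchPointsTargets, all names and the Node/EventHandler shapes are assumed simplifications.

```cpp
#include <cstddef>
#include <map>
#include <memory>
#include <string>

// Stand-in for a WebCore Node; the real one is owned by the Document and
// freed when the page is navigated away (assumed simplification).
struct Node { std::string tag; };

// Stand-in for the EventHandler's per-touch bookkeeping: keyed by touch
// identifier, storing raw Node pointers as the report describes.
class EventHandler {
public:
    explicit EventHandler(bool clearMapOnTeardown) : m_clearMap(clearMapOnTeardown) {}
    // touchstart: remember the node the touch point began on.
    void touchStart(unsigned id, Node* target) { m_originatingTouchPointsTargets[id] = target; }
    // touchend: hand back the originating target, or nullptr when unknown.
    // Ref'ing a stale pointer returned here is the crash in the report.
    Node* touchEnd(unsigned id) {
        auto it = m_originatingTouchPointsTargets.find(id);
        if (it == m_originatingTouchPointsTargets.end()) return nullptr;
        Node* target = it->second;
        m_originatingTouchPointsTargets.erase(it);
        return target;
    }
    // Called when the frame's event handlers are cleared on navigation.
    // The fix is the body of the `if`: drop the entries at the same point
    // the nodes they point at are destroyed.
    void clear() { if (m_clearMap) m_originatingTouchPointsTargets.clear(); }

    std::size_t pendingTargets() const { return m_originatingTouchPointsTargets.size(); }

private:
    bool m_clearMap;
    std::map<unsigned, Node*> m_originatingTouchPointsTargets;
};

// Replays the report: finger down on the old page, then navigation (handlers
// cleared, old nodes freed) while the finger is still down. Returns how many
// map entries outlived their nodes: 1 without the fix, 0 with it.
std::size_t staleEntriesAfterNavigation(bool fixed) {
    EventHandler handler(fixed);
    {
        std::unique_ptr<Node> oldPageNode(new Node{"div"});
        handler.touchStart(1, oldPageNode.get());
        handler.clear();  // navigation clears the handler...
    }                      // ...and the old page's node dies here
    return handler.pendingTargets();
}
```

The entry counted in the unfixed case is exactly the dangling pointer a later touchend would try to ref; the model deliberately never dereferences it.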
Attachments
Proposed patch and test. (5.31 KB, patch)
2010-05-04 05:26 PDT, Ben Murdoch
no flags
Proposed patch and test. (5.33 KB, patch)
2010-05-04 05:29 PDT, Ben Murdoch
no flags
Ben Murdoch
Comment 1 2010-05-04 05:26:34 PDT
Created attachment 55011 [details]: Proposed patch and test.
Proposed patch.
Ben Murdoch
Comment 2 2010-05-04 05:29:43 PDT
Created attachment 55012 [details]: Proposed patch and test.
Change comments in the test slightly.
WebKit Commit Bot
Comment 3 2010-05-04 08:30:17 PDT
Comment on attachment 55012 [details]: Proposed patch and test.
Clearing flags on attachment: 55012
Committed r58760: <http://trac.webkit.org/changeset/58760>
WebKit Commit Bot
Comment 4 2010-05-04 08:30:24 PDT
All reviewed patches have been landed. Closing bug.