<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><meta http-equiv="content-type" content="text/html; charset=utf-8" />
<title>[195586] trunk</title>
</head>
<body>
<style type="text/css"><!--
#msg dl.meta { border: 1px #006 solid; background: #369; padding: 6px; color: #fff; }
#msg dl.meta dt { float: left; width: 6em; font-weight: bold; }
#msg dt:after { content:':';}
#msg dl, #msg dt, #msg ul, #msg li, #header, #footer, #logmsg { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; }
#msg dl a { font-weight: bold}
#msg dl a:link { color:#fc3; }
#msg dl a:active { color:#ff0; }
#msg dl a:visited { color:#cc6; }
h3 { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; font-weight: bold; }
#msg pre { overflow: auto; background: #ffc; border: 1px #fa0 solid; padding: 6px; }
#logmsg { background: #ffc; border: 1px #fa0 solid; padding: 1em 1em 0 1em; }
#logmsg p, #logmsg pre, #logmsg blockquote { margin: 0 0 1em 0; }
#logmsg p, #logmsg li, #logmsg dt, #logmsg dd { line-height: 14pt; }
#logmsg h1, #logmsg h2, #logmsg h3, #logmsg h4, #logmsg h5, #logmsg h6 { margin: .5em 0; }
#logmsg h1:first-child, #logmsg h2:first-child, #logmsg h3:first-child, #logmsg h4:first-child, #logmsg h5:first-child, #logmsg h6:first-child { margin-top: 0; }
#logmsg ul, #logmsg ol { padding: 0; list-style-position: inside; margin: 0 0 0 1em; }
#logmsg ul { text-indent: -1em; padding-left: 1em; }#logmsg ol { text-indent: -1.5em; padding-left: 1.5em; }
#logmsg > ul, #logmsg > ol { margin: 0 0 1em 0; }
#logmsg pre { background: #eee; padding: 1em; }
#logmsg blockquote { border: 1px solid #fa0; border-left-width: 10px; padding: 1em 1em 0 1em; background: white;}
#logmsg dl { margin: 0; }
#logmsg dt { font-weight: bold; }
#logmsg dd { margin: 0; padding: 0 0 0.5em 0; }
#logmsg dd:before { content:'\00bb';}
#logmsg table { border-spacing: 0px; border-collapse: collapse; border-top: 4px solid #fa0; border-bottom: 1px solid #fa0; background: #fff; }
#logmsg table th { text-align: left; font-weight: normal; padding: 0.2em 0.5em; border-top: 1px dotted #fa0; }
#logmsg table td { text-align: right; border-top: 1px dotted #fa0; padding: 0.2em 0.5em; }
#logmsg table thead th { text-align: center; border-bottom: 1px solid #fa0; }
#logmsg table th.Corner { text-align: left; }
#logmsg hr { border: none 0; border-top: 2px dashed #fa0; height: 1px; }
#header, #footer { color: #fff; background: #636; border: 1px #300 solid; padding: 6px; }
#patch { width: 100%; }
#patch h4 {font-family: verdana,arial,helvetica,sans-serif;font-size:10pt;padding:8px;background:#369;color:#fff;margin:0;}
#patch .propset h4, #patch .binary h4 {margin:0;}
#patch pre {padding:0;line-height:1.2em;margin:0;}
#patch .diff {width:100%;background:#eee;padding: 0 0 10px 0;overflow:auto;}
#patch .propset .diff, #patch .binary .diff {padding:10px 0;}
#patch span {display:block;padding:0 10px;}
#patch .modfile, #patch .addfile, #patch .delfile, #patch .propset, #patch .binary, #patch .copfile {border:1px solid #ccc;margin:10px 0;}
#patch ins {background:#dfd;text-decoration:none;display:block;padding:0 10px;}
#patch del {background:#fdd;text-decoration:none;display:block;padding:0 10px;}
#patch .lines, .info {color:#888;background:#fff;}
--></style>
<div id="msg">
<dl class="meta">
<dt>Revision</dt> <dd><a href="http://trac.webkit.org/projects/webkit/changeset/195586">195586</a></dd>
<dt>Author</dt> <dd>mario@webkit.org</dd>
<dt>Date</dt> <dd>2016-01-26 01:45:51 -0800 (Tue, 26 Jan 2016)</dd>
</dl>
<h3>Log Message</h3>
<pre>[GTK] WebProcess crashes when quickly attempting many DnD operations
https://bugs.webkit.org/show_bug.cgi?id=138468

Reviewed by Michael Catanzaro.

Source/WebKit2:

Do not allow different DnD operations over the same element at the
same time, so that any new attempt to DnD an element happening before
a previous attempt has ended will take precedence, cancelling the older
operation before going ahead with the new one.

This is consistent with how WebCore::EventHandler handles DnD operations,
preventing the web process from crashing in scenarios where the user might
try to perform many DnD operations over the same element very quickly.

* UIProcess/gtk/DragAndDropHandler.cpp:
(WebKit::DragAndDropHandler::DragAndDropHandler): Initialized new member.
(WebKit::DragAndDropHandler::startDrag): Ensure a previous DnD operation
is cancelled before handling the new one that has just started.
(WebKit::DragAndDropHandler::fillDragData): Protect against calling this
function from webkitWebViewBaseDragDataGet for already cancelled operations.
(WebKit::DragAndDropHandler::finishDrag): Protect against calling this
function from webkitWebViewBaseDragEnd for already cancelled operations.
* UIProcess/gtk/DragAndDropHandler.h:

LayoutTests:

New test added to check that the web process does not crash when multiple
DnD operations are quickly attempted over the same draggable element.

* fast/events/drag-and-drop-link-fast-multiple-times-does-not-crash-expected.txt: Added.
* fast/events/drag-and-drop-link-fast-multiple-times-does-not-crash.html: Added.

Added the new test to the failure expectations for mac-wk2, as there's no
suitable implementation of eventSender in place yet (see bug 42194).

* platform/mac-wk2/TestExpectations: Added failure expectation for the new test.</pre>
<h3>Modified Paths</h3>
<ul>
<li><a href="#trunkLayoutTestsChangeLog">trunk/LayoutTests/ChangeLog</a></li>
<li><a href="#trunkLayoutTestsplatformmacwk2TestExpectations">trunk/LayoutTests/platform/mac-wk2/TestExpectations</a></li>
<li><a href="#trunkSourceWebKit2ChangeLog">trunk/Source/WebKit2/ChangeLog</a></li>
<li><a href="#trunkSourceWebKit2UIProcessgtkDragAndDropHandlercpp">trunk/Source/WebKit2/UIProcess/gtk/DragAndDropHandler.cpp</a></li>
<li><a href="#trunkSourceWebKit2UIProcessgtkDragAndDropHandlerh">trunk/Source/WebKit2/UIProcess/gtk/DragAndDropHandler.h</a></li>
</ul>
<h3>Added Paths</h3>
<ul>
<li><a href="#trunkLayoutTestsfasteventsdraganddroplinkfastmultipletimesdoesnotcrashexpectedtxt">trunk/LayoutTests/fast/events/drag-and-drop-link-fast-multiple-times-does-not-crash-expected.txt</a></li>
<li><a href="#trunkLayoutTestsfasteventsdraganddroplinkfastmultipletimesdoesnotcrashhtml">trunk/LayoutTests/fast/events/drag-and-drop-link-fast-multiple-times-does-not-crash.html</a></li>
</ul>
</div>
<div id="patch">
<h3>Diff</h3>
<a id="trunkLayoutTestsChangeLog"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/ChangeLog (195585 => 195586)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/ChangeLog        2016-01-26 08:17:31 UTC (rev 195585)
+++ trunk/LayoutTests/ChangeLog        2016-01-26 09:45:51 UTC (rev 195586)
</span><span class="lines">@@ -1,3 +1,21 @@
</span><ins>+2016-01-26 Mario Sanchez Prada <mario@endlessm.com>
+
+ [GTK] WebProcess crashes when quickly attempting many DnD operations
+ https://bugs.webkit.org/show_bug.cgi?id=138468
+
+ Reviewed by Michael Catanzaro.
+
+ New test added to check that the web process does not crash when multiple
+ DnD operations are quickly attempted over the same draggable element.
+
+ * fast/events/drag-and-drop-link-fast-multiple-times-does-not-crash-expected.txt: Added.
+ * fast/events/drag-and-drop-link-fast-multiple-times-does-not-crash.html: Added.
+
+ Added the new test to the failure expectations for mac-wk2, as there's no
+ suitable implementation of eventSender in place yet (see bug 42194).
+
+ * platform/mac-wk2/TestExpectations: Added failure expectation for the new test.
+
</ins><span class="cx"> 2016-01-25 Youenn Fablet <youenn.fablet@crf.canon.fr>
</span><span class="cx">
</span><span class="cx"> imported/w3c/web-platform-tests/streams-api/readable-streams/garbage-collection.html asserts frequently
</span></span></pre></div>
<a id="trunkLayoutTestsfasteventsdraganddroplinkfastmultipletimesdoesnotcrashexpectedtxt"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/fast/events/drag-and-drop-link-fast-multiple-times-does-not-crash-expected.txt (0 => 195586)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/fast/events/drag-and-drop-link-fast-multiple-times-does-not-crash-expected.txt         (rev 0)
+++ trunk/LayoutTests/fast/events/drag-and-drop-link-fast-multiple-times-does-not-crash-expected.txt        2016-01-26 09:45:51 UTC (rev 195586)
</span><span class="lines">@@ -0,0 +1,35 @@
</span><ins>+HTML hyperlink
+
+This test checks that quickly attempting a drag'n'drop operation multiple times over the same element does not crash the web process.
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+Dragging HTML hyperlink around. Attempt #1
+Dragging HTML hyperlink around. Attempt #2
+Dragging HTML hyperlink around. Attempt #3
+Dragging HTML hyperlink around. Attempt #4
+Dragging HTML hyperlink around. Attempt #5
+Dragging HTML hyperlink around. Attempt #6
+Dragging HTML hyperlink around. Attempt #7
+Dragging HTML hyperlink around. Attempt #8
+Dragging HTML hyperlink around. Attempt #9
+Dragging HTML hyperlink around. Attempt #10
+Dragging HTML hyperlink around. Attempt #11
+Dragging HTML hyperlink around. Attempt #12
+Dragging HTML hyperlink around. Attempt #13
+Dragging HTML hyperlink around. Attempt #14
+Dragging HTML hyperlink around. Attempt #15
+Dragging HTML hyperlink around. Attempt #16
+Dragging HTML hyperlink around. Attempt #17
+Dragging HTML hyperlink around. Attempt #18
+Dragging HTML hyperlink around. Attempt #19
+Dragging HTML hyperlink around. Attempt #20
+
+
+PASS dragHasStarted is true
+PASS dragHasEnded is true
+PASS successfullyParsed is true
+
+TEST COMPLETE
+
</ins></span></pre></div>
<a id="trunkLayoutTestsfasteventsdraganddroplinkfastmultipletimesdoesnotcrashhtml"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/fast/events/drag-and-drop-link-fast-multiple-times-does-not-crash.html (0 => 195586)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/fast/events/drag-and-drop-link-fast-multiple-times-does-not-crash.html         (rev 0)
+++ trunk/LayoutTests/fast/events/drag-and-drop-link-fast-multiple-times-does-not-crash.html        2016-01-26 09:45:51 UTC (rev 195586)
</span><span class="lines">@@ -0,0 +1,89 @@
</span><ins>+<!DOCTYPE html>
+<html>
+<head>
+<script src="../../resources/js-test-pre.js"></script>
+<script>
+window.jsTestIsAsync = true;
+
+var htmlHyperlink;
+var dragBeginPositionX;
+var dragBeginPositionY;
+var dragEndPositionX;
+var dragEndPositionY;
+
+var dragHasStarted = false;
+var dragHasEnded = false;
+var maxNumberOfRuns = 20;
+var currentRun = 0;
+
+function finishTest()
+{
+ debug("<br>");
+ shouldBeTrue("dragHasStarted");
+ shouldBeTrue("dragHasEnded");
+ finishJSTest();
+}
+
+function dragStart(e) {
+ dragHasStarted = true;
+}
+
+function dragEnd(e) {
+ dragHasEnded = true;
+ if (currentRun < maxNumberOfRuns)
+ return;
+ window.setTimeout(finishTest, 0);
+}
+
+function dragAndDrop(beginX, beginY, endX, endY)
+{
+ if (!window.eventSender)
+ return;
+
+ eventSender.mouseMoveTo(beginX, beginY);
+ eventSender.mouseDown();
+ eventSender.leapForward(100);
+ eventSender.mouseMoveTo(endX, endY);
+ eventSender.mouseUp();
+}
+
+function runNextStep()
+{
+ if (currentRun++ >= maxNumberOfRuns)
+ return;
+
+ debug("Dragging HTML hyperlink around. Attempt #" + currentRun);
+ dragAndDrop(dragBeginPositionX, dragBeginPositionY, dragEndPositionX, dragEndPositionY);
+ window.setTimeout(runNextStep, 0);
+}
+
+function runTest()
+{
+ if (!window.testRunner)
+ return;
+
+ htmlHyperlink = document.getElementById("htmlHyperlink");
+
+ htmlHyperlink.ondragstart = dragStart;
+ htmlHyperlink.ondragend = dragEnd;
+
+ dragBeginPositionX = htmlHyperlink.offsetLeft + htmlHyperlink.offsetWidth / 2;
+ dragBeginPositionY = htmlHyperlink.offsetTop + htmlHyperlink.offsetHeight / 2;
+ dragEndPositionX = dragBeginPositionX + htmlHyperlink.offsetWidth + 50;
+ dragEndPositionY = dragBeginPositionY + htmlHyperlink.offsetHeight + 50;
+
+ runNextStep();
+}
+</script>
+</head>
+<body onload="runTest()">
+<p>
+ <a id="htmlHyperlink" href="http://www.whatwg.org/html">HTML hyperlink</a>
+<p>
+<div id="console"></div>
+<script>
+description("This test checks that quickly attempting a drag'n'drop operation multiple times over the same element does not crash the web process.");
+</script>
+<script src="../../resources/js-test-post.js"></script>
+</body>
+</html>
</ins></span></pre></div>
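Review bot: dragEnd() schedules finishTest() on every dragend delivered once currentRun has reached maxNumberOfRuns, and nothing prevents a second scheduling, so if more than one dragend arrives after the last run, finishJSTest() is called twice; a one-shot flag in dragEnd() would avoid that. Separately, with window.jsTestIsAsync set to true, the early returns in runTest() and dragAndDrop() when testRunner or eventSender is missing never reach finishJSTest(), and the second p tag after the hyperlink looks like it was meant to be a closing tag.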
<a id="trunkLayoutTestsplatformmacwk2TestExpectations"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/platform/mac-wk2/TestExpectations (195585 => 195586)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/platform/mac-wk2/TestExpectations        2016-01-26 08:17:31 UTC (rev 195585)
+++ trunk/LayoutTests/platform/mac-wk2/TestExpectations        2016-01-26 09:45:51 UTC (rev 195586)
</span><span class="lines">@@ -90,6 +90,7 @@
</span><span class="cx"> fast/events/drag-and-drop-fire-drag-dragover.html
</span><span class="cx"> fast/events/drag-and-drop.html
</span><span class="cx"> fast/events/drag-and-drop-link.html
</span><ins>+fast/events/drag-and-drop-link-fast-multiple-times-does-not-crash.html
</ins><span class="cx"> fast/events/drag-in-frames.html
</span><span class="cx"> fast/events/drag-parent-node.html
</span><span class="cx"> fast/events/dropzone-001.html
</span></span></pre></div>
<a id="trunkSourceWebKit2ChangeLog"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebKit2/ChangeLog (195585 => 195586)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebKit2/ChangeLog        2016-01-26 08:17:31 UTC (rev 195585)
+++ trunk/Source/WebKit2/ChangeLog        2016-01-26 09:45:51 UTC (rev 195586)
</span><span class="lines">@@ -1,3 +1,29 @@
</span><ins>+2016-01-26 Mario Sanchez Prada <mario@endlessm.com>
+
+ [GTK] WebProcess crashes when quickly attempting many DnD operations
+ https://bugs.webkit.org/show_bug.cgi?id=138468
+
+ Reviewed by Michael Catanzaro.
+
+ Do not allow different DnD operations over the same element at the
+ same time, so that any new attempt to DnD an element happening before
+ a previous attempt has ended will take precedence, cancelling the older
+ operation before going ahead with the new one.
+
+ This is consistent with how WebCore::EventHandler handles DnD operations,
+ preventing the web process from crashing in scenarios where the user might
+ try to perform many DnD operations over the same element very quickly.
+
+ * UIProcess/gtk/DragAndDropHandler.cpp:
+ (WebKit::DragAndDropHandler::DragAndDropHandler): Initialized new member.
+ (WebKit::DragAndDropHandler::startDrag): Ensure a previous DnD operation
+ is cancelled before handling the new one that has just started.
+ (WebKit::DragAndDropHandler::fillDragData): Protect against calling this
+ function from webkitWebViewBaseDragDataGet for already cancelled operations.
+ (WebKit::DragAndDropHandler::finishDrag): Protect against calling this
+ function from webkitWebViewBaseDragEnd for already cancelled operations.
+ * UIProcess/gtk/DragAndDropHandler.h:
+
</ins><span class="cx"> 2016-01-25 Enrica Casucci <enrica@apple.com>
</span><span class="cx">
</span><span class="cx"> Add support for DataDetectors in WK (iOS).
</span></span></pre></div>
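Review bot: the UIProcess/gtk/DragAndDropHandler.h entry at the end of this ChangeLog addition has no description, unlike the per-function entries for the .cpp file. Say there that the m_draggingDataObjects map was replaced by the single m_dragContext and m_draggingDataObject members, since that is the data-structure change the rest of the entry depends on.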
<a id="trunkSourceWebKit2UIProcessgtkDragAndDropHandlercpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebKit2/UIProcess/gtk/DragAndDropHandler.cpp (195585 => 195586)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebKit2/UIProcess/gtk/DragAndDropHandler.cpp        2016-01-26 08:17:31 UTC (rev 195585)
+++ trunk/Source/WebKit2/UIProcess/gtk/DragAndDropHandler.cpp        2016-01-26 09:45:51 UTC (rev 195586)
</span><span class="lines">@@ -44,6 +44,7 @@
</span><span class="cx">
</span><span class="cx"> DragAndDropHandler::DragAndDropHandler(WebPageProxy& page)
</span><span class="cx"> : m_page(page)
</span><ins>+ , m_dragContext(nullptr)
</ins><span class="cx"> {
</span><span class="cx"> }
</span><span class="cx">
</span><span class="lines">@@ -110,14 +111,21 @@
</span><span class="cx">
</span><span class="cx"> void DragAndDropHandler::startDrag(const DragData& dragData, PassRefPtr<ShareableBitmap> dragImage)
</span><span class="cx"> {
</span><del>- RefPtr<DataObjectGtk> dataObject = adoptRef(dragData.platformData());
- GRefPtr<GtkTargetList> targetList = adoptGRef(PasteboardHelper::singleton().targetListForDataObject(dataObject.get()));
</del><ins>+ m_draggingDataObject = adoptRef(dragData.platformData());
+
+ GRefPtr<GtkTargetList> targetList = adoptGRef(PasteboardHelper::singleton().targetListForDataObject(m_draggingDataObject.get()));
</ins><span class="cx"> GUniquePtr<GdkEvent> currentEvent(gtk_get_current_event());
</span><span class="cx">
</span><span class="cx"> GdkDragContext* context = gtk_drag_begin(m_page.viewWidget(), targetList.get(), dragOperationToGdkDragActions(dragData.draggingSourceOperationMask()),
</span><span class="cx"> GDK_BUTTON_PRIMARY, currentEvent.get());
</span><del>- m_draggingDataObjects.set(context, dataObject.get());
</del><span class="cx">
</span><ins>+ // WebCore::EventHandler does not support more than one DnD operation at the same time for
+ // a given page, so we should cancel any previous operation whose context we might have
+ // stored, should we receive a new startDrag event before finishing a previous DnD operation.
+ if (m_dragContext)
+ gtk_drag_cancel(m_dragContext.get());
+ m_dragContext = context;
+
</ins><span class="cx"> if (dragImage) {
</span><span class="cx"> RefPtr<cairo_surface_t> image(dragImage->createCairoSurface());
</span><span class="cx"> // Use the center of the drag image as hotspot.
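Review bot: in startDrag(), m_draggingDataObject is overwritten with the new data object and gtk_drag_begin() is called before the previous operation is cancelled, while m_dragContext still points at the old context during gtk_drag_cancel(). If cancelling reaches finishDrag() for the old context while that call is in progress (the webkitWebViewBaseDragEnd path), the context comparison matches and m_draggingDataObject is set to nullptr, discarding the data for the drag that was just begun. Cancelling and clearing the old state first, before the adoptRef() assignment and gtk_drag_begin(), removes that ordering dependency.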
</span><span class="lines">@@ -129,15 +137,28 @@
</span><span class="cx">
</span><span class="cx"> void DragAndDropHandler::fillDragData(GdkDragContext* context, GtkSelectionData* selectionData, unsigned info)
</span><span class="cx"> {
</span><del>- if (DataObjectGtk* dataObject = m_draggingDataObjects.get(context))
- PasteboardHelper::singleton().fillSelectionData(selectionData, info, dataObject);
</del><ins>+ // This can happen when attempting to call finish drag from webkitWebViewBaseDragDataGet()
+ // for a obsolete DnD operation that got previously cancelled in startDrag().
+ if (m_dragContext.get() != context)
+ return;
+
+ ASSERT(m_draggingDataObject);
+ PasteboardHelper::singleton().fillSelectionData(selectionData, info, m_draggingDataObject.get());
</ins><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> void DragAndDropHandler::finishDrag(GdkDragContext* context)
</span><span class="cx"> {
</span><del>- if (!m_draggingDataObjects.remove(context))
</del><ins>+ // This can happen when attempting to call finish drag from webkitWebViewBaseDragEnd()
+ // for a obsolete DnD operation that got previously cancelled in startDrag().
+ if (m_dragContext.get() != context)
</ins><span class="cx"> return;
</span><span class="cx">
</span><ins>+ if (!m_draggingDataObject)
+ return;
+
+ m_dragContext = nullptr;
+ m_draggingDataObject = nullptr;
+
</ins><span class="cx"> GdkDevice* device = gdk_drag_context_get_device(context);
</span><span class="cx"> int x = 0, y = 0;
</span><span class="cx"> gdk_device_get_window_at_position(device, &x, &y);
</span></span></pre></div>
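Review bot: fillDragData() guards m_draggingDataObject only with ASSERT, so a release build would pass a null object to fillSelectionData(), whereas finishDrag() checks the same member at run time; use the same run-time check in both. In finishDrag(), the early return for a null m_draggingDataObject also leaves m_dragContext set, so the stale context stays referenced. The new comment in fillDragData() says "finish drag" where it means filling drag data, and both comments should read "an obsolete".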
<a id="trunkSourceWebKit2UIProcessgtkDragAndDropHandlerh"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebKit2/UIProcess/gtk/DragAndDropHandler.h (195585 => 195586)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebKit2/UIProcess/gtk/DragAndDropHandler.h        2016-01-26 08:17:31 UTC (rev 195585)
+++ trunk/Source/WebKit2/UIProcess/gtk/DragAndDropHandler.h        2016-01-26 09:45:51 UTC (rev 195586)
</span><span class="lines">@@ -74,8 +74,9 @@
</span><span class="cx"> WebCore::DataObjectGtk* requestDragData(GdkDragContext*, const WebCore::IntPoint& position, unsigned time);
</span><span class="cx">
</span><span class="cx"> WebPageProxy& m_page;
</span><ins>+ GRefPtr<GdkDragContext> m_dragContext;
+ RefPtr<WebCore::DataObjectGtk> m_draggingDataObject;
</ins><span class="cx"> HashMap<GdkDragContext*, std::unique_ptr<DroppingContext>> m_droppingContexts;
</span><del>- HashMap<GdkDragContext*, RefPtr<WebCore::DataObjectGtk>> m_draggingDataObjects;
</del><span class="cx"> };
</span><span class="cx">
</span><span class="cx"> } // namespace WebKit
</span></span></pre>
</div>
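Review bot: the two new members, m_dragContext and m_draggingDataObject, carry no comment saying that they track the single outgoing drag operation for the page, which is the invariant startDrag(), fillDragData() and finishDrag() now rely on, while the neighbouring m_droppingContexts is still a per-context map. A one-line comment above m_dragContext stating that at most one outgoing drag is tracked at a time would make that asymmetry clearly intentional.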
</div>
</body>
</html>