<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><meta http-equiv="content-type" content="text/html; charset=utf-8" />
<title>[199181] trunk</title>
</head>
<body>
<style type="text/css"><!--
#msg dl.meta { border: 1px #006 solid; background: #369; padding: 6px; color: #fff; }
#msg dl.meta dt { float: left; width: 6em; font-weight: bold; }
#msg dt:after { content:':';}
#msg dl, #msg dt, #msg ul, #msg li, #header, #footer, #logmsg { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; }
#msg dl a { font-weight: bold}
#msg dl a:link { color:#fc3; }
#msg dl a:active { color:#ff0; }
#msg dl a:visited { color:#cc6; }
h3 { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; font-weight: bold; }
#msg pre { overflow: auto; background: #ffc; border: 1px #fa0 solid; padding: 6px; }
#logmsg { background: #ffc; border: 1px #fa0 solid; padding: 1em 1em 0 1em; }
#logmsg p, #logmsg pre, #logmsg blockquote { margin: 0 0 1em 0; }
#logmsg p, #logmsg li, #logmsg dt, #logmsg dd { line-height: 14pt; }
#logmsg h1, #logmsg h2, #logmsg h3, #logmsg h4, #logmsg h5, #logmsg h6 { margin: .5em 0; }
#logmsg h1:first-child, #logmsg h2:first-child, #logmsg h3:first-child, #logmsg h4:first-child, #logmsg h5:first-child, #logmsg h6:first-child { margin-top: 0; }
#logmsg ul, #logmsg ol { padding: 0; list-style-position: inside; margin: 0 0 0 1em; }
#logmsg ul { text-indent: -1em; padding-left: 1em; }#logmsg ol { text-indent: -1.5em; padding-left: 1.5em; }
#logmsg > ul, #logmsg > ol { margin: 0 0 1em 0; }
#logmsg pre { background: #eee; padding: 1em; }
#logmsg blockquote { border: 1px solid #fa0; border-left-width: 10px; padding: 1em 1em 0 1em; background: white;}
#logmsg dl { margin: 0; }
#logmsg dt { font-weight: bold; }
#logmsg dd { margin: 0; padding: 0 0 0.5em 0; }
#logmsg dd:before { content:'\00bb';}
#logmsg table { border-spacing: 0px; border-collapse: collapse; border-top: 4px solid #fa0; border-bottom: 1px solid #fa0; background: #fff; }
#logmsg table th { text-align: left; font-weight: normal; padding: 0.2em 0.5em; border-top: 1px dotted #fa0; }
#logmsg table td { text-align: right; border-top: 1px dotted #fa0; padding: 0.2em 0.5em; }
#logmsg table thead th { text-align: center; border-bottom: 1px solid #fa0; }
#logmsg table th.Corner { text-align: left; }
#logmsg hr { border: none 0; border-top: 2px dashed #fa0; height: 1px; }
#header, #footer { color: #fff; background: #636; border: 1px #300 solid; padding: 6px; }
#patch { width: 100%; }
#patch h4 {font-family: verdana,arial,helvetica,sans-serif;font-size:10pt;padding:8px;background:#369;color:#fff;margin:0;}
#patch .propset h4, #patch .binary h4 {margin:0;}
#patch pre {padding:0;line-height:1.2em;margin:0;}
#patch .diff {width:100%;background:#eee;padding: 0 0 10px 0;overflow:auto;}
#patch .propset .diff, #patch .binary .diff {padding:10px 0;}
#patch span {display:block;padding:0 10px;}
#patch .modfile, #patch .addfile, #patch .delfile, #patch .propset, #patch .binary, #patch .copfile {border:1px solid #ccc;margin:10px 0;}
#patch ins {background:#dfd;text-decoration:none;display:block;padding:0 10px;}
#patch del {background:#fdd;text-decoration:none;display:block;padding:0 10px;}
#patch .lines, .info {color:#888;background:#fff;}
--></style>
<div id="msg">
<dl class="meta">
<dt>Revision</dt> <dd><a href="http://trac.webkit.org/projects/webkit/changeset/199181">199181</a></dd>
<dt>Author</dt> <dd>bfulgham@apple.com</dd>
<dt>Date</dt> <dd>2016-04-07 14:15:34 -0700 (Thu, 07 Apr 2016)</dd>
</dl>
<h3>Log Message</h3>
<pre>Wheel event callback removing the window causes crash in WebCore.
https://bugs.webkit.org/show_bug.cgi?id=150871
<rdar://problem/23418283>
Reviewed by Simon Fraser.
Source/WebCore:
Null check the FrameView before using it, since the iframe may have been removed
from its parent document inside the event handler.
The new test triggered a cross-load side-effect, where wheel event filtering wasn't
reset between page loads. Fix by calling clearLatchedState() in EventHandler::clear(),
which resets the filtering.
Since the Frame destructor invokes EventHandler::clear, which invokes MainFrame methods,
we run the risk of attempting to dereference destroyed MainFrame elements of the current
Frame object. Instead, clear the EventHandler in the MainFrame destructor.
Finally, confirm that the mainFrame member is not being destroyed in the handful of
places that might attempt to access the mainFrame during object destruction (essentially
cleanup methods).
Test: fast/events/wheel-event-destroys-frame.html
* loader/FrameLoader.cpp:
(WebCore::FrameLoader::clear): Protect against accessing mainFrame content during destruction.
* page/EventHandler.cpp:
(WebCore::EventHandler::clear): Call 'clearLatchedState' instead of endFilteringDeltas.
(WebCore::EventHandler::clearLatchedState): Null-check the filter before calling it.
* page/Frame.cpp:
(WebCore::Frame::~Frame): Do not call 'setView' in the destructor for a MainFrame.
(WebCore::Frame::setView): Check for a null event handler before invoking it.
(WebCore::Frame::setMainFrameWasDestroyed): Added. Mark that the MainFrame
member of the Frame is being destroyed (if the current Frame is a MainFrame) and clear
the EventHandler member so that it doesn't attempt to access mainFrame content.
(WebCore::Frame::mainFrame): When accessing the mainFrame member, assert that the
mainFrame is not being destroyed.
* page/MainFrame.cpp:
(WebCore::MainFrame::~MainFrame): Set the m_recentWheelEventDeltaFilter to nullptr to
prevent attempts to access it during object destruction. Call the new 'setMainFrameWasDestroyed'
method to reset eventHandler and mark the MainFrame as being in the process of destruction.
* page/WheelEventDeltaFilter.cpp:
(WebCore::WheelEventDeltaFilter::filteredDelta): Add logging.
* page/mac/EventHandlerMac.mm:
(WebCore::EventHandler::platformCompleteWheelEvent): Add null check.
* rendering/RenderLayer.cpp:
(WebCore::RenderLayer::scrollTo): Add logging.
LayoutTests:
* fast/events/wheel-event-destroys-frame-expected.txt: Added.
* fast/events/wheel-event-destroys-frame.html: Added.
* platform/ios-simulator/TestExpectations: Skip wheel-event test on iOS.</pre>
<h3>Modified Paths</h3>
<ul>
<li><a href="#trunkLayoutTestsChangeLog">trunk/LayoutTests/ChangeLog</a></li>
<li><a href="#trunkLayoutTestsplatformiossimulatorTestExpectations">trunk/LayoutTests/platform/ios-simulator/TestExpectations</a></li>
<li><a href="#trunkSourceWebCoreChangeLog">trunk/Source/WebCore/ChangeLog</a></li>
<li><a href="#trunkSourceWebCoreloaderFrameLoadercpp">trunk/Source/WebCore/loader/FrameLoader.cpp</a></li>
<li><a href="#trunkSourceWebCorepageEventHandlercpp">trunk/Source/WebCore/page/EventHandler.cpp</a></li>
<li><a href="#trunkSourceWebCorepageFramecpp">trunk/Source/WebCore/page/Frame.cpp</a></li>
<li><a href="#trunkSourceWebCorepageFrameh">trunk/Source/WebCore/page/Frame.h</a></li>
<li><a href="#trunkSourceWebCorepageMainFramecpp">trunk/Source/WebCore/page/MainFrame.cpp</a></li>
<li><a href="#trunkSourceWebCorepageWheelEventDeltaFiltercpp">trunk/Source/WebCore/page/WheelEventDeltaFilter.cpp</a></li>
<li><a href="#trunkSourceWebCorepagemacEventHandlerMacmm">trunk/Source/WebCore/page/mac/EventHandlerMac.mm</a></li>
<li><a href="#trunkSourceWebCorerenderingRenderLayercpp">trunk/Source/WebCore/rendering/RenderLayer.cpp</a></li>
</ul>
<h3>Added Paths</h3>
<ul>
<li><a href="#trunkLayoutTestsfasteventswheeleventdestroysframeexpectedtxt">trunk/LayoutTests/fast/events/wheel-event-destroys-frame-expected.txt</a></li>
<li><a href="#trunkLayoutTestsfasteventswheeleventdestroysframehtml">trunk/LayoutTests/fast/events/wheel-event-destroys-frame.html</a></li>
</ul>
</div>
<div id="patch">
<h3>Diff</h3>
<a id="trunkLayoutTestsChangeLog"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/ChangeLog (199180 => 199181)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/ChangeLog 2016-04-07 21:08:40 UTC (rev 199180)
+++ trunk/LayoutTests/ChangeLog 2016-04-07 21:15:34 UTC (rev 199181)
</span><span class="lines">@@ -1,3 +1,15 @@
</span><ins>+2016-04-07 Brent Fulgham <bfulgham@apple.com>
+
+ Wheel event callback removing the window causes crash in WebCore.
+ https://bugs.webkit.org/show_bug.cgi?id=150871
+ <rdar://problem/23418283>
+
+ Reviewed by Simon Fraser.
+
+ * fast/events/wheel-event-destroys-frame-expected.txt: Added.
+ * fast/events/wheel-event-destroys-frame.html: Added.
+ * platform/ios-simulator/TestExpectations: Skip wheel-event test on iOS.
+
</ins><span class="cx"> 2016-04-07 Saam barati <sbarati@apple.com>
</span><span class="cx">
</span><span class="cx"> Initial implementation of annex b.3.3 behavior was incorrect
</span></span></pre></div>
<a id="trunkLayoutTestsfasteventswheeleventdestroysframeexpectedtxt"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/fast/events/wheel-event-destroys-frame-expected.txt (0 => 199181)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/fast/events/wheel-event-destroys-frame-expected.txt (rev 0)
+++ trunk/LayoutTests/fast/events/wheel-event-destroys-frame-expected.txt 2016-04-07 21:15:34 UTC (rev 199181)
</span><span class="lines">@@ -0,0 +1,3 @@
</span><ins>+This test should not crash
+
+
</ins></span></pre></div>
<a id="trunkLayoutTestsfasteventswheeleventdestroysframehtml"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/fast/events/wheel-event-destroys-frame.html (0 => 199181)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/fast/events/wheel-event-destroys-frame.html (rev 0)
+++ trunk/LayoutTests/fast/events/wheel-event-destroys-frame.html 2016-04-07 21:15:34 UTC (rev 199181)
</span><span class="lines">@@ -0,0 +1,39 @@
</span><ins>+<!DOCTYPE html>
+<html>
+<head>
+ <script>
+ if (window.testRunner) {
+ testRunner.waitUntilDone();
+ testRunner.dumpAsText();
+ }
+
+ function frameLoaded(iframe)
+ {
+ iframe.contentWindow.addEventListener('wheel', function() {
+ // Removing the window during event firing causes crash.
+ window.document.body.removeChild(iframe);
+ window.setTimeout(function() {
+ if (window.testRunner)
+ testRunner.notifyDone();
+ }, 0);
+ });
+
+ if (!window.eventSender)
+ return;
+
+ var iframeTarget = document.getElementById('iframe');
+ var iframeBounds = iframeTarget.getBoundingClientRect();
+
+ eventSender.mouseMoveTo(iframeBounds.left + 10, iframeBounds.top + 10);
+ eventSender.mouseScrollByWithWheelAndMomentumPhases(0, -1, 'began', 'none');
+ eventSender.mouseScrollByWithWheelAndMomentumPhases(0, -1, 'changed', 'none');
+ eventSender.mouseScrollByWithWheelAndMomentumPhases(0, -1, 'changed', 'none');
+ eventSender.mouseScrollByWithWheelAndMomentumPhases(0, 0, 'ended', 'none');
+ }
+ </script>
+</head>
+<body>
+ <p>This test should not crash</p>
+ <iframe id="iframe" onload="frameLoaded(this)" src="data:text/html,<body>Wheel here</body>"></iframe>
+</body>
+</html>
</ins></span></pre></div>
<a id="trunkLayoutTestsplatformiossimulatorTestExpectations"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/platform/ios-simulator/TestExpectations (199180 => 199181)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/platform/ios-simulator/TestExpectations 2016-04-07 21:08:40 UTC (rev 199180)
+++ trunk/LayoutTests/platform/ios-simulator/TestExpectations 2016-04-07 21:15:34 UTC (rev 199181)
</span><span class="lines">@@ -57,6 +57,7 @@
</span><span class="cx"> # No mousewheel events on iOS
</span><span class="cx"> fast/scrolling/iframe-scrollable-after-back.html [ Skip ]
</span><span class="cx"> fast/scrolling/overflow-scrollable-after-back.html [ Skip ]
</span><ins>+fast/events/wheel-event-destroys-frame.html [ Skip ]
</ins><span class="cx">
</span><span class="cx"> # Not supported on iOS
</span><span class="cx"> batterystatus
</span></span></pre></div>
<a id="trunkSourceWebCoreChangeLog"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/ChangeLog (199180 => 199181)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/ChangeLog 2016-04-07 21:08:40 UTC (rev 199180)
+++ trunk/Source/WebCore/ChangeLog 2016-04-07 21:15:34 UTC (rev 199181)
</span><span class="lines">@@ -1,3 +1,52 @@
</span><ins>+2016-04-07 Brent Fulgham <bfulgham@apple.com>
+
+ Wheel event callback removing the window causes crash in WebCore.
+ https://bugs.webkit.org/show_bug.cgi?id=150871
+ <rdar://problem/23418283>
+
+ Reviewed by Simon Fraser.
+
+ Null check the FrameView before using it, since the iframe may have been removed
+ from its parent document inside the event handler.
+
+ The new test triggered a cross-load side-effect, where wheel event filtering wasn't
+ reset between page loads. Fix by calling clearLatchedState() in EventHandler::clear(),
+ which resets the filtering.
+
+ Since the Frame destructor invokes EventHandler::clear, which invokes MainFrame methods,
+ we run the risk of attempting to dereference destroyed MainFrame elements of the current
+ Frame object. Instead, clear the EventHandler in the MainFrame destructor.
+
+ Finally, confirm that the mainFrame member is not being destroyed in the handful of
+ places that might attempt to access the mainFrame during object destruction (essentially
+ cleanup methods).
+
+ Test: fast/events/wheel-event-destroys-frame.html
+
+ * loader/FrameLoader.cpp:
+ (WebCore::FrameLoader::clear): Protect against accessing mainFrame content during destruction.
+ * page/EventHandler.cpp:
+ (WebCore::EventHandler::clear): Call 'clearLatchedState' instead of endFilteringDeltas.
+ (WebCore::EventHandler::clearLatchedState): Null-check the filter before calling it.
+ * page/Frame.cpp:
+ (WebCore::Frame::~Frame): Do not call 'setView' in the destructor for a MainFrame.
+ (WebCore::Frame::setView): Check for a null event handler before invoking it.
+ (WebCore::Frame::setMainFrameWasDestroyed): Added. Mark that the MainFrame
+ member of the Frame is being destroyed (if the current Frame is a MainFrame) and clear
+ the EventHandler member so that it doesn't attempt to access mainFrame content.
+ (WebCore::Frame::mainFrame): When accessing the mainFrame member, assert that the
+ mainFrame is not being destroyed.
+ * page/MainFrame.cpp:
+ (WebCore::MainFrame::~MainFrame): Set the m_recentWheelEventDeltaFilter to nullptr to
+ prevent attempts to access it during object destruction. Call the new 'setMainFrameWasDestroyed'
+ method to reset eventHandler and mark the MainFrame as being in the process of destruction.
+ * page/WheelEventDeltaFilter.cpp:
+ (WebCore::WheelEventDeltaFilter::filteredDelta): Add logging.
+ * page/mac/EventHandlerMac.mm:
+ (WebCore::EventHandler::platformCompleteWheelEvent): Add null check.
+ * rendering/RenderLayer.cpp:
+ (WebCore::RenderLayer::scrollTo): Add logging.
+
</ins><span class="cx"> 2016-04-05 Ada Chan <adachan@apple.com>
</span><span class="cx">
</span><span class="cx"> Rename TextTrackRepresentationiOS to TextTrackRepresentationCocoa and enable on Mac
</span></span></pre></div>
<a id="trunkSourceWebCoreloaderFrameLoadercpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/loader/FrameLoader.cpp (199180 => 199181)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/loader/FrameLoader.cpp 2016-04-07 21:08:40 UTC (rev 199180)
+++ trunk/Source/WebCore/loader/FrameLoader.cpp 2016-04-07 21:15:34 UTC (rev 199181)
</span><span class="lines">@@ -604,7 +604,11 @@
</span><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> m_frame.selection().prepareForDestruction();
</span><del>- m_frame.eventHandler().clear();
</del><ins>+
+ // We may call this code during object destruction, so need to make sure eventHandler is present.
+ if (auto eventHandler = m_frame.eventHandlerPtr())
+ eventHandler->clear();
+
</ins><span class="cx"> if (clearFrameView && m_frame.view())
</span><span class="cx"> m_frame.view()->clear();
</span><span class="cx">
</span></span></pre></div>
<a id="trunkSourceWebCorepageEventHandlercpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/page/EventHandler.cpp (199180 => 199181)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/page/EventHandler.cpp 2016-04-07 21:08:40 UTC (rev 199180)
+++ trunk/Source/WebCore/page/EventHandler.cpp 2016-04-07 21:15:34 UTC (rev 199181)
</span><span class="lines">@@ -1,5 +1,5 @@
</span><span class="cx"> /*
</span><del>- * Copyright (C) 2006-2015 Apple Inc. All rights reserved.
</del><ins>+ * Copyright (C) 2006-2016 Apple Inc. All rights reserved.
</ins><span class="cx"> * Copyright (C) 2006 Alexey Proskuryakov (ap@webkit.org)
</span><span class="cx"> * Copyright (C) 2012 Digia Plc. and/or its subsidiary(-ies)
</span><span class="cx"> *
</span><span class="lines">@@ -455,9 +455,7 @@
</span><span class="cx"> m_mousePressed = false;
</span><span class="cx"> m_capturesDragging = false;
</span><span class="cx"> m_capturingMouseEventsElement = nullptr;
</span><del>-#if PLATFORM(MAC)
- m_frame.mainFrame().resetLatchingState();
-#endif
</del><ins>+ clearLatchedState();
</ins><span class="cx"> #if ENABLE(TOUCH_EVENTS) && !ENABLE(IOS_TOUCH_EVENTS)
</span><span class="cx"> m_originatingTouchPointTargets.clear();
</span><span class="cx"> m_originatingTouchPointDocument = nullptr;
</span><span class="lines">@@ -2693,7 +2691,8 @@
</span><span class="cx"> #if PLATFORM(MAC)
</span><span class="cx"> m_frame.mainFrame().resetLatchingState();
</span><span class="cx"> #endif
</span><del>- m_frame.mainFrame().wheelEventDeltaFilter()->endFilteringDeltas();
</del><ins>+ if (auto filter = m_frame.mainFrame().wheelEventDeltaFilter())
+ filter->endFilteringDeltas();
</ins><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> void EventHandler::defaultWheelEventHandler(Node* startNode, WheelEvent* wheelEvent)
</span></span></pre></div>
<a id="trunkSourceWebCorepageFramecpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/page/Frame.cpp (199180 => 199181)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/page/Frame.cpp 2016-04-07 21:08:40 UTC (rev 199180)
+++ trunk/Source/WebCore/page/Frame.cpp 2016-04-07 21:15:34 UTC (rev 199181)
</span><span class="lines">@@ -5,7 +5,7 @@
</span><span class="cx"> * 2000 Simon Hausmann <hausmann@kde.org>
</span><span class="cx"> * 2000 Stefan Schimanski <1Stein@gmx.de>
</span><span class="cx"> * 2001 George Staikos <staikos@kde.org>
</span><del>- * Copyright (C) 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Apple Inc. All rights reserved.
</del><ins>+ * Copyright (C) 2004-2016 Apple Inc. All rights reserved.
</ins><span class="cx"> * Copyright (C) 2005 Alexey Proskuryakov <ap@nypop.com>
</span><span class="cx"> * Copyright (C) 2008 Nokia Corporation and/or its subsidiary(-ies)
</span><span class="cx"> * Copyright (C) 2008 Eric Seidel <eric@webkit.org>
</span><span class="lines">@@ -160,7 +160,6 @@
</span><span class="cx"> , m_script(std::make_unique<ScriptController>(*this))
</span><span class="cx"> , m_editor(std::make_unique<Editor>(*this))
</span><span class="cx"> , m_selection(std::make_unique<FrameSelection>(this))
</span><del>- , m_eventHandler(std::make_unique<EventHandler>(*this))
</del><span class="cx"> , m_animationController(std::make_unique<AnimationController>(*this))
</span><span class="cx"> #if PLATFORM(IOS)
</span><span class="cx"> , m_overflowAutoScrollTimer(*this, &Frame::overflowAutoScrollTimerFired)
</span><span class="lines">@@ -169,6 +168,7 @@
</span><span class="cx"> , m_pageZoomFactor(parentPageZoomFactor(this))
</span><span class="cx"> , m_textZoomFactor(parentTextZoomFactor(this))
</span><span class="cx"> , m_activeDOMObjectsAndAnimationsSuspendedCount(0)
</span><ins>+ , m_eventHandler(std::make_unique<EventHandler>(*this))
</ins><span class="cx"> {
</span><span class="cx"> AtomicString::init();
</span><span class="cx"> HTMLNames::init();
</span><span class="lines">@@ -251,7 +251,9 @@
</span><span class="cx"> if (m_view)
</span><span class="cx"> m_view->unscheduleRelayout();
</span><span class="cx">
</span><del>- eventHandler().clear();
</del><ins>+ // This may be called during destruction, so need to do a null check.
+ if (m_eventHandler)
+ m_eventHandler->clear();
</ins><span class="cx">
</span><span class="cx"> m_view = WTFMove(view);
</span><span class="cx">
</span></span></pre></div>
<a id="trunkSourceWebCorepageFrameh"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/page/Frame.h (199180 => 199181)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/page/Frame.h 2016-04-07 21:08:40 UTC (rev 199180)
+++ trunk/Source/WebCore/page/Frame.h 2016-04-07 21:15:34 UTC (rev 199181)
</span><span class="lines">@@ -5,7 +5,7 @@
</span><span class="cx"> * 2000-2001 Simon Hausmann <hausmann@kde.org>
</span><span class="cx"> * 2000-2001 Dirk Mueller <mueller@kde.org>
</span><span class="cx"> * 2000 Stefan Schimanski <1Stein@gmx.de>
</span><del>- * Copyright (C) 2004, 2005, 2006, 2007, 2008, 2009, 2010 Apple Inc. All rights reserved.
</del><ins>+ * Copyright (C) 2004-2016 Apple Inc. All rights reserved.
</ins><span class="cx"> * Copyright (C) 2008 Nokia Corporation and/or its subsidiary(-ies)
</span><span class="cx"> * Copyright (C) 2008 Eric Seidel <eric@webkit.org>
</span><span class="cx"> *
</span><span class="lines">@@ -151,6 +151,7 @@
</span><span class="cx">
</span><span class="cx"> Editor& editor() const;
</span><span class="cx"> EventHandler& eventHandler() const;
</span><ins>+ EventHandler* eventHandlerPtr() const;
</ins><span class="cx"> FrameLoader& loader() const;
</span><span class="cx"> NavigationScheduler& navigationScheduler() const;
</span><span class="cx"> FrameSelection& selection() const;
</span><span class="lines">@@ -278,6 +279,7 @@
</span><span class="cx">
</span><span class="cx"> protected:
</span><span class="cx"> Frame(Page&, HTMLFrameOwnerElement*, FrameLoaderClient&);
</span><ins>+ void setMainFrameWasDestroyed();
</ins><span class="cx">
</span><span class="cx"> private:
</span><span class="cx"> HashSet<FrameDestructionObserver*> m_destructionObservers;
</span><span class="lines">@@ -296,7 +298,6 @@
</span><span class="cx"> const std::unique_ptr<ScriptController> m_script;
</span><span class="cx"> const std::unique_ptr<Editor> m_editor;
</span><span class="cx"> const std::unique_ptr<FrameSelection> m_selection;
</span><del>- const std::unique_ptr<EventHandler> m_eventHandler;
</del><span class="cx"> const std::unique_ptr<AnimationController> m_animationController;
</span><span class="cx">
</span><span class="cx"> #if ENABLE(DATA_DETECTION)
</span><span class="lines">@@ -326,6 +327,10 @@
</span><span class="cx"> float m_textZoomFactor;
</span><span class="cx">
</span><span class="cx"> int m_activeDOMObjectsAndAnimationsSuspendedCount;
</span><ins>+ bool m_mainFrameWasDestroyed { false };
+
+ protected:
+ std::unique_ptr<EventHandler> m_eventHandler;
</ins><span class="cx"> };
</span><span class="cx">
</span><span class="cx"> inline void Frame::init()
</span><span class="lines">@@ -398,11 +403,22 @@
</span><span class="cx"> return *m_eventHandler;
</span><span class="cx"> }
</span><span class="cx">
</span><ins>+ inline EventHandler* Frame::eventHandlerPtr() const
+ {
+ return m_eventHandler.get();
+ }
+
</ins><span class="cx"> inline MainFrame& Frame::mainFrame() const
</span><span class="cx"> {
</span><ins>+ ASSERT_WITH_SECURITY_IMPLICATION(!m_mainFrameWasDestroyed);
</ins><span class="cx"> return m_mainFrame;
</span><span class="cx"> }
</span><span class="cx">
</span><ins>+ inline void Frame::setMainFrameWasDestroyed()
+ {
+ m_mainFrameWasDestroyed = false;
+ }
+
</ins><span class="cx"> } // namespace WebCore
</span><span class="cx">
</span><span class="cx"> #endif // Frame_h
</span></span></pre></div>
<a id="trunkSourceWebCorepageMainFramecpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/page/MainFrame.cpp (199180 => 199181)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/page/MainFrame.cpp 2016-04-07 21:08:40 UTC (rev 199180)
+++ trunk/Source/WebCore/page/MainFrame.cpp 2016-04-07 21:15:34 UTC (rev 199181)
</span><span class="lines">@@ -1,5 +1,5 @@
</span><span class="cx"> /*
</span><del>- * Copyright (C) 2013-2015 Apple Inc. All rights reserved.
</del><ins>+ * Copyright (C) 2013-2016 Apple Inc. All rights reserved.
</ins><span class="cx"> *
</span><span class="cx"> * Redistribution and use in source and binary forms, with or without
</span><span class="cx"> * modification, are permitted provided that the following conditions
</span><span class="lines">@@ -66,6 +66,11 @@
</span><span class="cx"> {
</span><span class="cx"> if (m_diagnosticLoggingClient)
</span><span class="cx"> m_diagnosticLoggingClient->mainFrameDestroyed();
</span><ins>+
+ m_recentWheelEventDeltaFilter = nullptr;
+ m_eventHandler = nullptr;
+
+ setMainFrameWasDestroyed();
</ins><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> Ref<MainFrame> MainFrame::create(Page& page, PageConfiguration& configuration)
</span></span></pre></div>
<a id="trunkSourceWebCorepageWheelEventDeltaFiltercpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/page/WheelEventDeltaFilter.cpp (199180 => 199181)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/page/WheelEventDeltaFilter.cpp 2016-04-07 21:08:40 UTC (rev 199180)
+++ trunk/Source/WebCore/page/WheelEventDeltaFilter.cpp 2016-04-07 21:15:34 UTC (rev 199181)
</span><span class="lines">@@ -1,5 +1,5 @@
</span><span class="cx"> /*
</span><del>- * Copyright (C) 2015 Apple Inc. All rights reserved.
</del><ins>+ * Copyright (C) 2015-2016 Apple Inc. All rights reserved.
</ins><span class="cx"> *
</span><span class="cx"> * Redistribution and use in source and binary forms, with or without
</span><span class="cx"> * modification, are permitted provided that the following conditions
</span><span class="lines">@@ -31,6 +31,8 @@
</span><span class="cx"> #endif
</span><span class="cx">
</span><span class="cx"> #include "FloatSize.h"
</span><ins>+#include "Logging.h"
+#include "TextStream.h"
</ins><span class="cx">
</span><span class="cx"> namespace WebCore {
</span><span class="cx">
</span><span class="lines">@@ -58,6 +60,7 @@
</span><span class="cx">
</span><span class="cx"> FloatSize WheelEventDeltaFilter::filteredDelta() const
</span><span class="cx"> {
</span><ins>+ LOG_WITH_STREAM(Scrolling, stream << "BasicWheelEventDeltaFilter::filteredDelta returning " << m_currentFilteredDelta);
</ins><span class="cx"> return m_currentFilteredDelta;
</span><span class="cx"> }
</span><span class="cx">
</span></span></pre></div>
<a id="trunkSourceWebCorepagemacEventHandlerMacmm"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/page/mac/EventHandlerMac.mm (199180 => 199181)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/page/mac/EventHandlerMac.mm 2016-04-07 21:08:40 UTC (rev 199180)
+++ trunk/Source/WebCore/page/mac/EventHandlerMac.mm 2016-04-07 21:15:34 UTC (rev 199181)
</span><span class="lines">@@ -1,5 +1,5 @@
</span><span class="cx"> /*
</span><del>- * Copyright (C) 2006, 2007, 2008, 2009, 2014-2015 Apple Inc. All rights reserved.
</del><ins>+ * Copyright (C) 2006-2016 Apple Inc. All rights reserved.
</ins><span class="cx"> *
</span><span class="cx"> * Redistribution and use in source and binary forms, with or without
</span><span class="cx"> * modification, are permitted provided that the following conditions
</span><span class="lines">@@ -1049,9 +1049,10 @@
</span><span class="cx">
</span><span class="cx"> bool EventHandler::platformCompleteWheelEvent(const PlatformWheelEvent& wheelEvent, ContainerNode* scrollableContainer, ScrollableArea* scrollableArea)
</span><span class="cx"> {
</span><ins>+ FrameView* view = m_frame.view();
</ins><span class="cx"> // We do another check on the frame view because the event handler can run JS which results in the frame getting destroyed.
</span><del>- ASSERT(m_frame.view());
- FrameView* view = m_frame.view();
</del><ins>+ if (!view)
+ return false;
</ins><span class="cx">
</span><span class="cx"> ScrollLatchingState* latchingState = m_frame.mainFrame().latchingState();
</span><span class="cx"> if (wheelEvent.useLatchedEventElement() && !latchingIsLockedToAncestorOfThisFrame(m_frame) && latchingState && latchingState->scrollableContainer()) {
</span></span></pre></div>
<a id="trunkSourceWebCorerenderingRenderLayercpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/rendering/RenderLayer.cpp (199180 => 199181)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/rendering/RenderLayer.cpp 2016-04-07 21:08:40 UTC (rev 199180)
+++ trunk/Source/WebCore/rendering/RenderLayer.cpp 2016-04-07 21:15:34 UTC (rev 199181)
</span><span class="lines">@@ -1,5 +1,5 @@
</span><span class="cx"> /*
</span><del>- * Copyright (C) 2006-2015 Apple Inc. All rights reserved.
</del><ins>+ * Copyright (C) 2006-2016 Apple Inc. All rights reserved.
</ins><span class="cx"> *
</span><span class="cx"> * Portions are Copyright (C) 1998 Netscape Communications Corporation.
</span><span class="cx"> *
</span><span class="lines">@@ -2346,6 +2346,8 @@
</span><span class="cx"> if (!box)
</span><span class="cx"> return;
</span><span class="cx">
</span><ins>+ LOG_WITH_STREAM(Scrolling, stream << "RenderLayer::scrollTo " << position);
+
</ins><span class="cx"> ScrollPosition newPosition = position;
</span><span class="cx"> if (!box->isHTMLMarquee()) {
</span><span class="cx"> // Ensure that the dimensions will be computed if they need to be (for overflow:hidden blocks).
</span></span></pre>
</div>
</div>
</body>
</html>