[Webkit-unassigned] [Bug 34700] New: [CRASH] WebCore crashes when element is removed from within 2-dimensional mouse wheel event handler.

Mon Feb 8 02:17:00 PST 2010

https://bugs.webkit.org/show_bug.cgi?id=34700

           Summary: [CRASH] WebCore crashes when element is removed from
                    within 2-dimensional mouse wheel event handler.
           Product: WebKit
           Version: 528+ (Nightly build)
          Platform: PC
        OS/Version: Mac OS X 10.5
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: WebCore Misc.
        AssignedTo: webkit-unassigned at lists.webkit.org
        ReportedBy: pfeldman at chromium.org
                CC: hyatt at apple.com, timothy at hatcher.name

#0    0x044f953d in WebCore::RenderObject::enclosingBox at RenderObject.cpp:556
#1    0x03f03fce in WebCore::scrollAndAcceptEvent at EventHandler.cpp:116
#2    0x03f044ee in WebCore::EventHandler::handleWheelEvent at
EventHandler.cpp:1869
#3    0x03f1166a in WebCore::EventHandler::wheelEvent at EventHandlerMac.mm:120
#4    0x0034aa5a in -[WebHTMLView scrollWheel:] at WebHTMLView.mm:3319
#5    0x902ac731 in -[NSWindow sendEvent:]

http://trac.webkit.org/browser/trunk/WebCore/page/EventHandler.cpp
Lines 1865-1869.

Looks like if node is removed in line 1868, subsequent 1869 will crash.

// Just break up into two scrolls if we need to.  Diagonal movement on
1866                // a MacBook pro is an example of a 2-dimensional mouse
wheel event (where both deltaX and deltaY can be set).
1867                Node* stopNode = m_previousWheelScrolledNode.get();
1868                scrollAndAcceptEvent(e.deltaX(), ScrollLeft, ScrollRight,
e, node, &stopNode);
1869                scrollAndAcceptEvent(e.deltaY(), ScrollUp, ScrollDown, e,
node, &stopNode);

-- 
Configure bugmail: https://bugs.webkit.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.