[Webkit-unassigned] [Bug 141931] New: EventHandler references deleted Scrollbar

Mon Feb 23 15:48:19 PST 2015

https://bugs.webkit.org/show_bug.cgi?id=141931

            Bug ID: 141931
           Summary: EventHandler references deleted Scrollbar
    Classification: Unclassified
           Product: WebKit
           Version: 528+ (Nightly build)
          Hardware: Unspecified
                OS: Unspecified
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: Layout and Rendering
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: bfulgham at webkit.org

The EventHandler class holds a RefPtr of the last Scrollbar used during an event. If the Scrollbar is destroyed (as well as its underlying RenderLayer), the EventHandler keeps the Scrollbar from being deleted. However, the underlying ScrollableArea has already been destroyed at this point, leaving this "m_lastScrollbarUnderMouse" Scrollbar holding a reference to deleted memory. This can happen during EventHandling related to scrollbars, and should be prevented.

Prior to r180474, this was avoided by using a "disconnectFromScrollableArea" method to set the internal ScrollableArea to null, and relying on internal nullptr checks to avoid dereferencing the null value.

But this behavior is not correct either; we should not artificially prolong the life of a Scrollbar simply because of an implementation detail of the EventHandler class.

Instead, EventHandler should be notified when the Scrollbar has been destroyed, and stop trying to use it when this happens.

-- 
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-unassigned/attachments/20150223/81757d75/attachment-0002.html>