Bug 38514

Summary: Crash in handleTouchEvent: using dangling node ptrs in hashmap
Product: WebKit
Reporter: Ben Murdoch <benm>
Component: WebCore Misc.
Assignee: Ben Murdoch <benm>
Status: RESOLVED FIXED
Severity: Normal
CC: android-webkit-unforking, commit-queue, gdk, hausmann
Priority: P2
Version: 528+ (Nightly build)
Hardware: All
OS: All
Bug Depends on:
Bug Blocks: 32485
Attachments:
Description | Flags
Proposed patch and test. | none
Proposed patch and test. | none

Description Ben Murdoch 2010-05-04 04:12:40 PDT
If you visit a page that uses touch events and trigger a navigation whilst your finger is still pressed down (and that causes the Nodes of the old page to be deleted), then when you lift your finger on the new page we take the old (now dangling) node ptr from the m_originatingTouchPointsTargets map and try to ref it in the Touch constructor, which causes a crash. The fix is to empty the map when the event handlers are cleared.

Patch and layout test to follow.
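A hypothetical C++ model of the lifecycle described in the report, added here and not WebKit source: the originating-target map holds raw Node pointers, navigation frees the old page's nodes, and the fix drops the map entries when the handler is cleared. The Node liveness set and makeTouch() are constructed stand-ins for the Touch constructor's ref() and for what a sanitizer would flag on the unfixed path.

```cpp
#include <map>
#include <set>
#include <memory>

// Hypothetical model of the bug (not WebKit source): touch targets are kept as raw
// pointers, so if the page is torn down while a touch is held the entries dangle.
struct Node {
    static std::set<const Node*>& live() { static std::set<const Node*> s; return s; }
    Node() { live().insert(this); }
    ~Node() { live().erase(this); }
    int refCount = 0;
    void ref() { ++refCount; }
};

// Stand-in for the Touch constructor, which refs its target. Returns false instead
// of touching freed memory when the pointer no longer refers to a live Node.
static bool makeTouch(Node* target) {
    if (!Node::live().count(target)) return false; // dangling: a use-after-free in the real code
    target->ref();
    return true;
}

class EventHandler {
public:
    // touchstart: remember which node the touch point started on
    void touchStart(int touchId, Node* target) { m_originatingTouchPointsTargets[touchId] = target; }
    // touchend: look up the originating target and construct a Touch on it
    bool touchEnd(int touchId) {
        auto it = m_originatingTouchPointsTargets.find(touchId);
        if (it == m_originatingTouchPointsTargets.end()) return true; // nothing to dispatch
        bool ok = makeTouch(it->second);
        m_originatingTouchPointsTargets.erase(it);
        return ok;
    }
    // Called when the event handlers are cleared on navigation; the fix empties the map here.
    void clear(bool withFix) { if (withFix) m_originatingTouchPointsTargets.clear(); }
private:
    std::map<int, Node*> m_originatingTouchPointsTargets;
};

// Simulates: touchstart on the old page, navigation deletes its nodes, touchend on the new page.
static bool simulate(bool withFix) {
    EventHandler handler;
    auto oldPage = std::make_unique<Node>();
    handler.touchStart(1, oldPage.get());
    oldPage.reset();             // navigation tears down the old document; the node is freed
    handler.clear(withFix);      // event handlers cleared for the new document
    return handler.touchEnd(1);  // false means a dangling pointer was about to be used
}
```

Without the fix the stale entry survives the navigation and touchEnd() hands a freed pointer to the Touch stand-in; with the fix the map is empty and the lift is a no-op.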
Comment 1 Ben Murdoch 2010-05-04 05:26:34 PDT
Created attachment 55011 [details]
Proposed patch and test.

Proposed patch.
Comment 2 Ben Murdoch 2010-05-04 05:29:43 PDT
Created attachment 55012 [details]
Proposed patch and test.

Change comments in the test slightly.
Comment 3 WebKit Commit Bot 2010-05-04 08:30:17 PDT
Comment on attachment 55012 [details]
Proposed patch and test.

Clearing flags on attachment: 55012

Committed r58760: <http://trac.webkit.org/changeset/58760>
Comment 4 WebKit Commit Bot 2010-05-04 08:30:24 PDT
All reviewed patches have been landed.  Closing bug.