See https://code.google.com/p/chromium/issues/detail?id=180046 for instructions on reproducing the issue. The member |m_gestureScrollOnImplThread| is not set to false after a fling gesture on the fast path because no GestureScrollEnd is sent after a fling (this is the only place outside of the WHCHI constructor where the member is set to false). As a result, GestureScrollUpdate events belonging to a non-fling gesture scroll that takes place immediately after the fling are always handled on the fast path, even in cases where the slow path should be handling these GestureScrollUpdate events.
Created attachment 191370 [details] WIP, not for review
Created attachment 191527 [details] WIP, not for review
Created attachment 191575 [details] Patch
Comment on attachment 191575 [details] Patch Rejecting attachment 191575 [details] from commit-queue. Failed to run "['/mnt/git/webkit-commit-queue/Tools/Scripts/webkit-patch', '--status-host=webkit-commit-queue.appspot.com', '--bot-id=gce-cq-02', 'build', '--no-clean', '--no-update', '--build-style=release', '--port=chromium-xvfb']" exit_code: 2 cwd: /mnt/git/webkit-commit-queue Last 500 characters of output: ::MatchAndExplainImpl(testing::internal::false_type, const Class&, testing::MatchResultListener*) const [with Class = WebKit::WebSize, FieldType = int] ../../Source/WebKit/chromium/testing/gmock/include/gmock/gmock-matchers.h:1783: note: bool testing::internal::FieldMatcher<Class, FieldType>::MatchAndExplainImpl(testing::internal::true_type, const Class*, testing::MatchResultListener*) const [with Class = WebKit::WebSize, FieldType = int] ninja: build stopped: subcommand failed. Full output: http://webkit-commit-queue.appspot.com/results/17056117
Created attachment 191826 [details] Patch for landing after compile issue fixed
Comment on attachment 191826 [details] Patch for landing after compile issue fixed Clearing flags on attachment: 191826 Committed r144980: <http://trac.webkit.org/changeset/144980>
All reviewed patches have been landed. Closing bug.