Bug 38514 - Crash in handleTouchEvent: using dangling node ptrs in hashmap
Summary: Crash in handleTouchEvent: using dangling node ptrs in hashmap
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: WebCore Misc. (show other bugs)
Version: 528+ (Nightly build)
Hardware: All All
Importance: P2 Normal
Assignee: Ben Murdoch
URL:
Keywords:
Depends on:
Blocks: 32485
Reported: 2010-05-04 04:12 PDT by Ben Murdoch
Modified: 2010-05-04 08:30 PDT (History)
4 users

Attachments
Proposed patch and test. (5.31 KB, patch)
2010-05-04 05:26 PDT, Ben Murdoch
Proposed patch and test. (5.33 KB, patch)
2010-05-04 05:29 PDT, Ben Murdoch
Description Ben Murdoch 2010-05-04 04:12:40 PDT
If you visit a page that uses touch events and trigger a navigation whilst your finger is still pressed down (and that causes the Nodes of the old page to be deleted), then when you lift your finger on the new page we take the old (now dangling) node ptr from the m_originatingTouchPointsTargets map and try to ref it in the Touch constructor, which causes a crash. The fix is to empty the map when the event handlers are cleared.

Patch and layout test to follow.
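The lifetime hazard this report describes, reduced to a constructed C++ model added here for illustration (this is not WebKit code and not the author's patch): a side table keyed by touch id holds raw pointers to nodes that are owned by a document, the document is destroyed on navigation, and the table still hands back the stale pointer on touch end. The `Document`, `Node`, `TouchTargetMap` and `liveNodes` names are assumptions of the example; the liveness registry exists only so the dangling entry can be shown without dereferencing freed memory. The `clear()` call at teardown mirrors the fix the report proposes.

```cpp
#include <cstddef>
#include <memory>
#include <set>
#include <string>
#include <unordered_map>
#include <utility>
#include <vector>

// Constructed model of the bug class (not WebKit code): a map of raw pointers
// to objects whose lifetime is owned elsewhere dangles once the owner goes
// away, unless the map is emptied at the same lifecycle point.

// Registry of currently live Node objects. Lets the example detect a dangling
// entry by pointer value instead of touching freed memory.
static std::set<const void*>& liveNodes() {
    static std::set<const void*> s;
    return s;
}

struct Node {
    std::string name;
    explicit Node(std::string n) : name(std::move(n)) { liveNodes().insert(this); }
    ~Node() { liveNodes().erase(this); }
};

static bool isLive(const Node* n) { return liveNodes().count(n) != 0; }

// Owner of the nodes; torn down wholesale when the page is navigated away.
struct Document {
    std::vector<std::unique_ptr<Node>> nodes;
    Node* add(const std::string& name) {
        nodes.push_back(std::make_unique<Node>(name));
        return nodes.back().get();
    }
};

// Stand-in for the per-touch target map named in the report.
class TouchTargetMap {
public:
    void touchStart(int touchId, Node* target) { m_targets[touchId] = target; }

    // Returns whatever pointer was recorded for this touch, dangling or not.
    // This is the lookup that the old code fed straight into a ref() call.
    Node* targetForTouch(int touchId) const {
        auto it = m_targets.find(touchId);
        return it == m_targets.end() ? nullptr : it->second;
    }

    // The fix: drop every recorded target when the handlers that produced
    // them are cleared, i.e. together with the old document.
    void clear() { m_targets.clear(); }

    std::size_t size() const { return m_targets.size(); }

private:
    std::unordered_map<int, Node*> m_targets;
};

// Simulates: finger down on page A, navigate (page A destroyed), finger up.
// Returns true when the map still yields a pointer to a destroyed node.
bool reproducesDanglingTarget(bool applyFix) {
    TouchTargetMap map;
    auto pageA = std::make_unique<Document>();
    Node* button = pageA->add("button");
    map.touchStart(/*touchId=*/1, button);

    // Navigation: the old document and all of its nodes are destroyed.
    if (applyFix)
        map.clear();  // empty the map when the old page's handlers are cleared
    pageA.reset();

    // Touch end on the new page: the old code would now ref() this pointer.
    Node* target = map.targetForTouch(1);
    return target != nullptr && !isLive(target);
}

int main() {
    // Without the fix the stale entry survives navigation; with it, it does not.
    return (reproducesDanglingTarget(false) && !reproducesDanglingTarget(true)) ? 0 : 1;
}
```

The point of the model is where the clearing happens: storing strong references in the map instead would keep the old page's nodes alive past navigation, whereas emptying the map at the moment the old page's handlers are discarded matches the lifetime of the objects it refers to.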
Comment 1 Ben Murdoch 2010-05-04 05:26:34 PDT
Created attachment 55011 [details]
Proposed patch and test.

Proposed patch.
Comment 2 Ben Murdoch 2010-05-04 05:29:43 PDT
Created attachment 55012 [details]
Proposed patch and test.

Change comments in the test slightly.
Comment 3 WebKit Commit Bot 2010-05-04 08:30:17 PDT
Comment on attachment 55012 [details]
Proposed patch and test.

Clearing flags on attachment: 55012

Committed r58760: <http://trac.webkit.org/changeset/58760>
Comment 4 WebKit Commit Bot 2010-05-04 08:30:24 PDT
All reviewed patches have been landed. Closing bug.