diff --git a/LayoutTests/ChangeLog b/LayoutTests/ChangeLog index 2dedb6c0569538820d9253e739364fc13c60e3b1..a507a6927ac90bb5d9103813446a65dab96b6b3c 100644 --- a/LayoutTests/ChangeLog +++ b/LayoutTests/ChangeLog @@ -1,3 +1,16 @@ +2012-07-05 Vincent Scheib + + [Chromium] Clear m_currentInputEvent after handled by pointerLockMouseEvent(). + https://bugs.webkit.org/show_bug.cgi?id=90391 + + Test that reproduces bug 90391: + Enable pointer lock, receive mouse move, call window.open, don't crash. + + Reviewed by Abhishek Arya. + + * pointer-lock/bug90391-move-then-window-open-crash-expected.txt: Added. + * pointer-lock/bug90391-move-then-window-open-crash.html: Added. + 2012-07-05 John Mellor Text Autosizing: Add test framework and simple test. diff --git a/LayoutTests/pointer-lock/bug90391-move-then-window-open-crash-expected.txt b/LayoutTests/pointer-lock/bug90391-move-then-window-open-crash-expected.txt new file mode 100644 index 0000000000000000000000000000000000000000..0d1035c4a2523e6d6b9f6778337900d1d5a817d3 --- /dev/null +++ b/LayoutTests/pointer-lock/bug90391-move-then-window-open-crash-expected.txt @@ -0,0 +1,15 @@ +bug 90391: pointer lock mouse move events then window.open should not crash. + +On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE". + + + Locking targetdiv1. +PASS document.onwebkitpointerlockchange event received. + Sending mouse move events. + Calling window.open. +PASS Didn't crash +PASS successfullyParsed is true + +TEST COMPLETE +doNextStep for manual testing + diff --git a/LayoutTests/pointer-lock/bug90391-move-then-window-open-crash.html b/LayoutTests/pointer-lock/bug90391-move-then-window-open-crash.html new file mode 100644 index 0000000000000000000000000000000000000000..ccf4131aecf6f5379508a3d6c63ced8fc4cecca0 --- /dev/null +++ b/LayoutTests/pointer-lock/bug90391-move-then-window-open-crash.html @@ -0,0 +1,64 @@ + + + + + + +
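Review bot: The added statement `TemporaryChange(m_currentInputEvent, &inputEvent);` in handleInputEvent shows no variable name, so as written it is an unnamed temporary that is destroyed at the end of that statement and restores m_currentInputEvent before any event is dispatched. The template argument appears to have been stripped by the page rendering (as with the bare `static_cast` in the following hunk), so the committed line may differ from what is visible here. If the guard really is unnamed, the stale pointer to the stack-allocated event is gone, but m_currentInputEvent is never set while the handlers run, and the two `m_currentInputEvent = 0;` resets removed in the following hunk have no scoped replacement. Binding the guard to a local gives it function-scope lifetime on every exit path, including the pointer-lock early return: `TemporaryChange<const WebInputEvent*> currentEventChange(m_currentInputEvent, &inputEvent);`. The body of handleInputEvent continues outside this hunk.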
+ +
+
+ + + + diff --git a/Source/WebKit/chromium/ChangeLog b/Source/WebKit/chromium/ChangeLog index 8c251f910a9df976f9344b110b88ddd7743e008f..bccd0e55d921d778f80d736a61c4644c76b98b08 100644 --- a/Source/WebKit/chromium/ChangeLog +++ b/Source/WebKit/chromium/ChangeLog @@ -1,3 +1,18 @@ +2012-07-05 Vincent Scheib + + [Chromium] Clear m_currentInputEvent after handled by pointerLockMouseEvent(). + https://bugs.webkit.org/show_bug.cgi?id=90391 + + WebViewImpl::handleInputEvent was keeping a pointer to an input event that would + later be accessed. When in pointer lock, that pointer was not being cleared. + Code modified to use TemporaryChange to automatically clear the pointer at all + method exit points. + + Reviewed by Abhishek Arya. + + * src/WebViewImpl.cpp: + (WebKit::WebViewImpl::handleInputEvent): + 2012-07-05 John Mellor Text Autosizing: Add test framework and simple test. diff --git a/Source/WebKit/chromium/src/WebViewImpl.cpp b/Source/WebKit/chromium/src/WebViewImpl.cpp index b3fddef1e7a0aa06914870bee519fad373e70f07..8368d1c26e381a06ac18a5ca3b16549711dab6df 100644 --- a/Source/WebKit/chromium/src/WebViewImpl.cpp +++ b/Source/WebKit/chromium/src/WebViewImpl.cpp @@ -164,6 +164,7 @@ #include #include #include +#include #include #if ENABLE(GESTURE_EVENTS) @@ -1760,7 +1761,7 @@ bool WebViewImpl::handleInputEvent(const WebInputEvent& inputEvent) if (m_ignoreInputEvents) return false; - m_currentInputEvent = &inputEvent; + TemporaryChange(m_currentInputEvent, &inputEvent); #if ENABLE(POINTER_LOCK) if (isPointerLocked() && WebInputEvent::isMouseEventType(inputEvent.type)) { 
@@ -1798,12 +1799,10 @@ bool WebViewImpl::handleInputEvent(const WebInputEvent& inputEvent) node->dispatchMouseEvent( PlatformMouseEventBuilder(mainFrameImpl()->frameView(), *static_cast(&inputEvent)), eventType, static_cast(&inputEvent)->clickCount); - m_currentInputEvent = 0; return true; } bool handled = PageWidgetDelegate::handleInputEvent(m_page.get(), *this, inputEvent); - m_currentInputEvent = 0; return handled; }