author | Ben Murdoch <benm@google.com> | 2010-05-06 15:49:14 +0100 |
---|---|---|
committer | Ben Murdoch <benm@google.com> | 2010-05-06 15:54:34 +0100 |
commit | 7f034a1734d634dd1fdb3b64817d5828b5e46922 (patch) | |
tree | 4cc1831e32d1da542cbc63fbf327c37844e28528 | |
parent | da713c0266664dc15b021e99cca31cadc5bd2bdc (diff) | |
Fix a ref counting bug in touch event handling. The RefPtr returned from m_originatingTouchPointTargets.take() was only in scope
for the duration of the else block but we saved the raw pointer it wrapped. When the else block ended, the RefPtr destroyed itself, also
deleting its enclosed pointer if it held the final ref. But we had a saved copy of this raw pointer and then went on to use
it later.
Fix bug 2543728.
Change-Id: I90e17693e15bff0969f103b5947d004837189c44
-rw-r--r-- | WebCore/page/EventHandler.cpp | 10 |
1 files changed, 5 insertions, 5 deletions
diff --git a/WebCore/page/EventHandler.cpp b/WebCore/page/EventHandler.cpp index 5904934..2e07b6a 100644 --- a/WebCore/page/EventHandler.cpp +++ b/WebCore/page/EventHandler.cpp @@ -2602,21 +2602,21 @@ bool EventHandler::handleTouchEvent(const PlatformTouchEvent& event) // Increment the platform touch id by 1 to avoid storing a key of 0 in the hashmap. unsigned touchPointTargetKey = point.id() + 1; - EventTarget* touchTarget = 0; + RefPtr<EventTarget> touchTarget; if (point.state() == PlatformTouchPoint::TouchPressed) { m_originatingTouchPointTargets.set(touchPointTargetKey, target); touchTarget = target; } else if (point.state() == PlatformTouchPoint::TouchReleased || point.state() == PlatformTouchPoint::TouchCancelled) { // The target should be the original target for this touch, so get it from the hashmap. As it's a release or cancel // we also remove it from the map. - touchTarget = m_originatingTouchPointTargets.take(touchPointTargetKey).get(); + touchTarget = m_originatingTouchPointTargets.take(touchPointTargetKey); } else - touchTarget = m_originatingTouchPointTargets.get(touchPointTargetKey).get(); + touchTarget = m_originatingTouchPointTargets.get(touchPointTargetKey); - if (!touchTarget) + if (!touchTarget.get()) continue; - RefPtr<Touch> touch = Touch::create(doc->frame(), touchTarget, point.id(), + RefPtr<Touch> touch = Touch::create(doc->frame(), touchTarget.get(), point.id(), point.screenPos().x(), point.screenPos().y(), adjustedPageX, adjustedPageY); |
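
Review bot: The new `RefPtr<EventTarget> touchTarget;` declaration has no comment explaining why it must own a reference, so a later cleanup could turn it back into a raw pointer and reintroduce the use-after-free. Please add a one-line comment at the declaration noting that `m_originatingTouchPointTargets.take(touchPointTargetKey)` drops the map's ref on release or cancel, so the local has to keep the target alive until it has been used. Separately, `Touch::create(doc->frame(), touchTarget.get(), ...)` still hands over a raw pointer, and the hunk does not show whether `Touch` takes its own ref; worth confirming, since `touchTarget` only lives for the current loop iteration. The diffstat shows only EventHandler.cpp changed, so a regression test covering the TouchReleased/TouchCancelled path would be a good addition to this change.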