summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorBen Murdoch <benm@google.com>2010-05-06 15:49:14 +0100
committerBen Murdoch <benm@google.com>2010-05-06 15:54:34 +0100
commit7f034a1734d634dd1fdb3b64817d5828b5e46922 (patch)
tree4cc1831e32d1da542cbc63fbf327c37844e28528
parentda713c0266664dc15b021e99cca31cadc5bd2bdc (diff)
downloadexternal_webkit-7f034a1734d634dd1fdb3b64817d5828b5e46922.zip
external_webkit-7f034a1734d634dd1fdb3b64817d5828b5e46922.tar.gz
external_webkit-7f034a1734d634dd1fdb3b64817d5828b5e46922.tar.bz2
Fix a ref counting bug in touch event handling. The RefPtr returned from m_originatingTouchPointTargets.take() was only in scope
for the duration of the else block but we saved the raw pointer it wrapped. When the else block ended, the RefPtr destroyed itself, also deleting it's enclosed pointer if it held the final ref. But we had a saved copy of this raw pointer and then went on to use it later. Fix bug 2543728. Change-Id: I90e17693e15bff0969f103b5947d004837189c44
-rw-r--r--WebCore/page/EventHandler.cpp10
1 files changed, 5 insertions, 5 deletions
diff --git a/WebCore/page/EventHandler.cpp b/WebCore/page/EventHandler.cpp
index 5904934..2e07b6a 100644
--- a/WebCore/page/EventHandler.cpp
+++ b/WebCore/page/EventHandler.cpp
@@ -2602,21 +2602,21 @@ bool EventHandler::handleTouchEvent(const PlatformTouchEvent& event)
// Increment the platform touch id by 1 to avoid storing a key of 0 in the hashmap.
unsigned touchPointTargetKey = point.id() + 1;
- EventTarget* touchTarget = 0;
+ RefPtr<EventTarget> touchTarget;
if (point.state() == PlatformTouchPoint::TouchPressed) {
m_originatingTouchPointTargets.set(touchPointTargetKey, target);
touchTarget = target;
} else if (point.state() == PlatformTouchPoint::TouchReleased || point.state() == PlatformTouchPoint::TouchCancelled) {
// The target should be the original target for this touch, so get it from the hashmap. As it's a release or cancel
// we also remove it from the map.
- touchTarget = m_originatingTouchPointTargets.take(touchPointTargetKey).get();
+ touchTarget = m_originatingTouchPointTargets.take(touchPointTargetKey);
} else
- touchTarget = m_originatingTouchPointTargets.get(touchPointTargetKey).get();
+ touchTarget = m_originatingTouchPointTargets.get(touchPointTargetKey);
- if (!touchTarget)
+ if (!touchTarget.get())
continue;
- RefPtr<Touch> touch = Touch::create(doc->frame(), touchTarget, point.id(),
+ RefPtr<Touch> touch = Touch::create(doc->frame(), touchTarget.get(), point.id(),
point.screenPos().x(), point.screenPos().y(),
adjustedPageX, adjustedPageY);