diff options
| author | Cary Clark <cary@android.com> | 2010-08-31 09:20:16 -0400 |
|---|---|---|
| committer | Cary Clark <cary@android.com> | 2010-08-31 09:28:43 -0400 |
| commit | ec079933211eb47479b2624cb6be72257d178c01 (patch) | |
| tree | 81193c99368f40090836f6408456d64e027982a3 /WebKit | |
| parent | 7fbc2518b3a834153730d32761429507c03e7a22 (diff) | |
| download | external_webkit-ec079933211eb47479b2624cb6be72257d178c01.zip external_webkit-ec079933211eb47479b2624cb6be72257d178c01.tar.gz external_webkit-ec079933211eb47479b2624cb6be72257d178c01.tar.bz2 | |
fix monkey crash in nav cache
WebView::motionUp() got the latest nav cache, extracted
some nodes from it with findAt(), then called setNavBounds()
which got a newer cache. The older cache node was sent
to CachedRoot::setCursor() which crashed trying to use
the state pointer.
The flaw was that, although motionUp requests the newest
cache up front, and then setNavBounds() requests the stale
cache, in rare circumstances it can receive a newer cache
as well.
The fix is to replace the setNavBounds() function with a
direct call on the valid cache.
Change-Id: If23ee9222f2b701d916911f4b667185f1c3d3d18
http://b/2316138
Diffstat (limited to 'WebKit')
| -rw-r--r-- | WebKit/android/nav/WebView.cpp | 24 |
1 files changed, 4 insertions, 20 deletions
diff --git a/WebKit/android/nav/WebView.cpp b/WebKit/android/nav/WebView.cpp index e12dc52..c034e4e 100644 --- a/WebKit/android/nav/WebView.cpp +++ b/WebKit/android/nav/WebView.cpp @@ -825,23 +825,6 @@ void selectBestAt(const WebCore::IntRect& rect) sendMoveMouseIfLatest(false); } -WebCore::IntRect getNavBounds() -{ - CachedRoot* root = getFrameCache(DontAllowNewer); - return root ? root->rootHistory()->navBounds() : - WebCore::IntRect(0, 0, 0, 0); -} - -void setNavBounds(const WebCore::IntRect& rect) -{ - CachedRoot* root = getFrameCache(DontAllowNewer); - if (!root) - return; - root->rootHistory()->setNavBounds(rect); -} - - - const CachedNode* m_cacheHitNode; const CachedFrame* m_cacheHitFrame; @@ -865,9 +848,10 @@ bool motionUp(int x, int y, int slop) return 0; const CachedFrame* frame = 0; const CachedNode* result = findAt(root, rect, &frame, &rx, &ry); + CachedHistory* history = root->rootHistory(); if (!result) { DBG_NAV_LOGD("no nodes found root=%p", root); - setNavBounds(rect); + history->setNavBounds(rect); m_viewImpl->m_hasCursorBounds = false; root->hideCursor(); int dx = root->checkForCenter(x, y); @@ -885,8 +869,8 @@ bool motionUp(int x, int y, int slop) // No need to call unadjustBounds below. rx and ry are already adjusted to // the absolute position of the node. WebCore::IntRect navBounds = WebCore::IntRect(rx, ry, 1, 1); - setNavBounds(navBounds); - root->rootHistory()->setMouseBounds(navBounds); + history->setNavBounds(navBounds); + history->setMouseBounds(navBounds); m_viewImpl->updateCursorBounds(root, frame, result); root->setCursor(const_cast<CachedFrame*>(frame), const_cast<CachedNode*>(result)); |