From 7f034a1734d634dd1fdb3b64817d5828b5e46922 Mon Sep 17 00:00:00 2001
From: Ben Murdoch
Date: Thu, 6 May 2010 15:49:14 +0100
Subject: Fix a ref counting bug in touch event handling. The RefPtr returned from m_originatingTouchPointTargets.take() was only in scope for the duration of the else block but we saved the raw pointer it wrapped. When the else block ended, the RefPtr destroyed itself, also deleting it's enclosed pointer if it held the final ref. But we had a saved copy of this raw pointer and then went on to use it later. Fix bug 2543728.
Change-Id: I90e17693e15bff0969f103b5947d004837189c44
---
 WebCore/page/EventHandler.cpp | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)
(limited to 'WebCore/page/EventHandler.cpp')
diff --git a/WebCore/page/EventHandler.cpp b/WebCore/page/EventHandler.cpp
index 5904934..2e07b6a 100644
--- a/WebCore/page/EventHandler.cpp
+++ b/WebCore/page/EventHandler.cpp
@@ -2602,21 +2602,21 @@ bool EventHandler::handleTouchEvent(const PlatformTouchEvent& event)
 // Increment the platform touch id by 1 to avoid storing a key of 0 in the hashmap.
 unsigned touchPointTargetKey = point.id() + 1;
- EventTarget* touchTarget = 0;
+ RefPtr touchTarget;
 if (point.state() == PlatformTouchPoint::TouchPressed) {
 m_originatingTouchPointTargets.set(touchPointTargetKey, target);
 touchTarget = target;
 } else if (point.state() == PlatformTouchPoint::TouchReleased || point.state() == PlatformTouchPoint::TouchCancelled) {
 // The target should be the original target for this touch, so get it from the hashmap. As it's a release or cancel
 // we also remove it from the map.
- touchTarget = m_originatingTouchPointTargets.take(touchPointTargetKey).get();
+ touchTarget = m_originatingTouchPointTargets.take(touchPointTargetKey);
 } else
- touchTarget = m_originatingTouchPointTargets.get(touchPointTargetKey).get();
+ touchTarget = m_originatingTouchPointTargets.get(touchPointTargetKey);
- if (!touchTarget)
+ if (!touchTarget.get())
 continue;
- RefPtr touch = Touch::create(doc->frame(), touchTarget, point.id(),
+ RefPtr touch = Touch::create(doc->frame(), touchTarget.get(), point.id(),
 point.screenPos().x(), point.screenPos().y(), adjustedPageX, adjustedPageY);
-- cgit v1.1
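Review bot: The `touchTarget.get()` passed to `Touch::create(...)` hands out a raw pointer again, so the target stays alive beyond the scope of the local `touchTarget` only if `Touch` takes its own reference, which this hunk does not show. In the release/cancel branch `take()` has already removed the map's reference, so the local may be holding the last one; it is worth confirming that `Touch` retains the target before relying on this fix. I would also add a comment on the declaration so it is not turned back into a raw pointer later, e.g. `// Must own a ref: take() drops the map's ref, so a raw pointer here can dangle.` As a style point, `if (!touchTarget.get())` could stay `if (!touchTarget)`, assuming RefPtr's boolean operators are available in this tree. handleTouchEvent's body starts and ends outside the hunk.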