Reviewed by Darin.

        Fix http://bugzilla.opendarwin.org/show_bug.cgi?id=8272
        Use of window.open & window.close can cause crash

        * platform/PlatformMouseEvent.h:
        (WebCore::PlatformMouseEvent::PlatformMouseEvent):
        * platform/mac/PlatformMouseEventMac.mm:
        (WebCore::PlatformMouseEvent::PlatformMouseEvent):
        The default constructor now creates a "zero" event, and a new one was added to create the "current" one.

        * bridge/mac/FrameMac.mm:
        (WebCore::FrameMac::handleMouseMoveEvent):
        * rendering/RenderFormElement.cpp:
        (WebCore::RenderFormElement::clicked): 
        Updated for the above changes.

        * platform/gdk/MouseEventGdk.cpp:
        * platform/gdk/TemporaryLinkStubs.cpp:
        (PlatformMouseEvent::PlatformMouseEvent):
        * platform/win/MouseEventWin.cpp:
        * platform/win/TemporaryLinkStubs.cpp:
        (PlatformMouseEvent::PlatformMouseEvent):
        Trying not to break other platforms.

        * manual-tests/invalid-mouse-event.html: Added.


git-svn-id: http://svn.webkit.org/repository/webkit/trunk@15544 268f45cc-cd09-0410-ab3c-d52691b4dbfc
diff --git a/WebCore/ChangeLog b/WebCore/ChangeLog
index c22b1dc..6a0dac7 100644
--- a/WebCore/ChangeLog
+++ b/WebCore/ChangeLog
@@ -1,3 +1,32 @@
+2006-07-19  Alexey Proskuryakov  <ap@nypop.com>
+
+        Reviewed by Darin.
+
+        Fix http://bugzilla.opendarwin.org/show_bug.cgi?id=8272
+        Use of window.open & window.close can cause crash
+
+        * platform/PlatformMouseEvent.h:
+        (WebCore::PlatformMouseEvent::PlatformMouseEvent):
+        * platform/mac/PlatformMouseEventMac.mm:
+        (WebCore::PlatformMouseEvent::PlatformMouseEvent):
+        The default constructor now creates a "zero" event, and a new one was added to create the "current" one.
+
+        * bridge/mac/FrameMac.mm:
+        (WebCore::FrameMac::handleMouseMoveEvent):
+        * rendering/RenderFormElement.cpp:
+        (WebCore::RenderFormElement::clicked): 
+        Updated for the above changes.
+
+        * platform/gdk/MouseEventGdk.cpp:
+        * platform/gdk/TemporaryLinkStubs.cpp:
+        (PlatformMouseEvent::PlatformMouseEvent):
+        * platform/win/MouseEventWin.cpp:
+        * platform/win/TemporaryLinkStubs.cpp:
+        (PlatformMouseEvent::PlatformMouseEvent):
+        Trying not to break other platforms.
+
+        * manual-tests/invalid-mouse-event.html: Added.
+
 2006-07-20  Maciej Stachowiak  <mjs@apple.com>
         
         Reviewed by Anders.
diff --git a/WebCore/bridge/mac/FrameMac.mm b/WebCore/bridge/mac/FrameMac.mm
index a587b93..82ed4b2 100644
--- a/WebCore/bridge/mac/FrameMac.mm
+++ b/WebCore/bridge/mac/FrameMac.mm
@@ -1733,7 +1733,7 @@
                     BOOL startedDrag = [_bridge startDraggingImage:dragImage at:dragLoc operation:srcOp event:_currentEvent sourceIsDHTML:_dragSrcIsDHTML DHTMLWroteData:wcWrotePasteboard];
                     if (!startedDrag && _dragSrcMayBeDHTML) {
                         // WebKit canned the drag at the last minute - we owe _dragSrc a DRAGEND event
-                        PlatformMouseEvent event;
+                        PlatformMouseEvent event(PlatformMouseEvent::currentEvent);
                         dispatchDragSrcEvent(dragendEvent, event);
                         _mouseDownMayStartDrag = false;
                     }
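Review bot: The DRAGEND event on the changed line is now built from whatever `[NSApp currentEvent]` reports at this point, while the drag that is being ended was started from `_currentEvent` two lines above; if those can differ here, DRAGEND is dispatched with a different position or modifier state than the drag it closes. If PlatformMouseEventMac.mm offers an NSEvent*-taking constructor (not visible in this diff), constructing from `_currentEvent` would tie the two together; otherwise a short comment such as `// _currentEvent is NSApp's current event at this point, so the tag form is equivalent` would record why the tag form is safe. The enclosing function starts and ends outside the hunk.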
diff --git a/WebCore/manual-tests/invalid-mouse-event.html b/WebCore/manual-tests/invalid-mouse-event.html
new file mode 100644
index 0000000..44b3b9d
--- /dev/null
+++ b/WebCore/manual-tests/invalid-mouse-event.html
@@ -0,0 +1,23 @@
+<p>Test for <a href="http://bugzilla.opendarwin.org/show_bug.cgi?id=8272">bug 8272</a>:
+Use of window.open & window.close can cause crash.</p>
+<ol>
+  <li>(Get a dual processor Mac.)</li>
+  <li>Disable popup blocking in Safari.</li>
+  <li>Click the Start button.</li>
+  <li>As the test runs, move the mouse around.</li>
+  <li>If Safari doesn't crash in a while, interrupt the test by pressing Cmd+W.</li>
+</ol>
+
+<button onclick="window.open('invalid-mouse-event.html?2', '', '');">Start</button>
+
+<script>
+
+if (location.search) {
+  if (location.search == "?1") {
+    window.opener.location = window.opener.location;
+    window.close();
+  } else {
+    window.open('invalid-mouse-event.html?1', '', '');
+  }
+}
+</script>
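Review bot: On the `?1` page, `window.opener` is null if the opener was already closed or the popup was blocked, so `window.opener.location = window.opener.location;` throws and the cycle stops with no visible indication, which the tester would read as "did not crash". Guarding the branch with `if (window.opener)` and otherwise writing a short message into the page (`document.body.appendChild(document.createTextNode('opener gone - test stopped'))` or similar) separates "test ran out" from "test broke". Since the expected outcome is a crash, the page could also show an iteration counter so the tester knows the loop is still cycling.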
diff --git a/WebCore/platform/PlatformMouseEvent.h b/WebCore/platform/PlatformMouseEvent.h
index a51e22a..13be8d1 100644
--- a/WebCore/platform/PlatformMouseEvent.h
+++ b/WebCore/platform/PlatformMouseEvent.h
@@ -53,7 +53,20 @@
 
     class PlatformMouseEvent {
     public:
-        PlatformMouseEvent(); // "current event"
+        static const struct CurrentEventTag {} currentEvent;
+    
+        PlatformMouseEvent()
+            : m_button(LeftButton)
+            , m_clickCount(0)
+            , m_shiftKey(false)
+            , m_ctrlKey(false)
+            , m_altKey(false)
+            , m_metaKey(false)
+        {
+        }
+
+        PlatformMouseEvent(const CurrentEventTag&);
+
         PlatformMouseEvent(const IntPoint& pos, const IntPoint& globalPos, MouseButton button,
                            int clickCount, bool shift, bool ctrl, bool alt, bool meta)
             : m_position(pos), m_globalPosition(globalPos), m_button(button)
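Review bot: Neither constructor carries a comment now that the `// "current event"` note on the removed line is gone, and this header is where callers choose between them. Suggest `// Event with no position, left button, zero clicks, no modifiers.` above the default constructor and `// Snapshot of the platform's current input event; each port defines this (see PlatformMouseEventMac.mm).` above the tag overload. The default constructor also leaves m_position and m_globalPosition to their own default construction, which is presumably IntPoint's zero point; worth confirming and stating in the comment so that "zero event" means what it says. The class body continues outside the hunk.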
diff --git a/WebCore/platform/gdk/MouseEventGdk.cpp b/WebCore/platform/gdk/MouseEventGdk.cpp
index 93ee934..6fde2217 100644
--- a/WebCore/platform/gdk/MouseEventGdk.cpp
+++ b/WebCore/platform/gdk/MouseEventGdk.cpp
@@ -32,6 +32,8 @@
 
 namespace WebCore {
 
+const PlatformMouseEvent::CurrentEventTag PlatformMouseEvent::currentEvent = {};
+
 // FIXME: Would be even better to figure out which modifier is Alt instead of always using GDK_MOD1_MASK.
 
 PlatformMouseEvent::PlatformMouseEvent(GdkEvent* event)
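Review bot: `PlatformMouseEvent::currentEvent` is defined separately here, in the PlatformMouseEventMac.mm hunk and in the MouseEventWin.cpp hunk; the tag object carries no platform state, so a single definition in a shared platform source (if the tree has one) would avoid an undefined-symbol link error on any port that does not add its own copy. If per-port definition is deliberate, a comment above the definition, `// Tag object selecting the "current event" constructor; every port must define exactly one copy.`, would make that expectation visible to the next port author.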
diff --git a/WebCore/platform/gdk/TemporaryLinkStubs.cpp b/WebCore/platform/gdk/TemporaryLinkStubs.cpp
index dfb546d..ffac985 100644
--- a/WebCore/platform/gdk/TemporaryLinkStubs.cpp
+++ b/WebCore/platform/gdk/TemporaryLinkStubs.cpp
@@ -157,7 +157,7 @@
 
 Cursor::Cursor(Image*) { notImplemented(); }
 
-PlatformMouseEvent::PlatformMouseEvent() { notImplemented(); }
+PlatformMouseEvent::PlatformMouseEvent(const CurrentEventTag&) { notImplemented(); }
 String WebCore::searchableIndexIntroduction() { notImplemented(); return String(); }
 
 int WebCore::findNextSentenceFromIndex(UChar const*, int, int, bool) { notImplemented(); return 0; }
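Review bot: The stubbed tag constructor, here and in the win/TemporaryLinkStubs.cpp hunk, has no mem-initializer list, so m_button, m_clickCount and the four modifier flags are left indeterminate on the stubbed ports, whereas the Mac overload initializes them and the header's new default constructor zeroes them. Unless the stub is meant to be unreachable, initializing as the Mac constructor does keeps the invariant: `PlatformMouseEvent::PlatformMouseEvent(const CurrentEventTag&) : m_button(LeftButton), m_clickCount(0), m_shiftKey(false), m_ctrlKey(false), m_altKey(false), m_metaKey(false) { notImplemented(); }`.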
diff --git a/WebCore/platform/mac/PlatformMouseEventMac.mm b/WebCore/platform/mac/PlatformMouseEventMac.mm
index 39be2f3..aebc5b1 100644
--- a/WebCore/platform/mac/PlatformMouseEventMac.mm
+++ b/WebCore/platform/mac/PlatformMouseEventMac.mm
@@ -29,6 +29,8 @@
 
 namespace WebCore {
 
+const PlatformMouseEvent::CurrentEventTag PlatformMouseEvent::currentEvent = {};
+
 static MouseButton mouseButtonForEvent(NSEvent *event)
 {
     switch ([event type]) {
@@ -123,7 +125,7 @@
 {
 }
 
-PlatformMouseEvent::PlatformMouseEvent()
+PlatformMouseEvent::PlatformMouseEvent(const CurrentEventTag&)
     : m_button(LeftButton), m_clickCount(0), m_shiftKey(false), m_ctrlKey(false), m_altKey(false), m_metaKey(false)
 {
     NSEvent* event = [NSApp currentEvent];
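Review bot: The initializer list on the tag constructor repeats the six member defaults the header's new default constructor sets, so a flag added to one list can be silently missed in the other; a comment above it, `// Keep in sync with the default constructor in PlatformMouseEvent.h`, would at least make the coupling visible. The body then reads `[NSApp currentEvent]`, which can be nil or a non-mouse event; the lines that handle that are outside the hunk, so I cannot tell from here whether the event type is checked before its position and button are read. The constructor body continues past the hunk.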
diff --git a/WebCore/platform/win/MouseEventWin.cpp b/WebCore/platform/win/MouseEventWin.cpp
index b1c1ad9..e8233ba 100644
--- a/WebCore/platform/win/MouseEventWin.cpp
+++ b/WebCore/platform/win/MouseEventWin.cpp
@@ -29,6 +29,8 @@
 
 namespace WebCore {
 
+const PlatformMouseEvent::CurrentEventTag PlatformMouseEvent::currentEvent = {};
+
 #define HIGH_BIT_MASK_SHORT 0x8000
 
 static IntPoint positionForEvent(HWND hWnd, LPARAM lParam)
diff --git a/WebCore/platform/win/TemporaryLinkStubs.cpp b/WebCore/platform/win/TemporaryLinkStubs.cpp
index 1c114f6..8f29101 100644
--- a/WebCore/platform/win/TemporaryLinkStubs.cpp
+++ b/WebCore/platform/win/TemporaryLinkStubs.cpp
@@ -155,7 +155,7 @@
 
 Cursor::Cursor(Image*) { notImplemented(); }
 
-PlatformMouseEvent::PlatformMouseEvent() { notImplemented(); }
+PlatformMouseEvent::PlatformMouseEvent(const CurrentEventTag&) { notImplemented(); }
 String WebCore::searchableIndexIntroduction() { notImplemented(); return String(); }
 
 int WebCore::findNextSentenceFromIndex(UChar const*,int,int,bool) { notImplemented(); return 0; }
diff --git a/WebCore/rendering/RenderFormElement.cpp b/WebCore/rendering/RenderFormElement.cpp
index 6d8e2b0..a5c0bf5 100644
--- a/WebCore/rendering/RenderFormElement.cpp
+++ b/WebCore/rendering/RenderFormElement.cpp
@@ -84,7 +84,7 @@
 void RenderFormElement::clicked(Widget*)
 {
     RenderArena* arena = ref();
-    PlatformMouseEvent event; // gets "current event"
+    PlatformMouseEvent event(PlatformMouseEvent::currentEvent);
     if (node())
         static_cast<EventTargetNode*>(node())->dispatchMouseEvent(event, clickEvent, event.clickCount());
     deref(arena);