diff options
| author | ananta@chromium.org <ananta@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2008-10-28 21:54:08 +0000 |
|---|---|---|
| committer | ananta@chromium.org <ananta@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2008-10-28 21:54:08 +0000 |
| commit | 241639dd034255478926cf4e7dea7447717220cc (patch) | |
| tree | f195e9e508fb13861020865fff013b4d93c3dd52 /webkit/glue/webplugin_impl.cc | |
| parent | 8907d0469ed010147265c95017102d1d976565f3 (diff) | |
| download | chromium_src-241639dd034255478926cf4e7dea7447717220cc.zip chromium_src-241639dd034255478926cf4e7dea7447717220cc.tar.gz chromium_src-241639dd034255478926cf4e7dea7447717220cc.tar.bz2 | |
Proposed fix for http://b/issue?id=1362948, which is a crash in the rendererwhen we invoke the setCursor call on the parent view in WebPluginImpl::handleEvent.
This crash occurs because the plugin is deleted in the context of a mouse down event. This could occur by invoking a javascript function via NPN_Evaluate. On return from the HandleEvent sync call we attempt to retreive the parent frame, which
returns NULL and hence the crash.
The fix is to retreive the parent frameview at the start of the WebPluginImpl::handleMouseEvent function and use it whereever needed.
Added a unit test which deletes the plugin instance in a mousemove event.R=jamBug=1362948
Review URL: http://codereview.chromium.org/8178
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@4094 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'webkit/glue/webplugin_impl.cc')
| -rw-r--r-- | webkit/glue/webplugin_impl.cc | 10 |
1 files changed, 7 insertions, 3 deletions
diff --git a/webkit/glue/webplugin_impl.cc b/webkit/glue/webplugin_impl.cc index 496de7f..36d7fc6 100644 --- a/webkit/glue/webplugin_impl.cc +++ b/webkit/glue/webplugin_impl.cc @@ -786,9 +786,13 @@ void WebPluginImpl::handleEvent(WebCore::Event* event) { void WebPluginImpl::handleMouseEvent(WebCore::MouseEvent* event) { #if defined(OS_WIN) DCHECK(parent()->isFrameView()); + // We cache the parent FrameView here as the plugin widget could be deleted + // in the call to HandleEvent. See http://b/issue?id=1362948 + WebCore::FrameView* parent_view = static_cast<WebCore::FrameView*>(parent()); + WebCore::IntPoint p = - static_cast<WebCore::FrameView*>(parent())->contentsToWindow( - WebCore::IntPoint(event->pageX(), event->pageY())); + parent_view->contentsToWindow(WebCore::IntPoint(event->pageX(), + event->pageY())); NPEvent np_event; np_event.lParam = static_cast<uint32>(MAKELPARAM(p.x(), p.y())); np_event.wParam = 0; @@ -867,7 +871,7 @@ void WebPluginImpl::handleMouseEvent(WebCore::MouseEvent* event) { // A windowless plugin can change the cursor in response to the WM_MOUSEMOVE // event. We need to reflect the changed cursor in the frame view as the // the mouse is moved in the boundaries of the windowless plugin. - parent()->setCursor(WebCore::PlatformCursor(current_web_cursor)); + parent_view->setCursor(WebCore::PlatformCursor(current_web_cursor)); #else NOTIMPLEMENTED(); #endif |