Issue 645208 link

Starred by 1 user

Issue metadata

Status:	Fixed
Owner:	wjmaclean@chromium.org
Closed:	Sep 2016
Cc:	kenrb@chromium.org creis@chromium.org
EstimatedDays:	----
NextAction:	----
OS:	----
Pri:	1
Type:	Bug

Sending blink::WebGestureEvent() to SendGestureScrollEvent() crashes in debug builds.

Project Member Reported by wjmaclean@chromium.org, Sep 8 2016

Issue description

Version: Tip of Tree
OS: all

What steps will reproduce the problem?
(1) start chrome with --site-per-process
(2) navigate to a page that contains a cross-site subframe
(3) touch scroll the subframe to its extent, and then a bit more (to cause scrolls to bubble to parent frame)
(4) tap anywhere in the parent frame

What is the expected output?

Nothing unusual should happen.

What do you see instead?

The browser crashes on a DCHECK in RenderWidgetHostInputEventRouter::SendGestureScrollEnd()

Please use labels and text to provide additional information.

This happens due to a DCHECK in the function that expects the event passed to the function to have a specific type. Instead the event has undefined type, and the browser crashes.

Fixing this now since it makes development in debug builds (or DCHECK enabled release builds) difficult.

Project Member

Comment 1 by bugdroid1@chromium.org, Sep 9 2016

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/1e99661f52c63318493bb12f05701405da3b42ea

commit 1e99661f52c63318493bb12f05701405da3b42ea
Author: wjmaclean <wjmaclean@chromium.org>
Date: Fri Sep 09 12:37:11 2016

Dummy WebGestureEvent() sent to SendGestureScrollEvent() needs proper type.

At present, debug builds of Chrome can crash if your touch scrolling in
a cross-site iframe with --site-per-process enabled, and then you tap
in the parent frame. This happens when a 'dummy' WebGestureEvent is sent
to RenderWidgetHostInputEventRouter::SendGestureScrollEvent() without
defining its type. Since the function DCHECKs the type of the input
event, this causes a crash. This CL makes sure the event has an
appropriate type.

BUG= 645208 

Review-Url: https://codereview.chromium.org/2323093002
Cr-Commit-Position: refs/heads/master@{#417566}

[modify] https://crrev.com/1e99661f52c63318493bb12f05701405da3b42ea/content/browser/renderer_host/render_widget_host_input_event_router.cc

Comment 2 by wjmaclean@chromium.org, Sep 15 2016

Status: Fixed (was: Assigned)

►

Issue 645208 link

Issue metadata

Sending blink::WebGestureEvent() to SendGestureScrollEvent() crashes in debug builds.

Issue description

Comment 1 by bugdroid1@chromium.org, Sep 9 2016

Comment 1 Deleted

Comment 2 by wjmaclean@chromium.org, Sep 15 2016

Comment 2 Deleted

Sign in to add a comment