Reviewers: scheib
CL:
https://codereview.chromium.org/2846993002/Message:
scheib@ PTAL, thanks!
Description:
[PointerLock] Add null check before dispatching click event
BUG=706802
Affected files (+25, -0 lines):
A third_party/WebKit/LayoutTests/external/wpt/pointerevents/pointerlock/pointerlock-remove-element-crash-manual.html
A third_party/WebKit/LayoutTests/external/wpt_automation/pointerevents/pointerlock/pointerlock-remove-element-crash-manual-automation.js
M third_party/WebKit/Source/core/page/PointerLockController.cpp
Index: third_party/WebKit/LayoutTests/external/wpt/pointerevents/pointerlock/pointerlock-remove-element-crash-manual.html
diff --git a/third_party/WebKit/LayoutTests/external/wpt/pointerevents/pointerlock/pointerlock-remove-element-crash-manual.html b/third_party/WebKit/LayoutTests/external/wpt/pointerevents/pointerlock/pointerlock-remove-element-crash-manual.html
new file mode 100644
index 0000000000000000000000000000000000000000..e51faadf7cde3fea61743bbcef950f035820a9ea
--- /dev/null
+++ b/third_party/WebKit/LayoutTests/external/wpt/pointerevents/pointerlock/pointerlock-remove-element-crash-manual.html
@@ -0,0 +1,16 @@
+<!doctype html>
+<title>Removing pointerLockElement on mouseup shouldn't crash</title>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<script>
+setup({explicit_timeout: true});
+document.addEventListener('mousedown', function() {
+ document.getElementById('lock').requestPointerLock();
+ document.addEventListener('mouseup', function() {
+ document.getElementById('lock').remove();
+ done();
+ });
+});
+</script>
+<p>Click anywhere to run the test. If a "PASS" result appears the test passes, otherwise it fails</p>
+<div id="lock"></div>
Index: third_party/WebKit/LayoutTests/external/wpt_automation/pointerevents/pointerlock/pointerlock-remove-element-crash-manual-automation.js
diff --git a/third_party/WebKit/LayoutTests/external/wpt_automation/pointerevents/pointerlock/pointerlock-remove-element-crash-manual-automation.js b/third_party/WebKit/LayoutTests/external/wpt_automation/pointerevents/pointerlock/pointerlock-remove-element-crash-manual-automation.js
new file mode 100644
index 0000000000000000000000000000000000000000..e95f4f37047182805ffd465048f6589d7330ddbc
--- /dev/null
+++ b/third_party/WebKit/LayoutTests/external/wpt_automation/pointerevents/pointerlock/pointerlock-remove-element-crash-manual-automation.js
@@ -0,0 +1,5 @@
+importAutomationScript('/pointerevents/pointerevent_common_input.js');
+
+function inject_input() {
+ return mouseClickInTarget('#lock');
+}
Index: third_party/WebKit/Source/core/page/PointerLockController.cpp
diff --git a/third_party/WebKit/Source/core/page/PointerLockController.cpp b/third_party/WebKit/Source/core/page/PointerLockController.cpp
index 6c00982d5fa06abe5040104b4f7495a1f8a4a626..f9aa43bb099a1c7c5ab1b8665362ec992695742c 100644
--- a/third_party/WebKit/Source/core/page/PointerLockController.cpp
+++ b/third_party/WebKit/Source/core/page/PointerLockController.cpp
@@ -140,6 +140,10 @@ void PointerLockController::DispatchLockedMouseEvent(
element_->DispatchMouseEvent(event, event_type, event.click_count);
+ // Event handlers may remove element.
+ if (!element_)
+ return;
+
// Create click events
if (event_type == EventTypeNames::mouseup) {
element_->DispatchMouseEvent(event, EventTypeNames::click,