Bug 1856716 - Ensure that we hold a strong reference to the APZ event state. r=hiro

- Ensure that we hold a strong reference to the APZ event state before
   calling ProcessSingleTap, as ProcessSingleTap fires events.
 - Mark ProcessSingleTap as MOZ_CAN_RUN_SCRIPT since it can fire events.

Differential Revision: https://phabricator.services.mozilla.com/D190228

Author: dlrobertson

dom/ipc/BrowserChild.cpp

@@ -1341,17 +1341,19 @@ mozilla::ipc::IPCResult BrowserChild::RecvHandleTap(
   switch (aType) {
     case GeckoContentController::TapType::eSingleTap:
       if (mBrowserChildMessageManager) {
-        mAPZEventState->ProcessSingleTap(point, scale, aModifiers, 1,
-                                         aInputBlockId);
+        RefPtr<APZEventState> eventState(mAPZEventState);
+        eventState->ProcessSingleTap(point, scale, aModifiers, 1,
+                                     aInputBlockId);
       }
       break;
     case GeckoContentController::TapType::eDoubleTap:
       HandleDoubleTap(point, aModifiers, aGuid);
       break;
     case GeckoContentController::TapType::eSecondTap:
       if (mBrowserChildMessageManager) {
-        mAPZEventState->ProcessSingleTap(point, scale, aModifiers, 2,
-                                         aInputBlockId);
+        RefPtr<APZEventState> eventState(mAPZEventState);
+        eventState->ProcessSingleTap(point, scale, aModifiers, 2,
+                                     aInputBlockId);
       }
       break;
     case GeckoContentController::TapType::eLongTap:

gfx/layers/apz/util/APZEventState.h

@@ -57,6 +57,7 @@ class APZEventState final {
 
   NS_INLINE_DECL_REFCOUNTING(APZEventState);
 
+  MOZ_CAN_RUN_SCRIPT
   void ProcessSingleTap(const CSSPoint& aPoint,
                         const CSSToLayoutDeviceScale& aScale,
                         Modifiers aModifiers, int32_t aClickCount,

gfx/layers/apz/util/ChromeProcessController.cpp

@@ -193,17 +193,19 @@ void ChromeProcessController::HandleTap(
   InputAPZContext context(aGuid, aInputBlockId, nsEventStatus_eSentinel);
 
   switch (aType) {
-    case TapType::eSingleTap:
-      mAPZEventState->ProcessSingleTap(point, scale, aModifiers, 1,
-                                       aInputBlockId);
+    case TapType::eSingleTap: {
+      RefPtr<APZEventState> eventState(mAPZEventState);
+      eventState->ProcessSingleTap(point, scale, aModifiers, 1, aInputBlockId);
       break;
+    }
     case TapType::eDoubleTap:
       HandleDoubleTap(point, aModifiers, aGuid);
       break;
-    case TapType::eSecondTap:
-      mAPZEventState->ProcessSingleTap(point, scale, aModifiers, 2,
-                                       aInputBlockId);
+    case TapType::eSecondTap: {
+      RefPtr<APZEventState> eventState(mAPZEventState);
+      eventState->ProcessSingleTap(point, scale, aModifiers, 2, aInputBlockId);
       break;
+    }
     case TapType::eLongTap: {
       RefPtr<APZEventState> eventState(mAPZEventState);
       eventState->ProcessLongTap(presShell, point, scale, aModifiers,