Title: [273752] trunk/Source/WebCore
- Revision
- 273752
- Author
- [email protected]
- Date
- 2021-03-02 12:08:20 -0800 (Tue, 02 Mar 2021)
Log Message
Crash under KeyframeEffect::setTarget()
https://bugs.webkit.org/show_bug.cgi?id=222591
<rdar://problem/74281295>
Reviewed by David Kilzer.
The Styleable returned by targetStyleable() holds a reference to the Element that at
this point is m_target (assuming it's non-null). However, once we set the new value
for m_target, if the only reference to the original target was held by this KeyframeEffect,
then that element will be deallocated and by the time we call didChangeTargetStyleable()
it will be gone.
To address, we create a RefPtr<Element> in the scope of KeyframeEffect::setTarget()
protecting the Styleable's element while didChangeTargetStyleable() is called.
* animation/KeyframeEffect.cpp:
(WebCore::KeyframeEffect::setTarget):
Diff
Modified: trunk/Source/WebCore/ChangeLog (273751 => 273752)
--- trunk/Source/WebCore/ChangeLog 2021-03-02 20:03:12 UTC (rev 273751)
+++ trunk/Source/WebCore/ChangeLog 2021-03-02 20:08:20 UTC (rev 273752)
@@ -1,3 +1,23 @@
+2021-03-02 Antoine Quint <[email protected]>
+
+ Crash under KeyframeEffect::setTarget()
+ https://bugs.webkit.org/show_bug.cgi?id=222591
+ <rdar://problem/74281295>
+
+ Reviewed by David Kilzer.
+
+ The Styleable returned by targetStyleable() holds a reference to the Element that at
+ this point is m_target (assuming it's non-null). However, once we set the new value
+ for m_target, if the only reference to the original target was held by this KeyframeEffect,
+ then that element will be deallocated and by the time we call didChangeTargetStyleable()
+ it will be gone.
+
+ To address, we create a RefPtr<Element> in the scope of KeyframeEffect::setTarget()
+ protecting the Styleable's element while didChangeTargetStyleable() is called.
+
+ * animation/KeyframeEffect.cpp:
+ (WebCore::KeyframeEffect::setTarget):
+
2021-03-02 Lauro Moura <[email protected]>
Unreviewed. Fix -Wreturn-type warnings after r273550
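Review bot: The ChangeLog entry describes a use-after-free in KeyframeEffect::setTarget() but says nothing about tests, and this revision touches only Source/WebCore (ChangeLog and animation/KeyframeEffect.cpp). Either add a regression test that re-targets a KeyframeEffect whose previous target is referenced only by the effect, or state in the entry why no test is added, so the lifetime bug is not silently reintroduced.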
Modified: trunk/Source/WebCore/animation/KeyframeEffect.cpp (273751 => 273752)
--- trunk/Source/WebCore/animation/KeyframeEffect.cpp 2021-03-02 20:03:12 UTC (rev 273751)
+++ trunk/Source/WebCore/animation/KeyframeEffect.cpp 2021-03-02 20:08:20 UTC (rev 273752)
@@ -1162,6 +1162,9 @@
return;
auto& previousTargetStyleable = targetStyleable();
+ RefPtr<Element> protector;
+ if (previousTargetStyleable)
+ protector = makeRefPtr(previousTargetStyleable->element);
m_target = WTFMove(newTarget);
didChangeTargetStyleable(previousTargetStyleable);
}
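Review bot: The new `protector` RefPtr is assigned but never read afterwards, so its purpose is invisible in the code itself and a later cleanup could remove it as dead code; add a comment above it such as `// Keep the previous target alive until didChangeTargetStyleable() returns; m_target may hold its last reference.` to make the required ordering explicit (protector created before `m_target = WTFMove(newTarget);`, destroyed after `didChangeTargetStyleable(previousTargetStyleable);`). Also, `previousTargetStyleable` is an `auto&` obtained from targetStyleable() before m_target is reassigned: the protector keeps the referenced Element alive, but whether the Styleable object itself stays valid across the assignment depends on what targetStyleable() returns, which this hunk does not show and should be confirmed.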
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes