Title: [288986] branches/safari-613-branch
- Revision
- 288986
- Author
- [email protected]
- Date
- 2022-02-02 12:41:01 -0800 (Wed, 02 Feb 2022)
Log Message
Cherry-pick r288423. rdar://problem/87701738
m_lastStyleChangeEventStyle null ptr deref for accelerated CSS Animation with no duration and an implicit keyframe
https://bugs.webkit.org/show_bug.cgi?id=235394
<rdar://problem/87701738>
Reviewed by Antti Koivisto.
Source/WebCore:
Test: webanimations/accelerated-animation-without-duration-crash.html
In r287827, the fix for bug 235014, we stopped filling implicit keyframes for CSS Animations at creation
time such that the output of getKeyframes() would correctly account for the missing keyframes. This meant
that we have to fill in those implicit keyframes when running an accelerated animation before we pass it
on to GraphicsLayer.
We would always use the value stored by lastStyleChangeEventStyle() with an assert that this value was
never null. However, in the case of an animation that is not relevant, such as a CSS Animation with no
duration, we've never had a chance to set that style since Style::TreeResolver::createAnimatedElementUpdate()
would not see any "relevant" (a term defined by the Web Animations specification to specify an animation
that has an effect on its target) animations.
We now use the renderer's style as a fallback, which is guaranteed to be defined at this stage.
* animation/KeyframeEffect.cpp:
(WebCore::KeyframeEffect::applyPendingAcceleratedActions):
LayoutTests:
New test, created by Gabriel Nava Marino, that creates an accelerated animation with no
duration and with implicit keyframes that would crash prior to this patch.
* webanimations/accelerated-animation-without-duration-crash-expected.txt: Added.
* webanimations/accelerated-animation-without-duration-crash.html: Added.
git-svn-id: https://svn.webkit.org/repository/webkit/trunk@288423 268f45cc-cd09-0410-ab3c-d52691b4dbfc
Modified Paths
Added Paths
Diff
Modified: branches/safari-613-branch/LayoutTests/ChangeLog (288985 => 288986)
--- branches/safari-613-branch/LayoutTests/ChangeLog 2022-02-02 20:40:59 UTC (rev 288985)
+++ branches/safari-613-branch/LayoutTests/ChangeLog 2022-02-02 20:41:01 UTC (rev 288986)
@@ -1,3 +1,58 @@
+2022-02-02 Russell Epstein <[email protected]>
+
+ Cherry-pick r288423. rdar://problem/87701738
+
+ m_lastStyleChangeEventStyle null ptr deref for accelerated CSS Animation with no duration and an implicit keyframe
+ https://bugs.webkit.org/show_bug.cgi?id=235394
+ <rdar://problem/87701738>
+
+ Reviewed by Antti Koivisto.
+
+ Source/WebCore:
+
+ Test: webanimations/accelerated-animation-without-duration-crash.html
+
+ In r287827, the fix for bug 235014, we stopped filling implicit keyframes for CSS Animations at creation
+ time such that the output of getKeyframes() would correctly account for the missing keyframes. This meant
+ that we have to fill in those implicit keyframes when running an accelerated animation before we pass it
+ on to GraphicsLayer.
+
+ We would always use the value stored by lastStyleChangeEventStyle() with an assert that this value was
+ never null. However, in the case of an animation that is not relevant, such as a CSS Animation with no
+ duration, we've never had a chance to set that style since Style::TreeResolver::createAnimatedElementUpdate()
+ would not see any "relevant" (a term defined by the Web Animations specification to specify an animation
+ that has an effect on its target) animations.
+
+ We now use the renderer's style as a fallback, which is guaranteed to be defined at this stage.
+
+ * animation/KeyframeEffect.cpp:
+ (WebCore::KeyframeEffect::applyPendingAcceleratedActions):
+
+ LayoutTests:
+
+ New test, created by Gabriel Nava Marino, that creates an accelerated animation with no
+ duration and with implicit keyframes that would crash prior to this patch.
+
+ * webanimations/accelerated-animation-without-duration-crash-expected.txt: Added.
+ * webanimations/accelerated-animation-without-duration-crash.html: Added.
+
+
+ git-svn-id: https://svn.webkit.org/repository/webkit/trunk@288423 268f45cc-cd09-0410-ab3c-d52691b4dbfc
+
+ 2022-01-23 Antoine Quint <[email protected]>
+
+ m_lastStyleChangeEventStyle null ptr deref for accelerated CSS Animation with no duration and an implicit keyframe
+ https://bugs.webkit.org/show_bug.cgi?id=235394
+ <rdar://problem/87701738>
+
+ Reviewed by Antti Koivisto.
+
+ New test, created by Gabriel Nava Marino, that creates an accelerated animation with no
+ duration and with implicit keyframes that would crash prior to this patch.
+
+ * webanimations/accelerated-animation-without-duration-crash-expected.txt: Added.
+ * webanimations/accelerated-animation-without-duration-crash.html: Added.
+
2022-01-31 Russell Epstein <[email protected]>
Cherry-pick r288095. rdar://problem/88286876
Added: branches/safari-613-branch/LayoutTests/webanimations/accelerated-animation-without-duration-crash-expected.txt (0 => 288986)
--- branches/safari-613-branch/LayoutTests/webanimations/accelerated-animation-without-duration-crash-expected.txt (rev 0)
+++ branches/safari-613-branch/LayoutTests/webanimations/accelerated-animation-without-duration-crash-expected.txt 2022-02-02 20:41:01 UTC (rev 288986)
@@ -0,0 +1 @@
+PASS if this doesn't crash
Added: branches/safari-613-branch/LayoutTests/webanimations/accelerated-animation-without-duration-crash.html (0 => 288986)
--- branches/safari-613-branch/LayoutTests/webanimations/accelerated-animation-without-duration-crash.html (rev 0)
+++ branches/safari-613-branch/LayoutTests/webanimations/accelerated-animation-without-duration-crash.html 2022-02-02 20:41:01 UTC (rev 288986)
@@ -0,0 +1,21 @@
+<!DOCTYPE html>
+<style>
+
+html {
+ animation-name: anim;
+ rotate: 0 0 0 0deg;
+}
+
+@keyframes anim {
+ from { filter: invert() }
+}
+
+</style>
+
+<div>PASS if this doesn't crash</div>
+
+<script>
+
+window.testRunner?.dumpAsText();
+
+</script>
Modified: branches/safari-613-branch/Source/WebCore/ChangeLog (288985 => 288986)
--- branches/safari-613-branch/Source/WebCore/ChangeLog 2022-02-02 20:40:59 UTC (rev 288985)
+++ branches/safari-613-branch/Source/WebCore/ChangeLog 2022-02-02 20:41:01 UTC (rev 288986)
@@ -1,3 +1,70 @@
+2022-02-02 Russell Epstein <[email protected]>
+
+ Cherry-pick r288423. rdar://problem/87701738
+
+ m_lastStyleChangeEventStyle null ptr deref for accelerated CSS Animation with no duration and an implicit keyframe
+ https://bugs.webkit.org/show_bug.cgi?id=235394
+ <rdar://problem/87701738>
+
+ Reviewed by Antti Koivisto.
+
+ Source/WebCore:
+
+ Test: webanimations/accelerated-animation-without-duration-crash.html
+
+ In r287827, the fix for bug 235014, we stopped filling implicit keyframes for CSS Animations at creation
+ time such that the output of getKeyframes() would correctly account for the missing keyframes. This meant
+ that we have to fill in those implicit keyframes when running an accelerated animation before we pass it
+ on to GraphicsLayer.
+
+ We would always use the value stored by lastStyleChangeEventStyle() with an assert that this value was
+ never null. However, in the case of an animation that is not relevant, such as a CSS Animation with no
+ duration, we've never had a chance to set that style since Style::TreeResolver::createAnimatedElementUpdate()
+ would not see any "relevant" (a term defined by the Web Animations specification to specify an animation
+ that has an effect on its target) animations.
+
+ We now use the renderer's style as a fallback, which is guaranteed to be defined at this stage.
+
+ * animation/KeyframeEffect.cpp:
+ (WebCore::KeyframeEffect::applyPendingAcceleratedActions):
+
+ LayoutTests:
+
+ New test, created by Gabriel Nava Marino, that creates an accelerated animation with no
+ duration and with implicit keyframes that would crash prior to this patch.
+
+ * webanimations/accelerated-animation-without-duration-crash-expected.txt: Added.
+ * webanimations/accelerated-animation-without-duration-crash.html: Added.
+
+
+ git-svn-id: https://svn.webkit.org/repository/webkit/trunk@288423 268f45cc-cd09-0410-ab3c-d52691b4dbfc
+
+ 2022-01-23 Antoine Quint <[email protected]>
+
+ m_lastStyleChangeEventStyle null ptr deref for accelerated CSS Animation with no duration and an implicit keyframe
+ https://bugs.webkit.org/show_bug.cgi?id=235394
+ <rdar://problem/87701738>
+
+ Reviewed by Antti Koivisto.
+
+ Test: webanimations/accelerated-animation-without-duration-crash.html
+
+ In r287827, the fix for bug 235014, we stopped filling implicit keyframes for CSS Animations at creation
+ time such that the output of getKeyframes() would correctly account for the missing keyframes. This meant
+ that we have to fill in those implicit keyframes when running an accelerated animation before we pass it
+ on to GraphicsLayer.
+
+ We would always use the value stored by lastStyleChangeEventStyle() with an assert that this value was
+ never null. However, in the case of an animation that is not relevant, such as a CSS Animation with no
+ duration, we've never had a chance to set that style since Style::TreeResolver::createAnimatedElementUpdate()
+ would not see any "relevant" (a term defined by the Web Animations specification to specify an animation
+ that has an effect on its target) animations.
+
+ We now use the renderer's style as a fallback, which is guaranteed to be defined at this stage.
+
+ * animation/KeyframeEffect.cpp:
+ (WebCore::KeyframeEffect::applyPendingAcceleratedActions):
+
2022-02-01 Russell Epstein <[email protected]>
Cherry-pick r288897. rdar://problem/87651247
Modified: branches/safari-613-branch/Source/WebCore/animation/KeyframeEffect.cpp (288985 => 288986)
--- branches/safari-613-branch/Source/WebCore/animation/KeyframeEffect.cpp 2022-02-02 20:40:59 UTC (rev 288985)
+++ branches/safari-613-branch/Source/WebCore/animation/KeyframeEffect.cpp 2022-02-02 20:41:01 UTC (rev 288986)
@@ -1878,15 +1878,17 @@
ASSERT(m_target);
- auto* lastStyleChangeEventStyle = m_target->lastStyleChangeEventStyle(m_pseudoId);
- ASSERT(lastStyleChangeEventStyle);
-
// We need to resolve all animations up to this point to ensure any forward-filling
// effect is accounted for when computing the "from" value for the accelerated animation.
- auto underlyingStyle = RenderStyle::clonePtr(*lastStyleChangeEventStyle);
auto* effectStack = m_target->keyframeEffectStack(m_pseudoId);
ASSERT(effectStack);
+ auto underlyingStyle = [&]() {
+ if (auto* lastStyleChangeEventStyle = m_target->lastStyleChangeEventStyle(m_pseudoId))
+ return RenderStyle::clonePtr(*lastStyleChangeEventStyle);
+ return RenderStyle::clonePtr(renderer->style());
+ }();
+
for (const auto& effect : effectStack->sortedEffects()) {
if (this == effect.get())
break;
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes
