Title: [139365] trunk/Source/WebCore
Revision
139365
Author
[email protected]
Date
2013-01-10 13:52:40 -0800 (Thu, 10 Jan 2013)

Log Message

Regression(r129944): Heap-use-after-free in WebCore::computeNonFastScrollableRegion
https://bugs.webkit.org/show_bug.cgi?id=99515

Reviewed by Simon Fraser.

The object used after free is a destructed FrameView that is still in the m_scrollableAreas set of the parent FrameView. Actually it has been removed from m_scrollableAreas on setParent(0), but is then added back in updateScrollableAreaSet() because its frameViewParent() is still not 0 (though parent() is already 0).

No new tests. The heap-use-after-free doesn't always cause a crash, so it can't be stably tested with a test case. Memory analysis tools like asan discovered the heap-use-after-free and verified that the patch fixes the issue.

* page/FrameView.cpp:
(WebCore::FrameView::parentFrameView): Checks if the FrameView has been removed from the parent.

Modified Paths

trunk/Source/WebCore/ChangeLog
trunk/Source/WebCore/page/FrameView.cpp

Diff

Modified: trunk/Source/WebCore/ChangeLog (139364 => 139365)


--- trunk/Source/WebCore/ChangeLog	2013-01-10 21:49:28 UTC (rev 139364)
+++ trunk/Source/WebCore/ChangeLog	2013-01-10 21:52:40 UTC (rev 139365)
@@ -1,3 +1,17 @@
+2013-01-10  Xianzhu Wang  <[email protected]>
+
+        Regression(r129944): Heap-use-after-free in WebCore::computeNonFastScrollableRegion
+        https://bugs.webkit.org/show_bug.cgi?id=99515
+
+        Reviewed by Simon Fraser.
+
+        The object used-after-freed is a destructed FrameView that is still in the m_scrollableAreas set of the parent FrameView. Actually it has been removed from m_scrollableAreas when setParent(0), but then is added back in updateScrollableAreaSet() because its frameViewParent() is still not 0 (though parent() is already 0).
+
+        No new tests. The heap-use-after-free doesn't always cause crash so it can't be stably tested with a test case. Memory analysis tools like asan discovered the heap-use-after-free and verified that the patch can fix the issue.
+
+        * page/FrameView.cpp:
+        (WebCore::FrameView::parentFrameView): Checks if the FrameView has been removed from the parent.
+
 2013-01-10  John Mellor  <[email protected]>
 
         Fix scale of screen.width, window.outerWidth and @media device-width when page scale not applied in compositor.
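Review bot: The per-function description "(WebCore::FrameView::parentFrameView): Checks if the FrameView has been removed from the parent." would be clearer if it named the state being tested, since the paragraph above distinguishes two different notions of parent (the ScrollView parent() that setParent(0) clears versus the frame tree parent that frameViewParent() still reports). Suggest wording along the lines of "Returns 0 when the ScrollView parent() has already been cleared, so a detached FrameView is not re-added to the parent's m_scrollableAreas by updateScrollableAreaSet()." That ties the one-line summary back to the root cause described in the entry.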

Modified: trunk/Source/WebCore/page/FrameView.cpp (139364 => 139365)


--- trunk/Source/WebCore/page/FrameView.cpp	2013-01-10 21:49:28 UTC (rev 139364)
+++ trunk/Source/WebCore/page/FrameView.cpp	2013-01-10 21:52:40 UTC (rev 139365)
@@ -3109,6 +3109,9 @@
 
 FrameView* FrameView::parentFrameView() const
 {
+    if (!parent())
+        return 0;
+
     if (Frame* parentFrame = m_frame->tree()->parent())
         return parentFrame->view();
 
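Review bot: The new early return `if (!parent()) return 0;` makes parentFrameView() answer from ScrollView::parent() before consulting the frame tree, which is exactly what breaks the re-registration path described in the ChangeLog, but the function body gives no hint why the two sources of truth can disagree. Suggest a short comment above the check stating that a FrameView detached via setParent(0) may still have a frame tree parent and must not be treated as attached, so the next reader does not "simplify" it away. Also worth confirming that no other caller of parentFrameView() relies on getting the frame tree parent while the ScrollView parent is still null (for example during attach, before setParent() is called), since that case now returns 0 as well.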
_______________________________________________
webkit-changes mailing list
[email protected]
http://lists.webkit.org/mailman/listinfo/webkit-changes
