Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(226)

Issues Search
    My Issues | Starred     Open | Closed | All

Issue 180553004: Fix use-after-free of m_currentSpeechUtterance. (Closed)

Created:
6 years, 10 months ago by dmazzoni
Modified:
6 years, 9 months ago
Reviewers:
abarth-chromium
CC:
blink-reviews
Base URL:
https://chromium.googlesource.com/chromium/blink.git@master
Visibility:
Public.

Description

Fix use-after-free of m_currentSpeechUtterance. SpeechSynthesis.cpp incorrectly assumed that calling m_platformSpeechSynthesizer->cancel() would immediately call didFinishSpeaking or speakingErrorOccurred, which would null out m_currentSpeechUtterance. This assumption was true in WebKit/Mac, but Chromium's platform implementation is asynchronous, so that call may come later. Fix the issue and simplify the logic by getting rid of the raw pointer to the current utterance altogether. Now the RefPtr at the front of the utterance queue is the current utterance, and the platform implementation is allowed to fire events on utterances that are no longer in the queue. BUG=344881 R=abarth@chromium.org Committed: https://src.chromium.org/viewvc/blink?view=rev&revision=168092 Committed: https://src.chromium.org/viewvc/blink?view=rev&revision=168169 Committed: https://src.chromium.org/viewvc/blink?view=rev&revision=168171

Patch Set 1 #

Patch Set 2 : Added test #

Patch Set 3 : Fix nullptr cast #

Patch Set 4 : Fix nullptr again? #

Unified diffs Side-by-side diffs Delta from patch set Stats (+75 lines, -34 lines) Patch
A LayoutTests/fast/speechsynthesis/speech-synthesis-cancel-twice.html View 1 1 chunk +25 lines, -0 lines 0 comments Download
A + LayoutTests/fast/speechsynthesis/speech-synthesis-cancel-twice-expected.txt View 1 1 chunk +1 line, -2 lines 0 comments Download
M Source/modules/speech/SpeechSynthesis.h View 1 chunk +4 lines, -2 lines 0 comments Download
M Source/modules/speech/SpeechSynthesis.cpp View 1 2 3 8 chunks +33 lines, -28 lines 0 comments Download
M Source/modules/speech/testing/PlatformSpeechSynthesizerMock.h View 1 1 chunk +2 lines, -0 lines 0 comments Download
M Source/modules/speech/testing/PlatformSpeechSynthesizerMock.cpp View 1 3 chunks +10 lines, -2 lines 0 comments Download

Messages

Total messages: 8 (0 generated)
dmazzoni
6 years, 10 months ago (2014-02-26 00:08:22 UTC) #1
abarth-chromium
Please include a test, even if it only triggers under ASAN or only fails occasionally. ...
6 years, 10 months ago (2014-02-26 06:27:28 UTC) #2
dmazzoni
On 2014/02/26 06:27:28, abarth wrote: > Please include a test, even if it only triggers ...
6 years, 10 months ago (2014-02-26 08:06:46 UTC) #3
abarth-chromium
LGTM Thanks for making the mock more like the real thing.
6 years, 10 months ago (2014-02-26 18:57:33 UTC) #4
dmazzoni
Committed patchset #2 manually as r168092 (presubmit successful).
6 years, 9 months ago (2014-02-28 08:20:11 UTC) #5
apavlov
A revert of this CL has been created in https://codereview.chromium.org/184263003/ by apavlov@chromium.org. The reason for ...
6 years, 9 months ago (2014-02-28 09:26:46 UTC) #6
dmazzoni
Committed patchset #4 manually as r168169 (presubmit successful).
6 years, 9 months ago (2014-02-28 23:42:13 UTC) #7
dmazzoni
6 years, 9 months ago (2014-02-28 23:51:05 UTC) #8
Message was sent while issue was closed. 
Committed patchset #4 manually as r168171 (tree was closed).

Powered by Google App Engine
This is Rietveld 408576698