Issue 195233003: Prevent destruction of self in SMILTimeContainer with 'discard'

Issue 195233003: Prevent destruction of self in SMILTimeContainer with 'discard' (Closed)

Created:
6 years, 9 months ago by fs

Modified:
6 years, 9 months ago

Reviewers:
pdr., f(malita), Stephen Chennney, kouhei (in TOK), rwlbuis

CC:
blink-reviews, ed+blinkwatch_opera.com, shans, rjwright, alancutter (OOO until 2018), Mike Lawther (Google), rwlbuis, kouhei+svg_chromium.org, dstockwell, Timothy Loh, krit, f(malita), gyuyoung.kim_webkit.org, darktears, Stephen Chennney, Steve Block, dino_apple.com, Eric Willigers

Base URL:
svn://svn.chromium.org/blink/trunk

Visibility:
Public.

More Reviews

Description

Prevent destruction of self in SMILTimeContainer with 'discard' If discarding the <svg> root an animation update could end up destroying the SVGSVGElement owning the SMILTimeContainer, leading to use-after-free. Make sure to keep an additional reference to the owning SVGSVGElement across affected callsites. BUG=351316 Committed: https://src.chromium.org/viewvc/blink?view=rev&revision=169239

Patch Set 1 #

Total comments: 2

Created: 6 years, 9 months ago

Download [raw] [tar.bz2]

	Unified diffs	Side-by-side diffs	Stats (+32 lines, --1 lines)			Patch
A	LayoutTests/svg/animations/discard-on-svg-crash-2.html	View	1 chunk	+19 lines, -0 lines	0 comments	Download
A +	LayoutTests/svg/animations/discard-on-svg-crash-2-expected.txt	View	0 chunks	+-1 lines, --1 lines	0 comments	Download
M	Source/core/svg/animation/SMILTimeContainer.cpp	View	5 chunks	+14 lines, -0 lines	2 comments	Download

Messages

Total messages: 15 (0 generated)

Expand Messages | Collapse Messages

kouhei (in TOK)

https://codereview.chromium.org/195233003/diff/1/Source/core/svg/animation/SMILTimeContainer.cpp File Source/core/svg/animation/SMILTimeContainer.cpp (right): https://codereview.chromium.org/195233003/diff/1/Source/core/svg/animation/SMILTimeContainer.cpp#newcode337 Source/core/svg/animation/SMILTimeContainer.cpp:337: DiscardScope discardScope(m_ownerSVGElement); Can we put this inside updateAnimationsAndScheduleFrameIfNeeded?

6 years, 9 months ago (2014-03-12 00:30:29 UTC) #2

6 years, 9 months ago (2014-03-12 07:32:13 UTC) #3

pdr.

On 2014/03/12 07:32:13, fs wrote: > https://codereview.chromium.org/195233003/diff/1/Source/core/svg/animation/SMILTimeContainer.cpp > File Source/core/svg/animation/SMILTimeContainer.cpp (right): > > https://codereview.chromium.org/195233003/diff/1/Source/core/svg/animation/SMILTimeContainer.cpp#newcode337 > ...

6 years, 9 months ago (2014-03-13 07:07:23 UTC) #4

kouhei (in TOK)

On 2014/03/13 07:07:23, pdr wrote: > On 2014/03/12 07:32:13, fs wrote: > > > https://codereview.chromium.org/195233003/diff/1/Source/core/svg/animation/SMILTimeContainer.cpp ...

6 years, 9 months ago (2014-03-13 07:30:07 UTC) #5

On 2014/03/13 07:07:23, pdr wrote: > On 2014/03/12 07:32:13, fs wrote: > > > https://codereview.chromium.org/195233003/diff/1/Source/core/svg/animation/SMILTimeContainer.cpp ...

6 years, 9 months ago (2014-03-13 10:06:43 UTC) #6

pdr.

On 2014/03/13 10:06:43, fs wrote: > On 2014/03/13 07:07:23, pdr wrote: > > On 2014/03/12 ...

6 years, 9 months ago (2014-03-13 18:42:50 UTC) #7

On 2014/03/13 10:06:43, fs wrote:
> On 2014/03/13 07:07:23, pdr wrote:
> > On 2014/03/12 07:32:13, fs wrote:
> > >
> >
>
https://codereview.chromium.org/195233003/diff/1/Source/core/svg/animation/SM...
> > > File Source/core/svg/animation/SMILTimeContainer.cpp (right):
> > > 
> > >
> >
>
https://codereview.chromium.org/195233003/diff/1/Source/core/svg/animation/SM...
> > > Source/core/svg/animation/SMILTimeContainer.cpp:337: DiscardScope
> > > discardScope(m_ownerSVGElement);
> > > On 2014/03/12 00:30:30, kouhei wrote:
> > > > Can we put this inside updateAnimationsAndScheduleFrameIfNeeded?
> > > 
> > > No (unfortunately), because on the next line following it here is an
access
> to
> > > |this|.
> > 
> > Kouhei is now an expert in this area and may have some ideas (esp. with how
> > Oilpan might help)
> 
> Yeah (as kouhei already said), this is another situation where Oilpan would
> help...
> 
> > I'm a little worried about protecting the callers to these functions as
well.
> > For example,
> >
>
SVGImage::startAnimation->SVGSVGElement::setCurrentTime->SMILTimeContainer::setElapsed.
> > Do we need to move the DiscardScope up any further?
> > 
> > I'm also worried about accidentally regressing this in a future refactor of
> > SMILTimeContainer. Could the DiscardScope be renamed AnimationUpdater (or
> > similar) and have that protector object be the one to actually call
> > updateAnimationsAndScheduleFrameIfNeeded? This way, it's not possible to
call
> > updateAnimationsAndScheduleFrameIfNeeded without creating this protector
> object.
> 
> I'm not particularly fond of this either, and it's just reasonably
non-intrusive
> fix for the (quickly) addressing the issue. It could certainly make sense to
let
> a helper object handle this (and other things like wake-up scheduling etc.).
> That would probably require some fairly non-trivial refactoring (which had
half
> planned already, so I'll try to throw this in the mix too...).

That sounds reasonable to me. Would you like to land this as-is? If so, LGTM.

commit-bot: I haz the power

CQ is trying da patch. Follow status at https://chromium-status.appspot.com/cq/fs@opera.com/195233003/1

6 years, 9 months ago (2014-03-14 11:38:44 UTC) #10

commit-bot: I haz the power

The CQ bit was unchecked by commit-bot@chromium.org

6 years, 9 months ago (2014-03-14 11:38:59 UTC) #11

commit-bot: I haz the power

Try jobs failed on following builders: tryserver.blink on blink_presubmit

6 years, 9 months ago (2014-03-14 11:39:00 UTC) #12

commit-bot: I haz the power

CQ is trying da patch. Follow status at https://chromium-status.appspot.com/cq/fs@opera.com/195233003/1

6 years, 9 months ago (2014-03-14 12:09:23 UTC) #14

Message was sent while issue was closed.

Change committed as 169239

Expand Messages | Collapse Messages