Bug 235394

Summary: m_lastStyleChangeEventStyle null ptr deref for accelerated CSS Animation with no duration and an implicit keyframe
Product: WebKit
Reporter: Gabriel Nava Marino <gnavamarino>
Component: Animations
Assignee: Gabriel Nava Marino <gnavamarino>
Status: RESOLVED FIXED
Severity: Normal
CC: dino, graouts, koivisto, webkit-bug-importer
Priority: P2
Keywords: InRadar
Version: WebKit Nightly Build
Hardware: Unspecified
OS: Unspecified

Attachments (description: flags):
  Patch: none
  Patch: none
  Patch: koivisto: review+, ews-feeder: commit-queue-
  Patch for landing: none

Description Gabriel Nava Marino 2022-01-19 21:51:50 PST
After bug 235014 was resolved, a new code path was enabled that now requires checking if the animation is relevant before adding an action to the list of m_pendingAcceleratedActions.
Comment 1 Gabriel Nava Marino 2022-01-19 21:58:59 PST
Created attachment 449553 [details]
Patch
Comment 2 Gabriel Nava Marino 2022-01-19 21:59:23 PST
Thank you @graouts for helping me identify and recommend the proposed fix.
Comment 3 Gabriel Nava Marino 2022-01-19 22:00:05 PST
<rdar://problem/87701738>
Comment 4 Gabriel Nava Marino 2022-01-19 22:09:30 PST
Created attachment 449554 [details]
Patch
Comment 5 Antoine Quint 2022-01-23 10:06:23 PST
Created attachment 449754 [details]
Patch
Comment 6 Antti Koivisto 2022-01-23 10:35:55 PST
Comment on attachment 449754 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=449754&action=review

> Source/WebCore/animation/KeyframeEffect.cpp:1866
> +        auto underlyingStyle = [&]() -> std::unique_ptr<RenderStyle> {
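
Review bot: the explicit `-> std::unique_ptr<RenderStyle>` on the `underlyingStyle` lambda is only redundant if every return statement in its body already yields a `std::unique_ptr<RenderStyle>`; if any branch returns `nullptr` (type `std::nullptr_t`), return-type deduction fails and the annotation has to stay. Worth checking the lambda body before dropping it.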

Probably don’t need explicit return type.
Comment 7 Antoine Quint 2022-01-23 11:34:50 PST
Created attachment 449759 [details]
Patch for landing
Comment 8 EWS 2022-01-23 13:22:30 PST
Committed r288423 (246314@main): <https://commits.webkit.org/246314@main>

All reviewed patches have been landed. Closing bug and clearing flags on attachment 449759 [details].