Bug 235394

Summary: m_lastStyleChangeEventStyle null ptr deref for accelerated CSS Animation with no duration and an implicit keyframe
Product: WebKit Reporter: Gabriel Nava Marino <gnavamarino>
Component: AnimationsAssignee: Gabriel Nava Marino <gnavamarino>
Status: RESOLVED FIXED    
Severity: Normal CC: dino, graouts, graouts, koivisto, webkit-bug-importer
Priority: P2 Keywords: InRadar
Version: WebKit Nightly Build   
Hardware: Unspecified   
OS: Unspecified   
Attachments:
Description Flags
Patch
none
Patch
none
Patch
koivisto: review+, ews-feeder: commit-queue-
Patch for landing none

Gabriel Nava Marino
Reported 2022-01-19 21:51:50 PST
After bug 235014 was resolved, a new code path was enabled that now requires checking if the animation is relevant before adding an action to the list of m_pendingAcceleratedActions
Attachments
Patch (3.64 KB, patch)
2022-01-19 21:58 PST, Gabriel Nava Marino 		no flags
DetailsFormatted DiffDiff
Patch (3.67 KB, patch)
2022-01-19 22:09 PST, Gabriel Nava Marino 		no flags
DetailsFormatted DiffDiff
Patch (5.24 KB, patch)
2022-01-23 10:06 PST, Antoine Quint 		koivisto: review+
ews-feeder: commit-queue-
DetailsFormatted DiffDiff
Patch for landing (5.21 KB, patch)
2022-01-23 11:34 PST, Antoine Quint 		no flags
DetailsFormatted DiffDiff
Show Obsolete (2) View All Add attachment proposed patch, testcase, etc.
Gabriel Nava Marino
Comment 1 2022-01-19 21:58:59 PST
Created attachment 449553 [details] Patch
Gabriel Nava Marino
Comment 2 2022-01-19 21:59:23 PST
Thank you @graouts for helping me identify and recommend the proposed fix.
Gabriel Nava Marino
Comment 3 2022-01-19 22:00:05 PST
<rdar://problem/87701738>
Gabriel Nava Marino
Comment 4 2022-01-19 22:09:30 PST
Created attachment 449554 [details] Patch
Antoine Quint
Comment 5 2022-01-23 10:06:23 PST
Created attachment 449754 [details] Patch
Antti Koivisto
Comment 6 2022-01-23 10:35:55 PST
Comment on attachment 449754 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=449754&action=review > Source/WebCore/animation/KeyframeEffect.cpp:1866 > + auto underlyingStyle = [&]() -> std::unique_ptr<RenderStyle> { Probably don’t need explicit return type.
Antoine Quint
Comment 7 2022-01-23 11:34:50 PST
Created attachment 449759 [details] Patch for landing
EWS
Comment 8 2022-01-23 13:22:30 PST
Committed r288423 (246314@main): <https://commits.webkit.org/246314@main> All reviewed patches have been landed. Closing bug and clearing flags on attachment 449759 [details].
Note You need to log in before you can comment on or make changes to this bug.