Bug 309672
| Summary: | [scroll-animations] crash under `StyleOriginatedTimelinesController::unregisterNamedTimeline()` due to iterator mutation | ||
|---|---|---|---|
| Product: | WebKit | Reporter: | Antoine Quint <graouts> |
| Component: | Animations | Assignee: | Antoine Quint <graouts> |
| Status: | RESOLVED FIXED | ||
| Severity: | Normal | CC: | graouts, webkit-bug-importer |
| Priority: | P2 | Keywords: | InRadar |
| Version: | WebKit Nightly Build | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| See Also: | https://bugs.webkit.org/show_bug.cgi?id=309632 https://bugs.webkit.org/show_bug.cgi?id=308128 https://bugs.webkit.org/show_bug.cgi?id=309897 | ||
Antoine Quint
Consider this part of `StyleOriginatedTimelinesController::unregisterNamedTimeline()`:
```cpp
for (Ref animation : timeline->relevantAnimations()) {
    if (RefPtr cssAnimation = dynamicDowncast<CSSAnimation>(animation)) {
        if (cssAnimation->owningElement())
            cssAnimation->syncStyleOriginatedTimeline();
    }
}
```
The call to `CSSAnimation::syncStyleOriginatedTimeline()` may call `WebAnimation::setTimeline()`, which may modify the content of `timeline->relevantAnimations()` that we're iterating on. To address this, we should make a copy of the animation list like we do in `AnimationTimelinesController::updateAnimationsAndSendEvents()`.
Note that a similar bug is being fixed in bug 309632 and an earlier of this crash was made in bug 308128.
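The following is an added, standalone model of the failure described above and of the "iterate over a copy" fix; it is not WebKit code. `Timeline`, `Animation`, `setTimeline`, `syncStyleOriginatedTimeline`, `unregisterNamedTimelineUnsafe` and `unregisterNamedTimelineSafe` are hypothetical stand-ins for the WebKit classes and methods named in the report, and the three-animation scenario is constructed. A range-for over the live vector is undefined behaviour once the callback erases from it, so the unsafe variant uses an index loop instead: the defect then shows up as skipped elements rather than a crash, which makes it observable in a test.

```cpp
#include <algorithm>
#include <memory>
#include <vector>

struct Timeline;

// Hypothetical stand-in for CSSAnimation.
struct Animation {
    Timeline* timeline = nullptr;       // timeline the animation is attached to
    Timeline* styleTimeline = nullptr;  // timeline that style currently resolves to
    bool hasOwningElement = true;       // stands in for cssAnimation->owningElement()

    void setTimeline(Timeline* newTimeline);

    // Like CSSAnimation::syncStyleOriginatedTimeline(): re-resolve the timeline
    // from style, which may end up calling setTimeline().
    void syncStyleOriginatedTimeline() {
        if (styleTimeline != timeline)
            setTimeline(styleTimeline);
    }
};

// Hypothetical stand-in for the timeline whose relevantAnimations() is iterated.
struct Timeline {
    std::vector<Animation*> relevantAnimations;  // non-owning, like the real list

    void detach(Animation* a) {
        auto& v = relevantAnimations;
        v.erase(std::remove(v.begin(), v.end(), a), v.end());
    }
    void attach(Animation* a) { relevantAnimations.push_back(a); }
};

// Moving an animation between timelines mutates both lists. When called from
// inside a loop over the old timeline's list, that loop is walking a container
// that is being edited underneath it.
void Animation::setTimeline(Timeline* newTimeline) {
    if (timeline == newTimeline)
        return;
    if (timeline)
        timeline->detach(this);
    timeline = newTimeline;
    if (timeline)
        timeline->attach(this);
}

// Shape of the original loop, iterating the live list. Erasing element i shifts
// the following element into slot i, which the loop then never visits.
int unregisterNamedTimelineUnsafe(Timeline& timeline) {
    int synced = 0;
    auto& list = timeline.relevantAnimations;
    for (size_t i = 0; i < list.size(); ++i) {
        Animation* animation = list[i];
        if (animation->hasOwningElement) {
            animation->syncStyleOriginatedTimeline();
            ++synced;
        }
    }
    return synced;
}

// The fix: snapshot the list first. setTimeline() still edits the live list,
// but never the sequence being walked. (In WebKit the copy also holds strong
// references, so no animation can be destroyed mid-iteration either.)
int unregisterNamedTimelineSafe(Timeline& timeline) {
    int synced = 0;
    auto snapshot = timeline.relevantAnimations;  // copy by value
    for (Animation* animation : snapshot) {
        if (animation->hasOwningElement) {
            animation->syncStyleOriginatedTimeline();
            ++synced;
        }
    }
    return synced;
}

struct Outcome {
    int synced;         // animations that got syncStyleOriginatedTimeline()
    int stillOnNamed;   // animations left behind on the timeline being removed
};

// Constructed scenario: a named timeline going away with three animations on
// it, all of which style now resolves to a fallback timeline.
Outcome runScenario(bool useCopy) {
    Timeline named, fallback;
    std::vector<std::unique_ptr<Animation>> owner;  // keeps the animations alive
    for (int i = 0; i < 3; ++i) {
        owner.push_back(std::make_unique<Animation>());
        Animation* a = owner.back().get();
        a->setTimeline(&named);
        a->styleTimeline = &fallback;  // style no longer references 'named'
    }
    int synced = useCopy ? unregisterNamedTimelineSafe(named)
                         : unregisterNamedTimelineUnsafe(named);
    return { synced, static_cast<int>(named.relevantAnimations.size()) };
}
```

With the live-list loop only two of the three animations are synced and one stays attached to the timeline that is being unregistered; with the snapshot all three are moved. The same snapshot-then-iterate rule applies to any loop whose body can call back into code that owns the container.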
Antoine Quint
rdar://172271230
Antoine Quint
Pull request: https://github.com/WebKit/WebKit/pull/60360
EWS
Committed 309059@main (f355fb943c1d): <https://commits.webkit.org/309059@main>
Reviewed commits have been landed. Closing PR #60360 and removing active labels.
EWS
Committed 305413.487@safari-7624-branch (366a4134c635): <https://commits.webkit.org/305413.487@safari-7624-branch>
Reviewed commits have been landed. Closing PR #4674 and removing active labels.