235394 – m_lastStyleChangeEventStyle null ptr deref for accelerated CSS Animation with no duration and an implicit keyframe

RESOLVED FIXED 235394

m_lastStyleChangeEventStyle null ptr deref for accelerated CSS Animation with no duration and an implicit keyframe

https://bugs.webkit.org/show_bug.cgi?id=235394

Summary m_lastStyleChangeEventStyle null ptr deref for accelerated CSS Animation with...

Gabriel Nava Marino

Reported 2022-01-19 21:51:50 PST

After bug 235014 was resolved, a new code path was enabled that now requires checking if the animation is relevant before adding an action to the list of m_pendingAcceleratedActions

Attachments
Patch (3.64 KB, patch) 2022-01-19 21:58 PST, Gabriel Nava Marino	no flags	Details Formatted Diff Diff
Patch (3.67 KB, patch) 2022-01-19 22:09 PST, Gabriel Nava Marino	no flags	Details Formatted Diff Diff
Patch (5.24 KB, patch) 2022-01-23 10:06 PST, Antoine Quint	koivisto: review+ ews-feeder: commit-queue-	Details Formatted Diff Diff
Patch for landing (5.21 KB, patch) 2022-01-23 11:34 PST, Antoine Quint	no flags	Details Formatted Diff Diff
Show Obsolete (2) View All Add attachment proposed patch, testcase, etc.

Gabriel Nava Marino

Comment 1 2022-01-19 21:58:59 PST

Created attachment 449553 [details] Patch

Gabriel Nava Marino

Comment 2 2022-01-19 21:59:23 PST

Thank you @graouts for helping me identify and recommend the proposed fix.

Gabriel Nava Marino

Comment 3 2022-01-19 22:00:05 PST

<rdar://problem/87701738>

Gabriel Nava Marino

Comment 4 2022-01-19 22:09:30 PST

Created attachment 449554 [details] Patch

Antoine Quint

Comment 5 2022-01-23 10:06:23 PST

Created attachment 449754 [details] Patch

Antti Koivisto

Comment 6 2022-01-23 10:35:55 PST

Comment on attachment 449754 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=449754&action=review > Source/WebCore/animation/KeyframeEffect.cpp:1866 > + auto underlyingStyle = [&]() -> std::unique_ptr<RenderStyle> { Probably don’t need explicit return type.

Antoine Quint

Comment 7 2022-01-23 11:34:50 PST

Created attachment 449759 [details] Patch for landing

EWS

Comment 8 2022-01-23 13:22:30 PST

Committed r288423 (246314@main): <https://commits.webkit.org/246314@main> All reviewed patches have been landed. Closing bug and clearing flags on attachment 449759 [details].

Note You need to log in before you can comment on or make changes to this bug.

Status RESOLVED

Resolution FIXED

Priority P2

Severity Normal

Classification Unclassified

Version WebKit Nightly Build

Hardware Unspecified

OS Unspecified

Product WebKit

Component Animations

Assignee

Gabriel Nava Marino

Reported

2022-01-19 21:51 PST

Modified

2022-01-23 13:22 PST History

CC List

5 users Show

URL

Keywords InRadar

Depends on

Blocks