Changeset 139365 in webkit


Timestamp:
Jan 10, 2013, 1:52:40 PM
Author:
wangxianzhu@chromium.org
Message:

Regression(r129944): Heap-use-after-free in WebCore::computeNonFastScrollableRegion
https://bugs.webkit.org/show_bug.cgi?id=99515

Reviewed by Simon Fraser.

The object used after free is a destructed FrameView that is still in the m_scrollableAreas set of the parent FrameView. Actually, it has been removed from m_scrollableAreas when setParent(0), but then is added back in updateScrollableAreaSet() because its frameViewParent() is still not 0 (though parent() is already 0).

No new tests. The heap-use-after-free doesn't always cause a crash, so it can't be stably tested with a test case. Memory analysis tools like asan discovered the heap-use-after-free and verified that the patch can fix the issue.

  • page/FrameView.cpp:

(WebCore::FrameView::parentFrameView): Checks if the FrameView has been removed from the parent.
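A minimal model of the failure described in this commit message, added here as an illustration and not WebKit code: a child view that still has a frame-tree parent after its ScrollView parent has been cleared gets re-registered in the parent's scrollable-area set and leaves a dangling pointer there once it is destroyed. The ToyFrameView type and its two parent-lookup variants are hypothetical stand-ins for FrameView::parentFrameView() before and after this patch.

```cpp
// Added illustration (not WebKit code): two notions of "parent" that can disagree
// during teardown, and the stale set entry that results when only one is consulted.
#include <cassert>
#include <memory>
#include <set>

struct ToyFrameView {
    ToyFrameView* scrollViewParent = nullptr;  // models ScrollView::parent()
    ToyFrameView* treeParent = nullptr;        // models m_frame->tree()->parent()->view()
    std::set<ToyFrameView*> scrollableAreas;   // models FrameView::m_scrollableAreas

    // Pre-patch behaviour: consults only the frame tree.
    ToyFrameView* parentFrameViewBuggy() const { return treeParent; }
    // Patched behaviour: a view detached via setParent(0) reports no parent at all.
    ToyFrameView* parentFrameViewFixed() const { return scrollViewParent ? treeParent : nullptr; }

    // Models setParent(): leaving a parent removes this view from its set.
    void setParent(ToyFrameView* p) {
        if (scrollViewParent) scrollViewParent->scrollableAreas.erase(this);
        scrollViewParent = p;
    }
    // Models updateScrollableAreaSet(): re-registers with whatever parent lookup returns.
    void updateScrollableAreaSet(bool fixed) {
        ToyFrameView* p = fixed ? parentFrameViewFixed() : parentFrameViewBuggy();
        if (p) p->scrollableAreas.insert(this);
    }
};

// Replays the teardown ordering from the bug: setParent(0) first, then an update while
// the frame tree still links the child. Returns true if the parent's set still holds a
// pointer to the child after the child has been destroyed (i.e. a dangling entry).
bool parentKeepsStaleEntry(bool fixed) {
    ToyFrameView parent;
    auto child = std::make_unique<ToyFrameView>();
    child->setParent(&parent);
    child->treeParent = &parent;
    child->updateScrollableAreaSet(fixed);
    assert(parent.scrollableAreas.count(child.get()) == 1);  // registered normally

    child->setParent(nullptr);              // removed from the set here...
    child->updateScrollableAreaSet(fixed);  // ...but re-added if the tree parent is still non-null
    ToyFrameView* raw = child.get();
    child.reset();                          // child destroyed; any remaining entry is dangling
    return parent.scrollableAreas.count(raw) == 1;
}
```

Under ASan the real bug shows up only when the stale entry is later dereferenced (here, in computeNonFastScrollableRegion); this model stops at the pointer comparison so it runs cleanly either way.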

Location:
trunk/Source/WebCore
Files:
2 edited

  • trunk/Source/WebCore/ChangeLog

    r139356 r139365  
     12013-01-10  Xianzhu Wang  <wangxianzhu@chromium.org>
     2
     3        Regression(r129944): Heap-use-after-free in WebCore::computeNonFastScrollableRegion
     4        https://bugs.webkit.org/show_bug.cgi?id=99515
     5
     6        Reviewed by Simon Fraser.
     7
     8        The object used-after-freed is a destructed FrameView that is still in the m_scrollableAreas set of the parent FrameView. Actually it has been removed from m_scrollableAreas when setParent(0), but then is added back in updateScrollableAreaSet() because its frameViewParent() is still not 0 (though parent() is already 0).
     9
     10        No new tests. The heap-use-after-free doesn't always cause crash so it can't be stably tested with a test case. Memory analysis tools like asan discovered the heap-use-after-free and verified that the patch can fix the issue.
     11
     12        * page/FrameView.cpp:
     13        (WebCore::FrameView::parentFrameView): Checks if the FrameView has been removed from the parent.
     14
    1152013-01-10  John Mellor  <johnme@chromium.org>
    216
  • trunk/Source/WebCore/page/FrameView.cpp

    r139024 r139365  
    31103110FrameView* FrameView::parentFrameView() const
    31113111{
     3112    if (!parent())
     3113        return 0;
     3114
    31123115    if (Frame* parentFrame = m_frame->tree()->parent())
    31133116        return parentFrame->view();
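Review bot: the new early return at 3112-3113 is the whole fix, but nothing at the call site records why parent() and m_frame->tree()->parent() can disagree (parent() is cleared by setParent(0) before the frame leaves the tree); a one-line comment above `if (!parent())` saying that a FrameView removed from its parent must not report a parent even while still linked in the frame tree would keep a later cleanup from folding the two checks back together.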