    animations: fix possible use-after-free in rotate animations · 52b8f739
    Scott Violet authored
    The use after free would happen if the animation duration was 0.
    The reason is RotateHidingWindowAnimationObserver would end up being
    destroyed when the animation was started. This is because if the
    animation completes immediately, then
    RotateHidingWindowAnimationObserver deletes itself, and
    AddLayerAnimationsForRotate tries to use
    RotateHidingWindowAnimationObserver after scheduling the animation.
    
    The fix is to only create the observer if the animation hasn't
    completed.
    
    I had originally tried to disable animations if the duration is 0,
    as there is no point in doing any work. Unfortunately this proves
    quite problematic. In addition to animating, the animations may update
    other state, such as the bounds. I settled for adding a comment as to
    being careful in disabling animations. My suspicion is there are likely
    problems with disabling animations, but that's for another day.
    
    BUG=1154677
    TEST=covered by tests
    
    Change-Id: I9f63d5c65a86c59d5ad82a8805e66a9a51ccc4b9
    Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2570101
    Commit-Queue: Scott Violet <sky@chromium.org>
    Auto-Submit: Scott Violet <sky@chromium.org>
    Reviewed-by: Mitsuru Oshima <oshima@chromium.org>
    Cr-Commit-Position: refs/heads/master@{#836189}
window_animations.cc 25.8 KB
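
The ordering problem the commit message describes, as an added example that is not Chromium's code: a self-deleting observer attached before a zero-duration animation starts is already freed when the caller next touches it, while the fixed ordering starts first and observes only if the animation is still running. Animator, HidingObserver and both functions are hypothetical stand-ins, and the old-ordering function checks a live-object counter instead of dereferencing the freed pointer.

```cpp
#include <cstdio>
#include <functional>
#include <utility>

// Hypothetical stand-ins for illustration; not Chromium classes.
static int g_live_observers = 0;

struct Animator {
  int duration_ms = 0;
  bool running = false;
  std::function<void()> on_done;
  // A zero-duration animation completes synchronously inside Start().
  void Start() { running = true; if (duration_ms == 0) Finish(); }
  void Finish() {
    running = false;
    if (auto cb = std::exchange(on_done, nullptr)) cb();
  }
};

class HidingObserver {
 public:
  explicit HidingObserver(Animator* a) {
    ++g_live_observers;
    a->on_done = [this] { delete this; };  // deletes itself on completion
  }
  void SetOldLayer(int id) { old_layer_ = id; }
  int old_layer() const { return old_layer_; }
 private:
  ~HidingObserver() { --g_live_observers; }
  int old_layer_ = -1;
};

// Pre-fix ordering: observer first, then start. Returns true when the observer
// is already freed at the point where the caller would use it next.
bool OldOrderingLeavesDanglingPointer(Animator* a) {
  const int before = g_live_observers;
  HidingObserver* obs = new HidingObserver(a);
  a->Start();  // duration 0: completion fires here and frees obs
  const bool freed = (g_live_observers == before);
  if (!freed) obs->SetOldLayer(1);  // without this check: use-after-free
  return freed;
}

// Fixed ordering: start first, create the observer only if still animating.
bool FixedOrderingAttachesObserver(Animator* a, int old_layer) {
  a->Start();
  if (!a->running) return false;  // completed immediately: nothing to observe
  (new HidingObserver(a))->SetOldLayer(old_layer);  // freed later via on_done
  return true;
}

int main() { Animator a; std::printf("%d\n", OldOrderingLeavesDanglingPointer(&a)); }
```
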