chromeos: fix possible uaf in AppsGridView

I'm working on a separate patch that seems to be tripping over this. The specific sequence is: . ItemRemoveAnimationDelegate is created for a view. . We're in shutdown, meaning the widget is closing. . ~AppsGridView is called . ~AppsGridView calls RemoveAllChildViews(true). . View::DoRemoveChildView() is called for the view that is animating. . View::DoRemoveChildView() calls AppsGridView::ViewHierarchyChanged(). . This cancels the animation, deleting ~ItemRemoveAnimationDelegate. . ~ItemRemoveAnimationDelegate is called, which deletes the view. . View::DoRemoveChildView() continues on with a now deleted view. The fix is to cancel the animations in ~AppsGridView before calling RemoveAllChildViews(). Doing that means we aren't attempting to delete a view while View is trying to clean it up. As my other patch readily trips over this, I'm not adding a test. BUG=none TEST=none Change-Id: I88f1640ed512d762f4f52efb6748317c048c64a4 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1605220Reviewed-by: Xiyuan Xia <xiyuan@chromium.org> Commit-Queue: Scott Violet <sky@chromium.org> Cr-Commit-Position: refs/heads/master@{#658713}

chromeos: fix possible uaf in AppsGridView
I'm working on a separate patch that seems to be tripping over this. The specific sequence is: . ItemRemoveAnimationDelegate is created for a view. . We're in shutdown, meaning the widget is closing. . ~AppsGridView is called . ~AppsGridView calls RemoveAllChildViews(true). . View::DoRemoveChildView() is called for the view that is animating. . View::DoRemoveChildView() calls AppsGridView::ViewHierarchyChanged(). . This cancels the animation, deleting ~ItemRemoveAnimationDelegate. . ~ItemRemoveAnimationDelegate is called, which deletes the view. . View::DoRemoveChildView() continues on with a now deleted view. The fix is to cancel the animations in ~AppsGridView before calling RemoveAllChildViews(). Doing that means we aren't attempting to delete a view while View is trying to clean it up. As my other patch readily trips over this, I'm not adding a test. BUG=none TEST=none Change-Id: I88f1640ed512d762f4f52efb6748317c048c64a4 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1605220Reviewed-by: Xiyuan Xia <xiyuan@chromium.org> Commit-Queue: Scott Violet <sky@chromium.org> Cr-Commit-Position: refs/heads/master@{#658713}
4fd4b80a · Scott Violet · Commit Bot · 2709517d · 4fd4b80a
Commit 4fd4b80a authored May 10, 2019 by Scott Violet Committed by Commit Bot May 10, 2019
Show whitespace changes
Inline Side-by-side

Showing with 6 additions and 0 deletions

ash/app_list/views/apps_grid_view.cc ash/app_list/views/apps_grid_view.cc +6 -0

No files found.
--- a/ash/app_list/views/apps_grid_view.cc
+++ b/ash/app_list/views/apps_grid_view.cc
@@ -359,6 +359,12 @@ AppsGridView::~AppsGridView() {
  if (item_list_)
    item_list_->RemoveObserver(this);
+  // Cancel animations now, otherwise RemoveAllChildViews() may call back to
+  // ViewHierarchyChanged() during removal, which can lead to double deletes
+  // (because ViewHierarchyChanged() may attempt to delete a view that is part
+  // way through deletion).
+  bounds_animator_.Cancel();
  view_model_.Clear();
  RemoveAllChildViews(true);
 }