Handle instantiation of scroll linked animations with uninitialized scroll source.

This changes fixes Issue 976633: Null-dereference READ in blink::ScrollTimeline::GetDocument. I can't recreate the crash scenario, but I suspect that it's a racing condition when ScrollTimeline is created with uninitialized document.scrollingElement. The fix is to initialize ScrollTimeline.document with the document passed in the constructor instead of consulting the scroll source. Bug: 976633 Change-Id: I76a7b660e543e3a0ea9512554bb194813a203a2f Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1670074Reviewed-by: Robert Flack <flackr@chromium.org> Commit-Queue: Olga Gerchikov <gerchiko@microsoft.com> Cr-Commit-Position: refs/heads/master@{#671457}

Handle instantiation of scroll linked animations with uninitialized scroll source.
This changes fixes Issue 976633: Null-dereference READ in blink::ScrollTimeline::GetDocument. I can't recreate the crash scenario, but I suspect that it's a racing condition when ScrollTimeline is created with uninitialized document.scrollingElement. The fix is to initialize ScrollTimeline.document with the document passed in the constructor instead of consulting the scroll source. Bug: 976633 Change-Id: I76a7b660e543e3a0ea9512554bb194813a203a2f Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1670074Reviewed-by: Robert Flack <flackr@chromium.org> Commit-Queue: Olga Gerchikov <gerchiko@microsoft.com> Cr-Commit-Position: refs/heads/master@{#671457}
60944f94 · Olga Gerchikov · Commit Bot · 89cad226 · 60944f94 · 60944f94
Commit 60944f94 authored Jun 21, 2019 by Olga Gerchikov Committed by Commit Bot Jun 21, 2019
4 changed files
--- a/third_party/blink/renderer/core/animation/scroll_timeline.cc
+++ b/third_party/blink/renderer/core/animation/scroll_timeline.cc
@@ -109,18 +109,20 @@ ScrollTimeline* ScrollTimeline::Create(Document& document,
  }

  return MakeGarbageCollected<ScrollTimeline>(
-      scroll_source, orientation, start_scroll_offset, end_scroll_offset,
-      options->timeRange().GetAsDouble(),
+      &document, scroll_source, orientation, start_scroll_offset,
+      end_scroll_offset, options->timeRange().GetAsDouble(),
      Timing::StringToFillMode(options->fill()));
 }

-ScrollTimeline::ScrollTimeline(Element* scroll_source,
+ScrollTimeline::ScrollTimeline(Document* document,
+                               Element* scroll_source,
                               ScrollDirection orientation,
                               CSSPrimitiveValue* start_scroll_offset,
                               CSSPrimitiveValue* end_scroll_offset,
                               double time_range,
                               Timing::FillMode fill)
-    : scroll_source_(scroll_source),
+    : document_(document),
+      scroll_source_(scroll_source),
      resolved_scroll_source_(ResolveScrollSource(scroll_source_)),
      orientation_(orientation),
      start_scroll_offset_(start_scroll_offset),
@@ -348,6 +350,7 @@ void ScrollTimeline::AnimationDetached(Animation*) {
 }

 void ScrollTimeline::Trace(blink::Visitor* visitor) {
+  visitor->Trace(document_);
  visitor->Trace(scroll_source_);
  visitor->Trace(resolved_scroll_source_);
  visitor->Trace(start_scroll_offset_);

--- a/third_party/blink/renderer/core/animation/scroll_timeline.h
+++ b/third_party/blink/renderer/core/animation/scroll_timeline.h
@@ -40,7 +40,8 @@ class CORE_EXPORT ScrollTimeline final : public AnimationTimeline {
                                ScrollTimelineOptions*,
                                ExceptionState&);

-  ScrollTimeline(Element*,
+  ScrollTimeline(Document*,
+                 Element*,
                 ScrollDirection,
                 CSSPrimitiveValue*,
                 CSSPrimitiveValue*,
@@ -50,7 +51,7 @@ class CORE_EXPORT ScrollTimeline final : public AnimationTimeline {
  // AnimationTimeline implementation.
  double currentTime(bool& is_null) final;
  bool IsScrollTimeline() const override { return true; }
-  Document* GetDocument() override { return &scroll_source_->GetDocument(); }
+  Document* GetDocument() override { return document_; }
  // ScrollTimeline is not active if scrollSource is null, does not currently
  // have a CSS layout box, or if its layout box is not a scroll container.
  // https://github.com/WICG/scroll-animations/issues/31
@@ -96,6 +97,7 @@ class CORE_EXPORT ScrollTimeline final : public AnimationTimeline {
  static bool HasActiveScrollTimeline(Node* node);

 private:
+  Member<Document> document_;
  // Use |scroll_source_| only to implement the web-exposed API but use
  // resolved_scroll_source_ to actually access the scroll related properties.
  Member<Element> scroll_source_;

--- a/third_party/blink/renderer/core/animation/scroll_timeline_test.cc
+++ b/third_party/blink/renderer/core/animation/scroll_timeline_test.cc
@@ -231,7 +231,7 @@ TEST_F(ScrollTimelineTest, AttachOrDetachAnimationWithNullScrollSource) {
  CSSPrimitiveValue* start_scroll_offset = nullptr;
  CSSPrimitiveValue* end_scroll_offset = nullptr;
  ScrollTimeline* scroll_timeline = MakeGarbageCollected<ScrollTimeline>(
-      scroll_source, ScrollTimeline::Block, start_scroll_offset,
+      &GetDocument(), scroll_source, ScrollTimeline::Block, start_scroll_offset,
      end_scroll_offset, 100, Timing::FillMode::NONE);

  // Sanity checks.

--- a/third_party/blink/renderer/core/animation/scroll_timeline_util_test.cc
+++ b/third_party/blink/renderer/core/animation/scroll_timeline_util_test.cc
@@ -82,7 +82,7 @@ TEST_F(ScrollTimelineUtilTest, ToCompositorScrollTimelineNullScrollSource) {
  CSSPrimitiveValue* start_scroll_offset = nullptr;
  CSSPrimitiveValue* end_scroll_offset = nullptr;
  ScrollTimeline* timeline = MakeGarbageCollected<ScrollTimeline>(
-      scroll_source, ScrollTimeline::Block, start_scroll_offset,
+      &GetDocument(), scroll_source, ScrollTimeline::Block, start_scroll_offset,
      end_scroll_offset, 100, Timing::FillMode::NONE);

  std::unique_ptr<CompositorScrollTimeline> compositor_timeline =