Fix poison address in blink::CanvasResourceHost::InitializeForRecording
After allocating a large buffer in memory and creating a canvas, garbage collection from V8 is triggered, which causes OffscreenCanvas::Dispose to be called. This call detaches the OffscreenCanvas from the |host|. However, the |host| is still saved as a valid callback in the observer list of the canvas resource provider. Calling this |host| without the OffscreenCanvas causes the access to a poison address. In my fix, after garbage collection is triggered and Dispose is called, DiscardResourceProvider() is called as well, so it removes itself from the observer list.

Bug: 1143662
Change-Id: I82c9a1f70c117b03de9fb64f4849c1f3c4311d1a
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2531136
Reviewed-by: Juanmi Huertas <juanmihd@chromium.org>
Reviewed-by: Jeremy Roman <jbroman@chromium.org>
Commit-Queue: Yi Xu <yiyix@chromium.org>
Cr-Commit-Position: refs/heads/master@{#826391}