New issue
Advanced search Search tips
Note: Color blocks (like or ) mean that a user may not be available. Tooltip shows the reason.

Issue 838873 link

Starred by 2 users
Status: Fixed
Owner:
spqc...@chromium.org
Last visit > 30 days ago
Closed: May 2018
Cc:
guidou@chromium.org
spqc...@chromium.org
sadrul@chromium.org
ccameron@chromium.org
terelius@chromium.org
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: 1
Type: Bug



Sign in to add a comment

Compositor::ScrollLayerTo dereferences WeakPtr without checking it first

Project Member Reported by eladalon@chromium.org, May 2 2018 
Compositor::ScrollLayerTo dereferences WeakPtr without checking it first.

Comment 1 by eladalon@chromium.org, May 2 2018

Cc: sadrul@chromium.org spqc...@chromium.org ccameron@chromium.org
It also seems to hand the WeakPtr to ScrollInputHandler, which then extracts a raw pointer out of it. If the lifetime is managed correctly because these objects do not outlive the WeakPtr, it's not immediately apparent from the code.

Comment 2 by rsleevi@chromium.org, May 2 2018 

More problematically, this exposes a WeakPtr as part of its public interface, which is a rather risky anti-pattern.

To better understand why this is an anti-pattern that hides lifetime management issues (which can quickly become security issues), https://groups.google.com/a/chromium.org/forum/#!msg/chromium-dev/Oy3uuiTSwDk/5UDyRJcpJsUJ has a broader write-up of some of the patterns for safe and unsafe WeakPtr usage.

Comment 3 by eladalon@chromium.org, May 2 2018

Owner: spqc...@chromium.org
Project Member

Comment 4 by bugdroid1@chromium.org, May 2 2018 

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/d0ccb1593848ce8b7a4f081068dcaea0012f07ec

commit d0ccb1593848ce8b7a4f081068dcaea0012f07ec
Author: Elad Alon <eladalon@chromium.org>
Date: Wed May 02 19:02:25 2018

Fix unsafe use of WeakPtr by Compositor and ScrollInputHandler

This CL will just highlight the problem. Passing the CL to
Sarah Chan, who will fix.

Bug:  838873 
Change-Id: If0878c717a572fb7d9522fa85e3a6c1d4f002151
Reviewed-on: https://chromium-review.googlesource.com/1039368
Commit-Queue: Elad Alon <eladalon@chromium.org>
Reviewed-by: ccameron <ccameron@chromium.org>
Cr-Commit-Position: refs/heads/master@{#555494}
[modify] https://crrev.com/d0ccb1593848ce8b7a4f081068dcaea0012f07ec/ui/compositor/compositor.cc
[modify] https://crrev.com/d0ccb1593848ce8b7a4f081068dcaea0012f07ec/ui/compositor/overscroll/scroll_input_handler.cc

Comment 5 by spqc...@chromium.org, May 3 2018

Status: Started (was: Assigned)
Project Member

Comment 6 by bugdroid1@chromium.org, May 11 2018 

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/5b3c55bc76146c28789986b8f3784634ae76ac94

commit 5b3c55bc76146c28789986b8f3784634ae76ac94
Author: spqchan <spqchan@chromium.org>
Date: Fri May 11 04:44:56 2018

Fix InputHandler WeakPtr handling in Compositor and ScrollInputHandler

Bug:  838873 
Change-Id: I22e5a8a54d372abc84993ef1cd33e4325856cb6b
Reviewed-on: https://chromium-review.googlesource.com/1042726
Reviewed-by: Sadrul Chowdhury <sadrul@chromium.org>
Reviewed-by: Elad Alon <eladalon@chromium.org>
Commit-Queue: Sarah Chan <spqchan@chromium.org>
Cr-Commit-Position: refs/heads/master@{#557796}
[modify] https://crrev.com/5b3c55bc76146c28789986b8f3784634ae76ac94/ui/compositor/compositor.cc
[modify] https://crrev.com/5b3c55bc76146c28789986b8f3784634ae76ac94/ui/compositor/overscroll/scroll_input_handler.cc
[modify] https://crrev.com/5b3c55bc76146c28789986b8f3784634ae76ac94/ui/compositor/overscroll/scroll_input_handler.h

Comment 7 by spqc...@chromium.org, May 11 2018

Status: Fixed (was: Started)

Sign in to add a comment