From 733f86be4130b247e90d479f76f81a3f88400126 Mon Sep 17 00:00:00 2001
From: deepak1556
Date: Mon, 12 Jul 2021 00:44:15 -0700
Subject: [PATCH 1/3] chore: cherry-pick 9bab573a37 from chromium

Refs https://chromium-review.googlesource.com/c/chromium/src/+/3010140
---
 patches/chromium/.patches | 12 +++++
 ...svgimage_page_after_document_install.patch | 48 +++++++++++++++++++
 2 files changed, 60 insertions(+)
 create mode 100644 patches/chromium/set_svgimage_page_after_document_install.patch

diff --git a/patches/chromium/.patches b/patches/chromium/.patches
index 9eb0415ba6eb4..f7aa8ddf3272f 100644
--- a/patches/chromium/.patches
+++ b/patches/chromium/.patches
@@ -138,3 +138,15 @@ cherry-pick-910e9e40d376.patch
 cherry-pick-d9556a80a790.patch
 cherry-pick-ee6aee64e24c.patch
 webview_fullscreen.patch
+disable_unload_metrics.patch
+fix_add_check_for_sandbox_then_result.patch
+extend_apply_webpreferences.patch
+fix_expose_decrementcapturercount_in_web_contents_impl.patch
+add_setter_for_browsermainloop_result_code.patch
+make_include_of_stack_trace_h_unconditional.patch
+build_libc_as_static_library.patch
+build_do_not_depend_on_packed_resource_integrity.patch
+refactor_restore_base_adaptcallbackforrepeating.patch
+hack_to_allow_gclient_sync_with_host_os_mac_on_linux_in_ci.patch
+don_t_run_pcscan_notifythreadcreated_if_pcscan_is_disabled.patch
+set_svgimage_page_after_document_install.patch
diff --git a/patches/chromium/set_svgimage_page_after_document_install.patch b/patches/chromium/set_svgimage_page_after_document_install.patch
new file mode 100644
index 0000000000000..2582248a894e9
--- /dev/null
+++ b/patches/chromium/set_svgimage_page_after_document_install.patch
@@ -0,0 +1,48 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Fredrik=20S=C3=B6derqvist?=
+Date: Fri, 9 Jul 2021 08:44:55 +0000
+Subject: Set SVGImage::page_ after document install
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+We can end up having the associated ImageResource call
+SVGImage::ResetAnimation() before the Document has been associated with
+the SVGImage's LocalFrame, but after the link to the initial Document
+was severed, if a GC is triggered within that window and ends up
+collecting the last observer of the ImageResource.
+
+By assigning |SVGImage::page_| after the installing the document, we
+close this hole since SVGImage::RootElement() (called by
+SVGImage::ResetAnimation()) will now observe a null Page and return null
+without attempting to dereference the document.
+
+Bug: 1216190
+Change-Id: I26e08848e5b9bd52e3377841eee35e4acc03d320
+Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3010140
+Reviewed-by: Stephen Chenney
+Commit-Queue: Fredrik Söderquist
+Cr-Commit-Position: refs/heads/master@{#899922}
+
+diff --git a/third_party/blink/renderer/core/svg/graphics/svg_image.cc b/third_party/blink/renderer/core/svg/graphics/svg_image.cc
+index b23ad2192bec4d1cac9d704074d12c9e00d4d2f5..ff2bf69be27f0afcb6a9909e716495e8d4a127ef 100644
+--- a/third_party/blink/renderer/core/svg/graphics/svg_image.cc
++++ b/third_party/blink/renderer/core/svg/graphics/svg_image.cc
+@@ -851,12 +851,15 @@ Image::SizeAvailability SVGImage::DataChanged(bool all_data_received) {
+ // SVG Images are transparent.
+ frame->View()->SetBaseBackgroundColor(Color::kTransparent);
+
+- page_ = page;
+-
+ TRACE_EVENT0("blink", "SVGImage::dataChanged::load");
+
+ frame->ForceSynchronousDocumentInstall("image/svg+xml", Data());
+
++ // Set up our Page reference after installing our document.
This avoids
++ // tripping on a non-existing (null) Document if a GC is triggered during the
++ // set up and ends up collecting the last owner/observer of this image.
++ page_ = page;
++
+ // Intrinsic sizing relies on computed style (e.g. font-size and
+ // writing-mode).
+ frame->GetDocument()->UpdateStyleAndLayoutTree();

From 4e917d35f93b106dfc4af0f912278104bfdee269 Mon Sep 17 00:00:00 2001
From: Robo
Date: Mon, 12 Jul 2021 22:09:05 -0700
Subject: [PATCH 2/3] Update .patches

---
 patches/chromium/.patches | 11 -----------
 1 file changed, 11 deletions(-)

diff --git a/patches/chromium/.patches b/patches/chromium/.patches
index f7aa8ddf3272f..ab21884b6e75e 100644
--- a/patches/chromium/.patches
+++ b/patches/chromium/.patches
@@ -138,15 +138,4 @@ cherry-pick-910e9e40d376.patch
 cherry-pick-d9556a80a790.patch
 cherry-pick-ee6aee64e24c.patch
 webview_fullscreen.patch
-disable_unload_metrics.patch
-fix_add_check_for_sandbox_then_result.patch
-extend_apply_webpreferences.patch
-fix_expose_decrementcapturercount_in_web_contents_impl.patch
-add_setter_for_browsermainloop_result_code.patch
-make_include_of_stack_trace_h_unconditional.patch
-build_libc_as_static_library.patch
-build_do_not_depend_on_packed_resource_integrity.patch
-refactor_restore_base_adaptcallbackforrepeating.patch
-hack_to_allow_gclient_sync_with_host_os_mac_on_linux_in_ci.patch
-don_t_run_pcscan_notifythreadcreated_if_pcscan_is_disabled.patch
 set_svgimage_page_after_document_install.patch

From 68ef0ea97475746528fb85a2a1c6550b0ac61155 Mon Sep 17 00:00:00 2001
From: PatchUp <73610968+patchup[bot]@users.noreply.github.com>
Date: Tue, 13 Jul 2021 05:21:13 +0000
Subject: [PATCH 3/3] chore: update patches

---
 .../chromium/set_svgimage_page_after_document_install.patch | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/patches/chromium/set_svgimage_page_after_document_install.patch b/patches/chromium/set_svgimage_page_after_document_install.patch
index 2582248a894e9..aff3f3f672aa5 100644
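Review bot: The comment added above the moved `page_ = page;` in the svg_image.cc hunk explains why the assignment was moved but not what makes the window safe: the commit message says SVGImage::RootElement() returns null while page_ is unset, yet nothing in the code records that RootElement()'s null-Page check is what protects a GC-triggered ResetAnimation() during ForceSynchronousDocumentInstall(). Suggest extending the comment with `// While page_ is null, SVGImage::RootElement() returns null, so a ResetAnimation() reached from GC during install is a no-op; nothing between the install and this assignment may depend on page_.` so that a later change to RootElement() does not silently reopen the hole. The enclosing SVGImage::DataChanged() starts and ends outside the hunk, so any earlier use of page_ in that function is not visible here.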
--- a/patches/chromium/set_svgimage_page_after_document_install.patch
+++ b/patches/chromium/set_svgimage_page_after_document_install.patch
@@ -25,10 +25,10 @@ Commit-Queue: Fredrik Söderquist
 Cr-Commit-Position: refs/heads/master@{#899922}
 
 diff --git a/third_party/blink/renderer/core/svg/graphics/svg_image.cc b/third_party/blink/renderer/core/svg/graphics/svg_image.cc
-index b23ad2192bec4d1cac9d704074d12c9e00d4d2f5..ff2bf69be27f0afcb6a9909e716495e8d4a127ef 100644
+index 2ce8a78b3537c72206e2d3e6d55f9cc1fc5d3208..0dec91614edb0caa6f8e473f027c3be7b8bf1e4e 100644
 --- a/third_party/blink/renderer/core/svg/graphics/svg_image.cc
 +++ b/third_party/blink/renderer/core/svg/graphics/svg_image.cc
-@@ -851,12 +851,15 @@ Image::SizeAvailability SVGImage::DataChanged(bool all_data_received) {
+@@ -830,12 +830,15 @@ Image::SizeAvailability SVGImage::DataChanged(bool all_data_received) {
  // SVG Images are transparent.
  frame->View()->SetBaseBackgroundColor(Color::kTransparent);