POC

Repository: StarCrossPortal/bug-hunting-101 Branch: master Commit: c86d7f11ac7f Files: 63 Total size: 1.4 MB Directory structure: gitextract_pvp47mds/ ├── LEVEL_1/ │ ├── README.md │ ├── exercise_1/ │ │ ├── Buffer11.cpp │ │ ├── README.md │ │ └── poc.html │ ├── exercise_2/ │ │ ├── README.md │ │ └── VertexArray11.cpp │ ├── exercise_3/ │ │ ├── IndexDataManager.cpp │ │ ├── README.md │ │ └── poc.html │ ├── exercise_4/ │ │ ├── README.md │ │ └── mac_scrollbar_animator_impl.mm │ ├── exercise_5/ │ │ ├── README.md │ │ ├── css_interpolation_types_map.cc │ │ └── poc.html │ ├── exercise_6/ │ │ ├── README.md │ │ ├── animatable.cc │ │ ├── effect_input.cc │ │ ├── keyframe_effect.cc │ │ └── poc.html │ └── exercise_7/ │ ├── README.md │ ├── marker.cc │ └── marking-state.h ├── LEVEL_2/ │ ├── README.md │ ├── exercise_1/ │ │ ├── README.md │ │ └── text_searcher_icu.cc │ ├── exercise_2/ │ │ ├── README.md │ │ └── visible_units.cc │ ├── exercise_3/ │ │ ├── README.md │ │ ├── deflate_transformer.cc │ │ └── inflate_transformer.cc │ ├── exercise_4/ │ │ ├── README.md │ │ └── tab_strip_model.cc │ ├── exercise_5/ │ │ ├── README.md │ │ ├── tab_drag_controller.cc │ │ ├── tab_drag_controller.h │ │ ├── tab_strip_model.cc │ │ └── tab_strip_model.h │ ├── exercise_6/ │ │ ├── README.md │ │ └── pdfium_page.cc │ └── exercise_7/ │ ├── README.md │ └── webgl_rendering_context_base.cc ├── LEVEL_3/ │ ├── README.md │ ├── exercise_1/ │ │ ├── README.md │ │ ├── navigation_predictor.cc │ │ └── navigation_predictor.h │ ├── exercise_2/ │ │ ├── README.md │ │ ├── representation-change.cc │ │ └── representation-change.h │ ├── exercise_3/ │ │ ├── README.md │ │ ├── node_channel.cc │ │ ├── node_channel.h │ │ └── user_message_impl.cc │ ├── exercise_4/ │ │ ├── README.md │ │ └── receiver_set.h │ ├── exercise_5/ │ │ ├── README.md │ │ └── page_handler.cc │ ├── exercise_6/ │ │ ├── README.md │ │ ├── ipc_message_pipe_reader.cc │ │ ├── pickle.cc │ │ └── pickle.h │ └── exercise_7/ │ └── README.md ├── README.md └── Template.md ================================================ FILE CONTENTS ================================================ ================================================ FILE: LEVEL_1/README.md ================================================ # LEVEL 1 I will collect some related code and useful descriptions, in order to provide all your demands. But if you feel these not enough, you need to search yourself. Find the bug yourself, and if you feel difficult can see tips or the answer. I believe you can do better than me. ================================================ FILE: LEVEL_1/exercise_1/Buffer11.cpp ================================================ // // Copyright 2014 The ANGLE Project Authors. All rights reserved. // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. // // Buffer11.cpp Defines the Buffer11 class. #include "libANGLE/renderer/d3d/d3d11/Buffer11.h" #include #include "common/MemoryBuffer.h" #include "libANGLE/Context.h" #include "libANGLE/renderer/d3d/IndexDataManager.h" #include "libANGLE/renderer/d3d/VertexDataManager.h" #include "libANGLE/renderer/d3d/d3d11/Context11.h" #include "libANGLE/renderer/d3d/d3d11/RenderTarget11.h" #include "libANGLE/renderer/d3d/d3d11/Renderer11.h" #include "libANGLE/renderer/d3d/d3d11/formatutils11.h" #include "libANGLE/renderer/d3d/d3d11/renderer11_utils.h" #include "libANGLE/renderer/renderer_utils.h" namespace rx { namespace { template GLuint ReadIndexValueFromIndices(const uint8_t *data, size_t index) { return reinterpret_cast(data)[index]; } typedef GLuint (*ReadIndexValueFunction)(const uint8_t *data, size_t index); enum class CopyResult { RECREATED, NOT_RECREATED, }; void CalculateConstantBufferParams(GLintptr offset, GLsizeiptr size, UINT *outFirstConstant, UINT *outNumConstants) { // The offset must be aligned to 256 bytes (should have been enforced by glBindBufferRange). ASSERT(offset % 256 == 0); // firstConstant and numConstants are expressed in constants of 16-bytes. Furthermore they must // be a multiple of 16 constants. *outFirstConstant = static_cast(offset / 16); // The GL size is not required to be aligned to a 256 bytes boundary. // Round the size up to a 256 bytes boundary then express the results in constants of 16-bytes. *outNumConstants = static_cast(rx::roundUp(size, static_cast(256)) / 16); // Since the size is rounded up, firstConstant + numConstants may be bigger than the actual size // of the buffer. This behaviour is explictly allowed according to the documentation on // ID3D11DeviceContext1::PSSetConstantBuffers1 // https://msdn.microsoft.com/en-us/library/windows/desktop/hh404649%28v=vs.85%29.aspx } } // anonymous namespace namespace gl_d3d11 { D3D11_MAP GetD3DMapTypeFromBits(BufferUsage usage, GLbitfield access) { bool readBit = ((access & GL_MAP_READ_BIT) != 0); bool writeBit = ((access & GL_MAP_WRITE_BIT) != 0); ASSERT(readBit || writeBit); // Note : we ignore the discard bit, because in D3D11, staging buffers // don't accept the map-discard flag (discard only works for DYNAMIC usage) if (readBit && !writeBit) { return D3D11_MAP_READ; } else if (writeBit && !readBit) { // Special case for uniform storage - we only allow full buffer updates. return usage == BUFFER_USAGE_UNIFORM || usage == BUFFER_USAGE_STRUCTURED ? D3D11_MAP_WRITE_DISCARD : D3D11_MAP_WRITE; } else if (writeBit && readBit) { return D3D11_MAP_READ_WRITE; } else { UNREACHABLE(); return D3D11_MAP_READ; } } } // namespace gl_d3d11 // Each instance of Buffer11::BufferStorage is specialized for a class of D3D binding points // - vertex/transform feedback buffers // - index buffers // - pixel unpack buffers // - uniform buffers class Buffer11::BufferStorage : angle::NonCopyable { public: virtual ~BufferStorage() {} DataRevision getDataRevision() const { return mRevision; } BufferUsage getUsage() const { return mUsage; } size_t getSize() const { return mBufferSize; } void setDataRevision(DataRevision rev) { mRevision = rev; } virtual bool isCPUAccessible(GLbitfield access) const = 0; virtual bool isGPUAccessible() const = 0; virtual angle::Result copyFromStorage(const gl::Context *context, BufferStorage *source, size_t sourceOffset, size_t size, size_t destOffset, CopyResult *resultOut) = 0; virtual angle::Result resize(const gl::Context *context, size_t size, bool preserveData) = 0; virtual angle::Result map(const gl::Context *context, size_t offset, size_t length, GLbitfield access, uint8_t **mapPointerOut) = 0; virtual void unmap() = 0; angle::Result setData(const gl::Context *context, const uint8_t *data, size_t offset, size_t size); void setStructureByteStride(unsigned int structureByteStride); protected: BufferStorage(Renderer11 *renderer, BufferUsage usage); Renderer11 *mRenderer; DataRevision mRevision; const BufferUsage mUsage; size_t mBufferSize; }; // A native buffer storage represents an underlying D3D11 buffer for a particular // type of storage. class Buffer11::NativeStorage : public Buffer11::BufferStorage { public: NativeStorage(Renderer11 *renderer, BufferUsage usage, const angle::Subject *onStorageChanged); ~NativeStorage() override; bool isCPUAccessible(GLbitfield access) const override; bool isGPUAccessible() const override { return true; } const d3d11::Buffer &getBuffer() const { return mBuffer; } angle::Result copyFromStorage(const gl::Context *context, BufferStorage *source, size_t sourceOffset, size_t size, size_t destOffset, CopyResult *resultOut) override; angle::Result resize(const gl::Context *context, size_t size, bool preserveData) override; angle::Result map(const gl::Context *context, size_t offset, size_t length, GLbitfield access, uint8_t **mapPointerOut) override; void unmap() override; angle::Result getSRVForFormat(const gl::Context *context, DXGI_FORMAT srvFormat, const d3d11::ShaderResourceView **srvOut); angle::Result getRawUAV(const gl::Context *context, unsigned int offset, unsigned int size, d3d11::UnorderedAccessView **uavOut); protected: d3d11::Buffer mBuffer; const angle::Subject *mOnStorageChanged; private: static void FillBufferDesc(D3D11_BUFFER_DESC *bufferDesc, Renderer11 *renderer, BufferUsage usage, unsigned int bufferSize); void clearSRVs(); void clearUAVs(); std::map mBufferResourceViews; std::map, d3d11::UnorderedAccessView> mBufferRawUAVs; }; class Buffer11::StructuredBufferStorage : public Buffer11::NativeStorage { public: StructuredBufferStorage(Renderer11 *renderer, BufferUsage usage, const angle::Subject *onStorageChanged); ~StructuredBufferStorage() override; angle::Result resizeStructuredBuffer(const gl::Context *context, unsigned int size, unsigned int structureByteStride); angle::Result getStructuredBufferRangeSRV(const gl::Context *context, unsigned int offset, unsigned int size, unsigned int structureByteStride, const d3d11::ShaderResourceView **bufferOut); private: d3d11::ShaderResourceView mStructuredBufferResourceView; }; // A emulated indexed buffer storage represents an underlying D3D11 buffer for data // that has been expanded to match the indices list used. This storage is only // used for FL9_3 pointsprite rendering emulation. class Buffer11::EmulatedIndexedStorage : public Buffer11::BufferStorage { public: EmulatedIndexedStorage(Renderer11 *renderer); ~EmulatedIndexedStorage() override; bool isCPUAccessible(GLbitfield access) const override { return true; } bool isGPUAccessible() const override { return false; } angle::Result getBuffer(const gl::Context *context, SourceIndexData *indexInfo, const TranslatedAttribute &attribute, GLint startVertex, const d3d11::Buffer **bufferOut); angle::Result copyFromStorage(const gl::Context *context, BufferStorage *source, size_t sourceOffset, size_t size, size_t destOffset, CopyResult *resultOut) override; angle::Result resize(const gl::Context *context, size_t size, bool preserveData) override; angle::Result map(const gl::Context *context, size_t offset, size_t length, GLbitfield access, uint8_t **mapPointerOut) override; void unmap() override; private: d3d11::Buffer mBuffer; // contains expanded data for use by D3D angle::MemoryBuffer mMemoryBuffer; // original data (not expanded) angle::MemoryBuffer mIndicesMemoryBuffer; // indices data }; // Pack storage represents internal storage for pack buffers. We implement pack buffers // as CPU memory, tied to a staging texture, for asynchronous texture readback. class Buffer11::PackStorage : public Buffer11::BufferStorage { public: explicit PackStorage(Renderer11 *renderer); ~PackStorage() override; bool isCPUAccessible(GLbitfield access) const override { return true; } bool isGPUAccessible() const override { return false; } angle::Result copyFromStorage(const gl::Context *context, BufferStorage *source, size_t sourceOffset, size_t size, size_t destOffset, CopyResult *resultOut) override; angle::Result resize(const gl::Context *context, size_t size, bool preserveData) override; angle::Result map(const gl::Context *context, size_t offset, size_t length, GLbitfield access, uint8_t **mapPointerOut) override; void unmap() override; angle::Result packPixels(const gl::Context *context, const gl::FramebufferAttachment &readAttachment, const PackPixelsParams ¶ms); private: angle::Result flushQueuedPackCommand(const gl::Context *context); TextureHelper11 mStagingTexture; angle::MemoryBuffer mMemoryBuffer; std::unique_ptr mQueuedPackCommand; PackPixelsParams mPackParams; bool mDataModified; }; // System memory storage stores a CPU memory buffer with our buffer data. // For dynamic data, it's much faster to update the CPU memory buffer than // it is to update a D3D staging buffer and read it back later. class Buffer11::SystemMemoryStorage : public Buffer11::BufferStorage { public: explicit SystemMemoryStorage(Renderer11 *renderer); ~SystemMemoryStorage() override {} bool isCPUAccessible(GLbitfield access) const override { return true; } bool isGPUAccessible() const override { return false; } angle::Result copyFromStorage(const gl::Context *context, BufferStorage *source, size_t sourceOffset, size_t size, size_t destOffset, CopyResult *resultOut) override; angle::Result resize(const gl::Context *context, size_t size, bool preserveData) override; angle::Result map(const gl::Context *context, size_t offset, size_t length, GLbitfield access, uint8_t **mapPointerOut) override; void unmap() override; angle::MemoryBuffer *getSystemCopy() { return &mSystemCopy; } protected: angle::MemoryBuffer mSystemCopy; }; Buffer11::Buffer11(const gl::BufferState &state, Renderer11 *renderer) : BufferD3D(state, renderer), mRenderer(renderer), mSize(0), mMappedStorage(nullptr), mBufferStorages({}), mLatestBufferStorage(nullptr), mDeallocThresholds({}), mIdleness({}), mConstantBufferStorageAdditionalSize(0), mMaxConstantBufferLruCount(0), mStructuredBufferStorageAdditionalSize(0), mMaxStructuredBufferLruCount(0) {} Buffer11::~Buffer11() { for (BufferStorage *&storage : mBufferStorages) { SafeDelete(storage); } for (auto &p : mConstantBufferRangeStoragesCache) { SafeDelete(p.second.storage); } for (auto &p : mStructuredBufferRangeStoragesCache) { SafeDelete(p.second.storage); } mRenderer->onBufferDelete(this); } angle::Result Buffer11::setData(const gl::Context *context, gl::BufferBinding target, const void *data, size_t size, gl::BufferUsage usage) { updateD3DBufferUsage(context, usage); return setSubData(context, target, data, size, 0); } angle::Result Buffer11::getData(const gl::Context *context, const uint8_t **outData) { if (mSize == 0) { // TODO(http://anglebug.com/2840): This ensures that we don't crash or assert in robust // buffer access behavior mode if there are buffers without any data. However, technically // it should still be possible to draw, with fetches from this buffer returning zero. return angle::Result::Stop; } SystemMemoryStorage *systemMemoryStorage = nullptr; ANGLE_TRY(getBufferStorage(context, BUFFER_USAGE_SYSTEM_MEMORY, &systemMemoryStorage)); ASSERT(systemMemoryStorage->getSize() >= mSize); *outData = systemMemoryStorage->getSystemCopy()->data(); return angle::Result::Continue; } angle::Result Buffer11::setSubData(const gl::Context *context, gl::BufferBinding target, const void *data, size_t size, size_t offset) { size_t requiredSize = size + offset; if (data && size > 0) { // Use system memory storage for dynamic buffers. // Try using a constant storage for constant buffers BufferStorage *writeBuffer = nullptr; if (target == gl::BufferBinding::Uniform) { // If we are a very large uniform buffer, keep system memory storage around so that we // aren't forced to read back from a constant buffer. We also check the workaround for // Intel - this requires us to use system memory so we don't end up having to copy from // a constant buffer to a staging buffer. // TODO(jmadill): Use Context caps. if (offset == 0 && size >= mSize && size <= static_cast(mRenderer->getNativeCaps().maxUniformBlockSize) && !mRenderer->getFeatures().useSystemMemoryForConstantBuffers.enabled) { BufferStorage *latestStorage = nullptr; ANGLE_TRY(getLatestBufferStorage(context, &latestStorage)); if (latestStorage && (latestStorage->getUsage() == BUFFER_USAGE_STRUCTURED)) { ANGLE_TRY(getBufferStorage(context, BUFFER_USAGE_STRUCTURED, &writeBuffer)); } else { ANGLE_TRY(getBufferStorage(context, BUFFER_USAGE_UNIFORM, &writeBuffer)); } } else { ANGLE_TRY(getBufferStorage(context, BUFFER_USAGE_SYSTEM_MEMORY, &writeBuffer)); } } else if (supportsDirectBinding()) { ANGLE_TRY(getStagingStorage(context, &writeBuffer)); } else { ANGLE_TRY(getBufferStorage(context, BUFFER_USAGE_SYSTEM_MEMORY, &writeBuffer)); } ASSERT(writeBuffer); // Explicitly resize the staging buffer, preserving data if the new data will not // completely fill the buffer if (writeBuffer->getSize() < requiredSize) { bool preserveData = (offset > 0); ANGLE_TRY(writeBuffer->resize(context, requiredSize, preserveData)); } ANGLE_TRY(writeBuffer->setData(context, static_cast(data), offset, size)); onStorageUpdate(writeBuffer); } mSize = std::max(mSize, requiredSize); invalidateStaticData(context); return angle::Result::Continue; } angle::Result Buffer11::copySubData(const gl::Context *context, BufferImpl *source, GLintptr sourceOffset, GLintptr destOffset, GLsizeiptr size) { Buffer11 *sourceBuffer = GetAs(source); ASSERT(sourceBuffer != nullptr); BufferStorage *copyDest = nullptr; ANGLE_TRY(getLatestBufferStorage(context, ©Dest)); if (!copyDest) { ANGLE_TRY(getStagingStorage(context, ©Dest)); } BufferStorage *copySource = nullptr; ANGLE_TRY(sourceBuffer->getLatestBufferStorage(context, ©Source)); if (!copySource) { ANGLE_TRY(sourceBuffer->getStagingStorage(context, ©Source)); } ASSERT(copySource && copyDest); // A staging buffer is needed if there is no cpu-cpu or gpu-gpu copy path avaiable. if (!copyDest->isGPUAccessible() && !copySource->isCPUAccessible(GL_MAP_READ_BIT)) { ANGLE_TRY(sourceBuffer->getStagingStorage(context, ©Source)); } else if (!copySource->isGPUAccessible() && !copyDest->isCPUAccessible(GL_MAP_WRITE_BIT)) { ANGLE_TRY(getStagingStorage(context, ©Dest)); } // D3D11 does not allow overlapped copies until 11.1, and only if the // device supports D3D11_FEATURE_DATA_D3D11_OPTIONS::CopyWithOverlap // Get around this via a different source buffer if (copySource == copyDest) { if (copySource->getUsage() == BUFFER_USAGE_STAGING) { ANGLE_TRY( getBufferStorage(context, BUFFER_USAGE_VERTEX_OR_TRANSFORM_FEEDBACK, ©Source)); } else { ANGLE_TRY(getStagingStorage(context, ©Source)); } } CopyResult copyResult = CopyResult::NOT_RECREATED; ANGLE_TRY(copyDest->copyFromStorage(context, copySource, sourceOffset, size, destOffset, ©Result)); onStorageUpdate(copyDest); mSize = std::max(mSize, destOffset + size); invalidateStaticData(context); return angle::Result::Continue; } angle::Result Buffer11::map(const gl::Context *context, GLenum access, void **mapPtr) { // GL_OES_mapbuffer uses an enum instead of a bitfield for it's access, convert to a bitfield // and call mapRange. ASSERT(access == GL_WRITE_ONLY_OES); return mapRange(context, 0, mSize, GL_MAP_WRITE_BIT, mapPtr); } angle::Result Buffer11::mapRange(const gl::Context *context, size_t offset, size_t length, GLbitfield access, void **mapPtr) { ASSERT(!mMappedStorage); BufferStorage *latestStorage = nullptr; ANGLE_TRY(getLatestBufferStorage(context, &latestStorage)); if (latestStorage && (latestStorage->getUsage() == BUFFER_USAGE_PIXEL_PACK || latestStorage->getUsage() == BUFFER_USAGE_STAGING)) { // Latest storage is mappable. mMappedStorage = latestStorage; } else { // Fall back to using the staging buffer if the latest storage does not exist or is not // CPU-accessible. ANGLE_TRY(getStagingStorage(context, &mMappedStorage)); } Context11 *context11 = GetImplAs(context); ANGLE_CHECK_GL_ALLOC(context11, mMappedStorage); if ((access & GL_MAP_WRITE_BIT) > 0) { // Update the data revision immediately, since the data might be changed at any time onStorageUpdate(mMappedStorage); invalidateStaticData(context); } uint8_t *mappedBuffer = nullptr; ANGLE_TRY(mMappedStorage->map(context, offset, length, access, &mappedBuffer)); ASSERT(mappedBuffer); *mapPtr = static_cast(mappedBuffer); return angle::Result::Continue; } angle::Result Buffer11::unmap(const gl::Context *context, GLboolean *result) { ASSERT(mMappedStorage); mMappedStorage->unmap(); mMappedStorage = nullptr; // TODO: detect if we had corruption. if so, return false. *result = GL_TRUE; return angle::Result::Continue; } angle::Result Buffer11::markTransformFeedbackUsage(const gl::Context *context) { ANGLE_TRY(markBufferUsage(context, BUFFER_USAGE_VERTEX_OR_TRANSFORM_FEEDBACK)); return angle::Result::Continue; } void Buffer11::updateDeallocThreshold(BufferUsage usage) { // The following strategy was tuned on the Oort online benchmark (http://oortonline.gl/) // as well as a custom microbenchmark (IndexConversionPerfTest.Run/index_range_d3d11) // First readback: 8 unmodified uses before we free buffer memory. // After that, double the threshold each time until we reach the max. if (mDeallocThresholds[usage] == 0) { mDeallocThresholds[usage] = 8; } else if (mDeallocThresholds[usage] < std::numeric_limits::max() / 2u) { mDeallocThresholds[usage] *= 2u; } else { mDeallocThresholds[usage] = std::numeric_limits::max(); } } // Free the storage if we decide it isn't being used very often. angle::Result Buffer11::checkForDeallocation(const gl::Context *context, BufferUsage usage) { mIdleness[usage]++; BufferStorage *&storage = mBufferStorages[usage]; if (storage != nullptr && mIdleness[usage] > mDeallocThresholds[usage]) { BufferStorage *latestStorage = nullptr; ANGLE_TRY(getLatestBufferStorage(context, &latestStorage)); if (latestStorage != storage) { SafeDelete(storage); } } return angle::Result::Continue; } // Keep system memory when we are using it for the canonical version of data. bool Buffer11::canDeallocateSystemMemory() const { // Must keep system memory on Intel. if (mRenderer->getFeatures().useSystemMemoryForConstantBuffers.enabled) { return false; } return (!mBufferStorages[BUFFER_USAGE_UNIFORM] || mSize <= static_cast(mRenderer->getNativeCaps().maxUniformBlockSize)); } void Buffer11::markBufferUsage(BufferUsage usage) { mIdleness[usage] = 0; } angle::Result Buffer11::markBufferUsage(const gl::Context *context, BufferUsage usage) { BufferStorage *bufferStorage = nullptr; ANGLE_TRY(getBufferStorage(context, usage, &bufferStorage)); if (bufferStorage) { onStorageUpdate(bufferStorage); } invalidateStaticData(context); return angle::Result::Continue; } angle::Result Buffer11::garbageCollection(const gl::Context *context, BufferUsage currentUsage) { if (currentUsage != BUFFER_USAGE_SYSTEM_MEMORY && canDeallocateSystemMemory()) { ANGLE_TRY(checkForDeallocation(context, BUFFER_USAGE_SYSTEM_MEMORY)); } if (currentUsage != BUFFER_USAGE_STAGING) { ANGLE_TRY(checkForDeallocation(context, BUFFER_USAGE_STAGING)); } return angle::Result::Continue; } angle::Result Buffer11::getBuffer(const gl::Context *context, BufferUsage usage, ID3D11Buffer **bufferOut) { NativeStorage *storage = nullptr; ANGLE_TRY(getBufferStorage(context, usage, &storage)); *bufferOut = storage->getBuffer().get(); return angle::Result::Continue; } angle::Result Buffer11::getEmulatedIndexedBuffer(const gl::Context *context, SourceIndexData *indexInfo, const TranslatedAttribute &attribute, GLint startVertex, ID3D11Buffer **bufferOut) { ASSERT(indexInfo); EmulatedIndexedStorage *emulatedStorage = nullptr; ANGLE_TRY(getBufferStorage(context, BUFFER_USAGE_EMULATED_INDEXED_VERTEX, &emulatedStorage)); const d3d11::Buffer *nativeBuffer = nullptr; ANGLE_TRY( emulatedStorage->getBuffer(context, indexInfo, attribute, startVertex, &nativeBuffer)); *bufferOut = nativeBuffer->get(); return angle::Result::Continue; } angle::Result Buffer11::getConstantBufferRange(const gl::Context *context, GLintptr offset, GLsizeiptr size, const d3d11::Buffer **bufferOut, UINT *firstConstantOut, UINT *numConstantsOut) { NativeStorage *bufferStorage = nullptr; if ((offset == 0 && size < static_cast(mRenderer->getNativeCaps().maxUniformBlockSize)) || mRenderer->getRenderer11DeviceCaps().supportsConstantBufferOffsets) { ANGLE_TRY(getBufferStorage(context, BUFFER_USAGE_UNIFORM, &bufferStorage)); CalculateConstantBufferParams(offset, size, firstConstantOut, numConstantsOut); } else { ANGLE_TRY(getConstantBufferRangeStorage(context, offset, size, &bufferStorage)); *firstConstantOut = 0; *numConstantsOut = 0; } *bufferOut = &bufferStorage->getBuffer(); return angle::Result::Continue; } angle::Result Buffer11::markRawBufferUsage(const gl::Context *context) { ANGLE_TRY(markBufferUsage(context, BUFFER_USAGE_RAW_UAV)); return angle::Result::Continue; } angle::Result Buffer11::getRawUAVRange(const gl::Context *context, GLintptr offset, GLsizeiptr size, d3d11::UnorderedAccessView **uavOut) { NativeStorage *nativeStorage = nullptr; ANGLE_TRY(getBufferStorage(context, BUFFER_USAGE_RAW_UAV, &nativeStorage)); return nativeStorage->getRawUAV(context, static_cast(offset), static_cast(size), uavOut); } angle::Result Buffer11::getSRV(const gl::Context *context, DXGI_FORMAT srvFormat, const d3d11::ShaderResourceView **srvOut) { NativeStorage *nativeStorage = nullptr; ANGLE_TRY(getBufferStorage(context, BUFFER_USAGE_PIXEL_UNPACK, &nativeStorage)); return nativeStorage->getSRVForFormat(context, srvFormat, srvOut); } angle::Result Buffer11::packPixels(const gl::Context *context, const gl::FramebufferAttachment &readAttachment, const PackPixelsParams ¶ms) { PackStorage *packStorage = nullptr; ANGLE_TRY(getBufferStorage(context, BUFFER_USAGE_PIXEL_PACK, &packStorage)); ASSERT(packStorage); ANGLE_TRY(packStorage->packPixels(context, readAttachment, params)); onStorageUpdate(packStorage); return angle::Result::Continue; } size_t Buffer11::getTotalCPUBufferMemoryBytes() const { size_t allocationSize = 0; BufferStorage *staging = mBufferStorages[BUFFER_USAGE_STAGING]; allocationSize += staging ? staging->getSize() : 0; BufferStorage *sysMem = mBufferStorages[BUFFER_USAGE_SYSTEM_MEMORY]; allocationSize += sysMem ? sysMem->getSize() : 0; return allocationSize; } template angle::Result Buffer11::getBufferStorage(const gl::Context *context, BufferUsage usage, StorageOutT **storageOut) { ASSERT(0 <= usage && usage < BUFFER_USAGE_COUNT); BufferStorage *&newStorage = mBufferStorages[usage]; if (!newStorage) { newStorage = allocateStorage(usage); } markBufferUsage(usage); // resize buffer if (newStorage->getSize() < mSize) { ANGLE_TRY(newStorage->resize(context, mSize, true)); } ASSERT(newStorage); ANGLE_TRY(updateBufferStorage(context, newStorage, 0, mSize)); ANGLE_TRY(garbageCollection(context, usage)); *storageOut = GetAs(newStorage); return angle::Result::Continue; } Buffer11::BufferStorage *Buffer11::allocateStorage(BufferUsage usage) { updateDeallocThreshold(usage); switch (usage) { case BUFFER_USAGE_PIXEL_PACK: return new PackStorage(mRenderer); case BUFFER_USAGE_SYSTEM_MEMORY: return new SystemMemoryStorage(mRenderer); case BUFFER_USAGE_EMULATED_INDEXED_VERTEX: return new EmulatedIndexedStorage(mRenderer); case BUFFER_USAGE_INDEX: case BUFFER_USAGE_VERTEX_OR_TRANSFORM_FEEDBACK: return new NativeStorage(mRenderer, usage, this); case BUFFER_USAGE_STRUCTURED: return new StructuredBufferStorage(mRenderer, usage, nullptr); default: return new NativeStorage(mRenderer, usage, nullptr); } } angle::Result Buffer11::getConstantBufferRangeStorage(const gl::Context *context, GLintptr offset, GLsizeiptr size, Buffer11::NativeStorage **storageOut) { BufferStorage *newStorage; { // Keep the cacheEntry in a limited scope because it may be invalidated later in the code if // we need to reclaim some space. BufferCacheEntry *cacheEntry = &mConstantBufferRangeStoragesCache[offset]; if (!cacheEntry->storage) { cacheEntry->storage = allocateStorage(BUFFER_USAGE_UNIFORM); cacheEntry->lruCount = ++mMaxConstantBufferLruCount; } cacheEntry->lruCount = ++mMaxConstantBufferLruCount; newStorage = cacheEntry->storage; } markBufferUsage(BUFFER_USAGE_UNIFORM); if (newStorage->getSize() < static_cast(size)) { size_t maximumAllowedAdditionalSize = 2 * getSize(); size_t sizeDelta = size - newStorage->getSize(); while (mConstantBufferStorageAdditionalSize + sizeDelta > maximumAllowedAdditionalSize) { auto iter = std::min_element( std::begin(mConstantBufferRangeStoragesCache), std::end(mConstantBufferRangeStoragesCache), [](const BufferCache::value_type &a, const BufferCache::value_type &b) { return a.second.lruCount < b.second.lruCount; }); ASSERT(iter->second.storage != newStorage); ASSERT(mConstantBufferStorageAdditionalSize >= iter->second.storage->getSize()); mConstantBufferStorageAdditionalSize -= iter->second.storage->getSize(); SafeDelete(iter->second.storage); mConstantBufferRangeStoragesCache.erase(iter); } ANGLE_TRY(newStorage->resize(context, size, false)); mConstantBufferStorageAdditionalSize += sizeDelta; // We don't copy the old data when resizing the constant buffer because the data may be // out-of-date therefore we reset the data revision and let updateBufferStorage() handle the // copy. newStorage->setDataRevision(0); } ANGLE_TRY(updateBufferStorage(context, newStorage, offset, size)); ANGLE_TRY(garbageCollection(context, BUFFER_USAGE_UNIFORM)); *storageOut = GetAs(newStorage); return angle::Result::Continue; } angle::Result Buffer11::getStructuredBufferRangeSRV(const gl::Context *context, unsigned int offset, unsigned int size, unsigned int structureByteStride, const d3d11::ShaderResourceView **srvOut) { BufferStorage *newStorage; { // Keep the cacheEntry in a limited scope because it may be invalidated later in the code if // we need to reclaim some space. StructuredBufferKey structuredBufferKey = StructuredBufferKey(offset, structureByteStride); BufferCacheEntry *cacheEntry = &mStructuredBufferRangeStoragesCache[structuredBufferKey]; if (!cacheEntry->storage) { cacheEntry->storage = allocateStorage(BUFFER_USAGE_STRUCTURED); cacheEntry->lruCount = ++mMaxStructuredBufferLruCount; } cacheEntry->lruCount = ++mMaxStructuredBufferLruCount; newStorage = cacheEntry->storage; } StructuredBufferStorage *structuredBufferStorage = GetAs(newStorage); markBufferUsage(BUFFER_USAGE_STRUCTURED); if (newStorage->getSize() < static_cast(size)) { size_t maximumAllowedAdditionalSize = 2 * getSize(); size_t sizeDelta = static_cast(size) - newStorage->getSize(); while (mStructuredBufferStorageAdditionalSize + sizeDelta > maximumAllowedAdditionalSize) { auto iter = std::min_element(std::begin(mStructuredBufferRangeStoragesCache), std::end(mStructuredBufferRangeStoragesCache), [](const StructuredBufferCache::value_type &a, const StructuredBufferCache::value_type &b) { return a.second.lruCount < b.second.lruCount; }); ASSERT(iter->second.storage != newStorage); ASSERT(mStructuredBufferStorageAdditionalSize >= iter->second.storage->getSize()); mStructuredBufferStorageAdditionalSize -= iter->second.storage->getSize(); SafeDelete(iter->second.storage); mStructuredBufferRangeStoragesCache.erase(iter); } ANGLE_TRY( structuredBufferStorage->resizeStructuredBuffer(context, size, structureByteStride)); mStructuredBufferStorageAdditionalSize += sizeDelta; // We don't copy the old data when resizing the structured buffer because the data may be // out-of-date therefore we reset the data revision and let updateBufferStorage() handle the // copy. newStorage->setDataRevision(0); } ANGLE_TRY(updateBufferStorage(context, newStorage, offset, static_cast(size))); ANGLE_TRY(garbageCollection(context, BUFFER_USAGE_STRUCTURED)); ANGLE_TRY(structuredBufferStorage->getStructuredBufferRangeSRV(context, offset, size, structureByteStride, srvOut)); return angle::Result::Continue; } angle::Result Buffer11::updateBufferStorage(const gl::Context *context, BufferStorage *storage, size_t sourceOffset, size_t storageSize) { BufferStorage *latestBuffer = nullptr; ANGLE_TRY(getLatestBufferStorage(context, &latestBuffer)); ASSERT(storage); if (!latestBuffer) { onStorageUpdate(storage); return angle::Result::Continue; } if (latestBuffer->getDataRevision() <= storage->getDataRevision()) { return angle::Result::Continue; } // Copy through a staging buffer if we're copying from or to a non-staging, mappable // buffer storage. This is because we can't map a GPU buffer, and copy CPU // data directly. If we're already using a staging buffer we're fine. if (latestBuffer->getUsage() != BUFFER_USAGE_STAGING && storage->getUsage() != BUFFER_USAGE_STAGING && (!latestBuffer->isCPUAccessible(GL_MAP_READ_BIT) || !storage->isCPUAccessible(GL_MAP_WRITE_BIT))) { NativeStorage *stagingBuffer = nullptr; ANGLE_TRY(getStagingStorage(context, &stagingBuffer)); CopyResult copyResult = CopyResult::NOT_RECREATED; ANGLE_TRY(stagingBuffer->copyFromStorage(context, latestBuffer, 0, latestBuffer->getSize(), 0, ©Result)); onCopyStorage(stagingBuffer, latestBuffer); latestBuffer = stagingBuffer; } CopyResult copyResult = CopyResult::NOT_RECREATED; ANGLE_TRY( storage->copyFromStorage(context, latestBuffer, sourceOffset, storageSize, 0, ©Result)); // If the D3D buffer has been recreated, we should update our serial. if (copyResult == CopyResult::RECREATED) { updateSerial(); } onCopyStorage(storage, latestBuffer); return angle::Result::Continue; } angle::Result Buffer11::getLatestBufferStorage(const gl::Context *context, Buffer11::BufferStorage **storageOut) const { // resize buffer if (mLatestBufferStorage && mLatestBufferStorage->getSize() < mSize) { ANGLE_TRY(mLatestBufferStorage->resize(context, mSize, true)); } *storageOut = mLatestBufferStorage; return angle::Result::Continue; } template angle::Result Buffer11::getStagingStorage(const gl::Context *context, StorageOutT **storageOut) { return getBufferStorage(context, BUFFER_USAGE_STAGING, storageOut); } size_t Buffer11::getSize() const { return mSize; } bool Buffer11::supportsDirectBinding() const { // Do not support direct buffers for dynamic data. The streaming buffer // offers better performance for data which changes every frame. return (mUsage == D3DBufferUsage::STATIC); } void Buffer11::initializeStaticData(const gl::Context *context) { BufferD3D::initializeStaticData(context); onStateChange(angle::SubjectMessage::SubjectChanged); } void Buffer11::invalidateStaticData(const gl::Context *context) { BufferD3D::invalidateStaticData(context); onStateChange(angle::SubjectMessage::SubjectChanged); } void Buffer11::onCopyStorage(BufferStorage *dest, BufferStorage *source) { ASSERT(source && mLatestBufferStorage); dest->setDataRevision(source->getDataRevision()); // Only update the latest buffer storage if our usage index is lower. See comment in header. if (dest->getUsage() < mLatestBufferStorage->getUsage()) { mLatestBufferStorage = dest; } } void Buffer11::onStorageUpdate(BufferStorage *updatedStorage) { updatedStorage->setDataRevision(updatedStorage->getDataRevision() + 1); mLatestBufferStorage = updatedStorage; } // Buffer11::BufferStorage implementation Buffer11::BufferStorage::BufferStorage(Renderer11 *renderer, BufferUsage usage) : mRenderer(renderer), mRevision(0), mUsage(usage), mBufferSize(0) {} angle::Result Buffer11::BufferStorage::setData(const gl::Context *context, const uint8_t *data, size_t offset, size_t size) { ASSERT(isCPUAccessible(GL_MAP_WRITE_BIT)); // Uniform storage can have a different internal size than the buffer size. Ensure we don't // overflow. size_t mapSize = std::min(size, mBufferSize - offset); uint8_t *writePointer = nullptr; ANGLE_TRY(map(context, offset, mapSize, GL_MAP_WRITE_BIT, &writePointer)); memcpy(writePointer, data, mapSize); unmap(); return angle::Result::Continue; } // Buffer11::NativeStorage implementation Buffer11::NativeStorage::NativeStorage(Renderer11 *renderer, BufferUsage usage, const angle::Subject *onStorageChanged) : BufferStorage(renderer, usage), mBuffer(), mOnStorageChanged(onStorageChanged) {} Buffer11::NativeStorage::~NativeStorage() { clearSRVs(); clearUAVs(); } bool Buffer11::NativeStorage::isCPUAccessible(GLbitfield access) const { if ((access & GL_MAP_READ_BIT) != 0) { // Read is more exclusive than write mappability. return (mUsage == BUFFER_USAGE_STAGING); } ASSERT((access & GL_MAP_WRITE_BIT) != 0); return (mUsage == BUFFER_USAGE_STAGING || mUsage == BUFFER_USAGE_UNIFORM || mUsage == BUFFER_USAGE_STRUCTURED); } // Returns true if it recreates the direct buffer angle::Result Buffer11::NativeStorage::copyFromStorage(const gl::Context *context, BufferStorage *source, size_t sourceOffset, size_t size, size_t destOffset, CopyResult *resultOut) { size_t requiredSize = destOffset + size; // (Re)initialize D3D buffer if needed bool preserveData = (destOffset > 0); if (!mBuffer.valid() || mBufferSize < requiredSize) { ANGLE_TRY(resize(context, requiredSize, preserveData)); *resultOut = CopyResult::RECREATED; } else { *resultOut = CopyResult::NOT_RECREATED; } size_t clampedSize = size; if (mUsage == BUFFER_USAGE_UNIFORM) { clampedSize = std::min(clampedSize, mBufferSize - destOffset); } if (clampedSize == 0) { return angle::Result::Continue; } if (source->getUsage() == BUFFER_USAGE_PIXEL_PACK || source->getUsage() == BUFFER_USAGE_SYSTEM_MEMORY) { ASSERT(source->isCPUAccessible(GL_MAP_READ_BIT) && isCPUAccessible(GL_MAP_WRITE_BIT)); // Uniform buffers must be mapped with write/discard. ASSERT(!(preserveData && mUsage == BUFFER_USAGE_UNIFORM)); uint8_t *sourcePointer = nullptr; ANGLE_TRY(source->map(context, sourceOffset, clampedSize, GL_MAP_READ_BIT, &sourcePointer)); auto err = setData(context, sourcePointer, destOffset, clampedSize); source->unmap(); ANGLE_TRY(err); } else { D3D11_BOX srcBox; srcBox.left = static_cast(sourceOffset); srcBox.right = static_cast(sourceOffset + clampedSize); srcBox.top = 0; srcBox.bottom = 1; srcBox.front = 0; srcBox.back = 1; const d3d11::Buffer *sourceBuffer = &GetAs(source)->getBuffer(); ID3D11DeviceContext *deviceContext = mRenderer->getDeviceContext(); deviceContext->CopySubresourceRegion(mBuffer.get(), 0, static_cast(destOffset), 0, 0, sourceBuffer->get(), 0, &srcBox); } return angle::Result::Continue; } angle::Result Buffer11::NativeStorage::resize(const gl::Context *context, size_t size, bool preserveData) { if (size == 0) { mBuffer.reset(); mBufferSize = 0; return angle::Result::Continue; } D3D11_BUFFER_DESC bufferDesc; FillBufferDesc(&bufferDesc, mRenderer, mUsage, static_cast(size)); d3d11::Buffer newBuffer; ANGLE_TRY( mRenderer->allocateResource(SafeGetImplAs(context), bufferDesc, &newBuffer)); newBuffer.setDebugName("Buffer11::NativeStorage"); if (mBuffer.valid() && preserveData) { // We don't call resize if the buffer is big enough already. ASSERT(mBufferSize <= size); D3D11_BOX srcBox; srcBox.left = 0; srcBox.right = static_cast(mBufferSize); srcBox.top = 0; srcBox.bottom = 1; srcBox.front = 0; srcBox.back = 1; ID3D11DeviceContext *deviceContext = mRenderer->getDeviceContext(); deviceContext->CopySubresourceRegion(newBuffer.get(), 0, 0, 0, 0, mBuffer.get(), 0, &srcBox); } // No longer need the old buffer mBuffer = std::move(newBuffer); mBufferSize = bufferDesc.ByteWidth; // Free the SRVs. clearSRVs(); // Free the UAVs. clearUAVs(); // Notify that the storage has changed. if (mOnStorageChanged) { mOnStorageChanged->onStateChange(angle::SubjectMessage::SubjectChanged); } return angle::Result::Continue; } // static void Buffer11::NativeStorage::FillBufferDesc(D3D11_BUFFER_DESC *bufferDesc, Renderer11 *renderer, BufferUsage usage, unsigned int bufferSize) { bufferDesc->ByteWidth = bufferSize; bufferDesc->MiscFlags = 0; bufferDesc->StructureByteStride = 0; switch (usage) { case BUFFER_USAGE_STAGING: bufferDesc->Usage = D3D11_USAGE_STAGING; bufferDesc->BindFlags = 0; bufferDesc->CPUAccessFlags = D3D11_CPU_ACCESS_READ | D3D11_CPU_ACCESS_WRITE; break; case BUFFER_USAGE_VERTEX_OR_TRANSFORM_FEEDBACK: bufferDesc->Usage = D3D11_USAGE_DEFAULT; bufferDesc->BindFlags = D3D11_BIND_VERTEX_BUFFER; if (renderer->isES3Capable()) { bufferDesc->BindFlags |= D3D11_BIND_STREAM_OUTPUT; } bufferDesc->CPUAccessFlags = 0; break; case BUFFER_USAGE_INDEX: bufferDesc->Usage = D3D11_USAGE_DEFAULT; bufferDesc->BindFlags = D3D11_BIND_INDEX_BUFFER; bufferDesc->CPUAccessFlags = 0; break; case BUFFER_USAGE_INDIRECT: bufferDesc->MiscFlags = D3D11_RESOURCE_MISC_DRAWINDIRECT_ARGS; bufferDesc->Usage = D3D11_USAGE_DEFAULT; bufferDesc->BindFlags = 0; bufferDesc->CPUAccessFlags = 0; break; case BUFFER_USAGE_PIXEL_UNPACK: bufferDesc->Usage = D3D11_USAGE_DEFAULT; bufferDesc->BindFlags = D3D11_BIND_SHADER_RESOURCE; bufferDesc->CPUAccessFlags = 0; break; case BUFFER_USAGE_UNIFORM: bufferDesc->Usage = D3D11_USAGE_DYNAMIC; bufferDesc->BindFlags = D3D11_BIND_CONSTANT_BUFFER; bufferDesc->CPUAccessFlags = D3D11_CPU_ACCESS_WRITE; // Constant buffers must be of a limited size, and aligned to 16 byte boundaries // For our purposes we ignore any buffer data past the maximum constant buffer size bufferDesc->ByteWidth = roundUp(bufferDesc->ByteWidth, 16u); // Note: it seems that D3D11 allows larger buffers on some platforms, but not all. // (Windows 10 seems to allow larger constant buffers, but not Windows 7) if (!renderer->getRenderer11DeviceCaps().supportsConstantBufferOffsets) { bufferDesc->ByteWidth = std::min( bufferDesc->ByteWidth, static_cast(renderer->getNativeCaps().maxUniformBlockSize)); } break; case BUFFER_USAGE_RAW_UAV: bufferDesc->MiscFlags = D3D11_RESOURCE_MISC_BUFFER_ALLOW_RAW_VIEWS; bufferDesc->BindFlags = D3D11_BIND_UNORDERED_ACCESS; bufferDesc->Usage = D3D11_USAGE_DEFAULT; bufferDesc->CPUAccessFlags = 0; break; default: UNREACHABLE(); } } angle::Result Buffer11::NativeStorage::map(const gl::Context *context, size_t offset, size_t length, GLbitfield access, uint8_t **mapPointerOut) { ASSERT(isCPUAccessible(access)); D3D11_MAPPED_SUBRESOURCE mappedResource; D3D11_MAP d3dMapType = gl_d3d11::GetD3DMapTypeFromBits(mUsage, access); UINT d3dMapFlag = ((access & GL_MAP_UNSYNCHRONIZED_BIT) != 0 ? D3D11_MAP_FLAG_DO_NOT_WAIT : 0); ANGLE_TRY( mRenderer->mapResource(context, mBuffer.get(), 0, d3dMapType, d3dMapFlag, &mappedResource)); ASSERT(mappedResource.pData); *mapPointerOut = static_cast(mappedResource.pData) + offset; return angle::Result::Continue; } void Buffer11::NativeStorage::unmap() { ASSERT(isCPUAccessible(GL_MAP_WRITE_BIT) || isCPUAccessible(GL_MAP_READ_BIT)); ID3D11DeviceContext *context = mRenderer->getDeviceContext(); context->Unmap(mBuffer.get(), 0); } angle::Result Buffer11::NativeStorage::getSRVForFormat(const gl::Context *context, DXGI_FORMAT srvFormat, const d3d11::ShaderResourceView **srvOut) { auto bufferSRVIt = mBufferResourceViews.find(srvFormat); if (bufferSRVIt != mBufferResourceViews.end()) { *srvOut = &bufferSRVIt->second; return angle::Result::Continue; } const d3d11::DXGIFormatSize &dxgiFormatInfo = d3d11::GetDXGIFormatSizeInfo(srvFormat); D3D11_SHADER_RESOURCE_VIEW_DESC bufferSRVDesc; bufferSRVDesc.Buffer.ElementOffset = 0; bufferSRVDesc.Buffer.ElementWidth = static_cast(mBufferSize) / dxgiFormatInfo.pixelBytes; bufferSRVDesc.ViewDimension = D3D11_SRV_DIMENSION_BUFFER; bufferSRVDesc.Format = srvFormat; ANGLE_TRY(mRenderer->allocateResource(GetImplAs(context), bufferSRVDesc, mBuffer.get(), &mBufferResourceViews[srvFormat])); *srvOut = &mBufferResourceViews[srvFormat]; return angle::Result::Continue; } angle::Result Buffer11::NativeStorage::getRawUAV(const gl::Context *context, unsigned int offset, unsigned int size, d3d11::UnorderedAccessView **uavOut) { ASSERT(offset + size <= mBufferSize); auto bufferRawUAV = mBufferRawUAVs.find({offset, size}); if (bufferRawUAV != mBufferRawUAVs.end()) { *uavOut = &bufferRawUAV->second; return angle::Result::Continue; } D3D11_UNORDERED_ACCESS_VIEW_DESC bufferUAVDesc; // DXGI_FORMAT_R32_TYPELESS uses 4 bytes per element constexpr int kBytesToElement = 4; bufferUAVDesc.Buffer.FirstElement = offset / kBytesToElement; bufferUAVDesc.Buffer.NumElements = size / kBytesToElement; bufferUAVDesc.Buffer.Flags = D3D11_BUFFER_UAV_FLAG_RAW; bufferUAVDesc.Format = DXGI_FORMAT_R32_TYPELESS; // Format must be DXGI_FORMAT_R32_TYPELESS, // when creating Raw Unordered Access View bufferUAVDesc.ViewDimension = D3D11_UAV_DIMENSION_BUFFER; ANGLE_TRY(mRenderer->allocateResource(GetImplAs(context), bufferUAVDesc, mBuffer.get(), &mBufferRawUAVs[{offset, size}])); *uavOut = &mBufferRawUAVs[{offset, size}]; return angle::Result::Continue; } void Buffer11::NativeStorage::clearSRVs() { mBufferResourceViews.clear(); } void Buffer11::NativeStorage::clearUAVs() { mBufferRawUAVs.clear(); } Buffer11::StructuredBufferStorage::StructuredBufferStorage(Renderer11 *renderer, BufferUsage usage, const angle::Subject *onStorageChanged) : NativeStorage(renderer, usage, onStorageChanged), mStructuredBufferResourceView() {} Buffer11::StructuredBufferStorage::~StructuredBufferStorage() { mStructuredBufferResourceView.reset(); } angle::Result Buffer11::StructuredBufferStorage::resizeStructuredBuffer( const gl::Context *context, unsigned int size, unsigned int structureByteStride) { if (size == 0) { mBuffer.reset(); mBufferSize = 0; return angle::Result::Continue; } D3D11_BUFFER_DESC bufferDesc; bufferDesc.ByteWidth = size; bufferDesc.MiscFlags = D3D11_RESOURCE_MISC_BUFFER_STRUCTURED; bufferDesc.StructureByteStride = structureByteStride; bufferDesc.Usage = D3D11_USAGE_DYNAMIC; bufferDesc.BindFlags = D3D11_BIND_SHADER_RESOURCE; bufferDesc.CPUAccessFlags = D3D11_CPU_ACCESS_WRITE; d3d11::Buffer newBuffer; ANGLE_TRY( mRenderer->allocateResource(SafeGetImplAs(context), bufferDesc, &newBuffer)); newBuffer.setDebugName("Buffer11::StructuredBufferStorage"); // No longer need the old buffer mBuffer = std::move(newBuffer); mBufferSize = static_cast(bufferDesc.ByteWidth); mStructuredBufferResourceView.reset(); // Notify that the storage has changed. if (mOnStorageChanged) { mOnStorageChanged->onStateChange(angle::SubjectMessage::SubjectChanged); } return angle::Result::Continue; } angle::Result Buffer11::StructuredBufferStorage::getStructuredBufferRangeSRV( const gl::Context *context, unsigned int offset, unsigned int size, unsigned int structureByteStride, const d3d11::ShaderResourceView **srvOut) { if (mStructuredBufferResourceView.valid()) { *srvOut = &mStructuredBufferResourceView; return angle::Result::Continue; } D3D11_SHADER_RESOURCE_VIEW_DESC bufferSRVDesc = {}; bufferSRVDesc.BufferEx.NumElements = structureByteStride == 0u ? 1 : size / structureByteStride; bufferSRVDesc.BufferEx.FirstElement = 0; bufferSRVDesc.BufferEx.Flags = 0; bufferSRVDesc.ViewDimension = D3D11_SRV_DIMENSION_BUFFEREX; bufferSRVDesc.Format = DXGI_FORMAT_UNKNOWN; ANGLE_TRY(mRenderer->allocateResource(GetImplAs(context), bufferSRVDesc, mBuffer.get(), &mStructuredBufferResourceView)); *srvOut = &mStructuredBufferResourceView; return angle::Result::Continue; } // Buffer11::EmulatedIndexStorage implementation Buffer11::EmulatedIndexedStorage::EmulatedIndexedStorage(Renderer11 *renderer) : BufferStorage(renderer, BUFFER_USAGE_EMULATED_INDEXED_VERTEX), mBuffer() {} Buffer11::EmulatedIndexedStorage::~EmulatedIndexedStorage() {} angle::Result Buffer11::EmulatedIndexedStorage::getBuffer(const gl::Context *context, SourceIndexData *indexInfo, const TranslatedAttribute &attribute, GLint startVertex, const d3d11::Buffer **bufferOut) { Context11 *context11 = GetImplAs(context); // If a change in the indices applied from the last draw call is detected, then the emulated // indexed buffer needs to be invalidated. After invalidation, the change detected flag should // be cleared to avoid unnecessary recreation of the buffer. if (!mBuffer.valid() || indexInfo->srcIndicesChanged) { mBuffer.reset(); // Copy the source index data. This ensures that the lifetime of the indices pointer // stays with this storage until the next time we invalidate. size_t indicesDataSize = 0; switch (indexInfo->srcIndexType) { case gl::DrawElementsType::UnsignedInt: indicesDataSize = sizeof(GLuint) * indexInfo->srcCount; break; case gl::DrawElementsType::UnsignedShort: indicesDataSize = sizeof(GLushort) * indexInfo->srcCount; break; case gl::DrawElementsType::UnsignedByte: indicesDataSize = sizeof(GLubyte) * indexInfo->srcCount; break; default: indicesDataSize = sizeof(GLushort) * indexInfo->srcCount; break; } ANGLE_CHECK_GL_ALLOC(context11, mIndicesMemoryBuffer.resize(indicesDataSize)); memcpy(mIndicesMemoryBuffer.data(), indexInfo->srcIndices, indicesDataSize); indexInfo->srcIndicesChanged = false; } if (!mBuffer.valid()) { unsigned int offset = 0; ANGLE_TRY(attribute.computeOffset(context, startVertex, &offset)); // Expand the memory storage upon request and cache the results. unsigned int expandedDataSize = static_cast((indexInfo->srcCount * attribute.stride) + offset); angle::MemoryBuffer expandedData; ANGLE_CHECK_GL_ALLOC(context11, expandedData.resize(expandedDataSize)); // Clear the contents of the allocated buffer ZeroMemory(expandedData.data(), expandedDataSize); uint8_t *curr = expandedData.data(); const uint8_t *ptr = static_cast(indexInfo->srcIndices); // Ensure that we start in the correct place for the emulated data copy operation to // maintain offset behaviors. curr += offset; ReadIndexValueFunction readIndexValue = ReadIndexValueFromIndices; switch (indexInfo->srcIndexType) { case gl::DrawElementsType::UnsignedInt: readIndexValue = ReadIndexValueFromIndices; break; case gl::DrawElementsType::UnsignedShort: readIndexValue = ReadIndexValueFromIndices; break; case gl::DrawElementsType::UnsignedByte: readIndexValue = ReadIndexValueFromIndices; break; default: UNREACHABLE(); return angle::Result::Stop; } // Iterate over the cached index data and copy entries indicated into the emulated buffer. for (GLuint i = 0; i < indexInfo->srcCount; i++) { GLuint idx = readIndexValue(ptr, i); memcpy(curr, mMemoryBuffer.data() + (attribute.stride * idx), attribute.stride); curr += attribute.stride; } // Finally, initialize the emulated indexed native storage object with the newly copied data // and free the temporary buffers used. D3D11_BUFFER_DESC bufferDesc; bufferDesc.ByteWidth = expandedDataSize; bufferDesc.MiscFlags = 0; bufferDesc.StructureByteStride = 0; bufferDesc.Usage = D3D11_USAGE_DEFAULT; bufferDesc.BindFlags = D3D11_BIND_VERTEX_BUFFER; bufferDesc.CPUAccessFlags = 0; D3D11_SUBRESOURCE_DATA subResourceData = {expandedData.data(), 0, 0}; ANGLE_TRY(mRenderer->allocateResource(GetImplAs(context), bufferDesc, &subResourceData, &mBuffer)); mBuffer.setDebugName("Buffer11::EmulatedIndexedStorage"); } *bufferOut = &mBuffer; return angle::Result::Continue; } angle::Result Buffer11::EmulatedIndexedStorage::copyFromStorage(const gl::Context *context, BufferStorage *source, size_t sourceOffset, size_t size, size_t destOffset, CopyResult *resultOut) { ASSERT(source->isCPUAccessible(GL_MAP_READ_BIT)); uint8_t *sourceData = nullptr; ANGLE_TRY(source->map(context, sourceOffset, size, GL_MAP_READ_BIT, &sourceData)); ASSERT(destOffset + size <= mMemoryBuffer.size()); memcpy(mMemoryBuffer.data() + destOffset, sourceData, size); source->unmap(); *resultOut = CopyResult::RECREATED; return angle::Result::Continue; } angle::Result Buffer11::EmulatedIndexedStorage::resize(const gl::Context *context, size_t size, bool preserveData) { if (mMemoryBuffer.size() < size) { Context11 *context11 = GetImplAs(context); ANGLE_CHECK_GL_ALLOC(context11, mMemoryBuffer.resize(size)); mBufferSize = size; } return angle::Result::Continue; } angle::Result Buffer11::EmulatedIndexedStorage::map(const gl::Context *context, size_t offset, size_t length, GLbitfield access, uint8_t **mapPointerOut) { ASSERT(!mMemoryBuffer.empty() && offset + length <= mMemoryBuffer.size()); *mapPointerOut = mMemoryBuffer.data() + offset; return angle::Result::Continue; } void Buffer11::EmulatedIndexedStorage::unmap() { // No-op } // Buffer11::PackStorage implementation Buffer11::PackStorage::PackStorage(Renderer11 *renderer) : BufferStorage(renderer, BUFFER_USAGE_PIXEL_PACK), mStagingTexture(), mDataModified(false) {} Buffer11::PackStorage::~PackStorage() {} angle::Result Buffer11::PackStorage::copyFromStorage(const gl::Context *context, BufferStorage *source, size_t sourceOffset, size_t size, size_t destOffset, CopyResult *resultOut) { ANGLE_TRY(flushQueuedPackCommand(context)); // For all use cases of pack buffers, we must copy through a readable buffer. ASSERT(source->isCPUAccessible(GL_MAP_READ_BIT)); uint8_t *sourceData = nullptr; ANGLE_TRY(source->map(context, sourceOffset, size, GL_MAP_READ_BIT, &sourceData)); ASSERT(destOffset + size <= mMemoryBuffer.size()); memcpy(mMemoryBuffer.data() + destOffset, sourceData, size); source->unmap(); *resultOut = CopyResult::NOT_RECREATED; return angle::Result::Continue; } angle::Result Buffer11::PackStorage::resize(const gl::Context *context, size_t size, bool preserveData) { if (size != mBufferSize) { Context11 *context11 = GetImplAs(context); ANGLE_CHECK_GL_ALLOC(context11, mMemoryBuffer.resize(size)); mBufferSize = size; } return angle::Result::Continue; } angle::Result Buffer11::PackStorage::map(const gl::Context *context, size_t offset, size_t length, GLbitfield access, uint8_t **mapPointerOut) { ASSERT(offset + length <= getSize()); // TODO: fast path // We might be able to optimize out one or more memcpy calls by detecting when // and if D3D packs the staging texture memory identically to how we would fill // the pack buffer according to the current pack state. ANGLE_TRY(flushQueuedPackCommand(context)); mDataModified = (mDataModified || (access & GL_MAP_WRITE_BIT) != 0); *mapPointerOut = mMemoryBuffer.data() + offset; return angle::Result::Continue; } void Buffer11::PackStorage::unmap() { // No-op } angle::Result Buffer11::PackStorage::packPixels(const gl::Context *context, const gl::FramebufferAttachment &readAttachment, const PackPixelsParams ¶ms) { ANGLE_TRY(flushQueuedPackCommand(context)); RenderTarget11 *renderTarget = nullptr; ANGLE_TRY(readAttachment.getRenderTarget(context, 0, &renderTarget)); const TextureHelper11 &srcTexture = renderTarget->getTexture(); ASSERT(srcTexture.valid()); unsigned int srcSubresource = renderTarget->getSubresourceIndex(); mQueuedPackCommand.reset(new PackPixelsParams(params)); gl::Extents srcTextureSize(params.area.width, params.area.height, 1); if (!mStagingTexture.get() || mStagingTexture.getFormat() != srcTexture.getFormat() || mStagingTexture.getExtents() != srcTextureSize) { ANGLE_TRY(mRenderer->createStagingTexture(context, srcTexture.getTextureType(), srcTexture.getFormatSet(), srcTextureSize, StagingAccess::READ, &mStagingTexture)); } // ReadPixels from multisampled FBOs isn't supported in current GL ASSERT(srcTexture.getSampleCount() <= 1); ID3D11DeviceContext *immediateContext = mRenderer->getDeviceContext(); D3D11_BOX srcBox; srcBox.left = params.area.x; srcBox.right = params.area.x + params.area.width; srcBox.top = params.area.y; srcBox.bottom = params.area.y + params.area.height; // Select the correct layer from a 3D attachment srcBox.front = 0; if (mStagingTexture.is3D()) { srcBox.front = static_cast(readAttachment.layer()); } srcBox.back = srcBox.front + 1; // Asynchronous copy immediateContext->CopySubresourceRegion(mStagingTexture.get(), 0, 0, 0, 0, srcTexture.get(), srcSubresource, &srcBox); return angle::Result::Continue; } angle::Result Buffer11::PackStorage::flushQueuedPackCommand(const gl::Context *context) { ASSERT(mMemoryBuffer.size() > 0); if (mQueuedPackCommand) { ANGLE_TRY(mRenderer->packPixels(context, mStagingTexture, *mQueuedPackCommand, mMemoryBuffer.data())); mQueuedPackCommand.reset(nullptr); } return angle::Result::Continue; } // Buffer11::SystemMemoryStorage implementation Buffer11::SystemMemoryStorage::SystemMemoryStorage(Renderer11 *renderer) : Buffer11::BufferStorage(renderer, BUFFER_USAGE_SYSTEM_MEMORY) {} angle::Result Buffer11::SystemMemoryStorage::copyFromStorage(const gl::Context *context, BufferStorage *source, size_t sourceOffset, size_t size, size_t destOffset, CopyResult *resultOut) { ASSERT(source->isCPUAccessible(GL_MAP_READ_BIT)); uint8_t *sourceData = nullptr; ANGLE_TRY(source->map(context, sourceOffset, size, GL_MAP_READ_BIT, &sourceData)); ASSERT(destOffset + size <= mSystemCopy.size()); memcpy(mSystemCopy.data() + destOffset, sourceData, size); source->unmap(); *resultOut = CopyResult::RECREATED; return angle::Result::Continue; } angle::Result Buffer11::SystemMemoryStorage::resize(const gl::Context *context, size_t size, bool preserveData) { if (mSystemCopy.size() < size) { Context11 *context11 = GetImplAs(context); ANGLE_CHECK_GL_ALLOC(context11, mSystemCopy.resize(size)); mBufferSize = size; } return angle::Result::Continue; } angle::Result Buffer11::SystemMemoryStorage::map(const gl::Context *context, size_t offset, size_t length, GLbitfield access, uint8_t **mapPointerOut) { ASSERT(!mSystemCopy.empty() && offset + length <= mSystemCopy.size()); *mapPointerOut = mSystemCopy.data() + offset; return angle::Result::Continue; } void Buffer11::SystemMemoryStorage::unmap() { // No-op } } // namespace rx ================================================ FILE: LEVEL_1/exercise_1/README.md ================================================ # Exercise 1 ## CVE-2020-6542 I choose **CVE-2020-6542**, and I sugget you don't search any report about it to prevents get too much info like patch. ### Details > Google Chrome WebGL Buffer11::getBufferStorage Code Execution Vulnerability > > Google Chrome is a cross-platform web browser developed by Google. It supports many features, including WebGL (Web Graphics Library), a JavaScript API for rendering interactive 2-D and 3-D graphics. > > In some specific cases after binding a zero size buffer we could end up trying to use a buffer storage that was no longer valid. Fix this by ensuring we don't flush dirty bits when we have an early exit due to a zero size buffer. ---------

For more info click me!

Chromium crashes inside the `Buffer11::getBufferStorage` function. This is because newStorage element points to previously freed memory, leading to a use-after-free vulnerability.

**You'd better read some doc about ANGLE to understand the source code** -------- ### Version Google Chrome 84.0.4147.89 Google Chrome 85.0.4169.0 (Developer Build) (64-bit) we can analysis the source file [online](https://chromium.googlesource.com/angle/angle/+/034a8b3f3c5c8e7e1629b8ac88cadb72ea68cf23/src/libANGLE/renderer/d3d/d3d11/VertexArray11.cpp#246) ### Related code May be you need fetch the source code ``` git clone https://chromium.googlesource.com/angle/angle cd angle git reset --hard 50a2725742948702720232ba46be3c1f03822ada ``` ```c++ angle::Result VertexArray11::updateDirtyAttribs(const gl::Context *context, const gl::AttributesMask &activeDirtyAttribs) { const auto &glState = context->getState(); const auto &attribs = mState.getVertexAttributes(); const auto &bindings = mState.getVertexBindings(); for (size_t dirtyAttribIndex : activeDirtyAttribs) { mAttribsToTranslate.reset(dirtyAttribIndex); auto *translatedAttrib = &mTranslatedAttribs[dirtyAttribIndex]; const auto ¤tValue = glState.getVertexAttribCurrentValue(dirtyAttribIndex); // Record basic attrib info translatedAttrib->attribute = &attribs[dirtyAttribIndex]; translatedAttrib->binding = &bindings[translatedAttrib->attribute->bindingIndex]; translatedAttrib->currentValueType = currentValue.Type; translatedAttrib->divisor = translatedAttrib->binding->getDivisor() * mAppliedNumViewsToDivisor; switch (mAttributeStorageTypes[dirtyAttribIndex]) { case VertexStorageType::DIRECT: VertexDataManager::StoreDirectAttrib(context, translatedAttrib); break; case VertexStorageType::STATIC: { // can early exit ANGLE_TRY(VertexDataManager::StoreStaticAttrib(context, translatedAttrib)); break; } case VertexStorageType::CURRENT_VALUE: // Current value attribs are managed by the StateManager11. break; default: UNREACHABLE(); break; } } return angle::Result::Continue; } ========================================================= template BitSetT &BitSetT::reset(ParamT pos) { ASSERT(mBits == (mBits & Mask(N))); mBits &= ~Bit(pos); return *this; } ========================================================= #define ANGLE_TRY(EXPR) ANGLE_TRY_TEMPLATE(EXPR, ANGLE_RETURN) #define ANGLE_TRY_TEMPLATE(EXPR, FUNC) \ do \ { \ auto ANGLE_LOCAL_VAR = EXPR; \ if (ANGLE_UNLIKELY(IsError(ANGLE_LOCAL_VAR))) \ { \ FUNC(ANGLE_LOCAL_VAR); \ } \ } while (0) ========================================================= inline bool IsError(angle::Result result) { return result == angle::Result::Stop; } ``` ```c++ angle::Result VertexDataManager::StoreStaticAttrib(const gl::Context *context, TranslatedAttribute *translated) { ASSERT(translated->attribute && translated->binding); const auto &attrib = *translated->attribute; const auto &binding = *translated->binding; gl::Buffer *buffer = binding.getBuffer().get(); ASSERT(buffer && attrib.enabled && !DirectStoragePossible(context, attrib, binding)); BufferD3D *bufferD3D = GetImplAs(buffer); // Compute source data pointer const uint8_t *sourceData = nullptr; const int offset = static_cast(ComputeVertexAttributeOffset(attrib, binding)); ANGLE_TRY(bufferD3D->getData(context, &sourceData)); if (sourceData) { sourceData += offset; } [ ... ] ``` ```c++ angle::Result Buffer11::getData(const gl::Context *context, const uint8_t **outData) { if (mSize == 0) { // TODO(http://anglebug.com/2840): This ensures that we don't crash or assert in robust // buffer access behavior mode if there are buffers without any data. However, technically // it should still be possible to draw, with fetches from this buffer returning zero. return angle::Result::Stop; } SystemMemoryStorage *systemMemoryStorage = nullptr; ANGLE_TRY(getBufferStorage(context, BUFFER_USAGE_SYSTEM_MEMORY, &systemMemoryStorage)); ASSERT(systemMemoryStorage->getSize() >= mSize); *outData = systemMemoryStorage->getSystemCopy()->data(); return angle::Result::Continue; } ``` ```c++ template angle::Result Buffer11::getBufferStorage(const gl::Context *context, BufferUsage usage, StorageOutT **storageOut) { ASSERT(0 <= usage && usage < BUFFER_USAGE_COUNT); BufferStorage *&newStorage = mBufferStorages[usage]; if (!newStorage) { newStorage = allocateStorage(usage); } markBufferUsage(usage); // resize buffer if (newStorage->getSize() < mSize) { ANGLE_TRY(newStorage->resize(context, mSize, true)); } ASSERT(newStorage); ANGLE_TRY(updateBufferStorage(context, newStorage, 0, mSize)); ANGLE_TRY(garbageCollection(context, usage)); *storageOut = GetAs(newStorage); return angle::Result::Continue; } ``` ### Do it Do this exercise by yourself, If you find my answer have something wrong, please correct it. ---------

My answer

The answer I write is incomplete, the following answer doesn't mention the reletion between patch and uaf -_-. Recently I have no time to debug PoC to get the truely answer. So I hope you can correct this. patch: ```diff diff --git a/src/libANGLE/renderer/d3d/d3d11/VertexArray11.cpp b/src/libANGLE/renderer/d3d/d3d11/VertexArray11.cpp index 6bb0bf8..a5f8b6a 100644 --- a/src/libANGLE/renderer/d3d/d3d11/VertexArray11.cpp +++ b/src/libANGLE/renderer/d3d/d3d11/VertexArray11.cpp @@ -253,8 +253,6 @@ for (size_t dirtyAttribIndex : activeDirtyAttribs) { - mAttribsToTranslate.reset(dirtyAttribIndex); - auto *translatedAttrib = &mTranslatedAttribs[dirtyAttribIndex]; const auto ¤tValue = glState.getVertexAttribCurrentValue(dirtyAttribIndex); @@ -282,6 +280,9 @@ UNREACHABLE(); break; } + + // Make sure we reset the dirty bit after the switch because STATIC can early exit. + mAttribsToTranslate.reset(dirtyAttribIndex); } return angle::Result::Continue; ``` doc about [dirty bits](https://chromium.googlesource.com/angle/angle/+/50a2725742948702720232ba46be3c1f03822ada/doc/DirtyBits.md) ```c++ angle::Result Buffer11::getData(const gl::Context *context, const uint8_t **outData) { if (mSize == 0) { return angle::Result::Stop; [1] } SystemMemoryStorage *systemMemoryStorage = nullptr; // call getBufferStorage ANGLE_TRY(getBufferStorage(context, BUFFER_USAGE_SYSTEM_MEMORY, &systemMemoryStorage)); } ``` incomplete answer: [1] `Buffer11::getData` can return `angle::Result::Stop` if `mSize == 0` ```c++ angle::Result VertexDataManager::StoreStaticAttrib(const gl::Context *context, TranslatedAttribute *translated) { BufferD3D *bufferD3D = GetImplAs(buffer); // Compute source data pointer const uint8_t *sourceData = nullptr; const int offset = static_cast(ComputeVertexAttributeOffset(attrib, binding)); ANGLE_TRY(bufferD3D->getData(context, &sourceData)); [2] if (sourceData) { sourceData += offset; } [ ... ] ========================================================== Buffer11::~Buffer11() { for (BufferStorage *&storage : mBufferStorages) { SafeDelete(storage); } [ ... ] ``` [2] call `Buffer11::getData` in `ANGLE_TRY`, because `mSize == 0` it can return `Stop` then exit early. Finally call `Buffer11::~Buffer11()`, it can free `mBufferStorages`. One possible situation (maybe wrong) is we can get the raw buffer early because the "early exit", and the `Buffer11::~Buffer11()` have not been trigger. I can call `getBufferStorage` in other path during `~Buffer11()` before `mBufferStorages[usage]` was set to null. ```c++ template angle::Result Buffer11::getBufferStorage(const gl::Context *context, BufferUsage usage, StorageOutT **storageOut) { ASSERT(0 <= usage && usage < BUFFER_USAGE_COUNT); BufferStorage *&newStorage = mBufferStorages[usage]; [3] already freed if (!newStorage) { newStorage = allocateStorage(usage); } markBufferUsage(usage); // resize buffer if (newStorage->getSize() < mSize) [4] trigger uaf { ANGLE_TRY(newStorage->resize(context, mSize, true)); } } ``` In other path call `getBufferStorage` will trigger uaf, like ```c++ syncVertexBuffersAndInputLayout -> applyVertexBuffers -> getBuffer -> getBufferStorage ``` I get this call tree by this [report](https://talosintelligence.com/vulnerability_reports/TALOS-2020-1127) If you are instread of how to construct the Poc, you can get help form [this](https://bugs.chromium.org/p/chromium/issues/attachmentText?aid=457249).

-------- ================================================ FILE: LEVEL_1/exercise_1/poc.html ================================================ POC ================================================ FILE: LEVEL_1/exercise_2/README.md ================================================ # Exercise 2 ## CVE-2020-6463 I sugget you don't search any report about it to prevents get too much info like patch. This time we do it by code audit, and download source code. ### Details > When a new texture is bound, the texture binding state is updated before > updating the active texture cache. With this ordering, it is possible to delete > the currently bound texture when the binding changes and then use-after-free it > when updating the active texture cache. > > The bug reason in angle/src/libANGLE/State.cpp ---------

For more info click me! But you'd better not do this

https://bugs.chromium.org/p/chromium/issues/detail?id=1065186

-------- ### Set environment We download the ANGLE ```sh git clone https://chromium.googlesource.com/angle/angle ``` Then checkout the branch, we set the commit hash ```sh cd angle git reset --hard b83b0f5e9f63261d3d95a75b74ad758509d7a349 # we get it by issue page ``` ### Related code we can analysis the source file [online](https://chromium.googlesource.com/angle/angle/+/e514b0cb7e6b8956ea0c93ceca01b63d5deb621d/src/libANGLE/State.cpp#1171) or offline. ```c++ void State::setSamplerTexture(const Context *context, TextureType type, Texture *texture) { mSamplerTextures[type][mActiveSampler].set(context, texture); if (mProgram && mProgram->getActiveSamplersMask()[mActiveSampler] && IsTextureCompatibleWithSampler(type, mProgram->getActiveSamplerTypes()[mActiveSampler])) { updateActiveTexture(context, mActiveSampler, texture); } mDirtyBits.set(DIRTY_BIT_TEXTURE_BINDINGS); } ================================================================= ANGLE_INLINE void State::updateActiveTexture(const Context *context, size_t textureIndex, Texture *texture) { const Sampler *sampler = mSamplers[textureIndex].get(); mCompleteTextureBindings[textureIndex].bind(texture); if (!texture) { mActiveTexturesCache.reset(textureIndex); mDirtyBits.set(DIRTY_BIT_TEXTURE_BINDINGS); return; } updateActiveTextureState(context, textureIndex, sampler, texture); } ``` ```cpp using TextureBindingMap = angle::PackedEnumMap; ======================================================= TextureBindingMap mSamplerTextures; ``` ```c++ void set(const ContextType *context, ObjectType *newObject) { // addRef first in case newObject == mObject and this is the last reference to it. if (newObject != nullptr) { reinterpret_cast *>(newObject)->addRef(); } // Store the old pointer in a temporary so we can set the pointer before calling release. // Otherwise the object could still be referenced when its destructor is called. ObjectType *oldObject = mObject; mObject = newObject; if (oldObject != nullptr) { reinterpret_cast *>(oldObject)->release(context); } } ``` ### Do it Do this exercise by yourself, If you find my answer have something wrong, please correct it. ---------

My answer

By reading detail, we can know `the texture binding state is updated before updating the active texture cache`. ```c++ void State::setSamplerTexture(const Context *context, TextureType type, Texture *texture) { mSamplerTextures[type][mActiveSampler].set(context, texture); [1] if (mProgram && mProgram->getActiveSamplersMask()[mActiveSampler] && IsTextureCompatibleWithSampler(type, mProgram->getActiveSamplerTypes()[mActiveSampler])) { updateActiveTexture(context, mActiveSampler, texture); [2] } mDirtyBits.set(DIRTY_BIT_TEXTURE_BINDINGS); } ``` [1] means update the binding state, and [2] means update the active texture cache. What can it delete currently bound texture? ```c++ void set(const ContextType *context, ObjectType *newObject) { // addRef first in case newObject == mObject and this is the last reference to it. if (newObject != nullptr) { reinterpret_cast *>(newObject)->addRef(); } // Store the old pointer in a temporary so we can set the pointer before calling release. // Otherwise the object could still be referenced when its destructor is called. ObjectType *oldObject = mObject; mObject = newObject; if (oldObject != nullptr) { reinterpret_cast *>(oldObject)->release(context); [3] } } ``` There is release in set func, and the Triggering condition is `oldObject != nullptr` we can easily get this by set same `texture` twice. If we call `State::setSamplerTexture` twice with same `texture`, it can trigger uaf at `updateActiveTexture` in the second call.

-------- ================================================ FILE: LEVEL_1/exercise_2/VertexArray11.cpp ================================================ // // Copyright 2016 The ANGLE Project Authors. All rights reserved. // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. // // VertexArray11: // Implementation of rx::VertexArray11. // #include "libANGLE/renderer/d3d/d3d11/VertexArray11.h" #include "common/bitset_utils.h" #include "libANGLE/Context.h" #include "libANGLE/renderer/d3d/IndexBuffer.h" #include "libANGLE/renderer/d3d/d3d11/Buffer11.h" #include "libANGLE/renderer/d3d/d3d11/Context11.h" using namespace angle; namespace rx { VertexArray11::VertexArray11(const gl::VertexArrayState &data) : VertexArrayImpl(data), mAttributeStorageTypes(data.getMaxAttribs(), VertexStorageType::CURRENT_VALUE), mTranslatedAttribs(data.getMaxAttribs()), mAppliedNumViewsToDivisor(1), mCurrentElementArrayStorage(IndexStorageType::Invalid), mCachedDestinationIndexType(gl::DrawElementsType::InvalidEnum) {} VertexArray11::~VertexArray11() {} void VertexArray11::destroy(const gl::Context *context) {} // As VertexAttribPointer can modify both attribute and binding, we should also set other attributes // that are also using this binding dirty. #define ANGLE_VERTEX_DIRTY_ATTRIB_FUNC(INDEX) \ case gl::VertexArray::DIRTY_BIT_ATTRIB_0 + INDEX: \ if ((*attribBits)[INDEX][gl::VertexArray::DirtyAttribBitType::DIRTY_ATTRIB_POINTER]) \ { \ attributesToUpdate |= mState.getBindingToAttributesMask(INDEX); \ } \ else \ { \ attributesToUpdate.set(INDEX); \ } \ invalidateVertexBuffer = true; \ (*attribBits)[INDEX].reset(); \ break; #define ANGLE_VERTEX_DIRTY_BINDING_FUNC(INDEX) \ case gl::VertexArray::DIRTY_BIT_BINDING_0 + INDEX: \ attributesToUpdate |= mState.getBindingToAttributesMask(INDEX); \ invalidateVertexBuffer = true; \ (*bindingBits)[INDEX].reset(); \ break; #define ANGLE_VERTEX_DIRTY_BUFFER_DATA_FUNC(INDEX) \ case gl::VertexArray::DIRTY_BIT_BUFFER_DATA_0 + INDEX: \ if (mAttributeStorageTypes[INDEX] == VertexStorageType::STATIC) \ { \ invalidateVertexBuffer = true; \ mAttribsToTranslate.set(INDEX); \ } \ break; angle::Result VertexArray11::syncState(const gl::Context *context, const gl::VertexArray::DirtyBits &dirtyBits, gl::VertexArray::DirtyAttribBitsArray *attribBits, gl::VertexArray::DirtyBindingBitsArray *bindingBits) { ASSERT(dirtyBits.any()); Renderer11 *renderer = GetImplAs(context)->getRenderer(); StateManager11 *stateManager = renderer->getStateManager(); // Generate a state serial. This serial is used in the program class to validate the cached // input layout, and skip recomputation in the fast path. mCurrentStateSerial = renderer->generateSerial(); bool invalidateVertexBuffer = false; gl::AttributesMask attributesToUpdate; // Make sure we trigger re-translation for static index or vertex data. for (size_t dirtyBit : dirtyBits) { switch (dirtyBit) { case gl::VertexArray::DIRTY_BIT_ELEMENT_ARRAY_BUFFER: case gl::VertexArray::DIRTY_BIT_ELEMENT_ARRAY_BUFFER_DATA: { mLastDrawElementsType.reset(); mLastDrawElementsIndices.reset(); mLastPrimitiveRestartEnabled.reset(); mCachedIndexInfo.reset(); break; } ANGLE_VERTEX_INDEX_CASES(ANGLE_VERTEX_DIRTY_ATTRIB_FUNC) ANGLE_VERTEX_INDEX_CASES(ANGLE_VERTEX_DIRTY_BINDING_FUNC) ANGLE_VERTEX_INDEX_CASES(ANGLE_VERTEX_DIRTY_BUFFER_DATA_FUNC) default: UNREACHABLE(); break; } } for (size_t attribIndex : attributesToUpdate) { updateVertexAttribStorage(context, stateManager, attribIndex); } if (invalidateVertexBuffer) { // TODO(jmadill): Individual attribute invalidation. stateManager->invalidateVertexBuffer(); } return angle::Result::Continue; } angle::Result VertexArray11::syncStateForDraw(const gl::Context *context, GLint firstVertex, GLsizei vertexOrIndexCount, gl::DrawElementsType indexTypeOrInvalid, const void *indices, GLsizei instances, GLint baseVertex, GLuint baseInstance) { Renderer11 *renderer = GetImplAs(context)->getRenderer(); StateManager11 *stateManager = renderer->getStateManager(); const gl::State &glState = context->getState(); const gl::Program *program = glState.getProgram(); ASSERT(program); const gl::ProgramExecutable &executable = program->getExecutable(); mAppliedNumViewsToDivisor = (program->usesMultiview() ? program->getNumViews() : 1); if (mAttribsToTranslate.any()) { const gl::AttributesMask &activeLocations = executable.getActiveAttribLocationsMask(); gl::AttributesMask activeDirtyAttribs = (mAttribsToTranslate & activeLocations); if (activeDirtyAttribs.any()) { ANGLE_TRY(updateDirtyAttribs(context, activeDirtyAttribs)); stateManager->invalidateInputLayout(); } } if (mDynamicAttribsMask.any()) { const gl::AttributesMask &activeLocations = executable.getActiveAttribLocationsMask(); gl::AttributesMask activeDynamicAttribs = (mDynamicAttribsMask & activeLocations); if (activeDynamicAttribs.any()) { ANGLE_TRY(updateDynamicAttribs(context, stateManager->getVertexDataManager(), firstVertex, vertexOrIndexCount, indexTypeOrInvalid, indices, instances, baseVertex, baseInstance, activeDynamicAttribs)); stateManager->invalidateInputLayout(); } } if (indexTypeOrInvalid != gl::DrawElementsType::InvalidEnum) { bool restartEnabled = context->getState().isPrimitiveRestartEnabled(); if (!mLastDrawElementsType.valid() || mLastDrawElementsType.value() != indexTypeOrInvalid || mLastDrawElementsIndices.value() != indices || mLastPrimitiveRestartEnabled.value() != restartEnabled) { mLastDrawElementsType = indexTypeOrInvalid; mLastDrawElementsIndices = indices; mLastPrimitiveRestartEnabled = restartEnabled; ANGLE_TRY(updateElementArrayStorage(context, vertexOrIndexCount, indexTypeOrInvalid, indices, restartEnabled)); stateManager->invalidateIndexBuffer(); } else if (mCurrentElementArrayStorage == IndexStorageType::Dynamic) { stateManager->invalidateIndexBuffer(); } } return angle::Result::Continue; } angle::Result VertexArray11::updateElementArrayStorage(const gl::Context *context, GLsizei indexCount, gl::DrawElementsType indexType, const void *indices, bool restartEnabled) { bool usePrimitiveRestartWorkaround = UsePrimitiveRestartWorkaround(restartEnabled, indexType); ANGLE_TRY(GetIndexTranslationDestType(context, indexCount, indexType, indices, usePrimitiveRestartWorkaround, &mCachedDestinationIndexType)); unsigned int offset = static_cast(reinterpret_cast(indices)); mCurrentElementArrayStorage = ClassifyIndexStorage(context->getState(), mState.getElementArrayBuffer(), indexType, mCachedDestinationIndexType, offset); return angle::Result::Continue; } void VertexArray11::updateVertexAttribStorage(const gl::Context *context, StateManager11 *stateManager, size_t attribIndex) { const gl::VertexAttribute &attrib = mState.getVertexAttribute(attribIndex); const gl::VertexBinding &binding = mState.getBindingFromAttribIndex(attribIndex); VertexStorageType newStorageType = ClassifyAttributeStorage(context, attrib, binding); // Note: having an unchanged storage type doesn't mean the attribute is clean. mAttribsToTranslate.set(attribIndex, newStorageType != VertexStorageType::DYNAMIC); if (mAttributeStorageTypes[attribIndex] == newStorageType) return; mAttributeStorageTypes[attribIndex] = newStorageType; mDynamicAttribsMask.set(attribIndex, newStorageType == VertexStorageType::DYNAMIC); if (newStorageType == VertexStorageType::CURRENT_VALUE) { stateManager->invalidateCurrentValueAttrib(attribIndex); } } bool VertexArray11::hasActiveDynamicAttrib(const gl::Context *context) { const auto &activeLocations = context->getState().getProgramExecutable()->getActiveAttribLocationsMask(); gl::AttributesMask activeDynamicAttribs = (mDynamicAttribsMask & activeLocations); return activeDynamicAttribs.any(); } angle::Result VertexArray11::updateDirtyAttribs(const gl::Context *context, const gl::AttributesMask &activeDirtyAttribs) { const auto &glState = context->getState(); const auto &attribs = mState.getVertexAttributes(); const auto &bindings = mState.getVertexBindings(); for (size_t dirtyAttribIndex : activeDirtyAttribs) { mAttribsToTranslate.reset(dirtyAttribIndex); auto *translatedAttrib = &mTranslatedAttribs[dirtyAttribIndex]; const auto ¤tValue = glState.getVertexAttribCurrentValue(dirtyAttribIndex); // Record basic attrib info translatedAttrib->attribute = &attribs[dirtyAttribIndex]; translatedAttrib->binding = &bindings[translatedAttrib->attribute->bindingIndex]; translatedAttrib->currentValueType = currentValue.Type; translatedAttrib->divisor = translatedAttrib->binding->getDivisor() * mAppliedNumViewsToDivisor; switch (mAttributeStorageTypes[dirtyAttribIndex]) { case VertexStorageType::DIRECT: VertexDataManager::StoreDirectAttrib(context, translatedAttrib); break; case VertexStorageType::STATIC: { ANGLE_TRY(VertexDataManager::StoreStaticAttrib(context, translatedAttrib)); break; } case VertexStorageType::CURRENT_VALUE: // Current value attribs are managed by the StateManager11. break; default: UNREACHABLE(); break; } } return angle::Result::Continue; } angle::Result VertexArray11::updateDynamicAttribs(const gl::Context *context, VertexDataManager *vertexDataManager, GLint firstVertex, GLsizei vertexOrIndexCount, gl::DrawElementsType indexTypeOrInvalid, const void *indices, GLsizei instances, GLint baseVertex, GLuint baseInstance, const gl::AttributesMask &activeDynamicAttribs) { const auto &glState = context->getState(); const auto &attribs = mState.getVertexAttributes(); const auto &bindings = mState.getVertexBindings(); GLint startVertex; size_t vertexCount; ANGLE_TRY(GetVertexRangeInfo(context, firstVertex, vertexOrIndexCount, indexTypeOrInvalid, indices, baseVertex, &startVertex, &vertexCount)); for (size_t dynamicAttribIndex : activeDynamicAttribs) { auto *dynamicAttrib = &mTranslatedAttribs[dynamicAttribIndex]; const auto ¤tValue = glState.getVertexAttribCurrentValue(dynamicAttribIndex); // Record basic attrib info dynamicAttrib->attribute = &attribs[dynamicAttribIndex]; dynamicAttrib->binding = &bindings[dynamicAttrib->attribute->bindingIndex]; dynamicAttrib->currentValueType = currentValue.Type; dynamicAttrib->divisor = dynamicAttrib->binding->getDivisor() * mAppliedNumViewsToDivisor; } ANGLE_TRY(vertexDataManager->storeDynamicAttribs(context, &mTranslatedAttribs, activeDynamicAttribs, startVertex, vertexCount, instances, baseInstance)); VertexDataManager::PromoteDynamicAttribs(context, mTranslatedAttribs, activeDynamicAttribs, vertexCount); return angle::Result::Continue; } const std::vector &VertexArray11::getTranslatedAttribs() const { return mTranslatedAttribs; } void VertexArray11::markAllAttributeDivisorsForAdjustment(int numViews) { if (mAppliedNumViewsToDivisor != numViews) { mAppliedNumViewsToDivisor = numViews; mAttribsToTranslate.set(); // mDynamicAttribsMask may have already been set (updateVertexAttribStorage // We don't want to override DYNAMIC attribs as they will be handled separately. mAttribsToTranslate = mAttribsToTranslate ^ mDynamicAttribsMask; } } const TranslatedIndexData &VertexArray11::getCachedIndexInfo() const { ASSERT(mCachedIndexInfo.valid()); return mCachedIndexInfo.value(); } void VertexArray11::updateCachedIndexInfo(const TranslatedIndexData &indexInfo) { mCachedIndexInfo = indexInfo; } bool VertexArray11::isCachedIndexInfoValid() const { return mCachedIndexInfo.valid(); } gl::DrawElementsType VertexArray11::getCachedDestinationIndexType() const { return mCachedDestinationIndexType; } } // namespace rx ================================================ FILE: LEVEL_1/exercise_3/IndexDataManager.cpp ================================================ // // Copyright 2002 The ANGLE Project Authors. All rights reserved. // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. // // IndexDataManager.cpp: Defines the IndexDataManager, a class that // runs the Buffer translation process for index buffers. #include "libANGLE/renderer/d3d/IndexDataManager.h" #include "common/utilities.h" #include "libANGLE/Buffer.h" #include "libANGLE/Context.h" #include "libANGLE/VertexArray.h" #include "libANGLE/formatutils.h" #include "libANGLE/renderer/d3d/BufferD3D.h" #include "libANGLE/renderer/d3d/ContextD3D.h" #include "libANGLE/renderer/d3d/IndexBuffer.h" namespace rx { namespace { template void ConvertIndexArray(const void *input, gl::DrawElementsType sourceType, void *output, gl::DrawElementsType destinationType, GLsizei count, bool usePrimitiveRestartFixedIndex) { const InputT *in = static_cast(input); DestT *out = static_cast(output); if (usePrimitiveRestartFixedIndex) { InputT srcRestartIndex = static_cast(gl::GetPrimitiveRestartIndex(sourceType)); DestT destRestartIndex = static_cast(gl::GetPrimitiveRestartIndex(destinationType)); for (GLsizei i = 0; i < count; i++) { out[i] = (in[i] == srcRestartIndex ? destRestartIndex : static_cast(in[i])); } } else { for (GLsizei i = 0; i < count; i++) { out[i] = static_cast(in[i]); } } } void ConvertIndices(gl::DrawElementsType sourceType, gl::DrawElementsType destinationType, const void *input, GLsizei count, void *output, bool usePrimitiveRestartFixedIndex) { if (sourceType == destinationType) { const GLuint dstTypeSize = gl::GetDrawElementsTypeSize(destinationType); memcpy(output, input, count * dstTypeSize); return; } if (sourceType == gl::DrawElementsType::UnsignedByte) { ASSERT(destinationType == gl::DrawElementsType::UnsignedShort); ConvertIndexArray(input, sourceType, output, destinationType, count, usePrimitiveRestartFixedIndex); } else if (sourceType == gl::DrawElementsType::UnsignedShort) { ASSERT(destinationType == gl::DrawElementsType::UnsignedInt); ConvertIndexArray(input, sourceType, output, destinationType, count, usePrimitiveRestartFixedIndex); } else UNREACHABLE(); } angle::Result StreamInIndexBuffer(const gl::Context *context, IndexBufferInterface *buffer, const void *data, unsigned int count, gl::DrawElementsType srcType, gl::DrawElementsType dstType, bool usePrimitiveRestartFixedIndex, unsigned int *offset) { const GLuint dstTypeBytesShift = gl::GetDrawElementsTypeShift(dstType); bool check = (count > (std::numeric_limits::max() >> dstTypeBytesShift)); ANGLE_CHECK(GetImplAs(context), !check, "Reserving indices exceeds the maximum buffer size.", GL_OUT_OF_MEMORY); unsigned int bufferSizeRequired = count << dstTypeBytesShift; ANGLE_TRY(buffer->reserveBufferSpace(context, bufferSizeRequired, dstType)); void *output = nullptr; ANGLE_TRY(buffer->mapBuffer(context, bufferSizeRequired, &output, offset)); ConvertIndices(srcType, dstType, data, count, output, usePrimitiveRestartFixedIndex); ANGLE_TRY(buffer->unmapBuffer(context)); return angle::Result::Continue; } } // anonymous namespace // IndexDataManager implementation. IndexDataManager::IndexDataManager(BufferFactoryD3D *factory) : mFactory(factory), mStreamingBufferShort(), mStreamingBufferInt() {} IndexDataManager::~IndexDataManager() {} void IndexDataManager::deinitialize() { mStreamingBufferShort.reset(); mStreamingBufferInt.reset(); } // This function translates a GL-style indices into DX-style indices, with their description // returned in translated. // GL can specify vertex data in immediate mode (pointer to CPU array of indices), which is not // possible in DX and requires streaming (Case 1). If the GL indices are specified with a buffer // (Case 2), in a format supported by DX (subcase a) then all is good. // When we have a buffer with an unsupported format (subcase b) then we need to do some translation: // we will start by falling back to streaming, and after a while will start using a static // translated copy of the index buffer. angle::Result IndexDataManager::prepareIndexData(const gl::Context *context, gl::DrawElementsType srcType, gl::DrawElementsType dstType, GLsizei count, gl::Buffer *glBuffer, const void *indices, TranslatedIndexData *translated) { GLuint srcTypeBytes = gl::GetDrawElementsTypeSize(srcType); GLuint srcTypeShift = gl::GetDrawElementsTypeShift(srcType); GLuint dstTypeShift = gl::GetDrawElementsTypeShift(dstType); BufferD3D *buffer = glBuffer ? GetImplAs(glBuffer) : nullptr; translated->indexType = dstType; translated->srcIndexData.srcBuffer = buffer; translated->srcIndexData.srcIndices = indices; translated->srcIndexData.srcIndexType = srcType; translated->srcIndexData.srcCount = count; // Context can be nullptr in perf tests. bool primitiveRestartFixedIndexEnabled = context ? context->getState().isPrimitiveRestartEnabled() : false; // Case 1: the indices are passed by pointer, which forces the streaming of index data if (glBuffer == nullptr) { translated->storage = nullptr; return streamIndexData(context, indices, count, srcType, dstType, primitiveRestartFixedIndexEnabled, translated); } // Case 2: the indices are already in a buffer unsigned int offset = static_cast(reinterpret_cast(indices)); ASSERT(srcTypeBytes * static_cast(count) + offset <= buffer->getSize()); bool offsetAligned = IsOffsetAligned(srcType, offset); // Case 2a: the buffer can be used directly if (offsetAligned && buffer->supportsDirectBinding() && dstType == srcType) { translated->storage = buffer; translated->indexBuffer = nullptr; translated->serial = buffer->getSerial(); translated->startIndex = (offset >> srcTypeShift); translated->startOffset = offset; return angle::Result::Continue; } translated->storage = nullptr; // Case 2b: use a static translated copy or fall back to streaming StaticIndexBufferInterface *staticBuffer = buffer->getStaticIndexBuffer(); bool staticBufferInitialized = staticBuffer && staticBuffer->getBufferSize() != 0; bool staticBufferUsable = staticBuffer && offsetAligned && staticBuffer->getIndexType() == dstType; if (staticBufferInitialized && !staticBufferUsable) { buffer->invalidateStaticData(context); staticBuffer = nullptr; } if (staticBuffer == nullptr || !offsetAligned) { const uint8_t *bufferData = nullptr; ANGLE_TRY(buffer->getData(context, &bufferData)); ASSERT(bufferData != nullptr); ANGLE_TRY(streamIndexData(context, bufferData + offset, count, srcType, dstType, primitiveRestartFixedIndexEnabled, translated)); buffer->promoteStaticUsage(context, count << srcTypeShift); } else { if (!staticBufferInitialized) { const uint8_t *bufferData = nullptr; ANGLE_TRY(buffer->getData(context, &bufferData)); ASSERT(bufferData != nullptr); unsigned int convertCount = static_cast(buffer->getSize()) >> srcTypeShift; ANGLE_TRY(StreamInIndexBuffer(context, staticBuffer, bufferData, convertCount, srcType, dstType, primitiveRestartFixedIndexEnabled, nullptr)); } ASSERT(offsetAligned && staticBuffer->getIndexType() == dstType); translated->indexBuffer = staticBuffer->getIndexBuffer(); translated->serial = staticBuffer->getSerial(); translated->startIndex = (offset >> srcTypeShift); translated->startOffset = (offset >> srcTypeShift) << dstTypeShift; } return angle::Result::Continue; } angle::Result IndexDataManager::streamIndexData(const gl::Context *context, const void *data, unsigned int count, gl::DrawElementsType srcType, gl::DrawElementsType dstType, bool usePrimitiveRestartFixedIndex, TranslatedIndexData *translated) { const GLuint dstTypeShift = gl::GetDrawElementsTypeShift(dstType); IndexBufferInterface *indexBuffer = nullptr; ANGLE_TRY(getStreamingIndexBuffer(context, dstType, &indexBuffer)); ASSERT(indexBuffer != nullptr); unsigned int offset; ANGLE_TRY(StreamInIndexBuffer(context, indexBuffer, data, count, srcType, dstType, usePrimitiveRestartFixedIndex, &offset)); translated->indexBuffer = indexBuffer->getIndexBuffer(); translated->serial = indexBuffer->getSerial(); translated->startIndex = (offset >> dstTypeShift); translated->startOffset = offset; return angle::Result::Continue; } angle::Result IndexDataManager::getStreamingIndexBuffer(const gl::Context *context, gl::DrawElementsType destinationIndexType, IndexBufferInterface **outBuffer) { ASSERT(outBuffer); ASSERT(destinationIndexType == gl::DrawElementsType::UnsignedShort || destinationIndexType == gl::DrawElementsType::UnsignedInt); auto &streamingBuffer = (destinationIndexType == gl::DrawElementsType::UnsignedInt) ? mStreamingBufferInt : mStreamingBufferShort; if (!streamingBuffer) { StreamingBuffer newBuffer(new StreamingIndexBufferInterface(mFactory)); ANGLE_TRY(newBuffer->reserveBufferSpace(context, INITIAL_INDEX_BUFFER_SIZE, destinationIndexType)); streamingBuffer = std::move(newBuffer); } *outBuffer = streamingBuffer.get(); return angle::Result::Continue; } angle::Result GetIndexTranslationDestType(const gl::Context *context, GLsizei indexCount, gl::DrawElementsType indexType, const void *indices, bool usePrimitiveRestartWorkaround, gl::DrawElementsType *destTypeOut) { // Avoid D3D11's primitive restart index value // see http://msdn.microsoft.com/en-us/library/windows/desktop/bb205124(v=vs.85).aspx if (usePrimitiveRestartWorkaround) { // Conservatively assume we need to translate the indices for draw indirect. // This is a bit of a trick. We assume the count for an indirect draw is zero. if (indexCount == 0) { *destTypeOut = gl::DrawElementsType::UnsignedInt; return angle::Result::Continue; } gl::IndexRange indexRange; ANGLE_TRY(context->getState().getVertexArray()->getIndexRange( context, indexType, indexCount, indices, &indexRange)); if (indexRange.end == gl::GetPrimitiveRestartIndex(indexType)) { *destTypeOut = gl::DrawElementsType::UnsignedInt; return angle::Result::Continue; } } *destTypeOut = (indexType == gl::DrawElementsType::UnsignedInt) ? gl::DrawElementsType::UnsignedInt : gl::DrawElementsType::UnsignedShort; return angle::Result::Continue; } } // namespace rx ================================================ FILE: LEVEL_1/exercise_3/README.md ================================================ # Exercise 3 ## CVE-2020-16005 I sugget you don't search any report about it to prevents get too much info like patch. This time we do it by code audit ### Details > When the WebGL2RenderingContext.drawRangeElements() API is processed in the ANGLE library, IndexDataManager::prepareIndexData is called internally. In prepareIndexData, if glBuffer is a null pointer, the second argument of streamIndexData becomes indices. This value is the last parameter(offset) of the drawRangeElements, a 4-byte integer which can be arbitrarily set. ---------

For more info click me! But you'd better not do this

https://bugs.chromium.org/p/chromium/issues/detail?id=1139398

-------- ### Set environment We download the ANGLE ```sh git clone https://chromium.googlesource.com/angle/angle ``` Then checkout the branch, we set the commit hash ```sh cd angle git reset --hard 6e1259375f2d6f579fe7430442a9657e00d15656 # we get it by issue page ``` Download depot_tools and ninja ```sh git clone https://chromium.googlesource.com/chromium/tools/depot_tools.git echo 'export PATH=$PATH:"/path/to/depot_tools"' >> ~/.bashrc # or zshrc git clone https://github.com/ninja-build/ninja.git cd ninja && ./configure.py --bootstrap && cd .. echo 'export PATH=$PATH:"/path/to/ninja"' >> ~/.bashrc ``` Sync all standalone dependencies ```sh # open new terminal to update env cd src/third_party/angle python scripts/bootstrap.py # download depot_tools in advance gclient sync ``` Generate ANGLE standalone build files and build ```sh gn gen out/Debug # download ninja in advance ninja -j 10 -k1 -C out/Debug ``` more detile in [offical](https://chromium.googlesource.com/angle/angle/+/HEAD/doc/BuildingAngleForChromiumDevelopment.md) ### Related code we can analysis the source file [online](https://chromium.googlesource.com/angle/angle/+/6e1259375f2d6f579fe7430442a9657e00d15656/src/libANGLE/renderer/d3d/IndexDataManager.cpp#135) or offline. ```c++ // This function translates a GL-style indices into DX-style indices, with their description // returned in translated. // GL can specify vertex data in immediate mode (pointer to CPU array of indices), which is not // possible in DX and requires streaming (Case 1). If the GL indices are specified with a buffer // (Case 2), in a format supported by DX (subcase a) then all is good. // When we have a buffer with an unsupported format (subcase b) then we need to do some translation: // we will start by falling back to streaming, and after a while will start using a static // translated copy of the index buffer. angle::Result IndexDataManager::prepareIndexData(const gl::Context *context, gl::DrawElementsType srcType, gl::DrawElementsType dstType, GLsizei count, gl::Buffer *glBuffer, const void *indices, TranslatedIndexData *translated) { GLuint srcTypeBytes = gl::GetDrawElementsTypeSize(srcType); GLuint srcTypeShift = gl::GetDrawElementsTypeShift(srcType); GLuint dstTypeShift = gl::GetDrawElementsTypeShift(dstType); BufferD3D *buffer = glBuffer ? GetImplAs(glBuffer) : nullptr; translated->indexType = dstType; translated->srcIndexData.srcBuffer = buffer; translated->srcIndexData.srcIndices = indices; translated->srcIndexData.srcIndexType = srcType; translated->srcIndexData.srcCount = count; // Context can be nullptr in perf tests. bool primitiveRestartFixedIndexEnabled = context ? context->getState().isPrimitiveRestartEnabled() : false; // Case 1: the indices are passed by pointer, which forces the streaming of index data if (glBuffer == nullptr) { translated->storage = nullptr; return streamIndexData(context, indices, count, srcType, dstType, //call streamIndexData primitiveRestartFixedIndexEnabled, translated); } // Case 2: the indices are already in a buffer unsigned int offset = static_cast(reinterpret_cast(indices)); ASSERT(srcTypeBytes * static_cast(count) + offset <= buffer->getSize()); bool offsetAligned = IsOffsetAligned(srcType, offset); [ ... ] ============================================================================== angle::Result IndexDataManager::streamIndexData(const gl::Context *context, const void *data, unsigned int count, gl::DrawElementsType srcType, gl::DrawElementsType dstType, bool usePrimitiveRestartFixedIndex, TranslatedIndexData *translated) { const GLuint dstTypeShift = gl::GetDrawElementsTypeShift(dstType); IndexBufferInterface *indexBuffer = nullptr; ANGLE_TRY(getStreamingIndexBuffer(context, dstType, &indexBuffer)); ASSERT(indexBuffer != nullptr); unsigned int offset; ANGLE_TRY(StreamInIndexBuffer(context, indexBuffer, data, count, srcType, dstType, // call StreamInIndexBuffer usePrimitiveRestartFixedIndex, &offset)); translated->indexBuffer = indexBuffer->getIndexBuffer(); translated->serial = indexBuffer->getSerial(); translated->startIndex = (offset >> dstTypeShift); translated->startOffset = offset; return angle::Result::Continue; } =================================================================================== angle::Result StreamInIndexBuffer(const gl::Context *context, IndexBufferInterface *buffer, const void *data, unsigned int count, gl::DrawElementsType srcType, gl::DrawElementsType dstType, bool usePrimitiveRestartFixedIndex, unsigned int *offset) { const GLuint dstTypeBytesShift = gl::GetDrawElementsTypeShift(dstType); bool check = (count > (std::numeric_limits::max() >> dstTypeBytesShift)); ANGLE_CHECK(GetImplAs(context), !check, "Reserving indices exceeds the maximum buffer size.", GL_OUT_OF_MEMORY); unsigned int bufferSizeRequired = count << dstTypeBytesShift; ANGLE_TRY(buffer->reserveBufferSpace(context, bufferSizeRequired, dstType)); void *output = nullptr; ANGLE_TRY(buffer->mapBuffer(context, bufferSizeRequired, &output, offset)); ConvertIndices(srcType, dstType, data, count, output, usePrimitiveRestartFixedIndex); // call ANGLE_TRY(buffer->unmapBuffer(context)); return angle::Result::Continue; } ============================================================================================ void ConvertIndices(gl::DrawElementsType sourceType, gl::DrawElementsType destinationType, const void *input, GLsizei count, void *output, bool usePrimitiveRestartFixedIndex) { if (sourceType == destinationType) { const GLuint dstTypeSize = gl::GetDrawElementsTypeSize(destinationType); memcpy(output, input, count * dstTypeSize); return; } if (sourceType == gl::DrawElementsType::UnsignedByte) { ASSERT(destinationType == gl::DrawElementsType::UnsignedShort); ConvertIndexArray(input, sourceType, output, destinationType, count, usePrimitiveRestartFixedIndex); } else if (sourceType == gl::DrawElementsType::UnsignedShort) { ASSERT(destinationType == gl::DrawElementsType::UnsignedInt); ConvertIndexArray(input, sourceType, output, destinationType, count, usePrimitiveRestartFixedIndex); } else UNREACHABLE(); } ``` ```c++ angle::Result drawRangeElements(const gl::Context *context, gl::PrimitiveMode mode, GLuint start, GLuint end, GLsizei count, gl::DrawElementsType type, const void *indices) override; ``` ### Do it Do this exercise by yourself, If you find my answer have something wrong, please correct it. ---------

My answer

You can get info about [WebGL2RenderingContext.drawRangeElements()](https://developer.mozilla.org/en-US/docs/Web/API/WebGL2RenderingContext/drawRangeElements) to know how to construct Poc. Notice that if we call `drawRangeElements()` with a invalide parameter, the bug can be trigger. It is the easiest challenge of the three. ```c++ angle::Result IndexDataManager::prepareIndexData(const gl::Context *context, gl::DrawElementsType srcType, gl::DrawElementsType dstType, GLsizei count, gl::Buffer *glBuffer, const void *indices, TranslatedIndexData *translated) { // Case 1: the indices are passed by pointer, which forces the streaming of index data if (glBuffer == nullptr) [1] { translated->storage = nullptr; return streamIndexData(context, indices, count, srcType, dstType, [2] primitiveRestartFixedIndexEnabled, translated); } ``` if `glBuffer == nullptr`, `indices` can be second parameter of `streamIndexData`. ```c++ angle::Result IndexDataManager::streamIndexData(const gl::Context *context, const void *data, <---------- unsigned int count, gl::DrawElementsType srcType, gl::DrawElementsType dstType, bool usePrimitiveRestartFixedIndex, TranslatedIndexData *translated) { unsigned int offset; ANGLE_TRY(StreamInIndexBuffer(context, indexBuffer, data, count, srcType, dstType, [3] indices as third parameter usePrimitiveRestartFixedIndex, &offset)); return angle::Result::Continue; } ================================================================================= angle::Result StreamInIndexBuffer(const gl::Context *context, IndexBufferInterface *buffer, const void *data, <--------------- unsigned int count, gl::DrawElementsType srcType, gl::DrawElementsType dstType, bool usePrimitiveRestartFixedIndex, unsigned int *offset) { ConvertIndices(srcType, dstType, data, count, output, usePrimitiveRestartFixedIndex); [4] indices as third parameter ANGLE_TRY(buffer->unmapBuffer(context)); return angle::Result::Continue; } ======================================================================================== void ConvertIndices(gl::DrawElementsType sourceType, gl::DrawElementsType destinationType, const void *input, <------------------ GLsizei count, void *output, bool usePrimitiveRestartFixedIndex) { if (sourceType == destinationType) { const GLuint dstTypeSize = gl::GetDrawElementsTypeSize(destinationType); memcpy(output, input, count * dstTypeSize); [5] call memcpy and we can control input as any value return; } // other type of sourceType, but they all have assignment operation [ .... ] } ``` This time I encourage you to try construct Poc, you just need call `gl.drawRangeElements(mode, start, end, count, type, offset);` and fill the last parameter named `offset` with a invalid value like `0xdeadbeef`. But there is a lot of pre-work before this, you need to search some info to reach. And test it on the angle your build ago.

-------- ================================================ FILE: LEVEL_1/exercise_3/poc.html ================================================

================================================ FILE: LEVEL_1/exercise_4/README.md ================================================ # Exercise 4 ## CVE-2021-21204 I sugget you don't search any report about it to prevents get too much info like patch. This time we do it by code audit ### Details > What is happening is that the BlinkScrollbarPartAnimation instance passed to BlinkScrollbarPartAnimationTimer is released while the BlinkScrollbarPartAnimationTimer::TimerFired method runs as part of BlinkScrollbarPartAnimation::setCurrentProgress call, during the execution of ScrollbarPainter::setKnobAlpha which ends up calling BlinkScrollbarPainterDelegate::setUpAlphaAnimation through a chain of observers. BlinkScrollbarPainterDelegate::setUpAlphaAnimation releases the BlinkScrollbarPartAnimation instance which gets deallocated. BlinkScrollbarPartAnimation::setCurrentProgress continues execution after ScrollbarPainter::setKnobAlpha returns, but the _scrollbarPointer is overwritten with garbage and when SetNeedsPaintInvalidation is called the crash happens. You'd better read [these](https://www.chromium.org/blink) to have a preliminary understanding of Blink and make sure you know a little about `Objective-C` ---------

For more info click me! But you'd better not do this

https://bugs.chromium.org/p/chromium/issues/detail?id=1189926

-------- ### Set environment Because the hash we get from issue page is related to chromium, we need download the chromium source code and blink is one part of it. I upload the main file and you can try to fetch chromium. The hash [`6c3c857b90ef63822c8e598bdb7aea604ba1688c`](https://github.com/chromium/chromium/tree/6c3c857b90ef63822c8e598bdb7aea604ba1688c/third_party/blink) ### Related code we can analysis the source file [online](https://source.chromium.org/chromium/chromium/src/+/6c3c857b90ef63822c8e598bdb7aea604ba1688c:third_party/blink/renderer/core/scroll/mac_scrollbar_animator_impl.mm#414) or offline. ```objective-c class BlinkScrollbarPartAnimationTimer { public: BlinkScrollbarPartAnimationTimer( BlinkScrollbarPartAnimation* animation, CFTimeInterval duration, scoped_refptr task_runner) : timer_(std::move(task_runner), this, &BlinkScrollbarPartAnimationTimer::TimerFired), start_time_(0.0), duration_(duration), animation_(animation), timing_function_(CubicBezierTimingFunction::Preset( CubicBezierTimingFunction::EaseType::EASE_IN_OUT)) {} private: void TimerFired(TimerBase*) { double current_time = base::Time::Now().ToDoubleT(); double delta = current_time - start_time_; if (delta >= duration_) timer_.Stop(); // This is a speculative fix for crbug.com/1183276. if (!animation_) return; double fraction = delta / duration_; fraction = clampTo(fraction, 0.0, 1.0); double progress = timing_function_->Evaluate(fraction); [animation_ setCurrentProgress:progress]; } TaskRunnerTimer timer_; double start_time_; // In seconds. double duration_; // In seconds. BlinkScrollbarPartAnimation* animation_; // Weak, owns this. scoped_refptr timing_function_; }; ``` ```objective-c - (void)setCurrentProgress:(NSAnimationProgress)progress { DCHECK(_scrollbar); CGFloat currentValue; if (_startValue > _endValue) currentValue = 1 - progress; else currentValue = progress; blink::ScrollbarPart invalidParts = blink::kNoPart; switch (_featureToAnimate) { case ThumbAlpha: [_scrollbarPainter setKnobAlpha:currentValue]; // call ScrollbarPainter::setKnobAlpha break; case TrackAlpha: [_scrollbarPainter setTrackAlpha:currentValue]; invalidParts = static_cast(~blink::kThumbPart); break; case UIStateTransition: [_scrollbarPainter setUiStateTransitionProgress:currentValue]; invalidParts = blink::kAllParts; break; case ExpansionTransition: [_scrollbarPainter setExpansionTransitionProgress:currentValue]; invalidParts = blink::kThumbPart; break; } _scrollbar->SetNeedsPaintInvalidation(invalidParts); } ============================================================================ - (void)scrollerImp:(id)scrollerImp animateKnobAlphaTo:(CGFloat)newKnobAlpha duration:(NSTimeInterval)duration { if (!_scrollbar) return; DCHECK_EQ(scrollerImp, ScrollbarPainterForScrollbar(*_scrollbar)); ScrollbarPainter scrollerPainter = (ScrollbarPainter)scrollerImp; [self setUpAlphaAnimation:_knobAlphaAnimation // call BlinkScrollbarPainterDelegate::setUpAlphaAnimation scrollerPainter:scrollerPainter part:blink::kThumbPart animateAlphaTo:newKnobAlpha duration:duration]; } ============================================================================ - (void)setUpAlphaAnimation: (base::scoped_nsobject&) scrollbarPartAnimation scrollerPainter:(ScrollbarPainter)scrollerPainter part:(blink::ScrollbarPart)part animateAlphaTo:(CGFloat)newAlpha duration:(NSTimeInterval)duration { blink::MacScrollbarAnimator* scrollbar_animator = _scrollbar->GetScrollableArea()->GetMacScrollbarAnimator(); DCHECK(scrollbar_animator); // If the user has scrolled the page, then the scrollbars must be animated // here. // This overrides the early returns. bool mustAnimate = [self scrollAnimator].HaveScrolledSincePageLoad(); if (scrollbar_animator->ScrollbarPaintTimerIsActive() && !mustAnimate) return; if (_scrollbar->GetScrollableArea()->ShouldSuspendScrollAnimations() && !mustAnimate) { scrollbar_animator->StartScrollbarPaintTimer(); return; } // At this point, we are definitely going to animate now, so stop the timer. scrollbar_animator->StopScrollbarPaintTimer(); // If we are currently animating, stop if (scrollbarPartAnimation) { [scrollbarPartAnimation invalidate]; scrollbarPartAnimation.reset(); } scrollbarPartAnimation.reset([[BlinkScrollbarPartAnimation alloc] initWithScrollbar:_scrollbar featureToAnimate:part == blink::kThumbPart ? ThumbAlpha : TrackAlpha animateFrom:part == blink::kThumbPart ? [scrollerPainter knobAlpha] : [scrollerPainter trackAlpha] animateTo:newAlpha duration:duration taskRunner:_taskRunner]); [scrollbarPartAnimation startAnimation]; } ``` ### Do it Do this exercise by yourself, If you find my answer have something wrong, please correct it. ---------

My answer

We can start from `TimerFired` func ```objective-c class BlinkScrollbarPartAnimationTimer [ ... ] void TimerFired(TimerBase*) { double current_time = base::Time::Now().ToDoubleT(); double delta = current_time - start_time_; if (delta >= duration_) timer_.Stop(); // This is a speculative fix for crbug.com/1183276. if (!animation_) return; double fraction = delta / duration_; fraction = clampTo(fraction, 0.0, 1.0); double progress = timing_function_->Evaluate(fraction); [animation_ setCurrentProgress:progress]; [1] call setCurrentProgress. Notice `animation_` } private: BlinkScrollbarPartAnimation* animation_; [2] weak, own this ``` [2] `BlinkScrollbarPartAnimationTimer` own the instance of `BlinkScrollbarPartAnimation` which assignmented by constructor. This make a chance to trigger uaf. ```objective-c - (void)setCurrentProgress:(NSAnimationProgress)progress { DCHECK(_scrollbar); CGFloat currentValue; blink::ScrollbarPart invalidParts = blink::kNoPart; switch (_featureToAnimate) { case ThumbAlpha: [_scrollbarPainter setKnobAlpha:currentValue]; [3] call ScrollbarPainter::setKnobAlpha break; case TrackAlpha: [_scrollbarPainter setTrackAlpha:currentValue]; invalidParts = static_cast(~blink::kThumbPart); break; } _scrollbar->SetNeedsPaintInvalidation(invalidParts); } ``` `setCurrentProgress` can call `setKnobAlpha` ```objective-c - (void)scrollerImp:(id)scrollerImp animateKnobAlphaTo:(CGFloat)newKnobAlpha duration:(NSTimeInterval)duration { if (!_scrollbar) return; DCHECK_EQ(scrollerImp, ScrollbarPainterForScrollbar(*_scrollbar)); ScrollbarPainter scrollerPainter = (ScrollbarPainter)scrollerImp; [self setUpAlphaAnimation:_knobAlphaAnimation [4] call BlinkScrollbarPainterDelegate::setUpAlphaAnimation scrollerPainter:scrollerPainter part:blink::kThumbPart animateAlphaTo:newKnobAlpha duration:duration]; } ``` ```objective-c - (void)setUpAlphaAnimation: (base::scoped_nsobject&) scrollbarPartAnimation scrollerPainter:(ScrollbarPainter)scrollerPainter part:(blink::ScrollbarPart)part animateAlphaTo:(CGFloat)newAlpha duration:(NSTimeInterval)duration { blink::MacScrollbarAnimator* scrollbar_animator = _scrollbar->GetScrollableArea()->GetMacScrollbarAnimator(); DCHECK(scrollbar_animator); // If we are currently animating, stop if (scrollbarPartAnimation) { [5] [scrollbarPartAnimation invalidate]; scrollbarPartAnimation.reset(); } scrollbarPartAnimation.reset([[BlinkScrollbarPartAnimation alloc] [6] initWithScrollbar:_scrollbar featureToAnimate:part == blink::kThumbPart ? ThumbAlpha : TrackAlpha animateFrom:part == blink::kThumbPart ? [scrollerPainter knobAlpha] : [scrollerPainter trackAlpha] animateTo:newAlpha duration:duration taskRunner:_taskRunner]); [scrollbarPartAnimation startAnimation]; } ``` The `(base::scoped_nsobject&) scrollbarPartAnimation` can be release by `reset()` - About `scoped_nsobject`: >`scoped_nsobject<>` is patterned after std::unique_ptr<>, but maintains ownership of an NSObject subclass object. Style deviations here are solely for compatibility with std::unique_ptr<>'s interface, with which everyone is already familiar. >scoped_nsobject<> takes ownership of an object (in the constructor or in reset()) by taking over the caller's existing ownership claim. The caller must own the object it gives to scoped_nsobject<>, and relinquishes an ownership claim to that object. **scoped_nsobject<> does not call -retain, callers have to call this manually if appropriate.** - About `void base::scoped_nsprotocol< NST >::reset( NST object = nil )`: ```objective-c { // We intentionally do not check that object != object_ as the caller must // either already have an ownership claim over whatever it passes to this // method, or call it with the |RETAIN| policy which will have ensured that // the object is retained once more when reaching this point. [object_ release]; object_ = object; } ```

-------- ================================================ FILE: LEVEL_1/exercise_4/mac_scrollbar_animator_impl.mm ================================================ // Copyright 2021 The Chromium Authors. All rights reserved. // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. #include "third_party/blink/renderer/core/scroll/mac_scrollbar_animator_impl.h" #import #include "base/mac/scoped_nsobject.h" #include "third_party/blink/public/platform/platform.h" #include "third_party/blink/renderer/core/scroll/ns_scroller_imp_details.h" #include "third_party/blink/renderer/core/scroll/scroll_animator.h" #include "third_party/blink/renderer/core/scroll/scrollbar_theme_mac.h" #include "third_party/blink/renderer/platform/animation/timing_function.h" #include "third_party/blink/renderer/platform/mac/block_exceptions.h" #include "third_party/blink/renderer/platform/scheduler/public/thread_scheduler.h" namespace { bool SupportsUIStateTransitionProgress() { // FIXME: This is temporary until all platforms that support ScrollbarPainter // support this part of the API. static bool global_supports_ui_state_transition_progress = [NSClassFromString(@"NSScrollerImp") instancesRespondToSelector:@selector(mouseEnteredScroller)]; return global_supports_ui_state_transition_progress; } bool SupportsExpansionTransitionProgress() { static bool global_supports_expansion_transition_progress = [NSClassFromString(@"NSScrollerImp") instancesRespondToSelector:@selector(expansionTransitionProgress)]; return global_supports_expansion_transition_progress; } bool SupportsContentAreaScrolledInDirection() { static bool global_supports_content_area_scrolled_in_direction = [NSClassFromString(@"NSScrollerImpPair") instancesRespondToSelector:@selector (contentAreaScrolledInDirection:)]; return global_supports_content_area_scrolled_in_direction; } blink::ScrollbarThemeMac* MacOverlayScrollbarTheme( blink::ScrollbarTheme& scrollbar_theme) { return !scrollbar_theme.IsMockTheme() ? static_cast(&scrollbar_theme) : nil; } ScrollbarPainter ScrollbarPainterForScrollbar(blink::Scrollbar& scrollbar) { if (blink::ScrollbarThemeMac* scrollbar_theme = MacOverlayScrollbarTheme(scrollbar.GetTheme())) return scrollbar_theme->PainterForScrollbar(scrollbar); return nil; } } // namespace // This class is a delegator of ScrollbarPainterController to ScrollableArea // that has the scrollbars of a ScrollbarPainter. @interface BlinkScrollbarPainterControllerDelegate : NSObject { blink::ScrollableArea* _scrollableArea; } - (id)initWithScrollableArea:(blink::ScrollableArea*)scrollableArea; @end @implementation BlinkScrollbarPainterControllerDelegate - (id)initWithScrollableArea:(blink::ScrollableArea*)scrollableArea { self = [super init]; if (!self) return nil; _scrollableArea = scrollableArea; return self; } - (void)invalidate { _scrollableArea = 0; } - (NSRect)contentAreaRectForScrollerImpPair:(id)scrollerImpPair { if (!_scrollableArea) return NSZeroRect; blink::IntSize contentsSize = _scrollableArea->ContentsSize(); return NSMakeRect(0, 0, contentsSize.Width(), contentsSize.Height()); } - (BOOL)inLiveResizeForScrollerImpPair:(id)scrollerImpPair { return NO; } - (NSPoint)mouseLocationInContentAreaForScrollerImpPair:(id)scrollerImpPair { if (!_scrollableArea) return NSZeroPoint; return _scrollableArea->LastKnownMousePosition(); } - (NSPoint)scrollerImpPair:(id)scrollerImpPair convertContentPoint:(NSPoint)pointInContentArea toScrollerImp:(id)scrollerImp { if (!_scrollableArea || !scrollerImp) return NSZeroPoint; blink::Scrollbar* scrollbar = nil; if ([scrollerImp isHorizontal]) scrollbar = _scrollableArea->HorizontalScrollbar(); else scrollbar = _scrollableArea->VerticalScrollbar(); // It is possible to have a null scrollbar here since it is possible for this // delegate method to be called between the moment when a scrollbar has been // set to 0 and the moment when its destructor has been called. if (!scrollbar) return NSZeroPoint; DCHECK_EQ(scrollerImp, ScrollbarPainterForScrollbar(*scrollbar)); return scrollbar->ConvertFromContainingEmbeddedContentView( blink::IntPoint(pointInContentArea)); } - (void)scrollerImpPair:(id)scrollerImpPair setContentAreaNeedsDisplayInRect:(NSRect)rect { if (!_scrollableArea) return; if (!_scrollableArea->ScrollbarsCanBeActive()) return; _scrollableArea->ContentAreaWillPaint(); } - (void)scrollerImpPair:(id)scrollerImpPair updateScrollerStyleForNewRecommendedScrollerStyle: (NSScrollerStyle)newRecommendedScrollerStyle { // Chrome has a single process mode which is used for testing on Mac. In that // mode, WebKit runs on a thread in the // browser process. This notification is called by the OS on the main thread // in the browser process, and not on the // the WebKit thread. Better to not update the style than crash. // http://crbug.com/126514 if (!IsMainThread()) return; if (!_scrollableArea) return; [scrollerImpPair setScrollerStyle:newRecommendedScrollerStyle]; _scrollableArea->GetMacScrollbarAnimator()->UpdateScrollerStyle(); } @end enum FeatureToAnimate { ThumbAlpha, TrackAlpha, UIStateTransition, ExpansionTransition }; @class BlinkScrollbarPartAnimation; namespace blink { // This class is used to drive the animation timer for // BlinkScrollbarPartAnimation // objects. This is used instead of NSAnimation because CoreAnimation // establishes connections to the WindowServer, which should not be done in a // sandboxed renderer process. class BlinkScrollbarPartAnimationTimer { public: BlinkScrollbarPartAnimationTimer( BlinkScrollbarPartAnimation* animation, CFTimeInterval duration, scoped_refptr task_runner) : timer_(std::move(task_runner), this, &BlinkScrollbarPartAnimationTimer::TimerFired), start_time_(0.0), duration_(duration), animation_(animation), timing_function_(CubicBezierTimingFunction::Preset( CubicBezierTimingFunction::EaseType::EASE_IN_OUT)) {} ~BlinkScrollbarPartAnimationTimer() {} void Start() { start_time_ = base::Time::Now().ToDoubleT(); // Set the framerate of the animation. NSAnimation uses a default // framerate of 60 Hz, so use that here. timer_.StartRepeating(base::TimeDelta::FromSecondsD(1.0 / 60.0), FROM_HERE); } void Stop() { timer_.Stop(); } void SetDuration(CFTimeInterval duration) { duration_ = duration; } // This is a speculative fix for crbug.com/1183276. // In BlinkScrollbarPainterDelegate::setUpAlphaAnimation we are // deallocating BlinkScrollbarPartAnimation and create a new one. // The problem seems to be with BlinkScrollbarPartAnimation, passing a // pointer to itself to BlinkScrollbarPartAnimationTimer. // BlinkScrollbarPartAnimationTimer uses a TaskRunnerTimer to schedule // the animation to run 60 times second. // When we deallocate BlinkScrollbarPartAnimation, // BlinkScrollbarPartAnimationTimer fires again, I believe because it // uses PostTaskDelayed to schedule the next animation. // Ideally the timer won't fire again. void CancelAnimation() { animation_ = nullptr; } private: void TimerFired(TimerBase*) { double current_time = base::Time::Now().ToDoubleT(); double delta = current_time - start_time_; if (delta >= duration_) timer_.Stop(); // This is a speculative fix for crbug.com/1183276. if (!animation_) return; double fraction = delta / duration_; fraction = clampTo(fraction, 0.0, 1.0); double progress = timing_function_->Evaluate(fraction); [animation_ setCurrentProgress:progress]; } TaskRunnerTimer timer_; double start_time_; // In seconds. double duration_; // In seconds. BlinkScrollbarPartAnimation* animation_; // Weak, owns this. scoped_refptr timing_function_; }; } // namespace blink // This class handles the animation of a |_featureToAnimate| part of // |_scrollbar|. @interface BlinkScrollbarPartAnimation : NSObject { blink::Scrollbar* _scrollbar; std::unique_ptr _timer; base::scoped_nsobject _scrollbarPainter; FeatureToAnimate _featureToAnimate; CGFloat _startValue; CGFloat _endValue; } - (id)initWithScrollbar:(blink::Scrollbar*)scrollbar featureToAnimate:(FeatureToAnimate)featureToAnimate animateFrom:(CGFloat)startValue animateTo:(CGFloat)endValue duration:(NSTimeInterval)duration taskRunner:(scoped_refptr)taskRunner; @end @implementation BlinkScrollbarPartAnimation - (id)initWithScrollbar:(blink::Scrollbar*)scrollbar featureToAnimate:(FeatureToAnimate)featureToAnimate animateFrom:(CGFloat)startValue animateTo:(CGFloat)endValue duration:(NSTimeInterval)duration taskRunner: (scoped_refptr)taskRunner { self = [super init]; if (!self) return nil; _timer = std::make_unique( self, duration, std::move(taskRunner)); _scrollbar = scrollbar; _featureToAnimate = featureToAnimate; _startValue = startValue; _endValue = endValue; return self; } - (void)startAnimation { DCHECK(_scrollbar); _scrollbarPainter.reset(ScrollbarPainterForScrollbar(*_scrollbar), base::scoped_policy::RETAIN); _timer->Start(); } - (void)stopAnimation { _timer->Stop(); } - (void)setDuration:(CFTimeInterval)duration { _timer->SetDuration(duration); } - (void)setStartValue:(CGFloat)startValue { _startValue = startValue; } - (void)setEndValue:(CGFloat)endValue { _endValue = endValue; } - (void)setCurrentProgress:(NSAnimationProgress)progress { DCHECK(_scrollbar); CGFloat currentValue; if (_startValue > _endValue) currentValue = 1 - progress; else currentValue = progress; blink::ScrollbarPart invalidParts = blink::kNoPart; switch (_featureToAnimate) { case ThumbAlpha: [_scrollbarPainter setKnobAlpha:currentValue]; break; case TrackAlpha: [_scrollbarPainter setTrackAlpha:currentValue]; invalidParts = static_cast(~blink::kThumbPart); break; case UIStateTransition: [_scrollbarPainter setUiStateTransitionProgress:currentValue]; invalidParts = blink::kAllParts; break; case ExpansionTransition: [_scrollbarPainter setExpansionTransitionProgress:currentValue]; invalidParts = blink::kThumbPart; break; } _scrollbar->SetNeedsPaintInvalidation(invalidParts); } - (void)invalidate { BEGIN_BLOCK_OBJC_EXCEPTIONS; [self stopAnimation]; END_BLOCK_OBJC_EXCEPTIONS; _scrollbar = nullptr; _timer->CancelAnimation(); } @end // This class is a delegator of ScrollbarPainter to the 4 types of animation // it can run. The animations are run through BlinkScrollbarPartAnimation. @interface BlinkScrollbarPainterDelegate : NSObject { blink::Scrollbar* _scrollbar; scoped_refptr _taskRunner; base::scoped_nsobject _knobAlphaAnimation; base::scoped_nsobject _trackAlphaAnimation; base::scoped_nsobject _uiStateTransitionAnimation; base::scoped_nsobject _expansionTransitionAnimation; BOOL _hasExpandedSinceInvisible; } - (id)initWithScrollbar:(blink::Scrollbar*)scrollbar taskRunner:(scoped_refptr)taskRunner; - (void)updateVisibilityImmediately:(bool)show; - (void)cancelAnimations; @end @implementation BlinkScrollbarPainterDelegate - (id)initWithScrollbar:(blink::Scrollbar*)scrollbar taskRunner: (scoped_refptr)taskRunner { self = [super init]; if (!self) return nil; _scrollbar = scrollbar; _taskRunner = taskRunner; return self; } - (void)updateVisibilityImmediately:(bool)show { [self cancelAnimations]; [ScrollbarPainterForScrollbar(*_scrollbar) setKnobAlpha:(show ? 1.0 : 0.0)]; } - (void)cancelAnimations { BEGIN_BLOCK_OBJC_EXCEPTIONS; [_knobAlphaAnimation stopAnimation]; [_trackAlphaAnimation stopAnimation]; [_uiStateTransitionAnimation stopAnimation]; [_expansionTransitionAnimation stopAnimation]; END_BLOCK_OBJC_EXCEPTIONS; } - (blink::ScrollAnimator&)scrollAnimator { return static_cast( _scrollbar->GetScrollableArea()->GetScrollAnimator()); } - (NSRect)convertRectToBacking:(NSRect)aRect { return aRect; } - (NSRect)convertRectFromBacking:(NSRect)aRect { return aRect; } - (NSPoint)mouseLocationInScrollerForScrollerImp:(id)scrollerImp { if (!_scrollbar) return NSZeroPoint; DCHECK_EQ(scrollerImp, ScrollbarPainterForScrollbar(*_scrollbar)); return _scrollbar->ConvertFromContainingEmbeddedContentView( _scrollbar->GetScrollableArea()->LastKnownMousePosition()); } - (void)setUpAlphaAnimation: (base::scoped_nsobject&) scrollbarPartAnimation scrollerPainter:(ScrollbarPainter)scrollerPainter part:(blink::ScrollbarPart)part animateAlphaTo:(CGFloat)newAlpha duration:(NSTimeInterval)duration { blink::MacScrollbarAnimator* scrollbar_animator = _scrollbar->GetScrollableArea()->GetMacScrollbarAnimator(); DCHECK(scrollbar_animator); // If the user has scrolled the page, then the scrollbars must be animated // here. // This overrides the early returns. bool mustAnimate = [self scrollAnimator].HaveScrolledSincePageLoad(); if (scrollbar_animator->ScrollbarPaintTimerIsActive() && !mustAnimate) return; if (_scrollbar->GetScrollableArea()->ShouldSuspendScrollAnimations() && !mustAnimate) { scrollbar_animator->StartScrollbarPaintTimer(); return; } // At this point, we are definitely going to animate now, so stop the timer. scrollbar_animator->StopScrollbarPaintTimer(); // If we are currently animating, stop if (scrollbarPartAnimation) { [scrollbarPartAnimation invalidate]; scrollbarPartAnimation.reset(); } scrollbarPartAnimation.reset([[BlinkScrollbarPartAnimation alloc] initWithScrollbar:_scrollbar featureToAnimate:part == blink::kThumbPart ? ThumbAlpha : TrackAlpha animateFrom:part == blink::kThumbPart ? [scrollerPainter knobAlpha] : [scrollerPainter trackAlpha] animateTo:newAlpha duration:duration taskRunner:_taskRunner]); [scrollbarPartAnimation startAnimation]; } - (void)scrollerImp:(id)scrollerImp animateKnobAlphaTo:(CGFloat)newKnobAlpha duration:(NSTimeInterval)duration { if (!_scrollbar) return; DCHECK_EQ(scrollerImp, ScrollbarPainterForScrollbar(*_scrollbar)); ScrollbarPainter scrollerPainter = (ScrollbarPainter)scrollerImp; [self setUpAlphaAnimation:_knobAlphaAnimation scrollerPainter:scrollerPainter part:blink::kThumbPart animateAlphaTo:newKnobAlpha duration:duration]; } - (void)scrollerImp:(id)scrollerImp animateTrackAlphaTo:(CGFloat)newTrackAlpha duration:(NSTimeInterval)duration { if (!_scrollbar) return; DCHECK_EQ(scrollerImp, ScrollbarPainterForScrollbar(*_scrollbar)); ScrollbarPainter scrollerPainter = (ScrollbarPainter)scrollerImp; [self setUpAlphaAnimation:_trackAlphaAnimation scrollerPainter:scrollerPainter part:blink::kBackTrackPart animateAlphaTo:newTrackAlpha duration:duration]; } - (void)scrollerImp:(id)scrollerImp animateUIStateTransitionWithDuration:(NSTimeInterval)duration { if (!_scrollbar) return; if (!SupportsUIStateTransitionProgress()) return; DCHECK_EQ(scrollerImp, ScrollbarPainterForScrollbar(*_scrollbar)); ScrollbarPainter scrollbarPainter = (ScrollbarPainter)scrollerImp; // UIStateTransition always animates to 1. In case an animation is in progress // this avoids a hard transition. [scrollbarPainter setUiStateTransitionProgress:1 - [scrollerImp uiStateTransitionProgress]]; if (!_uiStateTransitionAnimation) _uiStateTransitionAnimation.reset([[BlinkScrollbarPartAnimation alloc] initWithScrollbar:_scrollbar featureToAnimate:UIStateTransition animateFrom:[scrollbarPainter uiStateTransitionProgress] animateTo:1.0 duration:duration taskRunner:_taskRunner]); else { // If we don't need to initialize the animation, just reset the values in // case they have changed. [_uiStateTransitionAnimation setStartValue:[scrollbarPainter uiStateTransitionProgress]]; [_uiStateTransitionAnimation setEndValue:1.0]; [_uiStateTransitionAnimation setDuration:duration]; } [_uiStateTransitionAnimation startAnimation]; } - (void)scrollerImp:(id)scrollerImp animateExpansionTransitionWithDuration:(NSTimeInterval)duration { if (!_scrollbar) return; if (!SupportsExpansionTransitionProgress()) return; DCHECK_EQ(scrollerImp, ScrollbarPainterForScrollbar(*_scrollbar)); ScrollbarPainter scrollbarPainter = (ScrollbarPainter)scrollerImp; // ExpansionTransition always animates to 1. In case an animation is in // progress this avoids a hard transition. [scrollbarPainter setExpansionTransitionProgress:1 - [scrollerImp expansionTransitionProgress]]; if (!_expansionTransitionAnimation) { _expansionTransitionAnimation.reset([[BlinkScrollbarPartAnimation alloc] initWithScrollbar:_scrollbar featureToAnimate:ExpansionTransition animateFrom:[scrollbarPainter expansionTransitionProgress] animateTo:1.0 duration:duration taskRunner:_taskRunner]); } else { // If we don't need to initialize the animation, just reset the values in // case they have changed. [_expansionTransitionAnimation setStartValue:[scrollbarPainter uiStateTransitionProgress]]; [_expansionTransitionAnimation setEndValue:1.0]; [_expansionTransitionAnimation setDuration:duration]; } [_expansionTransitionAnimation startAnimation]; } - (void)scrollerImp:(id)scrollerImp overlayScrollerStateChangedTo:(NSUInteger)newOverlayScrollerState { // The names of these states are based on their observed behavior, and are not // based on documentation. enum { NSScrollerStateInvisible = 0, NSScrollerStateKnob = 1, NSScrollerStateExpanded = 2 }; // We do not receive notifications about the thumb un-expanding when the // scrollbar fades away. Ensure // that we re-paint the thumb the next time that we transition away from being // invisible, so that // the thumb doesn't stick in an expanded state. if (newOverlayScrollerState == NSScrollerStateExpanded) { _hasExpandedSinceInvisible = YES; } else if (newOverlayScrollerState != NSScrollerStateInvisible && _hasExpandedSinceInvisible) { _scrollbar->SetNeedsPaintInvalidation(blink::kThumbPart); _hasExpandedSinceInvisible = NO; } } - (void)invalidate { _scrollbar = 0; BEGIN_BLOCK_OBJC_EXCEPTIONS; [_knobAlphaAnimation invalidate]; [_trackAlphaAnimation invalidate]; [_uiStateTransitionAnimation invalidate]; [_expansionTransitionAnimation invalidate]; END_BLOCK_OBJC_EXCEPTIONS; } @end namespace blink { MacScrollbarAnimatorImpl::MacScrollbarAnimatorImpl( ScrollableArea* scrollable_area) : task_runner_(scrollable_area->GetCompositorTaskRunner()), scrollable_area_(scrollable_area) { scrollbar_painter_controller_delegate_.reset( [[BlinkScrollbarPainterControllerDelegate alloc] initWithScrollableArea:scrollable_area]); scrollbar_painter_controller_.reset( [[[NSClassFromString(@"NSScrollerImpPair") alloc] init] autorelease], base::scoped_policy::RETAIN); [scrollbar_painter_controller_ performSelector:@selector(setDelegate:) withObject:scrollbar_painter_controller_delegate_]; [scrollbar_painter_controller_ setScrollerStyle:ScrollbarThemeMac::RecommendedScrollerStyle()]; } void MacScrollbarAnimatorImpl::Dispose() { BEGIN_BLOCK_OBJC_EXCEPTIONS; ScrollbarPainter horizontal_scrollbar_painter = [scrollbar_painter_controller_ horizontalScrollerImp]; [horizontal_scrollbar_painter setDelegate:nil]; ScrollbarPainter vertical_scrollbar_painter = [scrollbar_painter_controller_ verticalScrollerImp]; [vertical_scrollbar_painter setDelegate:nil]; [scrollbar_painter_controller_delegate_ invalidate]; [scrollbar_painter_controller_ setDelegate:nil]; [horizontal_scrollbar_painter_delegate_ invalidate]; [vertical_scrollbar_painter_delegate_ invalidate]; END_BLOCK_OBJC_EXCEPTIONS; initial_scrollbar_paint_task_handle_.Cancel(); send_content_area_scrolled_task_handle_.Cancel(); } void MacScrollbarAnimatorImpl::ContentAreaWillPaint() const { if (!scrollable_area_->ScrollbarsCanBeActive()) return; [scrollbar_painter_controller_ contentAreaWillDraw]; } void MacScrollbarAnimatorImpl::MouseEnteredContentArea() const { if (!scrollable_area_->ScrollbarsCanBeActive()) return; [scrollbar_painter_controller_ mouseEnteredContentArea]; } void MacScrollbarAnimatorImpl::MouseExitedContentArea() const { if (!scrollable_area_->ScrollbarsCanBeActive()) return; [scrollbar_painter_controller_ mouseExitedContentArea]; } void MacScrollbarAnimatorImpl::MouseMovedInContentArea() const { if (!scrollable_area_->ScrollbarsCanBeActive()) return; [scrollbar_painter_controller_ mouseMovedInContentArea]; } void MacScrollbarAnimatorImpl::MouseEnteredScrollbar( Scrollbar& scrollbar) const { if (!scrollable_area_->ScrollbarsCanBeActive()) return; if (!SupportsUIStateTransitionProgress()) return; if (ScrollbarPainter painter = ScrollbarPainterForScrollbar(scrollbar)) [painter mouseEnteredScroller]; } void MacScrollbarAnimatorImpl::MouseExitedScrollbar( Scrollbar& scrollbar) const { if (!scrollable_area_->ScrollbarsCanBeActive()) return; if (!SupportsUIStateTransitionProgress()) return; if (ScrollbarPainter painter = ScrollbarPainterForScrollbar(scrollbar)) [painter mouseExitedScroller]; } void MacScrollbarAnimatorImpl::ContentsResized() const { if (!scrollable_area_->ScrollbarsCanBeActive()) return; [scrollbar_painter_controller_ contentAreaDidResize]; } void MacScrollbarAnimatorImpl::DidAddVerticalScrollbar(Scrollbar& scrollbar) { ScrollbarPainter painter = ScrollbarPainterForScrollbar(scrollbar); if (!painter) return; DCHECK(!vertical_scrollbar_painter_delegate_); vertical_scrollbar_painter_delegate_.reset( [[BlinkScrollbarPainterDelegate alloc] initWithScrollbar:&scrollbar taskRunner:task_runner_]); [painter setDelegate:vertical_scrollbar_painter_delegate_]; [scrollbar_painter_controller_ setVerticalScrollerImp:painter]; } void MacScrollbarAnimatorImpl::WillRemoveVerticalScrollbar( Scrollbar& scrollbar) { ScrollbarPainter painter = ScrollbarPainterForScrollbar(scrollbar); DCHECK_EQ([scrollbar_painter_controller_ verticalScrollerImp], painter); if (!painter) DCHECK(!vertical_scrollbar_painter_delegate_); [painter setDelegate:nil]; [vertical_scrollbar_painter_delegate_ invalidate]; vertical_scrollbar_painter_delegate_.reset(); [scrollbar_painter_controller_ setVerticalScrollerImp:nil]; } void MacScrollbarAnimatorImpl::DidAddHorizontalScrollbar(Scrollbar& scrollbar) { ScrollbarPainter painter = ScrollbarPainterForScrollbar(scrollbar); if (!painter) return; DCHECK(!horizontal_scrollbar_painter_delegate_); horizontal_scrollbar_painter_delegate_.reset( [[BlinkScrollbarPainterDelegate alloc] initWithScrollbar:&scrollbar taskRunner:task_runner_]); [painter setDelegate:horizontal_scrollbar_painter_delegate_]; [scrollbar_painter_controller_ setHorizontalScrollerImp:painter]; } void MacScrollbarAnimatorImpl::WillRemoveHorizontalScrollbar( Scrollbar& scrollbar) { ScrollbarPainter painter = ScrollbarPainterForScrollbar(scrollbar); DCHECK_EQ([scrollbar_painter_controller_ horizontalScrollerImp], painter); if (!painter) DCHECK(!horizontal_scrollbar_painter_delegate_); [painter setDelegate:nil]; [horizontal_scrollbar_painter_delegate_ invalidate]; horizontal_scrollbar_painter_delegate_.reset(); [scrollbar_painter_controller_ setHorizontalScrollerImp:nil]; } bool MacScrollbarAnimatorImpl::SetScrollbarsVisibleForTesting(bool show) { if (show) [scrollbar_painter_controller_ flashScrollers]; else [scrollbar_painter_controller_ hideOverlayScrollers]; [vertical_scrollbar_painter_delegate_ updateVisibilityImmediately:show]; [horizontal_scrollbar_painter_delegate_ updateVisibilityImmediately:show]; return true; } void MacScrollbarAnimatorImpl::UpdateScrollerStyle() { if (!scrollable_area_->ScrollbarsCanBeActive()) return; blink::ScrollbarThemeMac* mac_theme = MacOverlayScrollbarTheme(scrollable_area_->GetPageScrollbarTheme()); if (!mac_theme) return; NSScrollerStyle new_style = [scrollbar_painter_controller_ scrollerStyle]; if (Scrollbar* vertical_scrollbar = scrollable_area_->VerticalScrollbar()) { vertical_scrollbar->SetNeedsPaintInvalidation(kAllParts); ScrollbarPainter old_vertical_painter = [scrollbar_painter_controller_ verticalScrollerImp]; ScrollbarPainter new_vertical_painter = [NSClassFromString(@"NSScrollerImp") scrollerImpWithStyle:new_style controlSize:NSRegularControlSize horizontal:NO replacingScrollerImp:old_vertical_painter]; [old_vertical_painter setDelegate:nil]; [new_vertical_painter setDelegate:vertical_scrollbar_painter_delegate_]; [scrollbar_painter_controller_ setVerticalScrollerImp:new_vertical_painter]; mac_theme->SetNewPainterForScrollbar(*vertical_scrollbar, new_vertical_painter); // The different scrollbar styles have different thicknesses, so we must // re-set the frameRect to the new thickness, and the re-layout below will // ensure the offset and length are properly updated. int thickness = mac_theme->ScrollbarThickness(vertical_scrollbar->ScaleFromDIP()); vertical_scrollbar->SetFrameRect(IntRect(0, 0, thickness, thickness)); } if (Scrollbar* horizontal_scrollbar = scrollable_area_->HorizontalScrollbar()) { horizontal_scrollbar->SetNeedsPaintInvalidation(kAllParts); ScrollbarPainter old_horizontal_painter = [scrollbar_painter_controller_ horizontalScrollerImp]; ScrollbarPainter new_horizontal_painter = [NSClassFromString(@"NSScrollerImp") scrollerImpWithStyle:new_style controlSize:NSRegularControlSize horizontal:YES replacingScrollerImp:old_horizontal_painter]; [old_horizontal_painter setDelegate:nil]; [new_horizontal_painter setDelegate:horizontal_scrollbar_painter_delegate_]; [scrollbar_painter_controller_ setHorizontalScrollerImp:new_horizontal_painter]; mac_theme->SetNewPainterForScrollbar(*horizontal_scrollbar, new_horizontal_painter); // The different scrollbar styles have different thicknesses, so we must // re-set the // frameRect to the new thickness, and the re-layout below will ensure the // offset // and length are properly updated. int thickness = mac_theme->ScrollbarThickness(horizontal_scrollbar->ScaleFromDIP()); horizontal_scrollbar->SetFrameRect(IntRect(0, 0, thickness, thickness)); } } void MacScrollbarAnimatorImpl::StartScrollbarPaintTimer() { // Post a task with 1 ms delay to give a chance to run other immediate tasks // that may cancel this. initial_scrollbar_paint_task_handle_ = PostDelayedCancellableTask( *task_runner_, FROM_HERE, WTF::Bind(&MacScrollbarAnimatorImpl::InitialScrollbarPaintTask, WrapWeakPersistent(this)), base::TimeDelta::FromMilliseconds(1)); } bool MacScrollbarAnimatorImpl::ScrollbarPaintTimerIsActive() const { return initial_scrollbar_paint_task_handle_.IsActive(); } void MacScrollbarAnimatorImpl::StopScrollbarPaintTimer() { initial_scrollbar_paint_task_handle_.Cancel(); } void MacScrollbarAnimatorImpl::InitialScrollbarPaintTask() { // To force the scrollbars to flash, we have to call hide first. Otherwise, // the ScrollbarPainterController // might think that the scrollbars are already showing and bail early. [scrollbar_painter_controller_ hideOverlayScrollers]; [scrollbar_painter_controller_ flashScrollers]; } void MacScrollbarAnimatorImpl::DidChangeUserVisibleScrollOffset( const ScrollOffset& delta) { content_area_scrolled_timer_scroll_delta_ = delta; if (send_content_area_scrolled_task_handle_.IsActive()) return; send_content_area_scrolled_task_handle_ = PostCancellableTask( *task_runner_, FROM_HERE, WTF::Bind(&MacScrollbarAnimatorImpl::SendContentAreaScrolledTask, WrapWeakPersistent(this))); } void MacScrollbarAnimatorImpl::SendContentAreaScrolledTask() { if (SupportsContentAreaScrolledInDirection()) { [scrollbar_painter_controller_ contentAreaScrolledInDirection: NSMakePoint(content_area_scrolled_timer_scroll_delta_.Width(), content_area_scrolled_timer_scroll_delta_.Height())]; content_area_scrolled_timer_scroll_delta_ = ScrollOffset(); } else [scrollbar_painter_controller_ contentAreaScrolled]; } MacScrollbarAnimator* MacScrollbarAnimator::Create( ScrollableArea* scrollable_area) { return MakeGarbageCollected( const_cast(scrollable_area)); } } // namespace blink ================================================ FILE: LEVEL_1/exercise_5/README.md ================================================ # Exercise 5 ## CVE-2021-21203 I sugget you don't search any report about it to prevents get too much info like patch. This time we do it by code audit ### Details > Don't erase InterpolationTypes used by other documents > > A registered custom property in one document caused the entry for the > same custom property (unregistered) used in another document to be > deleted, which caused a use-after-free. > > Only store the CSSDefaultInterpolationType for unregistered custom > properties and never store registered properties in the map. They may > have different types in different documents when registered. You can read [this](https://chromium.googlesource.com/chromium/src/+/af77c20371d1418300cefbc5fa6779067b7792cf/third_party/blink/renderer/core/animation/#core_animation) to know what about `animation` ---------

For more info click me! But you'd better not do this

https://bugs.chromium.org/p/chromium/issues/detail?id=1192054

-------- ### Set environment Just like exercise_4, we need chromium. I recomend you do as [offical gudience](https://chromium.googlesource.com/chromium/src/+/refs/heads/main/docs/linux/build_instructions.md). If you have installed `depot_tools` ago, you just need `fetch chromium`. When you finish the above ```sh git reset --hard 7e5707cc5f46b0155b9e42b121c8e2128c05f178 ``` ### Related code we can analysis the source file [online](https://chromium.googlesource.com/chromium/src/+/af77c20371d1418300cefbc5fa6779067b7792cf/third_party/blink/renderer/core/animation/css_interpolation_types_map.cc) or offline. This time you need to analysis entire file [`third_party/blink/renderer/core/animation/css_interpolation_types_map.cc`](https://source.chromium.org/chromium/chromium/src/+/af77c20371d1418300cefbc5fa6779067b7792cf:third_party/blink/renderer/core/animation/css_interpolation_types_map.cc), this bug can be easily found if you read `Details` carefully ;) ### Do it Do this exercise by yourself, If you find my answer have something wrong, please correct it. ---------

My answer

`Details` has clearly told us the cause of the vulnerability. **A registered custom property in one document caused the entry for the same custom property (unregistered) used in another document to be deleted, which caused a use-after-free** This mean if we register a `custom property` and then the `entry` of the same `custom property` in another document which `unregistered` will be deleted by `erase`. ```c++ const InterpolationTypes& CSSInterpolationTypesMap::Get( const PropertyHandle& property) const { using ApplicableTypesMap = HashMap>; // TODO(iclelland): Combine these two hashmaps into a single map on // std::pair DEFINE_STATIC_LOCAL(ApplicableTypesMap, all_applicable_types_map, ()); DEFINE_STATIC_LOCAL(ApplicableTypesMap, composited_applicable_types_map, ()); ApplicableTypesMap& applicable_types_map = allow_all_animations_ ? all_applicable_types_map : composited_applicable_types_map; auto entry = applicable_types_map.find(property); [1] find entry (HashMap) bool found_entry = entry != applicable_types_map.end(); // Custom property interpolation types may change over time so don't trust the // applicableTypesMap without checking the registry. if (registry_ && property.IsCSSCustomProperty()) { const auto* registration = GetRegistration(registry_, property); [2] registr if (registration) { if (found_entry) { applicable_types_map.erase(entry); [3] delete entry } return registration->GetInterpolationTypes(); } } if (found_entry) { return *entry->value; } [ ... ] ============================================================================ static const PropertyRegistration* GetRegistration( const PropertyRegistry* registry, const PropertyHandle& property) { DCHECK(property.IsCSSCustomProperty()); if (!registry) { return nullptr; } return registry->Registration(property.CustomPropertyName()); } ```

-------- ================================================ FILE: LEVEL_1/exercise_5/css_interpolation_types_map.cc ================================================ // Copyright 2016 The Chromium Authors. All rights reserved. // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. #include "third_party/blink/renderer/core/animation/css_interpolation_types_map.h" #include #include #include "third_party/blink/public/mojom/feature_policy/feature_policy_feature.mojom-blink.h" #include "third_party/blink/renderer/core/animation/css_angle_interpolation_type.h" #include "third_party/blink/renderer/core/animation/css_aspect_ratio_interpolation_type.h" #include "third_party/blink/renderer/core/animation/css_basic_shape_interpolation_type.h" #include "third_party/blink/renderer/core/animation/css_border_image_length_box_interpolation_type.h" #include "third_party/blink/renderer/core/animation/css_clip_interpolation_type.h" #include "third_party/blink/renderer/core/animation/css_color_interpolation_type.h" #include "third_party/blink/renderer/core/animation/css_custom_length_interpolation_type.h" #include "third_party/blink/renderer/core/animation/css_custom_list_interpolation_type.h" #include "third_party/blink/renderer/core/animation/css_default_interpolation_type.h" #include "third_party/blink/renderer/core/animation/css_filter_list_interpolation_type.h" #include "third_party/blink/renderer/core/animation/css_font_size_interpolation_type.h" #include "third_party/blink/renderer/core/animation/css_font_stretch_interpolation_type.h" #include "third_party/blink/renderer/core/animation/css_font_variation_settings_interpolation_type.h" #include "third_party/blink/renderer/core/animation/css_font_weight_interpolation_type.h" #include "third_party/blink/renderer/core/animation/css_image_interpolation_type.h" #include "third_party/blink/renderer/core/animation/css_image_list_interpolation_type.h" #include "third_party/blink/renderer/core/animation/css_image_slice_interpolation_type.h" #include "third_party/blink/renderer/core/animation/css_length_interpolation_type.h" #include "third_party/blink/renderer/core/animation/css_length_list_interpolation_type.h" #include "third_party/blink/renderer/core/animation/css_length_pair_interpolation_type.h" #include "third_party/blink/renderer/core/animation/css_number_interpolation_type.h" #include "third_party/blink/renderer/core/animation/css_offset_rotate_interpolation_type.h" #include "third_party/blink/renderer/core/animation/css_paint_interpolation_type.h" #include "third_party/blink/renderer/core/animation/css_path_interpolation_type.h" #include "third_party/blink/renderer/core/animation/css_percentage_interpolation_type.h" #include "third_party/blink/renderer/core/animation/css_position_axis_list_interpolation_type.h" #include "third_party/blink/renderer/core/animation/css_position_interpolation_type.h" #include "third_party/blink/renderer/core/animation/css_ray_interpolation_type.h" #include "third_party/blink/renderer/core/animation/css_resolution_interpolation_type.h" #include "third_party/blink/renderer/core/animation/css_rotate_interpolation_type.h" #include "third_party/blink/renderer/core/animation/css_scale_interpolation_type.h" #include "third_party/blink/renderer/core/animation/css_shadow_list_interpolation_type.h" #include "third_party/blink/renderer/core/animation/css_size_list_interpolation_type.h" #include "third_party/blink/renderer/core/animation/css_text_indent_interpolation_type.h" #include "third_party/blink/renderer/core/animation/css_time_interpolation_type.h" #include "third_party/blink/renderer/core/animation/css_transform_interpolation_type.h" #include "third_party/blink/renderer/core/animation/css_transform_origin_interpolation_type.h" #include "third_party/blink/renderer/core/animation/css_translate_interpolation_type.h" #include "third_party/blink/renderer/core/animation/css_var_cycle_interpolation_type.h" #include "third_party/blink/renderer/core/animation/css_visibility_interpolation_type.h" #include "third_party/blink/renderer/core/css/css_property_names.h" #include "third_party/blink/renderer/core/css/css_syntax_definition.h" #include "third_party/blink/renderer/core/css/properties/css_property.h" #include "third_party/blink/renderer/core/css/property_registry.h" #include "third_party/blink/renderer/core/feature_policy/layout_animations_policy.h" #include "third_party/blink/renderer/core/frame/local_frame.h" namespace blink { CSSInterpolationTypesMap::CSSInterpolationTypesMap( const PropertyRegistry* registry, const Document& document) : registry_(registry) { allow_all_animations_ = document.GetExecutionContext()->IsFeatureEnabled( blink::mojom::blink::DocumentPolicyFeature::kLayoutAnimations); } static const PropertyRegistration* GetRegistration( const PropertyRegistry* registry, const PropertyHandle& property) { DCHECK(property.IsCSSCustomProperty()); if (!registry) { return nullptr; } return registry->Registration(property.CustomPropertyName()); } const InterpolationTypes& CSSInterpolationTypesMap::Get( const PropertyHandle& property) const { using ApplicableTypesMap = HashMap>; // TODO(iclelland): Combine these two hashmaps into a single map on // std::pair DEFINE_STATIC_LOCAL(ApplicableTypesMap, all_applicable_types_map, ()); DEFINE_STATIC_LOCAL(ApplicableTypesMap, composited_applicable_types_map, ()); ApplicableTypesMap& applicable_types_map = allow_all_animations_ ? all_applicable_types_map : composited_applicable_types_map; auto entry = applicable_types_map.find(property); bool found_entry = entry != applicable_types_map.end(); // Custom property interpolation types may change over time so don't trust the // applicableTypesMap without checking the registry. if (registry_ && property.IsCSSCustomProperty()) { const auto* registration = GetRegistration(registry_, property); if (registration) { if (found_entry) { applicable_types_map.erase(entry); } return registration->GetInterpolationTypes(); } } if (found_entry) { return *entry->value; } std::unique_ptr applicable_types = std::make_unique(); const CSSProperty& css_property = property.IsCSSProperty() ? property.GetCSSProperty() : property.PresentationAttribute(); // We treat presentation attributes identically to their CSS property // equivalents when interpolating. PropertyHandle used_property = property.IsCSSProperty() ? property : PropertyHandle(css_property); // TODO(crbug.com/838263): Support site-defined list of acceptable properties // through feature policy declarations. bool property_maybe_blocked_by_feature_policy = LayoutAnimationsPolicy::AffectedCSSProperties().Contains(&css_property); if (allow_all_animations_ || !property_maybe_blocked_by_feature_policy) { switch (css_property.PropertyID()) { case CSSPropertyID::kBaselineShift: case CSSPropertyID::kBorderBottomWidth: case CSSPropertyID::kBorderLeftWidth: case CSSPropertyID::kBorderRightWidth: case CSSPropertyID::kBorderTopWidth: case CSSPropertyID::kBottom: case CSSPropertyID::kCx: case CSSPropertyID::kCy: case CSSPropertyID::kFlexBasis: case CSSPropertyID::kHeight: case CSSPropertyID::kLeft: case CSSPropertyID::kLetterSpacing: case CSSPropertyID::kMarginBottom: case CSSPropertyID::kMarginLeft: case CSSPropertyID::kMarginRight: case CSSPropertyID::kMarginTop: case CSSPropertyID::kMaxHeight: case CSSPropertyID::kMaxWidth: case CSSPropertyID::kMinHeight: case CSSPropertyID::kMinWidth: case CSSPropertyID::kOffsetDistance: case CSSPropertyID::kOutlineOffset: case CSSPropertyID::kOutlineWidth: case CSSPropertyID::kPaddingBottom: case CSSPropertyID::kPaddingLeft: case CSSPropertyID::kPaddingRight: case CSSPropertyID::kPaddingTop: case CSSPropertyID::kPerspective: case CSSPropertyID::kR: case CSSPropertyID::kRight: case CSSPropertyID::kRx: case CSSPropertyID::kRy: case CSSPropertyID::kShapeMargin: case CSSPropertyID::kStrokeDashoffset: case CSSPropertyID::kStrokeWidth: case CSSPropertyID::kTextDecorationThickness: case CSSPropertyID::kTextUnderlineOffset: case CSSPropertyID::kTop: case CSSPropertyID::kVerticalAlign: case CSSPropertyID::kWebkitBorderHorizontalSpacing: case CSSPropertyID::kWebkitBorderVerticalSpacing: case CSSPropertyID::kColumnGap: case CSSPropertyID::kRowGap: case CSSPropertyID::kColumnRuleWidth: case CSSPropertyID::kColumnWidth: case CSSPropertyID::kWebkitPerspectiveOriginX: case CSSPropertyID::kWebkitPerspectiveOriginY: case CSSPropertyID::kWebkitTransformOriginX: case CSSPropertyID::kWebkitTransformOriginY: case CSSPropertyID::kWebkitTransformOriginZ: case CSSPropertyID::kWidth: case CSSPropertyID::kWordSpacing: case CSSPropertyID::kX: case CSSPropertyID::kY: applicable_types->push_back( std::make_unique(used_property)); break; case CSSPropertyID::kAspectRatio: applicable_types->push_back( std::make_unique(used_property)); break; case CSSPropertyID::kFlexGrow: case CSSPropertyID::kFlexShrink: case CSSPropertyID::kFillOpacity: case CSSPropertyID::kFloodOpacity: case CSSPropertyID::kFontSizeAdjust: case CSSPropertyID::kOpacity: case CSSPropertyID::kOrder: case CSSPropertyID::kOrphans: case CSSPropertyID::kShapeImageThreshold: case CSSPropertyID::kStopOpacity: case CSSPropertyID::kStrokeMiterlimit: case CSSPropertyID::kStrokeOpacity: case CSSPropertyID::kColumnCount: case CSSPropertyID::kTextSizeAdjust: case CSSPropertyID::kWidows: case CSSPropertyID::kZIndex: applicable_types->push_back( std::make_unique(used_property)); break; case CSSPropertyID::kLineHeight: case CSSPropertyID::kTabSize: applicable_types->push_back( std::make_unique(used_property)); applicable_types->push_back( std::make_unique(used_property)); break; case CSSPropertyID::kBackgroundColor: case CSSPropertyID::kBorderBottomColor: case CSSPropertyID::kBorderLeftColor: case CSSPropertyID::kBorderRightColor: case CSSPropertyID::kBorderTopColor: case CSSPropertyID::kCaretColor: case CSSPropertyID::kColor: case CSSPropertyID::kFloodColor: case CSSPropertyID::kLightingColor: case CSSPropertyID::kOutlineColor: case CSSPropertyID::kStopColor: case CSSPropertyID::kTextDecorationColor: case CSSPropertyID::kColumnRuleColor: case CSSPropertyID::kWebkitTextStrokeColor: applicable_types->push_back( std::make_unique(used_property)); break; case CSSPropertyID::kFill: case CSSPropertyID::kStroke: applicable_types->push_back( std::make_unique(used_property)); break; case CSSPropertyID::kOffsetPath: applicable_types->push_back( std::make_unique(used_property)); FALLTHROUGH; case CSSPropertyID::kD: applicable_types->push_back( std::make_unique(used_property)); break; case CSSPropertyID::kBoxShadow: case CSSPropertyID::kTextShadow: applicable_types->push_back( std::make_unique(used_property)); break; case CSSPropertyID::kBorderImageSource: case CSSPropertyID::kListStyleImage: case CSSPropertyID::kWebkitMaskBoxImageSource: applicable_types->push_back( std::make_unique(used_property)); break; case CSSPropertyID::kBackgroundImage: case CSSPropertyID::kWebkitMaskImage: applicable_types->push_back( std::make_unique(used_property)); break; case CSSPropertyID::kStrokeDasharray: applicable_types->push_back( std::make_unique(used_property)); break; case CSSPropertyID::kFontWeight: applicable_types->push_back( std::make_unique(used_property)); break; case CSSPropertyID::kFontStretch: applicable_types->push_back( std::make_unique(used_property)); break; case CSSPropertyID::kFontVariationSettings: applicable_types->push_back( std::make_unique( used_property)); break; case CSSPropertyID::kVisibility: applicable_types->push_back( std::make_unique(used_property)); break; case CSSPropertyID::kClip: applicable_types->push_back( std::make_unique(used_property)); break; case CSSPropertyID::kOffsetRotate: applicable_types->push_back( std::make_unique(used_property)); break; case CSSPropertyID::kBackgroundPositionX: case CSSPropertyID::kBackgroundPositionY: case CSSPropertyID::kWebkitMaskPositionX: case CSSPropertyID::kWebkitMaskPositionY: applicable_types->push_back( std::make_unique( used_property)); break; case CSSPropertyID::kObjectPosition: case CSSPropertyID::kOffsetAnchor: case CSSPropertyID::kOffsetPosition: case CSSPropertyID::kPerspectiveOrigin: applicable_types->push_back( std::make_unique(used_property)); break; case CSSPropertyID::kBorderBottomLeftRadius: case CSSPropertyID::kBorderBottomRightRadius: case CSSPropertyID::kBorderTopLeftRadius: case CSSPropertyID::kBorderTopRightRadius: case CSSPropertyID::kContainIntrinsicSize: applicable_types->push_back( std::make_unique(used_property)); break; case CSSPropertyID::kTranslate: applicable_types->push_back( std::make_unique(used_property)); break; case CSSPropertyID::kTransformOrigin: applicable_types->push_back( std::make_unique( used_property)); break; case CSSPropertyID::kBackgroundSize: case CSSPropertyID::kWebkitMaskSize: applicable_types->push_back( std::make_unique(used_property)); break; case CSSPropertyID::kBorderImageOutset: case CSSPropertyID::kBorderImageWidth: case CSSPropertyID::kWebkitMaskBoxImageOutset: case CSSPropertyID::kWebkitMaskBoxImageWidth: applicable_types->push_back( std::make_unique( used_property)); break; case CSSPropertyID::kScale: applicable_types->push_back( std::make_unique(used_property)); break; case CSSPropertyID::kFontSize: applicable_types->push_back( std::make_unique(used_property)); break; case CSSPropertyID::kTextIndent: applicable_types->push_back( std::make_unique(used_property)); break; case CSSPropertyID::kBorderImageSlice: case CSSPropertyID::kWebkitMaskBoxImageSlice: applicable_types->push_back( std::make_unique(used_property)); break; case CSSPropertyID::kClipPath: applicable_types->push_back( std::make_unique(used_property)); applicable_types->push_back( std::make_unique(used_property)); break; case CSSPropertyID::kShapeOutside: applicable_types->push_back( std::make_unique(used_property)); break; case CSSPropertyID::kRotate: applicable_types->push_back( std::make_unique(used_property)); break; case CSSPropertyID::kBackdropFilter: case CSSPropertyID::kFilter: applicable_types->push_back( std::make_unique(used_property)); break; case CSSPropertyID::kTransform: applicable_types->push_back( std::make_unique(used_property)); break; case CSSPropertyID::kVariable: DCHECK_EQ(GetRegistration(registry_, property), nullptr); break; default: DCHECK(!css_property.IsInterpolable()); break; } } applicable_types->push_back( std::make_unique(used_property)); auto add_result = applicable_types_map.insert(property, std::move(applicable_types)); return *add_result.stored_value->value; } size_t CSSInterpolationTypesMap::Version() const { return registry_ ? registry_->Version() : 0; } static std::unique_ptr CreateInterpolationTypeForCSSSyntax(CSSSyntaxType syntax, PropertyHandle property, const PropertyRegistration& registration) { switch (syntax) { case CSSSyntaxType::kAngle: return std::make_unique(property, ®istration); case CSSSyntaxType::kColor: return std::make_unique(property, ®istration); case CSSSyntaxType::kLength: return std::make_unique(property, ®istration); case CSSSyntaxType::kLengthPercentage: return std::make_unique(property, ®istration); case CSSSyntaxType::kPercentage: return std::make_unique(property, ®istration); case CSSSyntaxType::kNumber: return std::make_unique(property, ®istration); case CSSSyntaxType::kResolution: return std::make_unique(property, ®istration); case CSSSyntaxType::kTime: return std::make_unique(property, ®istration); case CSSSyntaxType::kImage: // TODO(andruud): Implement smooth interpolation for gradients. return nullptr; case CSSSyntaxType::kInteger: return std::make_unique(property, ®istration, true); case CSSSyntaxType::kTransformFunction: case CSSSyntaxType::kTransformList: // TODO(alancutter): Support smooth interpolation of these types. return nullptr; case CSSSyntaxType::kCustomIdent: case CSSSyntaxType::kIdent: case CSSSyntaxType::kTokenStream: case CSSSyntaxType::kUrl: // Smooth interpolation not supported for these types. return nullptr; default: NOTREACHED(); return nullptr; } } InterpolationTypes CSSInterpolationTypesMap::CreateInterpolationTypesForCSSSyntax( const AtomicString& property_name, const CSSSyntaxDefinition& definition, const PropertyRegistration& registration) { PropertyHandle property(property_name); InterpolationTypes result; // All custom properties may encounter var() dependency cycles. result.push_back( std::make_unique(property, registration)); for (const CSSSyntaxComponent& component : definition.Components()) { std::unique_ptr interpolation_type = CreateInterpolationTypeForCSSSyntax(component.GetType(), property, registration); if (!interpolation_type) continue; if (component.IsRepeatable()) { interpolation_type = std::make_unique( property, ®istration, std::move(interpolation_type), component.GetType(), component.GetRepeat()); } result.push_back(std::move(interpolation_type)); } result.push_back(std::make_unique(property)); return result; } } // namespace blink ================================================ FILE: LEVEL_1/exercise_5/poc.html ================================================ ================================================ FILE: LEVEL_1/exercise_6/README.md ================================================ # Exercise 6 ## CVE-2021-21188 I sugget you don't search any report about it to prevents get too much info like patch. This time we do it by code audit ### Details > Test for persistent execution context during Animatable::animate. > > Prior to the patch, the validity of the execution context was only > checked on entry to the method; however, the execution context can > be invalidated during the course of parsing keyframes or options. > The parsing of options is upstream of Animatable::animate and caught by > the existing check, but invalidation during keyframe parsing could fall > through triggering a crash. You can read [this](https://chromium.googlesource.com/chromium/src/+/af77c20371d1418300cefbc5fa6779067b7792cf/third_party/blink/renderer/core/animation/#core_animation) to know what about `animation` ---------

For more info click me! But you'd better not do this

https://bugs.chromium.org/p/chromium/issues/detail?id=1161739

-------- ### Set environment after you fetch chromium ```sh git reset --hard 710bae69e18a9b086795cf79d849bd7f6e9c97fa ``` ### Related code [`third_party/blink/renderer/core/animation/animatable.cc`](https://source.chromium.org/chromium/chromium/src/+/db032cf0a96b0e7e1007f181d8ce21e39617cee7:third_party/blink/renderer/core/animation/animatable.cc) and others ### Do it Do this exercise by yourself, If you find my answer have something wrong, please correct it. ---------

My answer

Let's start analysis the source code ``` c++ Animation* Animatable::animate( ScriptState* script_state, const ScriptValue& keyframes, const UnrestrictedDoubleOrKeyframeAnimationOptions& options, ExceptionState& exception_state) { if (!script_state->ContextIsValid()) return nullptr; Element* element = GetAnimationTarget(); if (!element->GetExecutionContext()) [1] call `GetExecutionContext` to check whether the validity of this ptr return nullptr; KeyframeEffect* effect = KeyframeEffect::Create(script_state, element, keyframes, [2] call create and element is the second parameter CoerceEffectOptions(options), exception_state); if (exception_state.HadException()) return nullptr; ReportFeaturePolicyViolationsIfNecessary(*element->GetExecutionContext(), *effect->Model()); if (!options.IsKeyframeAnimationOptions()) return element->GetDocument().Timeline().Play(effect); Animation* animation; const KeyframeAnimationOptions* options_dict = options.GetAsKeyframeAnimationOptions(); if (!options_dict->hasTimeline()) { animation = element->GetDocument().Timeline().Play(effect); } else if (AnimationTimeline* timeline = options_dict->timeline()) { animation = timeline->Play(effect); } else { animation = Animation::Create(element->GetExecutionContext(), effect, [3] If we delete `element` in [2], this trigger crash nullptr, exception_state); } [ ... ] ``` What happen in Create ```c++ KeyframeEffect* KeyframeEffect::Create( ScriptState* script_state, Element* element, const ScriptValue& keyframes, const UnrestrictedDoubleOrKeyframeEffectOptions& options, ExceptionState& exception_state) { Document* document = element ? &element->GetDocument() : nullptr; Timing timing = TimingInput::Convert(options, document, exception_state); if (exception_state.HadException()) return nullptr; EffectModel::CompositeOperation composite = EffectModel::kCompositeReplace; String pseudo = String(); // [ ... ] KeyframeEffectModelBase* model = EffectInput::Convert( [4] call Convert, and element is the first parameter element, keyframes, composite, script_state, exception_state); if (exception_state.HadException()) return nullptr; KeyframeEffect* effect = MakeGarbageCollected(element, model, timing); if (!pseudo.IsEmpty()) { effect->target_pseudo_ = pseudo; if (element) { element->GetDocument().UpdateStyleAndLayoutTreeForNode(element); effect->effect_target_ = element->GetPseudoElement( CSSSelector::ParsePseudoId(pseudo, element)); } } return effect; } ================================================================================ KeyframeEffectModelBase* EffectInput::Convert( Element* element, const ScriptValue& keyframes, EffectModel::CompositeOperation composite, ScriptState* script_state, ExceptionState& exception_state) { StringKeyframeVector parsed_keyframes = ParseKeyframesArgument(element, keyframes, script_state, exception_state); [5] call ParseKeyframesArgument and element is the first parameter if (exception_state.HadException()) return nullptr; [ ... ] ``` I wander what is Keyframe? Then I found [this](https://developer.mozilla.org/en-US/docs/Web/CSS/@keyframes) and [this](https://developer.mozilla.org/en-US/docs/Web/CSS/animation). Although I posted the animation link last time, I didn’t read it myself... But this time we must know what is animation and keyframe. > The animation property is specified as one or more single animations, separated by commas. I don't know what the word animation mean, so I don't know what it mean for chrome :/ Alright, you can know them detailed from the two link or you can search yourself. What can we do to delete this `element` during `ParseKeyframesArgument`? We can see its def and how animation be constructed. ```c++ StringKeyframeVector EffectInput::ParseKeyframesArgument( Element* element, const ScriptValue& keyframes, ScriptState* script_state, ExceptionState& exception_state) { // Per the spec, a null keyframes object maps to a valid but empty sequence. v8::Local keyframes_value = keyframes.V8Value(); if (keyframes_value->IsNullOrUndefined()) return {}; v8::Local keyframes_obj = keyframes_value.As(); // 3. Let method be the result of GetMethod(object, @@iterator). v8::Isolate* isolate = script_state->GetIsolate(); auto script_iterator = ScriptIterator::FromIterable(isolate, keyframes_obj, exception_state); if (exception_state.HadException()) return {}; // TODO(crbug.com/816934): Get spec to specify what parsing context to use. Document& document = element ? element->GetDocument() : *LocalDOMWindow::From(script_state)->document(); StringKeyframeVector parsed_keyframes; if (script_iterator.IsNull()) { parsed_keyframes = ConvertObjectForm(element, document, keyframes_obj, script_state, exception_state); } else { parsed_keyframes = ConvertArrayForm(element, document, std::move(script_iterator), [6] if keyframes is sorted by array, do convert script_state, exception_state); } [ ... ] ``` Parse the parameter of animatable (parse keyframes), If we transform an Array composed of keyframs, need call ConvertArrayForm for convert step. ```c++ StringKeyframeVector ConvertArrayForm(Element* element, Document& document, ScriptIterator iterator, ScriptState* script_state, ExceptionState& exception_state) { v8::Isolate* isolate = script_state->GetIsolate(); // This loop captures step 5 of the procedure to process a keyframes argument, // in the case where the argument is iterable. HeapVector> processed_base_keyframes; Vector>> processed_properties; ExecutionContext* execution_context = ExecutionContext::From(script_state); while (iterator.Next(execution_context, exception_state)) { if (exception_state.HadException()) return {}; // The value should already be non-empty, as guaranteed by the call to Next // and the exception_state check above. v8::Local keyframe = iterator.GetValue().ToLocalChecked(); BaseKeyframe* base_keyframe = NativeValueTraits::NativeValue( isolate, keyframe, exception_state); Vector> property_value_pairs; if (!keyframe->IsNullOrUndefined()) { AddPropertyValuePairsForKeyframe( [7] call AddPropertyValuePairsForKeyframe isolate, v8::Local::Cast(keyframe), element, document, property_value_pairs, exception_state); if (exception_state.HadException()) return {}; } [ ... ] =========================================================================== void AddPropertyValuePairsForKeyframe( v8::Isolate* isolate, v8::Local keyframe_obj, Element* element, const Document& document, Vector>& property_value_pairs, ExceptionState& exception_state) { Vector keyframe_properties = GetOwnPropertyNames(isolate, keyframe_obj, exception_state); // By spec, we are only allowed to access a given (property, value) pair // once. This is observable by the web client, so we take care to adhere // to that. v8::Local v8_value; if (!keyframe_obj ->Get(isolate->GetCurrentContext(), V8String(isolate, property)) [8] call get .ToLocal(&v8_value)) { exception_state.RethrowV8Exception(try_catch.Exception()); return; } } ``` We can delete this `element` in `getter`, these `element` and `document` is the target of `html`, if you can get if you have learned how js control DOM of html. We use `element.animate(keyframes, options);` to trigger, we can make a `arr` whose `getter` delete `element_1`. and do `element_2.animate(arr,{...})`, you can see detail at [Poc](./poc.html).

-------- ================================================ FILE: LEVEL_1/exercise_6/animatable.cc ================================================ // Copyright 2017 The Chromium Authors. All rights reserved. // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. #include "third_party/blink/renderer/core/animation/animatable.h" #include "third_party/blink/renderer/bindings/core/v8/unrestricted_double_or_keyframe_animation_options.h" #include "third_party/blink/renderer/bindings/core/v8/unrestricted_double_or_keyframe_effect_options.h" #include "third_party/blink/renderer/bindings/core/v8/v8_get_animations_options.h" #include "third_party/blink/renderer/core/animation/animation.h" #include "third_party/blink/renderer/core/animation/document_animations.h" #include "third_party/blink/renderer/core/animation/document_timeline.h" #include "third_party/blink/renderer/core/animation/effect_input.h" #include "third_party/blink/renderer/core/animation/effect_model.h" #include "third_party/blink/renderer/core/animation/keyframe_effect.h" #include "third_party/blink/renderer/core/animation/keyframe_effect_model.h" #include "third_party/blink/renderer/core/animation/timing.h" #include "third_party/blink/renderer/core/animation/timing_input.h" #include "third_party/blink/renderer/core/dom/document.h" #include "third_party/blink/renderer/core/dom/element.h" #include "third_party/blink/renderer/core/feature_policy/layout_animations_policy.h" #include "third_party/blink/renderer/platform/bindings/exception_state.h" #include "third_party/blink/renderer/platform/bindings/script_state.h" #include "third_party/blink/renderer/platform/heap/heap.h" namespace blink { namespace { // A helper method which is used to trigger a violation report for cases where // the |element.animate| API is used to animate a CSS property which is blocked // by the feature policy 'layout-animations'. void ReportFeaturePolicyViolationsIfNecessary( const ExecutionContext& context, const KeyframeEffectModelBase& effect) { for (const auto& property_handle : effect.Properties()) { if (!property_handle.IsCSSProperty()) continue; const auto& css_property = property_handle.GetCSSProperty(); if (LayoutAnimationsPolicy::AffectedCSSProperties().Contains( &css_property)) { LayoutAnimationsPolicy::ReportViolation(css_property, context); } } } UnrestrictedDoubleOrKeyframeEffectOptions CoerceEffectOptions( UnrestrictedDoubleOrKeyframeAnimationOptions options) { if (options.IsKeyframeAnimationOptions()) { return UnrestrictedDoubleOrKeyframeEffectOptions::FromKeyframeEffectOptions( options.GetAsKeyframeAnimationOptions()); } else { return UnrestrictedDoubleOrKeyframeEffectOptions::FromUnrestrictedDouble( options.GetAsUnrestrictedDouble()); } } } // namespace // https://drafts.csswg.org/web-animations/#dom-animatable-animate Animation* Animatable::animate( ScriptState* script_state, const ScriptValue& keyframes, const UnrestrictedDoubleOrKeyframeAnimationOptions& options, ExceptionState& exception_state) { if (!script_state->ContextIsValid()) return nullptr; Element* element = GetAnimationTarget(); if (!element->GetExecutionContext()) return nullptr; KeyframeEffect* effect = KeyframeEffect::Create(script_state, element, keyframes, CoerceEffectOptions(options), exception_state); if (exception_state.HadException()) return nullptr; ReportFeaturePolicyViolationsIfNecessary(*element->GetExecutionContext(), *effect->Model()); if (!options.IsKeyframeAnimationOptions()) return element->GetDocument().Timeline().Play(effect); Animation* animation; const KeyframeAnimationOptions* options_dict = options.GetAsKeyframeAnimationOptions(); if (!options_dict->hasTimeline()) { animation = element->GetDocument().Timeline().Play(effect); } else if (AnimationTimeline* timeline = options_dict->timeline()) { animation = timeline->Play(effect); } else { animation = Animation::Create(element->GetExecutionContext(), effect, nullptr, exception_state); } animation->setId(options_dict->id()); return animation; } Animation* Animatable::animate(ScriptState* script_state, const ScriptValue& keyframes, ExceptionState& exception_state) { if (!script_state->ContextIsValid()) return nullptr; Element* element = GetAnimationTarget(); if (!element->GetExecutionContext()) return nullptr; KeyframeEffect* effect = KeyframeEffect::Create(script_state, element, keyframes, exception_state); if (exception_state.HadException()) return nullptr; ReportFeaturePolicyViolationsIfNecessary(*element->GetExecutionContext(), *effect->Model()); return element->GetDocument().Timeline().Play(effect); } HeapVector> Animatable::getAnimations( GetAnimationsOptions* options) { bool use_subtree = options && options->subtree(); Element* element = GetAnimationTarget(); if (use_subtree) element->GetDocument().UpdateStyleAndLayoutTreeForSubtree(element); else element->GetDocument().UpdateStyleAndLayoutTreeForNode(element); HeapVector> animations; if (!use_subtree && !element->HasAnimations()) return animations; for (const auto& animation : element->GetDocument().GetDocumentAnimations().getAnimations( element->GetTreeScope())) { DCHECK(animation->effect()); // TODO(gtsteel) make this use the idl properties Element* target = To(animation->effect())->EffectTarget(); if (element == target || (use_subtree && element->contains(target))) { // DocumentAnimations::getAnimations should only give us animations that // are either current or in effect. DCHECK(animation->effect()->IsCurrent() || animation->effect()->IsInEffect()); animations.push_back(animation); } } return animations; } } // namespace blink ================================================ FILE: LEVEL_1/exercise_6/effect_input.cc ================================================ /* * Copyright (C) 2013 Google Inc. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions are * met: * * * Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * * Redistributions in binary form must reproduce the above * copyright notice, this list of conditions and the following disclaimer * in the documentation and/or other materials provided with the * distribution. * * Neither the name of Google Inc. nor the names of its * contributors may be used to endorse or promote products derived from * this software without specific prior written permission. * * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ #include "third_party/blink/renderer/core/animation/effect_input.h" #include "third_party/blink/renderer/bindings/core/v8/array_value.h" #include "third_party/blink/renderer/bindings/core/v8/dictionary.h" #include "third_party/blink/renderer/bindings/core/v8/idl_types.h" #include "third_party/blink/renderer/bindings/core/v8/native_value_traits_impl.h" #include "third_party/blink/renderer/bindings/core/v8/script_iterator.h" #include "third_party/blink/renderer/bindings/core/v8/string_or_string_sequence.h" #include "third_party/blink/renderer/bindings/core/v8/v8_base_keyframe.h" #include "third_party/blink/renderer/bindings/core/v8/v8_base_property_indexed_keyframe.h" #include "third_party/blink/renderer/core/animation/animation_input_helpers.h" #include "third_party/blink/renderer/core/animation/compositor_animations.h" #include "third_party/blink/renderer/core/animation/css/css_animations.h" #include "third_party/blink/renderer/core/animation/keyframe_effect_model.h" #include "third_party/blink/renderer/core/animation/string_keyframe.h" #include "third_party/blink/renderer/core/css/css_style_sheet.h" #include "third_party/blink/renderer/core/dom/document.h" #include "third_party/blink/renderer/core/dom/element.h" #include "third_party/blink/renderer/core/dom/node_computed_style.h" #include "third_party/blink/renderer/core/frame/frame_console.h" #include "third_party/blink/renderer/core/frame/local_dom_window.h" #include "third_party/blink/renderer/core/frame/local_frame.h" #include "third_party/blink/renderer/core/inspector/console_message.h" #include "third_party/blink/renderer/platform/heap/heap.h" #include "third_party/blink/renderer/platform/wtf/hash_set.h" #include "third_party/blink/renderer/platform/wtf/text/ascii_ctype.h" #include "third_party/blink/renderer/platform/wtf/text/wtf_string.h" #include "v8/include/v8.h" namespace blink { namespace { // Converts the composite property of a BasePropertyIndexedKeyframe into a // vector of base::Optional enums. Vector> ParseCompositeProperty( const BasePropertyIndexedKeyframe* keyframe) { const CompositeOperationOrAutoOrCompositeOperationOrAutoSequence& composite = keyframe->composite(); if (composite.IsCompositeOperationOrAuto()) { return {EffectModel::StringToCompositeOperation( composite.GetAsCompositeOperationOrAuto())}; } Vector> result; for (const String& composite_operation_string : composite.GetAsCompositeOperationOrAutoSequence()) { result.push_back( EffectModel::StringToCompositeOperation(composite_operation_string)); } return result; } void SetKeyframeValue(Element* element, Document& document, StringKeyframe& keyframe, const String& property, const String& value, ExecutionContext* execution_context) { StyleSheetContents* style_sheet_contents = document.ElementSheet().Contents(); CSSPropertyID css_property = AnimationInputHelpers::KeyframeAttributeToCSSProperty(property, document); SecureContextMode secure_context_mode = document.GetExecutionContext() ? document.GetExecutionContext()->GetSecureContextMode() : SecureContextMode::kInsecureContext; if (css_property != CSSPropertyID::kInvalid) { MutableCSSPropertyValueSet::SetResult set_result = css_property == CSSPropertyID::kVariable ? keyframe.SetCSSPropertyValue(AtomicString(property), value, secure_context_mode, style_sheet_contents) : keyframe.SetCSSPropertyValue(css_property, value, secure_context_mode, style_sheet_contents); if (!set_result.did_parse && execution_context) { if (document.GetFrame()) { document.GetFrame()->Console().AddMessage( MakeGarbageCollected( mojom::ConsoleMessageSource::kJavaScript, mojom::ConsoleMessageLevel::kWarning, "Invalid keyframe value for property " + property + ": " + value)); } } return; } css_property = AnimationInputHelpers::KeyframeAttributeToPresentationAttribute(property, element); if (css_property != CSSPropertyID::kInvalid) { keyframe.SetPresentationAttributeValue(CSSProperty::Get(css_property), value, secure_context_mode, style_sheet_contents); return; } const QualifiedName* svg_attribute = AnimationInputHelpers::KeyframeAttributeToSVGAttribute(property, element); if (svg_attribute) keyframe.SetSVGAttributeValue(*svg_attribute, value); } bool ValidatePartialKeyframes(const StringKeyframeVector& keyframes) { // WebAnimationsAPIEnabled guards both additive animations and allowing // partial (implicit) keyframes. if (RuntimeEnabledFeatures::WebAnimationsAPIEnabled()) return true; // An implicit keyframe is inserted in the below cases. Note that the 'first' // keyframe is actually all keyframes with offset 0.0, and the 'last' keyframe // is actually all keyframes with offset 1.0. // // 1. A given property is present somewhere in the full set of keyframes, // but is either not present in the first keyframe (requiring an implicit // start value for that property) or last keyframe (requiring an implicit // end value for that property). // // 2. There is no first keyframe (requiring an implicit start keyframe), or // no last keyframe (requiring an implicit end keyframe). // // We only care about CSS properties here; animating SVG elements is protected // by a different runtime flag. Vector computed_offsets = KeyframeEffectModelBase::GetComputedOffsets(keyframes); PropertyHandleSet properties_with_offset_0; PropertyHandleSet properties_with_offset_1; for (wtf_size_t i = 0; i < keyframes.size(); i++) { for (const PropertyHandle& property : keyframes[i]->Properties()) { if (!property.IsCSSProperty()) continue; if (computed_offsets[i] == 0.0) { properties_with_offset_0.insert(property); } else { if (!properties_with_offset_0.Contains(property)) return false; if (computed_offsets[i] == 1.0) { properties_with_offset_1.insert(property); } } } } // At this point we have compared all keyframes with offset > 0 against the // properties contained in the first keyframe, and found that they match. Now // we just need to make sure that there aren't any properties in the first // keyframe that aren't in the last keyframe. return properties_with_offset_0.size() == properties_with_offset_1.size(); } // Ensures that a CompositeOperation is of an allowed value for a given // StringKeyframe and the current runtime flags. EffectModel::CompositeOperation ResolveCompositeOperationForKeyframe( EffectModel::CompositeOperation composite, StringKeyframe* keyframe) { bool additive_composite = composite == EffectModel::kCompositeAdd || composite == EffectModel::kCompositeAccumulate; if (!RuntimeEnabledFeatures::WebAnimationsAPIEnabled() && keyframe->HasCssProperty() && additive_composite) { return EffectModel::kCompositeReplace; } return composite; } bool IsAnimatableKeyframeAttribute(const String& property, Element* element, const Document& document) { CSSPropertyID css_property = AnimationInputHelpers::KeyframeAttributeToCSSProperty(property, document); if (css_property != CSSPropertyID::kInvalid) { return !CSSAnimations::IsAnimationAffectingProperty( CSSProperty::Get(css_property)); } css_property = AnimationInputHelpers::KeyframeAttributeToPresentationAttribute(property, element); if (css_property != CSSPropertyID::kInvalid) return true; return !!AnimationInputHelpers::KeyframeAttributeToSVGAttribute(property, element); } void AddPropertyValuePairsForKeyframe( v8::Isolate* isolate, v8::Local keyframe_obj, Element* element, const Document& document, Vector>& property_value_pairs, ExceptionState& exception_state) { Vector keyframe_properties = GetOwnPropertyNames(isolate, keyframe_obj, exception_state); if (exception_state.HadException()) return; // By spec, we must sort the properties in "ascending order by the Unicode // codepoints that define each property name." std::sort(keyframe_properties.begin(), keyframe_properties.end(), WTF::CodeUnitCompareLessThan); v8::TryCatch try_catch(isolate); for (const auto& property : keyframe_properties) { if (property == "offset" || property == "float" || property == "composite" || property == "easing") { continue; } // By spec, we are not allowed to access any non-animatable property. if (!IsAnimatableKeyframeAttribute(property, element, document)) continue; // By spec, we are only allowed to access a given (property, value) pair // once. This is observable by the web client, so we take care to adhere // to that. v8::Local v8_value; if (!keyframe_obj ->Get(isolate->GetCurrentContext(), V8String(isolate, property)) .ToLocal(&v8_value)) { exception_state.RethrowV8Exception(try_catch.Exception()); return; } if (v8_value->IsArray()) { // Since allow-lists is false, array values should be ignored. continue; } String string_value = NativeValueTraits::NativeValue( isolate, v8_value, exception_state); if (exception_state.HadException()) return; property_value_pairs.push_back(std::make_pair(property, string_value)); } } StringKeyframeVector ConvertArrayForm(Element* element, Document& document, ScriptIterator iterator, ScriptState* script_state, ExceptionState& exception_state) { v8::Isolate* isolate = script_state->GetIsolate(); // This loop captures step 5 of the procedure to process a keyframes argument, // in the case where the argument is iterable. HeapVector> processed_base_keyframes; Vector>> processed_properties; ExecutionContext* execution_context = ExecutionContext::From(script_state); while (iterator.Next(execution_context, exception_state)) { if (exception_state.HadException()) return {}; // The value should already be non-empty, as guaranteed by the call to Next // and the exception_state check above. getchar(); v8::Local keyframe = iterator.GetValue().ToLocalChecked(); if (!keyframe->IsObject() && !keyframe->IsNullOrUndefined()) { exception_state.ThrowTypeError( "Keyframes must be objects, or null or undefined"); return {}; } BaseKeyframe* base_keyframe = NativeValueTraits::NativeValue( isolate, keyframe, exception_state); Vector> property_value_pairs; if (exception_state.HadException()) return {}; if (!keyframe->IsNullOrUndefined()) { AddPropertyValuePairsForKeyframe( isolate, v8::Local::Cast(keyframe), element, document, property_value_pairs, exception_state); if (exception_state.HadException()) return {}; } processed_base_keyframes.push_back(base_keyframe); processed_properties.push_back(property_value_pairs); } // If the very first call to next() throws the above loop will never be // entered, so we have to catch that here. if (exception_state.HadException()) return {}; // 6. If processed keyframes is not loosely sorted by offset, throw a // TypeError and abort these steps. double previous_offset = -std::numeric_limits::infinity(); const wtf_size_t num_processed_keyframes = processed_base_keyframes.size(); for (wtf_size_t i = 0; i < num_processed_keyframes; ++i) { if (!processed_base_keyframes[i]->hasOffsetNonNull()) continue; double offset = processed_base_keyframes[i]->offsetNonNull(); if (offset < previous_offset) { exception_state.ThrowTypeError( "Offsets must be montonically non-decreasing."); return {}; } previous_offset = offset; } // 7. If there exist any keyframe in processed keyframes whose keyframe // offset is non-null and less than zero or greater than one, throw a // TypeError and abort these steps. for (wtf_size_t i = 0; i < num_processed_keyframes; ++i) { if (!processed_base_keyframes[i]->hasOffsetNonNull()) continue; double offset = processed_base_keyframes[i]->offsetNonNull(); if (offset < 0 || offset > 1) { exception_state.ThrowTypeError( "Offsets must be null or in the range [0,1]."); return {}; } } StringKeyframeVector keyframes; for (wtf_size_t i = 0; i < num_processed_keyframes; ++i) { // Now we create the actual Keyframe object. We start by assigning the // offset and composite values; conceptually these were actually added in // step 5 above but we didn't have a keyframe object then. const BaseKeyframe* base_keyframe = processed_base_keyframes[i]; auto* keyframe = MakeGarbageCollected(); if (base_keyframe->hasOffset()) { keyframe->SetOffset(base_keyframe->offset()); } // 8.1. For each property-value pair in frame, parse the property value // using the syntax specified for that property. for (const auto& pair : processed_properties[i]) { // TODO(crbug.com/777971): Make parsing of property values spec-compliant. SetKeyframeValue(element, document, *keyframe, pair.first, pair.second, execution_context); } base::Optional composite = EffectModel::StringToCompositeOperation(base_keyframe->composite()); if (composite) { keyframe->SetComposite( ResolveCompositeOperationForKeyframe(composite.value(), keyframe)); } // 8.2. Let the timing function of frame be the result of parsing the // “easing” property on frame using the CSS syntax defined for the easing // property of the AnimationEffectTimingReadOnly interface. // // If parsing the “easing” property fails, throw a TypeError and abort this // procedure. scoped_refptr timing_function = AnimationInputHelpers::ParseTimingFunction(base_keyframe->easing(), &document, exception_state); if (!timing_function) return {}; keyframe->SetEasing(timing_function); keyframes.push_back(keyframe); } DCHECK(!exception_state.HadException()); return keyframes; } // Extracts the values for a given property in the input keyframes. As per the // spec property values for the object-notation form have type (DOMString or // sequence). bool GetPropertyIndexedKeyframeValues(const v8::Local& keyframe, const String& property, ScriptState* script_state, ExceptionState& exception_state, Vector& result) { DCHECK(result.IsEmpty()); // By spec, we are only allowed to access a given (property, value) pair once. // This is observable by the web client, so we take care to adhere to that. v8::Local v8_value; v8::TryCatch try_catch(script_state->GetIsolate()); v8::Local context = script_state->GetContext(); v8::Isolate* isolate = script_state->GetIsolate(); if (!keyframe->Get(context, V8String(isolate, property)).ToLocal(&v8_value)) { exception_state.RethrowV8Exception(try_catch.Exception()); return {}; } StringOrStringSequence string_or_string_sequence; V8StringOrStringSequence::ToImpl( script_state->GetIsolate(), v8_value, string_or_string_sequence, UnionTypeConversionMode::kNotNullable, exception_state); if (exception_state.HadException()) return false; if (string_or_string_sequence.IsString()) result.push_back(string_or_string_sequence.GetAsString()); else result = string_or_string_sequence.GetAsStringSequence(); return true; } // Implements the procedure to "process a keyframes argument" from the // web-animations spec for an object form keyframes argument. // // See https://drafts.csswg.org/web-animations/#processing-a-keyframes-argument StringKeyframeVector ConvertObjectForm(Element* element, Document& document, const v8::Local& v8_keyframe, ScriptState* script_state, ExceptionState& exception_state) { // We implement much of this procedure out of order from the way the spec is // written, to avoid repeatedly going over the list of keyframes. // The web-observable behavior should be the same as the spec. // Extract the offset, easing, and composite as per step 1 of the 'procedure // to process a keyframe-like object'. BasePropertyIndexedKeyframe* property_indexed_keyframe = NativeValueTraits::NativeValue( script_state->GetIsolate(), v8_keyframe, exception_state); if (exception_state.HadException()) return {}; Vector> offsets; if (property_indexed_keyframe->offset().IsNull()) offsets.push_back(base::nullopt); else if (property_indexed_keyframe->offset().IsDouble()) offsets.push_back(property_indexed_keyframe->offset().GetAsDouble()); else offsets = property_indexed_keyframe->offset().GetAsDoubleOrNullSequence(); // The web-animations spec explicitly states that easings should be kept as // DOMStrings here and not parsed into timing functions until later. Vector easings; if (property_indexed_keyframe->easing().IsString()) easings.push_back(property_indexed_keyframe->easing().GetAsString()); else easings = property_indexed_keyframe->easing().GetAsStringSequence(); Vector> composite_operations = ParseCompositeProperty(property_indexed_keyframe); // Next extract all animatable properties from the input argument and iterate // through them, processing each as a list of values for that property. This // implements both steps 2-7 of the 'procedure to process a keyframe-like // object' and step 5.2 of the 'procedure to process a keyframes argument'. Vector keyframe_properties = GetOwnPropertyNames( script_state->GetIsolate(), v8_keyframe, exception_state); if (exception_state.HadException()) return {}; // Steps 5.2 - 5.4 state that the user agent is to: // // * Create sets of 'property keyframes' with no offset. // * Calculate computed offsets for each set of keyframes individually. // * Join the sets together and merge those with identical computed offsets. // // This is equivalent to just keeping a hashmap from computed offset to a // single keyframe, which simplifies the parsing logic. HeapHashMap> keyframes; // By spec, we must sort the properties in "ascending order by the Unicode // codepoints that define each property name." std::sort(keyframe_properties.begin(), keyframe_properties.end(), WTF::CodeUnitCompareLessThan); for (const auto& property : keyframe_properties) { if (property == "offset" || property == "float" || property == "composite" || property == "easing") { continue; } // By spec, we are not allowed to access any non-animatable property. if (!IsAnimatableKeyframeAttribute(property, element, document)) continue; Vector values; if (!GetPropertyIndexedKeyframeValues(v8_keyframe, property, script_state, exception_state, values)) { return {}; } // Now create a keyframe (or retrieve and augment an existing one) for each // value this property maps to. As explained above, this loop performs both // the initial creation and merging mentioned in the spec. wtf_size_t num_keyframes = values.size(); ExecutionContext* execution_context = ExecutionContext::From(script_state); for (wtf_size_t i = 0; i < num_keyframes; ++i) { // As all offsets are null for these 'property keyframes', the computed // offset is just the fractional position of each keyframe in the array. // // The only special case is that when there is only one keyframe the sole // computed offset is defined as 1. double computed_offset = (num_keyframes == 1) ? 1 : i / double(num_keyframes - 1); auto result = keyframes.insert(computed_offset, nullptr); if (result.is_new_entry) result.stored_value->value = MakeGarbageCollected(); SetKeyframeValue(element, document, *result.stored_value->value, property, values[i], execution_context); } } // 5.3 Sort processed keyframes by the computed keyframe offset of each // keyframe in increasing order. Vector keys; for (const auto& key : keyframes.Keys()) keys.push_back(key); std::sort(keys.begin(), keys.end()); // Steps 5.5 - 5.12 deal with assigning the user-specified offset, easing, and // composite properties to the keyframes. // // This loop also implements steps 6, 7, and 8 of the spec. Because nothing is // user-observable at this point, we can operate out of order. Note that this // may result in us throwing a different order of TypeErrors than other user // agents[1], but as all exceptions are TypeErrors this is not observable by // the web client. // // [1] E.g. if the offsets are [2, 0] we will throw due to the first offset // being > 1 before we throw due to the offsets not being loosely ordered. StringKeyframeVector results; double previous_offset = 0.0; for (wtf_size_t i = 0; i < keys.size(); i++) { auto* keyframe = keyframes.at(keys[i]); if (i < offsets.size()) { base::Optional offset = offsets[i]; // 6. If processed keyframes is not loosely sorted by offset, throw a // TypeError and abort these steps. if (offset.has_value()) { if (offset.value() < previous_offset) { exception_state.ThrowTypeError( "Offsets must be montonically non-decreasing."); return {}; } previous_offset = offset.value(); } // 7. If there exist any keyframe in processed keyframes whose keyframe // offset is non-null and less than zero or greater than one, throw a // TypeError and abort these steps. if (offset.has_value() && (offset.value() < 0 || offset.value() > 1)) { exception_state.ThrowTypeError( "Offsets must be null or in the range [0,1]."); return {}; } keyframe->SetOffset(offset); } // At this point in the code we have read all the properties we will read // from the input object, so it is safe to parse the easing strings. See the // note on step 8.2. if (!easings.IsEmpty()) { // 5.9 If easings has fewer items than property keyframes, repeat the // elements in easings successively starting from the beginning of the // list until easings has as many items as property keyframes. const String& easing = easings[i % easings.size()]; // 8.2 Let the timing function of frame be the result of parsing the // "easing" property on frame using the CSS syntax defined for the easing // property of the AnimationEffectTimingReadOnly interface. // // If parsing the “easing” property fails, throw a TypeError and abort // this procedure. scoped_refptr timing_function = AnimationInputHelpers::ParseTimingFunction(easing, &document, exception_state); if (!timing_function) return {}; keyframe->SetEasing(timing_function); } if (!composite_operations.IsEmpty()) { // 5.12.2 As with easings, if composite modes has fewer items than // property keyframes, repeat the elements in composite modes successively // starting from the beginning of the list until composite modes has as // many items as property keyframes. base::Optional composite = composite_operations[i % composite_operations.size()]; if (composite) { keyframe->SetComposite( ResolveCompositeOperationForKeyframe(composite.value(), keyframe)); } } results.push_back(keyframe); } // Step 8 of the spec is done above (or will be): parsing property values // according to syntax for the property (discarding with console warning on // fail) and parsing each easing property. // TODO(crbug.com/777971): Fix parsing of property values to adhere to spec. // 9. Parse each of the values in unused easings using the CSS syntax defined // for easing property of the AnimationEffectTimingReadOnly interface, and if // any of the values fail to parse, throw a TypeError and abort this // procedure. for (wtf_size_t i = results.size(); i < easings.size(); i++) { scoped_refptr timing_function = AnimationInputHelpers::ParseTimingFunction(easings[i], &document, exception_state); if (!timing_function) return {}; } DCHECK(!exception_state.HadException()); return results; } bool HasAdditiveCompositeCSSKeyframe( const KeyframeEffectModelBase::KeyframeGroupMap& keyframe_groups) { for (const auto& keyframe_group : keyframe_groups) { PropertyHandle property = keyframe_group.key; if (!property.IsCSSProperty()) continue; for (const auto& keyframe : keyframe_group.value->Keyframes()) { if (keyframe->Composite() == EffectModel::kCompositeAdd || keyframe->Composite() == EffectModel::kCompositeAccumulate) { return true; } } } return false; } } // namespace KeyframeEffectModelBase* EffectInput::Convert( Element* element, const ScriptValue& keyframes, EffectModel::CompositeOperation composite, ScriptState* script_state, ExceptionState& exception_state) { StringKeyframeVector parsed_keyframes = ParseKeyframesArgument(element, keyframes, script_state, exception_state); if (exception_state.HadException()) return nullptr; composite = ResolveCompositeOperation(composite, parsed_keyframes); auto* keyframe_effect_model = MakeGarbageCollected( parsed_keyframes, composite, LinearTimingFunction::Shared()); if (!RuntimeEnabledFeatures::WebAnimationsAPIEnabled()) { // This should be enforced by the parsing code. DCHECK(!HasAdditiveCompositeCSSKeyframe( keyframe_effect_model->GetPropertySpecificKeyframeGroups())); } DCHECK(!exception_state.HadException()); return keyframe_effect_model; } StringKeyframeVector EffectInput::ParseKeyframesArgument( Element* element, const ScriptValue& keyframes, ScriptState* script_state, ExceptionState& exception_state) { // Per the spec, a null keyframes object maps to a valid but empty sequence. v8::Local keyframes_value = keyframes.V8Value(); if (keyframes_value->IsNullOrUndefined()) return {}; v8::Local keyframes_obj = keyframes_value.As(); // 3. Let method be the result of GetMethod(object, @@iterator). v8::Isolate* isolate = script_state->GetIsolate(); auto script_iterator = ScriptIterator::FromIterable(isolate, keyframes_obj, exception_state); if (exception_state.HadException()) return {}; // TODO(crbug.com/816934): Get spec to specify what parsing context to use. Document& document = element ? element->GetDocument() : *LocalDOMWindow::From(script_state)->document(); // Map logical to physical properties. const ComputedStyle* style = element ? element->GetComputedStyle() : nullptr; TextDirection text_direction = style ? style->Direction() : TextDirection::kLtr; WritingMode writing_mode = style ? style->GetWritingMode() : WritingMode::kHorizontalTb; StringKeyframeVector parsed_keyframes; if (script_iterator.IsNull()) { parsed_keyframes = ConvertObjectForm(element, document, keyframes_obj, script_state, exception_state); } else { parsed_keyframes = ConvertArrayForm(element, document, std::move(script_iterator), script_state, exception_state); } for (wtf_size_t i = 0; i < parsed_keyframes.size(); i++) { StringKeyframe* keyframe = parsed_keyframes[i]; keyframe->SetLogicalPropertyResolutionContext(text_direction, writing_mode); } if (!ValidatePartialKeyframes(parsed_keyframes)) { exception_state.ThrowDOMException(DOMExceptionCode::kNotSupportedError, "Partial keyframes are not supported."); return {}; } return parsed_keyframes; } EffectModel::CompositeOperation EffectInput::ResolveCompositeOperation( EffectModel::CompositeOperation composite, const StringKeyframeVector& keyframes) { EffectModel::CompositeOperation result = composite; for (const Member& keyframe : keyframes) { // Replace is always supported, so we can early-exit if and when we have // that as our composite value. if (result == EffectModel::kCompositeReplace) break; result = ResolveCompositeOperationForKeyframe(result, keyframe); } return result; } } // namespace blink ================================================ FILE: LEVEL_1/exercise_6/keyframe_effect.cc ================================================ /* * Copyright (C) 2013 Google Inc. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions are * met: * * * Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * * Redistributions in binary form must reproduce the above * copyright notice, this list of conditions and the following disclaimer * in the documentation and/or other materials provided with the * distribution. * * Neither the name of Google Inc. nor the names of its * contributors may be used to endorse or promote products derived from * this software without specific prior written permission. * * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ #include "third_party/blink/renderer/core/animation/keyframe_effect.h" #include "third_party/blink/renderer/bindings/core/v8/unrestricted_double_or_keyframe_effect_options.h" #include "third_party/blink/renderer/bindings/core/v8/v8_object_builder.h" #include "third_party/blink/renderer/core/animation/animation_input_helpers.h" #include "third_party/blink/renderer/core/animation/animation_utils.h" #include "third_party/blink/renderer/core/animation/compositor_animations.h" #include "third_party/blink/renderer/core/animation/css/compositor_keyframe_transform.h" #include "third_party/blink/renderer/core/animation/effect_input.h" #include "third_party/blink/renderer/core/animation/element_animations.h" #include "third_party/blink/renderer/core/animation/sampled_effect.h" #include "third_party/blink/renderer/core/animation/timing_input.h" #include "third_party/blink/renderer/core/css/properties/css_property_ref.h" #include "third_party/blink/renderer/core/css/resolver/style_resolver.h" #include "third_party/blink/renderer/core/dom/element.h" #include "third_party/blink/renderer/core/dom/node_computed_style.h" #include "third_party/blink/renderer/core/dom/pseudo_element.h" #include "third_party/blink/renderer/core/frame/web_feature.h" #include "third_party/blink/renderer/core/paint/paint_layer.h" #include "third_party/blink/renderer/core/style/computed_style.h" #include "third_party/blink/renderer/core/svg/svg_element.h" #include "third_party/blink/renderer/platform/animation/compositor_animation.h" #include "third_party/blink/renderer/platform/bindings/exception_state.h" #include "third_party/blink/renderer/platform/heap/heap.h" #include "third_party/blink/renderer/platform/runtime_enabled_features.h" namespace blink { namespace { // Verifies that a pseudo-element selector lexes and canonicalizes legacy forms bool ValidateAndCanonicalizePseudo(String& selector) { if (selector.IsNull()) { return true; } else if (selector.StartsWith("::")) { return true; } else if (selector == ":before") { selector = "::before"; return true; } else if (selector == ":after") { selector = "::after"; return true; } else if (selector == ":first-letter") { selector = "::first-letter"; return true; } else if (selector == ":first-line") { selector = "::first-line"; return true; } return false; } } // namespace KeyframeEffect* KeyframeEffect::Create( ScriptState* script_state, Element* element, const ScriptValue& keyframes, const UnrestrictedDoubleOrKeyframeEffectOptions& options, ExceptionState& exception_state) { Document* document = element ? &element->GetDocument() : nullptr; Timing timing = TimingInput::Convert(options, document, exception_state); if (exception_state.HadException()) return nullptr; EffectModel::CompositeOperation composite = EffectModel::kCompositeReplace; String pseudo = String(); if (options.IsKeyframeEffectOptions()) { auto* effect_options = options.GetAsKeyframeEffectOptions(); composite = EffectModel::StringToCompositeOperation(effect_options->composite()) .value(); if (RuntimeEnabledFeatures::WebAnimationsAPIEnabled() && !effect_options->pseudoElement().IsEmpty()) { pseudo = effect_options->pseudoElement(); if (!ValidateAndCanonicalizePseudo(pseudo)) { // TODO(gtsteel): update when // https://github.com/w3c/csswg-drafts/issues/4586 resolves exception_state.ThrowDOMException( DOMExceptionCode::kSyntaxError, "A valid pseudo-selector must be null or start with ::."); } } } KeyframeEffectModelBase* model = EffectInput::Convert( element, keyframes, composite, script_state, exception_state); if (exception_state.HadException()) return nullptr; KeyframeEffect* effect = MakeGarbageCollected(element, model, timing); if (!pseudo.IsEmpty()) { effect->target_pseudo_ = pseudo; if (element) { element->GetDocument().UpdateStyleAndLayoutTreeForNode(element); effect->effect_target_ = element->GetPseudoElement( CSSSelector::ParsePseudoId(pseudo, element)); } } return effect; } KeyframeEffect* KeyframeEffect::Create(ScriptState* script_state, Element* element, const ScriptValue& keyframes, ExceptionState& exception_state) { KeyframeEffectModelBase* model = EffectInput::Convert(element, keyframes, EffectModel::kCompositeReplace, script_state, exception_state); if (exception_state.HadException()) return nullptr; return MakeGarbageCollected(element, model, Timing()); } KeyframeEffect* KeyframeEffect::Create(ScriptState* script_state, KeyframeEffect* source, ExceptionState& exception_state) { Timing new_timing = source->SpecifiedTiming(); KeyframeEffectModelBase* model = source->Model()->Clone(); return MakeGarbageCollected(source->EffectTarget(), model, new_timing, source->GetPriority(), source->GetEventDelegate()); } KeyframeEffect::KeyframeEffect(Element* target, KeyframeEffectModelBase* model, const Timing& timing, Priority priority, EventDelegate* event_delegate) : AnimationEffect(timing, event_delegate), effect_target_(target), target_element_(target), target_pseudo_(), model_(model), sampled_effect_(nullptr), priority_(priority), ignore_css_keyframes_(false) { DCHECK(model_); // fix target for css animations and transitions if (target && target->IsPseudoElement()) { target_element_ = target->parentElement(); DCHECK(!target_element_->IsPseudoElement()); target_pseudo_ = target->tagName(); } CountAnimatedProperties(); } KeyframeEffect::~KeyframeEffect() = default; void KeyframeEffect::setTarget(Element* new_target) { DCHECK(!new_target || !new_target->IsPseudoElement()); target_element_ = new_target; RefreshTarget(); } const String& KeyframeEffect::pseudoElement() const { return target_pseudo_; } void KeyframeEffect::setPseudoElement(String pseudo, ExceptionState& exception_state) { if (ValidateAndCanonicalizePseudo(pseudo)) { target_pseudo_ = pseudo; } else { exception_state.ThrowDOMException( DOMExceptionCode::kSyntaxError, "A valid pseudo-selector must be null or start with ::."); } RefreshTarget(); } void KeyframeEffect::RefreshTarget() { Element* new_target; if (!target_element_) { new_target = nullptr; } else if (target_pseudo_.IsEmpty()) { new_target = target_element_; } else { target_element_->GetDocument().UpdateStyleAndLayoutTreeForNode( target_element_); PseudoId pseudoId = CSSSelector::ParsePseudoId(target_pseudo_, target_element_); new_target = target_element_->GetPseudoElement(pseudoId); } if (new_target != effect_target_) { DetachTarget(GetAnimation()); effect_target_ = new_target; AttachTarget(GetAnimation()); InvalidateAndNotifyOwner(); } } String KeyframeEffect::composite() const { return EffectModel::CompositeOperationToString(CompositeInternal()); } void KeyframeEffect::setComposite(String composite_string) { Model()->SetComposite( EffectModel::StringToCompositeOperation(composite_string).value()); ClearEffects(); InvalidateAndNotifyOwner(); } HeapVector KeyframeEffect::getKeyframes( ScriptState* script_state) { if (Animation* animation = GetAnimation()) animation->FlushPendingUpdates(); HeapVector computed_keyframes; if (!model_->HasFrames()) return computed_keyframes; // getKeyframes() returns a list of 'ComputedKeyframes'. A ComputedKeyframe // consists of the normal keyframe data combined with the computed offset for // the given keyframe. // // https://w3c.github.io/web-animations/#dom-keyframeeffectreadonly-getkeyframes KeyframeVector keyframes = ignore_css_keyframes_ ? model_->GetFrames() : model_->GetComputedKeyframes(EffectTarget()); Vector computed_offsets = KeyframeEffectModelBase::GetComputedOffsets(keyframes); computed_keyframes.ReserveInitialCapacity(keyframes.size()); ScriptState::Scope scope(script_state); for (wtf_size_t i = 0; i < keyframes.size(); i++) { V8ObjectBuilder object_builder(script_state); keyframes[i]->AddKeyframePropertiesToV8Object(object_builder, target()); object_builder.Add("computedOffset", computed_offsets[i]); computed_keyframes.push_back(object_builder.GetScriptValue()); } return computed_keyframes; } void KeyframeEffect::setKeyframes(ScriptState* script_state, const ScriptValue& keyframes, ExceptionState& exception_state) { StringKeyframeVector new_keyframes = EffectInput::ParseKeyframesArgument( target(), keyframes, script_state, exception_state); if (exception_state.HadException()) return; ignore_css_keyframes_ = true; if (auto* model = DynamicTo(Model())) SetModel(model->CloneAsEmptyStringKeyframeModel()); DCHECK(Model()->IsStringKeyframeEffectModel()); SetKeyframes(new_keyframes); } void KeyframeEffect::SetKeyframes(StringKeyframeVector keyframes) { Model()->SetComposite( EffectInput::ResolveCompositeOperation(Model()->Composite(), keyframes)); To(Model())->SetFrames(keyframes); // Changing the keyframes will invalidate any sampled effect, as well as // potentially affect the effect owner. ClearEffects(); InvalidateAndNotifyOwner(); CountAnimatedProperties(); } bool KeyframeEffect::Affects(const PropertyHandle& property) const { return model_->Affects(property); } bool KeyframeEffect::HasRevert() const { return model_->HasRevert(); } void KeyframeEffect::NotifySampledEffectRemovedFromEffectStack() { sampled_effect_ = nullptr; } CompositorAnimations::FailureReasons KeyframeEffect::CheckCanStartAnimationOnCompositor( const PaintArtifactCompositor* paint_artifact_compositor, double animation_playback_rate, PropertyHandleSet* unsupported_properties) const { CompositorAnimations::FailureReasons reasons = CompositorAnimations::kNoFailure; // There would be no reason to composite an effect that has no keyframes; it // has no visual result. if (model_->Properties().IsEmpty()) reasons |= CompositorAnimations::kInvalidAnimationOrEffect; // There would be no reason to composite an effect that has no target; it has // no visual result. if (!effect_target_) { reasons |= CompositorAnimations::kInvalidAnimationOrEffect; } else { if (effect_target_->GetComputedStyle() && effect_target_->GetComputedStyle()->HasOffset()) reasons |= CompositorAnimations::kTargetHasCSSOffset; // Do not put transforms on compositor if more than one of them are defined // in computed style because they need to be explicitly ordered if (HasMultipleTransformProperties()) reasons |= CompositorAnimations::kTargetHasMultipleTransformProperties; reasons |= CompositorAnimations::CheckCanStartAnimationOnCompositor( SpecifiedTiming(), *effect_target_, GetAnimation(), *Model(), paint_artifact_compositor, animation_playback_rate, unsupported_properties); } return reasons; } void KeyframeEffect::StartAnimationOnCompositor( int group, base::Optional start_time, base::TimeDelta time_offset, double animation_playback_rate, CompositorAnimation* compositor_animation) { DCHECK(!HasActiveAnimationsOnCompositor()); // TODO(petermayo): Maybe we should recheck that we can start on the // compositor if we have the compositable IDs somewhere. if (!compositor_animation) compositor_animation = GetAnimation()->GetCompositorAnimation(); DCHECK(compositor_animation); DCHECK(effect_target_); DCHECK(Model()); CompositorAnimations::StartAnimationOnCompositor( *effect_target_, group, start_time, time_offset, SpecifiedTiming(), GetAnimation(), *compositor_animation, *Model(), compositor_keyframe_model_ids_, animation_playback_rate); DCHECK(!compositor_keyframe_model_ids_.IsEmpty()); } bool KeyframeEffect::HasActiveAnimationsOnCompositor() const { return !compositor_keyframe_model_ids_.IsEmpty(); } bool KeyframeEffect::HasActiveAnimationsOnCompositor( const PropertyHandle& property) const { return HasActiveAnimationsOnCompositor() && Affects(property); } bool KeyframeEffect::CancelAnimationOnCompositor( CompositorAnimation* compositor_animation) { if (!HasActiveAnimationsOnCompositor()) return false; if (!effect_target_ || !effect_target_->GetLayoutObject()) return false; DCHECK(Model()); for (const auto& compositor_keyframe_model_id : compositor_keyframe_model_ids_) { CompositorAnimations::CancelAnimationOnCompositor( *effect_target_, compositor_animation, compositor_keyframe_model_id, *Model()); } compositor_keyframe_model_ids_.clear(); return true; } void KeyframeEffect::CancelIncompatibleAnimationsOnCompositor() { if (effect_target_ && GetAnimation() && model_->HasFrames()) { DCHECK(Model()); CompositorAnimations::CancelIncompatibleAnimationsOnCompositor( *effect_target_, *GetAnimation(), *Model()); } } void KeyframeEffect::PauseAnimationForTestingOnCompositor( base::TimeDelta pause_time) { DCHECK(HasActiveAnimationsOnCompositor()); if (!effect_target_ || !effect_target_->GetLayoutObject()) return; DCHECK(GetAnimation()); DCHECK(Model()); for (const auto& compositor_keyframe_model_id : compositor_keyframe_model_ids_) { CompositorAnimations::PauseAnimationForTestingOnCompositor( *effect_target_, *GetAnimation(), compositor_keyframe_model_id, pause_time, *Model()); } } void KeyframeEffect::AttachCompositedLayers() { DCHECK(effect_target_); DCHECK(GetAnimation()); CompositorAnimation* compositor_animation = GetAnimation()->GetCompositorAnimation(); // If this is a paint worklet element and it is animating custom property // only, it doesn't require an element id to run on the compositor thread. // However, our compositor animation system requires the element to be on the // property tree in order to keep ticking the animation. Therefore, we give a // very special element id for this animation so that the compositor animation // system recognize it. We do not use 0 as the element id because 0 is // kInvalidElementId. if (compositor_animation && !Model()->RequiresPropertyNode()) { compositor_animation->AttachNoElement(); return; } CompositorAnimations::AttachCompositedLayers(*effect_target_, compositor_animation); } bool KeyframeEffect::HasAnimation() const { return !!owner_; } bool KeyframeEffect::HasPlayingAnimation() const { return owner_ && owner_->Playing(); } void KeyframeEffect::Trace(Visitor* visitor) const { visitor->Trace(effect_target_); visitor->Trace(target_element_); visitor->Trace(model_); visitor->Trace(sampled_effect_); AnimationEffect::Trace(visitor); } namespace { static const size_t num_transform_properties = 4; const CSSProperty** TransformProperties() { static const CSSProperty* kTransformProperties[num_transform_properties] = { &GetCSSPropertyTransform(), &GetCSSPropertyScale(), &GetCSSPropertyRotate(), &GetCSSPropertyTranslate()}; return kTransformProperties; } } // namespace bool KeyframeEffect::UpdateBoxSizeAndCheckTransformAxisAlignment( const FloatSize& box_size) { static const auto** properties = TransformProperties(); bool preserves_axis_alignment = true; bool has_transform = false; TransformOperation::BoxSizeDependency size_dependencies = TransformOperation::kDependsNone; for (size_t i = 0; i < num_transform_properties; i++) { const auto* keyframes = Model()->GetPropertySpecificKeyframes(PropertyHandle(*properties[i])); if (!keyframes) continue; has_transform = true; for (const auto& keyframe : *keyframes) { const auto* value = keyframe->GetCompositorKeyframeValue(); if (!value) continue; const auto& transform_operations = To(value)->GetTransformOperations(); if (!transform_operations.PreservesAxisAlignment()) preserves_axis_alignment = false; size_dependencies = TransformOperation::CombineDependencies( size_dependencies, transform_operations.BoxSizeDependencies()); } } if (!has_transform) return true; if (HasAnimation()) { if (effect_target_size_) { if ((size_dependencies & TransformOperation::kDependsWidth) && (effect_target_size_->Width() != box_size.Width())) RestartRunningAnimationOnCompositor(); else if ((size_dependencies & TransformOperation::kDependsHeight) && (effect_target_size_->Height() != box_size.Height())) RestartRunningAnimationOnCompositor(); } } effect_target_size_ = box_size; return preserves_axis_alignment; } void KeyframeEffect::RestartRunningAnimationOnCompositor() { Animation* animation = GetAnimation(); if (!animation) return; // No need to to restart an animation that is in the process of starting up, // paused or idle. if (!animation->startTime()) return; animation->RestartAnimationOnCompositor(); } bool KeyframeEffect::IsIdentityOrTranslation() const { static const auto** properties = TransformProperties(); for (size_t i = 0; i < num_transform_properties; i++) { const auto* keyframes = Model()->GetPropertySpecificKeyframes(PropertyHandle(*properties[i])); if (!keyframes) continue; for (const auto& keyframe : *keyframes) { if (const auto* value = keyframe->GetCompositorKeyframeValue()) { if (!To(value) ->GetTransformOperations() .IsIdentityOrTranslation()) { return false; } } } } return true; } EffectModel::CompositeOperation KeyframeEffect::CompositeInternal() const { return model_->Composite(); } void KeyframeEffect::ApplyEffects() { DCHECK(IsInEffect()); if (!effect_target_ || !model_->HasFrames()) return; if (GetAnimation() && HasIncompatibleStyle()) { GetAnimation()->CancelAnimationOnCompositor(); } base::Optional iteration = CurrentIteration(); DCHECK(iteration); DCHECK_GE(iteration.value(), 0); bool changed = false; if (sampled_effect_) { changed = model_->Sample(clampTo(iteration.value(), 0), Progress().value(), SpecifiedTiming().IterationDuration(), sampled_effect_->MutableInterpolations()); } else { HeapVector> interpolations; model_->Sample(clampTo(iteration.value(), 0), Progress().value(), SpecifiedTiming().IterationDuration(), interpolations); if (!interpolations.IsEmpty()) { auto* sampled_effect = MakeGarbageCollected(this, owner_->SequenceNumber()); sampled_effect->MutableInterpolations().swap(interpolations); sampled_effect_ = sampled_effect; effect_target_->EnsureElementAnimations().GetEffectStack().Add( sampled_effect); changed = true; } else { return; } } if (changed) { effect_target_->SetNeedsAnimationStyleRecalc(); auto* svg_element = DynamicTo(effect_target_.Get()); if (RuntimeEnabledFeatures::WebAnimationsSVGEnabled() && svg_element) svg_element->SetWebAnimationsPending(); } } void KeyframeEffect::ClearEffects() { if (!sampled_effect_) return; sampled_effect_->Clear(); sampled_effect_ = nullptr; if (GetAnimation()) GetAnimation()->RestartAnimationOnCompositor(); if (!effect_target_->GetDocument().Lifecycle().InDetach()) effect_target_->SetNeedsAnimationStyleRecalc(); auto* svg_element = DynamicTo(effect_target_.Get()); if (RuntimeEnabledFeatures::WebAnimationsSVGEnabled() && svg_element) svg_element->ClearWebAnimatedAttributes(); Invalidate(); } void KeyframeEffect::UpdateChildrenAndEffects() const { if (!model_->HasFrames()) return; DCHECK(owner_); if (IsInEffect() && !owner_->EffectSuppressed() && !owner_->ReplaceStateRemoved()) const_cast(this)->ApplyEffects(); else const_cast(this)->ClearEffects(); } void KeyframeEffect::Attach(AnimationEffectOwner* owner) { AttachTarget(owner->GetAnimation()); AnimationEffect::Attach(owner); } void KeyframeEffect::Detach() { DetachTarget(GetAnimation()); AnimationEffect::Detach(); } void KeyframeEffect::AttachTarget(Animation* animation) { if (!effect_target_ || !animation) return; effect_target_->EnsureElementAnimations().Animations().insert(animation); effect_target_->SetNeedsAnimationStyleRecalc(); auto* svg_element = DynamicTo(effect_target_.Get()); if (RuntimeEnabledFeatures::WebAnimationsSVGEnabled() && svg_element) svg_element->SetWebAnimationsPending(); } void KeyframeEffect::DetachTarget(Animation* animation) { if (effect_target_ && animation) effect_target_->GetElementAnimations()->Animations().erase(animation); // If we have sampled this effect previously, we need to purge that state. // ClearEffects takes care of clearing the cached sampled effect, informing // the target that it needs to refresh its style, and doing any necessary // update on the compositor. ClearEffects(); } AnimationTimeDelta KeyframeEffect::CalculateTimeToEffectChange( bool forwards, base::Optional local_time, AnimationTimeDelta time_to_next_iteration) const { const double start_time = SpecifiedTiming().start_delay; const double end_time_minus_end_delay = start_time + SpecifiedTiming().ActiveDuration(); const double end_time = end_time_minus_end_delay + SpecifiedTiming().end_delay; const double after_time = std::min(end_time_minus_end_delay, end_time); Timing::Phase phase = GetPhase(); DCHECK(local_time || phase == Timing::kPhaseNone); switch (phase) { case Timing::kPhaseNone: return AnimationTimeDelta::Max(); case Timing::kPhaseBefore: // Return value is clamped at 0 to prevent unexpected results that could // be caused by returning negative values. return forwards ? AnimationTimeDelta::FromSecondsD(std::max( start_time - local_time.value(), 0)) : AnimationTimeDelta::Max(); case Timing::kPhaseActive: if (forwards) { // Need service to apply fill / fire events. const double time_to_end = after_time - local_time.value(); if (RequiresIterationEvents()) { return std::min(AnimationTimeDelta::FromSecondsD(time_to_end), time_to_next_iteration); } return AnimationTimeDelta::FromSecondsD(time_to_end); } return {}; case Timing::kPhaseAfter: DCHECK_GE(local_time.value(), after_time); if (forwards) { // If an animation has a positive-valued end delay, we need an // additional tick at the end time to ensure that the finished event is // delivered. return end_time > local_time ? AnimationTimeDelta::FromSecondsD( end_time - local_time.value()) : AnimationTimeDelta::Max(); } return AnimationTimeDelta::FromSecondsD(local_time.value() - after_time); default: NOTREACHED(); return AnimationTimeDelta::Max(); } } // Returns true if transform, translate, rotate or scale is composited // and a motion path or other transform properties // has been introduced on the element bool KeyframeEffect::HasIncompatibleStyle() const { if (!effect_target_->GetComputedStyle()) return false; if (HasActiveAnimationsOnCompositor()) { if (effect_target_->GetComputedStyle()->HasOffset()) { static const auto** properties = TransformProperties(); for (size_t i = 0; i < num_transform_properties; i++) { if (Affects(PropertyHandle(*properties[i]))) return true; } } return HasMultipleTransformProperties(); } return false; } bool KeyframeEffect::HasMultipleTransformProperties() const { if (!effect_target_->GetComputedStyle()) return false; unsigned transform_property_count = 0; if (effect_target_->GetComputedStyle()->HasTransformOperations()) transform_property_count++; if (effect_target_->GetComputedStyle()->Rotate()) transform_property_count++; if (effect_target_->GetComputedStyle()->Scale()) transform_property_count++; if (effect_target_->GetComputedStyle()->Translate()) transform_property_count++; return transform_property_count > 1; } ActiveInterpolationsMap KeyframeEffect::InterpolationsForCommitStyles() { // If the associated animation has been removed, it needs to be temporarily // reintroduced to the effect stack in order to be including in the // interpolations map. bool removed = owner_->ReplaceStateRemoved(); if (removed) ApplyEffects(); ActiveInterpolationsMap results = EffectStack::ActiveInterpolations( &target()->GetElementAnimations()->GetEffectStack(), /*new_animations=*/nullptr, /*suppressed_animations=*/nullptr, kDefaultPriority, /*property_pass_filter=*/nullptr, this); if (removed) ClearEffects(); return results; } void KeyframeEffect::SetLogicalPropertyResolutionContext( TextDirection text_direction, WritingMode writing_mode) { if (auto* model = DynamicTo(Model())) { if (model->SetLogicalPropertyResolutionContext(text_direction, writing_mode)) { ClearEffects(); InvalidateAndNotifyOwner(); } } } void KeyframeEffect::CountAnimatedProperties() const { if (target_element_) { Document& document = target_element_->GetDocument(); for (const auto& property : model_->Properties()) { if (property.IsCSSProperty()) { DCHECK(IsValidCSSPropertyID(property.GetCSSProperty().PropertyID())); document.CountAnimatedProperty(property.GetCSSProperty().PropertyID()); } } } } } // namespace blink ================================================ FILE: LEVEL_1/exercise_6/poc.html ================================================ ================================================ FILE: LEVEL_1/exercise_7/README.md ================================================ # Exercise 7 ## CVE-2021-30565 I sugget you don't search any report about it to prevents get too much info like patch. ### Details > cppgc: Fix ephemeron iterations > > If processing the marking worklists found new ephemeron pairs, but processing the existing ephemeron pairs didn't mark new objects, marking would stop and the newly discovered ephemeron pairs would not be processed. This can lead to a marked key with an unmarked value. An ephemeron pair is used to conditionally retain an object. The `value` will be kept alive only if the `key` is alive. ### Set environment set v8 environment ```sh # get depot_tools git clone https://chromium.googlesource.com/chromium/tools/depot_tools.git # add to env var echo 'export PATH=$PATH:"/path/to/depot_tools"' >> ~/.bashrc # get v8 source code fetch v8 # chenge to right commit cd v8 git reset --hard f41f4fb4e66916936ed14d8f9ee20d5fb0afc548 # download others gclient sync # get ninja for compile git clone https://github.com/ninja-build/ninja.git cd ninja && ./configure.py --bootstrap && cd .. # set environment variable echo 'export PATH=$PATH:"/path/to/ninja"' >> ~/.bashrc # compile debug tools/dev/v8gen.py x64.debug ninja -C out.gn/x64.debug d8 # compile release (optional) tools/dev/v8gen.py x64.release ninja -C out.gn/x64.release d8 ``` ### Related code `src/heap/cppgc/marker.cc` `src/heap/cppgc/marking-state.h` ```c++ bool MarkerBase::ProcessWorklistsWithDeadline( size_t marked_bytes_deadline, v8::base::TimeTicks time_deadline) { StatsCollector::EnabledScope stats_scope( heap().stats_collector(), StatsCollector::kMarkTransitiveClosure); do { if ((config_.marking_type == MarkingConfig::MarkingType::kAtomic) || schedule_.ShouldFlushEphemeronPairs()) { mutator_marking_state_.FlushDiscoveredEphemeronPairs(); } // Bailout objects may be complicated to trace and thus might take longer // than other objects. Therefore we reduce the interval between deadline // checks to guarantee the deadline is not exceeded. [ ... ] { StatsCollector::EnabledScope inner_stats_scope( heap().stats_collector(), StatsCollector::kMarkProcessEphemerons); if (!DrainWorklistWithBytesAndTimeDeadline( mutator_marking_state_, marked_bytes_deadline, time_deadline, mutator_marking_state_.ephemeron_pairs_for_processing_worklist(), [this](const MarkingWorklists::EphemeronPairItem& item) { mutator_marking_state_.ProcessEphemeron( item.key, item.value, item.value_desc, visitor()); })) { return false; } } } while (!mutator_marking_state_.marking_worklist().IsLocalAndGlobalEmpty()); return true; } ``` ```c++ void MarkingStateBase::ProcessEphemeron(const void* key, const void* value, TraceDescriptor value_desc, Visitor& visitor) { // Filter out already marked keys. The write barrier for WeakMember // ensures that any newly set value after this point is kept alive and does // not require the callback. if (!HeapObjectHeader::FromObject(key) .IsInConstruction() && HeapObjectHeader::FromObject(key).IsMarked()) { if (value_desc.base_object_payload) { MarkAndPush(value_desc.base_object_payload, value_desc); } else { // If value_desc.base_object_payload is nullptr, the value is not GCed and // should be immediately traced. value_desc.callback(&visitor, value); } return; } // |discovered_ephemeron_pairs_worklist_| may still hold ephemeron pairs with // dead keys. discovered_ephemeron_pairs_worklist_.Push({key, value, value_desc}); } ``` ### Do it Do this exercise by yourself, If you find my answer have something wrong, please correct it. ---------

My answer, probably wrong

```c++ // Marking algorithm. Example for a valid call sequence creating the marking // phase: // 1. StartMarking() [Called implicitly when creating a Marker using // MarkerFactory] // 2. AdvanceMarkingWithLimits() [Optional, depending on environment.] // 3. EnterAtomicPause() // 4. AdvanceMarkingWithLimits() // 5. LeaveAtomicPause() // // Alternatively, FinishMarking combines steps 3.-5. ``` https://chromium.googlesource.com/v8/v8.git/+/e677a6f6b257e992094b9183a958b67ecc68aa85 ```c++ void MarkingStateBase::ProcessEphemeron(const void* key, const void* value, TraceDescriptor value_desc, Visitor& visitor) { // Filter out already marked keys. The write barrier for WeakMember // ensures that any newly set value after this point is kept alive and does // not require the callback. if (!HeapObjectHeader::FromObject(key) .IsInConstruction() && [1] HeapObjectHeader::FromObject(key).IsMarked()) { [2] /** * value_desc.base_object_payload: * * Adjusted base pointer, i.e., the pointer to the class inheriting directly * from GarbageCollected, of the object that is being traced. */ if (value_desc.base_object_payload) { MarkAndPush(value_desc.base_object_payload, value_desc); } else { // If value_desc.base_object_payload is nullptr, the value is not GCed and // should be immediately traced. value_desc.callback(&visitor, value); } return; } discovered_ephemeron_pairs_worklist_.Push({key, value, value_desc}); // if find new ephemeron_pairs, need push } ======================================================================= template bool DrainWorklistWithPredicate(Predicate should_yield, WorklistLocal& worklist_local, Callback callback) { if (worklist_local.IsLocalAndGlobalEmpty()) return true; // For concurrent markers, should_yield also reports marked bytes. if (should_yield()) return false; size_t processed_callback_count = deadline_check_interval; typename WorklistLocal::ItemType item; while (worklist_local.Pop(&item)) { callback(item); // ProcessEphemeron if (--processed_callback_count == 0) { if (should_yield()) { return false; } processed_callback_count = deadline_check_interval; } } return true; } ``` [1] `IsInConstruction == false` means the the data of `Object` all setted up. [2] `IsMarked == true` means this `object` has been marked. the `ProcessEphemeron` will be the parameter of `DrainWorklistWithPredicate` named `callback` and `discovered_ephemeron_pairs_worklist_` pop item to call `RocessEphemeron` in loop ```c++ const HeapObjectHeader& HeapObjectHeader::FromObject(const void* object) { [3] return *reinterpret_cast( static_cast(object) - sizeof(HeapObjectHeader)); } ============================================================ template bool HeapObjectHeader::IsInConstruction() const { const uint16_t encoded = LoadEncoded(); return !FullyConstructedField::decode(encoded); [4] } ============================================================ template bool HeapObjectHeader::IsMarked() const { const uint16_t encoded = LoadEncoded(); return MarkBitField::decode(encoded); [5] } ``` [3] return the ptr to `HeapObjectHeader`, you can treat it as `addrOf(Chunk) - sizeof(ChunkHeader)` can get the addr of ChunkHeader [4] and [5] can get info of the `HeapObjectHeader` which be organized in some regular pattern. The following content explains this clearly ```c++ // Used in |encoded_high_|. using FullyConstructedField = v8::base::BitField16; [6] using UnusedField1 = FullyConstructedField::Next; using GCInfoIndexField = UnusedField1::Next; // Used in |encoded_low_|. using MarkBitField = v8::base::BitField16; using SizeField = void; // Use EncodeSize/DecodeSize instead. ============================================== // Extracts the bit field from the value. static constexpr T decode(U value) { return static_cast((value & kMask) >> kShift); [7] } ``` you can understand [6] better by this. ```c++ // HeapObjectHeader contains meta data per object and is prepended to each // object. // // +-----------------+------+------------------------------------------+ // | name | bits | | // +-----------------+------+------------------------------------------+ // | padding | 32 | Only present on 64-bit platform. | // +-----------------+------+------------------------------------------+ // | GCInfoIndex | 14 | | // | unused | 1 | | // | in construction | 1 | In construction encoded as |false|. | // +-----------------+------+------------------------------------------+ // | size | 15 | 17 bits because allocations are aligned. | // | mark bit | 1 | | // +-----------------+------+------------------------------------------+ // // Notes: // - See |GCInfoTable| for constraints on GCInfoIndex. // - |size| for regular objects is encoded with 15 bits but can actually // represent sizes up to |kBlinkPageSize| (2^17) because allocations are // always 4 byte aligned (see kAllocationGranularity) on 32bit. 64bit uses // 8 byte aligned allocations which leaves 1 bit unused. // - |size| for large objects is encoded as 0. The size of a large object is // stored in |LargeObjectPage::PayloadSize()|. // - |mark bit| and |in construction| bits are located in separate 16-bit halves // to allow potentially accessing them non-atomically. ``` So [7] can get specific bit of `HeapObjectHeader` | meta data, means the Object status information `ProcessEphemeron` func means if object has been marked and `value_desc.base_object_payload`(may be write barrier?) not null, we need to mark value_desc.base_object_payload, else we find new `ephemeron_pairs`. But if `value_desc.base_object_payload` have not been set, we need to callback (maybe used for search old space for what object prt to this value), this may lead to recursive call. And the mark process can be stoped because the time limit. There are many gc processes, if two of them call the `ProcessEphemeron` and the A process prepare to mark value. But B process find new `ephemeron_pairs`, the mark will be stoped, **I gusee** :), lead to a marked key with an unmarked value.

-------- ================================================ FILE: LEVEL_1/exercise_7/marker.cc ================================================ // Copyright 2020 the V8 project authors. All rights reserved. // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. #include "src/heap/cppgc/marker.h" #include #include #include "include/cppgc/heap-consistency.h" #include "include/cppgc/platform.h" #include "src/base/platform/time.h" #include "src/heap/cppgc/heap-object-header.h" #include "src/heap/cppgc/heap-page.h" #include "src/heap/cppgc/heap-visitor.h" #include "src/heap/cppgc/heap.h" #include "src/heap/cppgc/liveness-broker.h" #include "src/heap/cppgc/marking-state.h" #include "src/heap/cppgc/marking-visitor.h" #include "src/heap/cppgc/process-heap.h" #include "src/heap/cppgc/stats-collector.h" #include "src/heap/cppgc/write-barrier.h" #if defined(CPPGC_CAGED_HEAP) #include "include/cppgc/internal/caged-heap-local-data.h" #endif namespace cppgc { namespace internal { namespace { bool EnterIncrementalMarkingIfNeeded(Marker::MarkingConfig config, HeapBase& heap) { if (config.marking_type == Marker::MarkingConfig::MarkingType::kIncremental || config.marking_type == Marker::MarkingConfig::MarkingType::kIncrementalAndConcurrent) { WriteBarrier::IncrementalOrConcurrentMarkingFlagUpdater::Enter(); #if defined(CPPGC_CAGED_HEAP) heap.caged_heap().local_data().is_incremental_marking_in_progress = true; #endif // defined(CPPGC_CAGED_HEAP) return true; } return false; } bool ExitIncrementalMarkingIfNeeded(Marker::MarkingConfig config, HeapBase& heap) { if (config.marking_type == Marker::MarkingConfig::MarkingType::kIncremental || config.marking_type == Marker::MarkingConfig::MarkingType::kIncrementalAndConcurrent) { WriteBarrier::IncrementalOrConcurrentMarkingFlagUpdater::Exit(); #if defined(CPPGC_CAGED_HEAP) heap.caged_heap().local_data().is_incremental_marking_in_progress = false; #endif // defined(CPPGC_CAGED_HEAP) return true; } return false; } // Visit remembered set that was recorded in the generational barrier. void VisitRememberedSlots(HeapBase& heap, MutatorMarkingState& mutator_marking_state) { #if defined(CPPGC_YOUNG_GENERATION) StatsCollector::EnabledScope stats_scope( heap.stats_collector(), StatsCollector::kMarkVisitRememberedSets); for (void* slot : heap.remembered_slots()) { auto& slot_header = BasePage::FromInnerAddress(&heap, slot) ->ObjectHeaderFromInnerAddress(slot); if (slot_header.IsYoung()) continue; // The design of young generation requires collections to be executed at the // top level (with the guarantee that no objects are currently being in // construction). This can be ensured by running young GCs from safe points // or by reintroducing nested allocation scopes that avoid finalization. DCHECK(!slot_header.template IsInConstruction()); void* value = *reinterpret_cast(slot); mutator_marking_state.DynamicallyMarkAddress(static_cast

(value)); } #endif } // Assumes that all spaces have their LABs reset. void ResetRememberedSet(HeapBase& heap) { #if defined(CPPGC_YOUNG_GENERATION) auto& local_data = heap.caged_heap().local_data(); local_data.age_table.Reset(&heap.caged_heap().allocator()); heap.remembered_slots().clear(); #endif } static constexpr size_t kDefaultDeadlineCheckInterval = 150u; template bool DrainWorklistWithBytesAndTimeDeadline(MarkingStateBase& marking_state, size_t marked_bytes_deadline, v8::base::TimeTicks time_deadline, WorklistLocal& worklist_local, Callback callback) { return DrainWorklistWithPredicate( [&marking_state, marked_bytes_deadline, time_deadline]() { return (marked_bytes_deadline <= marking_state.marked_bytes()) || (time_deadline <= v8::base::TimeTicks::Now()); }, worklist_local, callback); } size_t GetNextIncrementalStepDuration(IncrementalMarkingSchedule& schedule, HeapBase& heap) { return schedule.GetNextIncrementalStepDuration( heap.stats_collector()->allocated_object_size()); } } // namespace constexpr v8::base::TimeDelta MarkerBase::kMaximumIncrementalStepDuration; MarkerBase::IncrementalMarkingTask::IncrementalMarkingTask( MarkerBase* marker, MarkingConfig::StackState stack_state) : marker_(marker), stack_state_(stack_state), handle_(Handle::NonEmptyTag{}) {} // static MarkerBase::IncrementalMarkingTask::Handle MarkerBase::IncrementalMarkingTask::Post(cppgc::TaskRunner* runner, MarkerBase* marker) { // Incremental GC is possible only via the GCInvoker, so getting here // guarantees that either non-nestable tasks or conservative stack // scanning are supported. This is required so that the incremental // task can safely finalize GC if needed. DCHECK_IMPLIES(marker->heap().stack_support() != HeapBase::StackSupport::kSupportsConservativeStackScan, runner->NonNestableTasksEnabled()); MarkingConfig::StackState stack_state_for_task = runner->NonNestableTasksEnabled() ? MarkingConfig::StackState::kNoHeapPointers : MarkingConfig::StackState::kMayContainHeapPointers; auto task = std::make_unique(marker, stack_state_for_task); auto handle = task->handle_; if (runner->NonNestableTasksEnabled()) { runner->PostNonNestableTask(std::move(task)); } else { runner->PostTask(std::move(task)); } return handle; } void MarkerBase::IncrementalMarkingTask::Run() { if (handle_.IsCanceled()) return; StatsCollector::EnabledScope stats_scope(marker_->heap().stats_collector(), StatsCollector::kIncrementalMark); if (marker_->IncrementalMarkingStep(stack_state_)) { // Incremental marking is done so should finalize GC. marker_->heap().FinalizeIncrementalGarbageCollectionIfNeeded(stack_state_); } } MarkerBase::MarkerBase(Key, HeapBase& heap, cppgc::Platform* platform, MarkingConfig config) : heap_(heap), config_(config), platform_(platform), foreground_task_runner_(platform_->GetForegroundTaskRunner()), mutator_marking_state_(heap, marking_worklists_, heap.compactor().compaction_worklists()) {} MarkerBase::~MarkerBase() { // The fixed point iteration may have found not-fully-constructed objects. // Such objects should have already been found through the stack scan though // and should thus already be marked. if (!marking_worklists_.not_fully_constructed_worklist()->IsEmpty()) { #if DEBUG DCHECK_NE(MarkingConfig::StackState::kNoHeapPointers, config_.stack_state); std::unordered_set objects = mutator_marking_state_.not_fully_constructed_worklist().Extract(); for (HeapObjectHeader* object : objects) DCHECK(object->IsMarked()); #else marking_worklists_.not_fully_constructed_worklist()->Clear(); #endif } // |discovered_ephemeron_pairs_worklist_| may still hold ephemeron pairs with // dead keys. if (!marking_worklists_.discovered_ephemeron_pairs_worklist()->IsEmpty()) { #if DEBUG MarkingWorklists::EphemeronPairItem item; while (mutator_marking_state_.discovered_ephemeron_pairs_worklist().Pop( &item)) { DCHECK(!HeapObjectHeader::FromObject(item.key).IsMarked()); } #else marking_worklists_.discovered_ephemeron_pairs_worklist()->Clear(); #endif } marking_worklists_.weak_containers_worklist()->Clear(); } void MarkerBase::StartMarking() { DCHECK(!is_marking_); StatsCollector::EnabledScope stats_scope( heap().stats_collector(), config_.marking_type == MarkingConfig::MarkingType::kAtomic ? StatsCollector::kAtomicMark : StatsCollector::kIncrementalMark); heap().stats_collector()->NotifyMarkingStarted(config_.collection_type, config_.is_forced_gc); is_marking_ = true; if (EnterIncrementalMarkingIfNeeded(config_, heap())) { StatsCollector::EnabledScope inner_stats_scope( heap().stats_collector(), StatsCollector::kMarkIncrementalStart); // Performing incremental or concurrent marking. schedule_.NotifyIncrementalMarkingStart(); // Scanning the stack is expensive so we only do it at the atomic pause. VisitRoots(MarkingConfig::StackState::kNoHeapPointers); ScheduleIncrementalMarkingTask(); if (config_.marking_type == MarkingConfig::MarkingType::kIncrementalAndConcurrent) { mutator_marking_state_.Publish(); concurrent_marker_->Start(); } } } void MarkerBase::EnterAtomicPause(MarkingConfig::StackState stack_state) { StatsCollector::EnabledScope top_stats_scope(heap().stats_collector(), StatsCollector::kAtomicMark); StatsCollector::EnabledScope stats_scope(heap().stats_collector(), StatsCollector::kMarkAtomicPrologue); if (ExitIncrementalMarkingIfNeeded(config_, heap())) { // Cancel remaining concurrent/incremental tasks. concurrent_marker_->Cancel(); incremental_marking_handle_.Cancel(); } config_.stack_state = stack_state; config_.marking_type = MarkingConfig::MarkingType::kAtomic; { // VisitRoots also resets the LABs. VisitRoots(config_.stack_state); if (config_.stack_state == MarkingConfig::StackState::kNoHeapPointers) { mutator_marking_state_.FlushNotFullyConstructedObjects(); DCHECK(marking_worklists_.not_fully_constructed_worklist()->IsEmpty()); } else { MarkNotFullyConstructedObjects(); } } } void MarkerBase::LeaveAtomicPause() { { StatsCollector::EnabledScope top_stats_scope(heap().stats_collector(), StatsCollector::kAtomicMark); StatsCollector::EnabledScope stats_scope( heap().stats_collector(), StatsCollector::kMarkAtomicEpilogue); DCHECK(!incremental_marking_handle_); ResetRememberedSet(heap()); heap().stats_collector()->NotifyMarkingCompleted( // GetOverallMarkedBytes also includes concurrently marked bytes. schedule_.GetOverallMarkedBytes()); is_marking_ = false; } { // Weakness callbacks are forbidden from allocating objects. cppgc::subtle::DisallowGarbageCollectionScope disallow_gc_scope(heap_); ProcessWeakness(); } // TODO(chromium:1056170): It would be better if the call to Unlock was // covered by some cppgc scope. g_process_mutex.Pointer()->Unlock(); heap().SetStackStateOfPrevGC(config_.stack_state); } void MarkerBase::FinishMarking(MarkingConfig::StackState stack_state) { DCHECK(is_marking_); EnterAtomicPause(stack_state); { StatsCollector::EnabledScope stats_scope(heap().stats_collector(), StatsCollector::kAtomicMark); CHECK(AdvanceMarkingWithLimits(v8::base::TimeDelta::Max(), SIZE_MAX)); mutator_marking_state_.Publish(); } LeaveAtomicPause(); } void MarkerBase::ProcessWeakness() { DCHECK_EQ(MarkingConfig::MarkingType::kAtomic, config_.marking_type); StatsCollector::EnabledScope stats_scope(heap().stats_collector(), StatsCollector::kAtomicWeak); heap().GetWeakPersistentRegion().Trace(&visitor()); // Processing cross-thread handles requires taking the process lock. g_process_mutex.Get().AssertHeld(); CHECK(visited_cross_thread_persistents_in_atomic_pause_); heap().GetWeakCrossThreadPersistentRegion().Trace(&visitor()); // Call weak callbacks on objects that may now be pointing to dead objects. MarkingWorklists::WeakCallbackItem item; LivenessBroker broker = LivenessBrokerFactory::Create(); MarkingWorklists::WeakCallbackWorklist::Local& local = mutator_marking_state_.weak_callback_worklist(); while (local.Pop(&item)) { item.callback(broker, item.parameter); } // Weak callbacks should not add any new objects for marking. DCHECK(marking_worklists_.marking_worklist()->IsEmpty()); } void MarkerBase::VisitRoots(MarkingConfig::StackState stack_state) { StatsCollector::EnabledScope stats_scope(heap().stats_collector(), StatsCollector::kMarkVisitRoots); // Reset LABs before scanning roots. LABs are cleared to allow // ObjectStartBitmap handling without considering LABs. heap().object_allocator().ResetLinearAllocationBuffers(); { { StatsCollector::DisabledScope inner_stats_scope( heap().stats_collector(), StatsCollector::kMarkVisitPersistents); heap().GetStrongPersistentRegion().Trace(&visitor()); } } if (stack_state != MarkingConfig::StackState::kNoHeapPointers) { StatsCollector::DisabledScope stack_stats_scope( heap().stats_collector(), StatsCollector::kMarkVisitStack); heap().stack()->IteratePointers(&stack_visitor()); } if (config_.collection_type == MarkingConfig::CollectionType::kMinor) { VisitRememberedSlots(heap(), mutator_marking_state_); } } bool MarkerBase::VisitCrossThreadPersistentsIfNeeded() { if (config_.marking_type != MarkingConfig::MarkingType::kAtomic || visited_cross_thread_persistents_in_atomic_pause_) return false; StatsCollector::DisabledScope inner_stats_scope( heap().stats_collector(), StatsCollector::kMarkVisitCrossThreadPersistents); // Lock guards against changes to {Weak}CrossThreadPersistent handles, that // may conflict with marking. E.g., a WeakCrossThreadPersistent may be // converted into a CrossThreadPersistent which requires that the handle // is either cleared or the object is retained. g_process_mutex.Pointer()->Lock(); heap().GetStrongCrossThreadPersistentRegion().Trace(&visitor()); visited_cross_thread_persistents_in_atomic_pause_ = true; return (heap().GetStrongCrossThreadPersistentRegion().NodesInUse() > 0); } void MarkerBase::ScheduleIncrementalMarkingTask() { DCHECK(platform_); if (!foreground_task_runner_ || incremental_marking_handle_) return; incremental_marking_handle_ = IncrementalMarkingTask::Post(foreground_task_runner_.get(), this); } bool MarkerBase::IncrementalMarkingStepForTesting( MarkingConfig::StackState stack_state) { return IncrementalMarkingStep(stack_state); } bool MarkerBase::IncrementalMarkingStep(MarkingConfig::StackState stack_state) { if (stack_state == MarkingConfig::StackState::kNoHeapPointers) { mutator_marking_state_.FlushNotFullyConstructedObjects(); } config_.stack_state = stack_state; return AdvanceMarkingWithLimits(); } void MarkerBase::AdvanceMarkingOnAllocation() { StatsCollector::EnabledScope stats_scope(heap().stats_collector(), StatsCollector::kIncrementalMark); StatsCollector::EnabledScope nested_scope(heap().stats_collector(), StatsCollector::kMarkOnAllocation); if (AdvanceMarkingWithLimits()) { // Schedule another incremental task for finalizing without a stack. ScheduleIncrementalMarkingTask(); } } bool MarkerBase::AdvanceMarkingWithLimits(v8::base::TimeDelta max_duration, size_t marked_bytes_limit) { bool is_done = false; if (!main_marking_disabled_for_testing_) { if (marked_bytes_limit == 0) { marked_bytes_limit = mutator_marking_state_.marked_bytes() + GetNextIncrementalStepDuration(schedule_, heap_); } StatsCollector::EnabledScope deadline_scope( heap().stats_collector(), StatsCollector::kMarkTransitiveClosureWithDeadline, "deadline_ms", max_duration.InMillisecondsF()); const auto deadline = v8::base::TimeTicks::Now() + max_duration; is_done = ProcessWorklistsWithDeadline(marked_bytes_limit, deadline); if (is_done && VisitCrossThreadPersistentsIfNeeded()) { // Both limits are absolute and hence can be passed along without further // adjustment. is_done = ProcessWorklistsWithDeadline(marked_bytes_limit, deadline); } schedule_.UpdateMutatorThreadMarkedBytes( mutator_marking_state_.marked_bytes()); } mutator_marking_state_.Publish(); if (!is_done) { // If marking is atomic, |is_done| should always be true. DCHECK_NE(MarkingConfig::MarkingType::kAtomic, config_.marking_type); ScheduleIncrementalMarkingTask(); if (config_.marking_type == MarkingConfig::MarkingType::kIncrementalAndConcurrent) { concurrent_marker_->NotifyIncrementalMutatorStepCompleted(); } } return is_done; } bool MarkerBase::ProcessWorklistsWithDeadline( size_t marked_bytes_deadline, v8::base::TimeTicks time_deadline) { StatsCollector::EnabledScope stats_scope( heap().stats_collector(), StatsCollector::kMarkTransitiveClosure); do { if ((config_.marking_type == MarkingConfig::MarkingType::kAtomic) || schedule_.ShouldFlushEphemeronPairs()) { mutator_marking_state_.FlushDiscoveredEphemeronPairs(); } // Bailout objects may be complicated to trace and thus might take longer // than other objects. Therefore we reduce the interval between deadline // checks to guarantee the deadline is not exceeded. { StatsCollector::EnabledScope inner_scope( heap().stats_collector(), StatsCollector::kMarkProcessBailOutObjects); if (!DrainWorklistWithBytesAndTimeDeadline( mutator_marking_state_, marked_bytes_deadline, time_deadline, mutator_marking_state_.concurrent_marking_bailout_worklist(), [this]( const MarkingWorklists::ConcurrentMarkingBailoutItem& item) { mutator_marking_state_.AccountMarkedBytes(item.bailedout_size); item.callback(&visitor(), item.parameter); })) { return false; } } { StatsCollector::EnabledScope inner_scope( heap().stats_collector(), StatsCollector::kMarkProcessNotFullyconstructedWorklist); if (!DrainWorklistWithBytesAndTimeDeadline( mutator_marking_state_, marked_bytes_deadline, time_deadline, mutator_marking_state_ .previously_not_fully_constructed_worklist(), [this](HeapObjectHeader* header) { mutator_marking_state_.AccountMarkedBytes(*header); DynamicallyTraceMarkedObject(visitor(), *header); })) { return false; } } { StatsCollector::EnabledScope inner_scope( heap().stats_collector(), StatsCollector::kMarkProcessMarkingWorklist); if (!DrainWorklistWithBytesAndTimeDeadline( mutator_marking_state_, marked_bytes_deadline, time_deadline, mutator_marking_state_.marking_worklist(), [this](const MarkingWorklists::MarkingItem& item) { const HeapObjectHeader& header = HeapObjectHeader::FromObject(item.base_object_payload); DCHECK(!header.IsInConstruction()); DCHECK(header.IsMarked()); mutator_marking_state_.AccountMarkedBytes(header); item.callback(&visitor(), item.base_object_payload); })) { return false; } } { StatsCollector::EnabledScope inner_scope( heap().stats_collector(), StatsCollector::kMarkProcessWriteBarrierWorklist); if (!DrainWorklistWithBytesAndTimeDeadline( mutator_marking_state_, marked_bytes_deadline, time_deadline, mutator_marking_state_.write_barrier_worklist(), [this](HeapObjectHeader* header) { mutator_marking_state_.AccountMarkedBytes(*header); DynamicallyTraceMarkedObject(visitor(), *header); })) { return false; } if (!DrainWorklistWithBytesAndTimeDeadline( mutator_marking_state_, marked_bytes_deadline, time_deadline, mutator_marking_state_.retrace_marked_objects_worklist(), [this](HeapObjectHeader* header) { // Retracing does not increment marked bytes as the object has // already been processed before. DynamicallyTraceMarkedObject(visitor(), *header); })) { return false; } } { StatsCollector::EnabledScope inner_stats_scope( heap().stats_collector(), StatsCollector::kMarkProcessEphemerons); if (!DrainWorklistWithBytesAndTimeDeadline( mutator_marking_state_, marked_bytes_deadline, time_deadline, mutator_marking_state_.ephemeron_pairs_for_processing_worklist(), [this](const MarkingWorklists::EphemeronPairItem& item) { mutator_marking_state_.ProcessEphemeron( item.key, item.value, item.value_desc, visitor()); })) { return false; } } } while (!mutator_marking_state_.marking_worklist().IsLocalAndGlobalEmpty()); return true; } void MarkerBase::MarkNotFullyConstructedObjects() { StatsCollector::DisabledScope stats_scope( heap().stats_collector(), StatsCollector::kMarkVisitNotFullyConstructedObjects); std::unordered_set objects = mutator_marking_state_.not_fully_constructed_worklist().Extract(); for (HeapObjectHeader* object : objects) { DCHECK(object); // TraceConservativelyIfNeeded delegates to either in-construction or // fully constructed handling. Both handlers have their own marked bytes // accounting and markbit handling (bailout). conservative_visitor().TraceConservativelyIfNeeded(*object); } } void MarkerBase::ClearAllWorklistsForTesting() { marking_worklists_.ClearForTesting(); auto* compaction_worklists = heap_.compactor().compaction_worklists(); if (compaction_worklists) compaction_worklists->ClearForTesting(); } void MarkerBase::SetMainThreadMarkingDisabledForTesting(bool value) { main_marking_disabled_for_testing_ = value; } void MarkerBase::WaitForConcurrentMarkingForTesting() { concurrent_marker_->JoinForTesting(); } void MarkerBase::NotifyCompactionCancelled() { // Compaction cannot be cancelled while concurrent marking is active. DCHECK_EQ(MarkingConfig::MarkingType::kAtomic, config_.marking_type); DCHECK_IMPLIES(concurrent_marker_, !concurrent_marker_->IsActive()); mutator_marking_state_.NotifyCompactionCancelled(); } Marker::Marker(Key key, HeapBase& heap, cppgc::Platform* platform, MarkingConfig config) : MarkerBase(key, heap, platform, config), marking_visitor_(heap, mutator_marking_state_), conservative_marking_visitor_(heap, mutator_marking_state_, marking_visitor_) { concurrent_marker_ = std::make_unique( heap_, marking_worklists_, schedule_, platform_); } } // namespace internal } // namespace cppgc ================================================ FILE: LEVEL_1/exercise_7/marking-state.h ================================================ // Copyright 2020 the V8 project authors. All rights reserved. // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. #ifndef V8_HEAP_CPPGC_MARKING_STATE_H_ #define V8_HEAP_CPPGC_MARKING_STATE_H_ #include #include "include/cppgc/trace-trait.h" #include "include/cppgc/visitor.h" #include "src/heap/cppgc/compaction-worklists.h" #include "src/heap/cppgc/globals.h" #include "src/heap/cppgc/heap-object-header.h" #include "src/heap/cppgc/heap-page.h" #include "src/heap/cppgc/liveness-broker.h" #include "src/heap/cppgc/marking-worklists.h" namespace cppgc { namespace internal { // C++ marking implementation. class MarkingStateBase { public: inline MarkingStateBase(HeapBase& heap, MarkingWorklists&, CompactionWorklists*); MarkingStateBase(const MarkingStateBase&) = delete; MarkingStateBase& operator=(const MarkingStateBase&) = delete; inline void MarkAndPush(const void*, TraceDescriptor); inline void MarkAndPush(HeapObjectHeader&); inline void PushMarked(HeapObjectHeader&, TraceDescriptor desc); inline void RegisterWeakReferenceIfNeeded(const void*, TraceDescriptor, WeakCallback, const void*); inline void RegisterWeakCallback(WeakCallback, const void*); void RegisterMovableReference(const void** slot) { if (!movable_slots_worklist_) return; movable_slots_worklist_->Push(slot); } // Weak containers are special in that they may require re-tracing if // reachable through stack, even if the container was already traced before. // ProcessWeakContainer records which weak containers were already marked so // that conservative stack scanning knows to retrace them. inline void ProcessWeakContainer(const void*, TraceDescriptor, WeakCallback, const void*); inline void ProcessEphemeron(const void*, const void*, TraceDescriptor, Visitor&); inline void AccountMarkedBytes(const HeapObjectHeader&); inline void AccountMarkedBytes(size_t); size_t marked_bytes() const { return marked_bytes_; } void Publish() { marking_worklist_.Publish(); previously_not_fully_constructed_worklist_.Publish(); weak_callback_worklist_.Publish(); write_barrier_worklist_.Publish(); concurrent_marking_bailout_worklist_.Publish(); discovered_ephemeron_pairs_worklist_.Publish(); ephemeron_pairs_for_processing_worklist_.Publish(); if (IsCompactionEnabled()) movable_slots_worklist_->Publish(); } MarkingWorklists::MarkingWorklist::Local& marking_worklist() { return marking_worklist_; } MarkingWorklists::NotFullyConstructedWorklist& not_fully_constructed_worklist() { return not_fully_constructed_worklist_; } MarkingWorklists::PreviouslyNotFullyConstructedWorklist::Local& previously_not_fully_constructed_worklist() { return previously_not_fully_constructed_worklist_; } MarkingWorklists::WeakCallbackWorklist::Local& weak_callback_worklist() { return weak_callback_worklist_; } MarkingWorklists::WriteBarrierWorklist::Local& write_barrier_worklist() { return write_barrier_worklist_; } MarkingWorklists::ConcurrentMarkingBailoutWorklist::Local& concurrent_marking_bailout_worklist() { return concurrent_marking_bailout_worklist_; } MarkingWorklists::EphemeronPairsWorklist::Local& discovered_ephemeron_pairs_worklist() { return discovered_ephemeron_pairs_worklist_; } MarkingWorklists::EphemeronPairsWorklist::Local& ephemeron_pairs_for_processing_worklist() { return ephemeron_pairs_for_processing_worklist_; } MarkingWorklists::WeakContainersWorklist& weak_containers_worklist() { return weak_containers_worklist_; } MarkingWorklists::RetraceMarkedObjectsWorklist::Local& retrace_marked_objects_worklist() { return retrace_marked_objects_worklist_; } CompactionWorklists::MovableReferencesWorklist::Local* movable_slots_worklist() { return movable_slots_worklist_.get(); } void NotifyCompactionCancelled() { DCHECK(IsCompactionEnabled()); movable_slots_worklist_->Clear(); movable_slots_worklist_.reset(); } protected: inline void MarkAndPush(HeapObjectHeader&, TraceDescriptor); inline bool MarkNoPush(HeapObjectHeader&); inline void RegisterWeakContainer(HeapObjectHeader&); inline bool IsCompactionEnabled() const { return movable_slots_worklist_.get(); } HeapBase& heap_; MarkingWorklists::MarkingWorklist::Local marking_worklist_; MarkingWorklists::NotFullyConstructedWorklist& not_fully_constructed_worklist_; MarkingWorklists::PreviouslyNotFullyConstructedWorklist::Local previously_not_fully_constructed_worklist_; MarkingWorklists::WeakCallbackWorklist::Local weak_callback_worklist_; MarkingWorklists::WriteBarrierWorklist::Local write_barrier_worklist_; MarkingWorklists::ConcurrentMarkingBailoutWorklist::Local concurrent_marking_bailout_worklist_; MarkingWorklists::EphemeronPairsWorklist::Local discovered_ephemeron_pairs_worklist_; MarkingWorklists::EphemeronPairsWorklist::Local ephemeron_pairs_for_processing_worklist_; MarkingWorklists::WeakContainersWorklist& weak_containers_worklist_; MarkingWorklists::RetraceMarkedObjectsWorklist::Local retrace_marked_objects_worklist_; // Existence of the worklist (|movable_slot_worklist_| != nullptr) denotes // that compaction is currently enabled and slots must be recorded. std::unique_ptr movable_slots_worklist_; size_t marked_bytes_ = 0; }; MarkingStateBase::MarkingStateBase(HeapBase& heap, MarkingWorklists& marking_worklists, CompactionWorklists* compaction_worklists) : heap_(heap), marking_worklist_(marking_worklists.marking_worklist()), not_fully_constructed_worklist_( *marking_worklists.not_fully_constructed_worklist()), previously_not_fully_constructed_worklist_( marking_worklists.previously_not_fully_constructed_worklist()), weak_callback_worklist_(marking_worklists.weak_callback_worklist()), write_barrier_worklist_(marking_worklists.write_barrier_worklist()), concurrent_marking_bailout_worklist_( marking_worklists.concurrent_marking_bailout_worklist()), discovered_ephemeron_pairs_worklist_( marking_worklists.discovered_ephemeron_pairs_worklist()), ephemeron_pairs_for_processing_worklist_( marking_worklists.ephemeron_pairs_for_processing_worklist()), weak_containers_worklist_(*marking_worklists.weak_containers_worklist()), retrace_marked_objects_worklist_( marking_worklists.retrace_marked_objects_worklist()) { if (compaction_worklists) { movable_slots_worklist_ = std::make_unique( compaction_worklists->movable_slots_worklist()); } } void MarkingStateBase::MarkAndPush(const void* object, TraceDescriptor desc) { DCHECK_NOT_NULL(object); MarkAndPush( HeapObjectHeader::FromObject(const_cast(desc.base_object_payload)), desc); } void MarkingStateBase::MarkAndPush(HeapObjectHeader& header, TraceDescriptor desc) { DCHECK_NOT_NULL(desc.callback); if (header.IsInConstruction()) { not_fully_constructed_worklist_.Push(&header); } else if (MarkNoPush(header)) { PushMarked(header, desc); } } bool MarkingStateBase::MarkNoPush(HeapObjectHeader& header) { // A GC should only mark the objects that belong in its heap. DCHECK_EQ(&heap_, &BasePage::FromPayload(&header)->heap()); // Never mark free space objects. This would e.g. hint to marking a promptly // freed backing store. DCHECK(!header.IsFree()); return header.TryMarkAtomic(); } void MarkingStateBase::MarkAndPush(HeapObjectHeader& header) { MarkAndPush( header, {header.ObjectStart(), GlobalGCInfoTable::GCInfoFromIndex(header.GetGCInfoIndex()).trace}); } void MarkingStateBase::PushMarked(HeapObjectHeader& header, TraceDescriptor desc) { DCHECK(header.IsMarked()); DCHECK(!header.IsInConstruction()); DCHECK_NOT_NULL(desc.callback); marking_worklist_.Push(desc); } void MarkingStateBase::RegisterWeakReferenceIfNeeded(const void* object, TraceDescriptor desc, WeakCallback weak_callback, const void* parameter) { // Filter out already marked values. The write barrier for WeakMember // ensures that any newly set value after this point is kept alive and does // not require the callback. const HeapObjectHeader& header = HeapObjectHeader::FromObject(desc.base_object_payload); if (!header.IsInConstruction() && header.IsMarked()) return; RegisterWeakCallback(weak_callback, parameter); } void MarkingStateBase::RegisterWeakCallback(WeakCallback callback, const void* object) { DCHECK_NOT_NULL(callback); weak_callback_worklist_.Push({callback, object}); } void MarkingStateBase::RegisterWeakContainer(HeapObjectHeader& header) { weak_containers_worklist_.Push(&header); } void MarkingStateBase::ProcessWeakContainer(const void* object, TraceDescriptor desc, WeakCallback callback, const void* data) { DCHECK_NOT_NULL(object); HeapObjectHeader& header = HeapObjectHeader::FromObject(const_cast(object)); if (header.IsInConstruction()) { not_fully_constructed_worklist_.Push(&header); return; } // Only mark the container initially. Its buckets will be processed after // marking. if (!MarkNoPush(header)) return; RegisterWeakContainer(header); // Register final weak processing of the backing store. RegisterWeakCallback(callback, data); // Weak containers might not require tracing. In such cases the callback in // the TraceDescriptor will be nullptr. For ephemerons the callback will be // non-nullptr so that the container is traced and the ephemeron pairs are // processed. if (desc.callback) { PushMarked(header, desc); } else { // For weak containers, there's no trace callback and no processing loop to // update the marked bytes, hence inline that here. AccountMarkedBytes(header); } } void MarkingStateBase::ProcessEphemeron(const void* key, const void* value, TraceDescriptor value_desc, Visitor& visitor) { // Filter out already marked keys. The write barrier for WeakMember // ensures that any newly set value after this point is kept alive and does // not require the callback. if (!HeapObjectHeader::FromObject(key) .IsInConstruction() && HeapObjectHeader::FromObject(key).IsMarked()) { if (value_desc.base_object_payload) { MarkAndPush(value_desc.base_object_payload, value_desc); } else { // If value_desc.base_object_payload is nullptr, the value is not GCed and // should be immediately traced. value_desc.callback(&visitor, value); } return; } discovered_ephemeron_pairs_worklist_.Push({key, value, value_desc}); } void MarkingStateBase::AccountMarkedBytes(const HeapObjectHeader& header) { AccountMarkedBytes( header.IsLargeObject() ? reinterpret_cast(BasePage::FromPayload(&header)) ->PayloadSize() : header.AllocatedSize()); } void MarkingStateBase::AccountMarkedBytes(size_t marked_bytes) { marked_bytes_ += marked_bytes; } class MutatorMarkingState : public MarkingStateBase { public: MutatorMarkingState(HeapBase& heap, MarkingWorklists& marking_worklists, CompactionWorklists* compaction_worklists) : MarkingStateBase(heap, marking_worklists, compaction_worklists) {} inline bool MarkNoPush(HeapObjectHeader& header) { return MutatorMarkingState::MarkingStateBase::MarkNoPush(header); } inline void ReTraceMarkedWeakContainer(cppgc::Visitor&, HeapObjectHeader&); inline void DynamicallyMarkAddress(ConstAddress); // Moves objects in not_fully_constructed_worklist_ to // previously_not_full_constructed_worklists_. void FlushNotFullyConstructedObjects(); // Moves ephemeron pairs in discovered_ephemeron_pairs_worklist_ to // ephemeron_pairs_for_processing_worklist_. void FlushDiscoveredEphemeronPairs(); inline void InvokeWeakRootsCallbackIfNeeded(const void*, TraceDescriptor, WeakCallback, const void*); inline bool IsMarkedWeakContainer(HeapObjectHeader&); private: // Weak containers are strongly retraced during conservative stack scanning. // Stack scanning happens once per GC at the start of the atomic pause. // Because the visitor is not retained between GCs, there is no need to clear // the set at the end of GC. class RecentlyRetracedWeakContainers { static constexpr size_t kMaxCacheSize = 8; public: inline bool Contains(const HeapObjectHeader*); inline void Insert(const HeapObjectHeader*); private: std::vector recently_retraced_cache_; size_t last_used_index_ = -1; } recently_retraced_weak_containers_; }; void MutatorMarkingState::ReTraceMarkedWeakContainer(cppgc::Visitor& visitor, HeapObjectHeader& header) { DCHECK(weak_containers_worklist_.Contains(&header)); recently_retraced_weak_containers_.Insert(&header); retrace_marked_objects_worklist().Push(&header); } void MutatorMarkingState::DynamicallyMarkAddress(ConstAddress address) { HeapObjectHeader& header = BasePage::FromPayload(address)->ObjectHeaderFromInnerAddress( const_cast

(address)); DCHECK(!header.IsInConstruction()); if (MarkNoPush(header)) { marking_worklist_.Push( {reinterpret_cast(header.ObjectStart()), GlobalGCInfoTable::GCInfoFromIndex(header.GetGCInfoIndex()).trace}); } } void MutatorMarkingState::InvokeWeakRootsCallbackIfNeeded( const void* object, TraceDescriptor desc, WeakCallback weak_callback, const void* parameter) { // Since weak roots are only traced at the end of marking, we can execute // the callback instead of registering it. #if DEBUG const HeapObjectHeader& header = HeapObjectHeader::FromObject(desc.base_object_payload); DCHECK_IMPLIES(header.IsInConstruction(), header.IsMarked()); #endif // DEBUG weak_callback(LivenessBrokerFactory::Create(), parameter); } bool MutatorMarkingState::IsMarkedWeakContainer(HeapObjectHeader& header) { const bool result = weak_containers_worklist_.Contains(&header) && !recently_retraced_weak_containers_.Contains(&header); DCHECK_IMPLIES(result, header.IsMarked()); DCHECK_IMPLIES(result, !header.IsInConstruction()); return result; } bool MutatorMarkingState::RecentlyRetracedWeakContainers::Contains( const HeapObjectHeader* header) { return std::find(recently_retraced_cache_.begin(), recently_retraced_cache_.end(), header) != recently_retraced_cache_.end(); } void MutatorMarkingState::RecentlyRetracedWeakContainers::Insert( const HeapObjectHeader* header) { last_used_index_ = (last_used_index_ + 1) % kMaxCacheSize; if (recently_retraced_cache_.size() <= last_used_index_) recently_retraced_cache_.push_back(header); else recently_retraced_cache_[last_used_index_] = header; } class ConcurrentMarkingState : public MarkingStateBase { public: ConcurrentMarkingState(HeapBase& heap, MarkingWorklists& marking_worklists, CompactionWorklists* compaction_worklists) : MarkingStateBase(heap, marking_worklists, compaction_worklists) {} ~ConcurrentMarkingState() { DCHECK_EQ(last_marked_bytes_, marked_bytes_); } size_t RecentlyMarkedBytes() { return marked_bytes_ - std::exchange(last_marked_bytes_, marked_bytes_); } inline void AccountDeferredMarkedBytes(size_t deferred_bytes) { // AccountDeferredMarkedBytes is called from Trace methods, which are always // called after AccountMarkedBytes, so there should be no underflow here. DCHECK_LE(deferred_bytes, marked_bytes_); marked_bytes_ -= deferred_bytes; } private: size_t last_marked_bytes_ = 0; }; template bool DrainWorklistWithPredicate(Predicate should_yield, WorklistLocal& worklist_local, Callback callback) { if (worklist_local.IsLocalAndGlobalEmpty()) return true; // For concurrent markers, should_yield also reports marked bytes. if (should_yield()) return false; size_t processed_callback_count = deadline_check_interval; typename WorklistLocal::ItemType item; while (worklist_local.Pop(&item)) { callback(item); if (--processed_callback_count == 0) { if (should_yield()) { return false; } processed_callback_count = deadline_check_interval; } } return true; } template void DynamicallyTraceMarkedObject(Visitor& visitor, const HeapObjectHeader& header) { DCHECK(!header.IsInConstruction()); DCHECK(header.IsMarked()); header.Trace(&visitor); } } // namespace internal } // namespace cppgc #endif // V8_HEAP_CPPGC_MARKING_STATE_H_ ================================================ FILE: LEVEL_2/README.md ================================================ # LEVEL 2 This time, you cann't rely on the `Details` to search the bug. The only info you get is the related files of the bug exist. For me, I will find the patch file, and write down its path. Then I will try to find the bug and check whether these files exist this bug to provide the right file. Find the bug yourself, and if you feel difficult can see tips or the answer. I believe you can do better than me. ================================================ FILE: LEVEL_2/exercise_1/README.md ================================================ # Exercise 1 In LEVEL 1, we can relay on Details and just to search for the func which Details mentioned. It is far away from the real bug hunting scene. therefore in LEVEL 2 we do the same as LEVEL 1 without the help of Details. ## CVE-2021-21128 I sugget you don't search any report about it to prevents get too much info like patch. ### Details In level 2, we do it without the help of Details ---------

For more info click me! But you'd better not do this

https://bugs.chromium.org/p/chromium/issues/detail?id=1138877

-------- ### Set environment after you fetch chromium ```sh git reset --hard 04fe9cc9bf0b67233b9f7f80b9a914499a431fa4 ``` ### Related code [third_party/blink/renderer/core/editing/iterators/text_searcher_icu.cc](https://source.chromium.org/chromium/chromium/src/+/04fe9cc9bf0b67233b9f7f80b9a914499a431fa4:third_party/blink/renderer/core/editing/iterators/text_searcher_icu.cc) ### Do it Do this exercise by yourself, If you find my answer have something wrong, please correct it. ---------

My answer

`IsWholeWordMatch` This func looks like buggy. ```c++ static bool IsWholeWordMatch(const UChar* text, int text_length, MatchResultICU& result) { DCHECK_LE((int)(result.start + result.length), text_length); UChar32 first_character; U16_GET(text, 0, result.start, result.length, first_character); [1] // Chinese and Japanese lack word boundary marks, and there is no clear // agreement on what constitutes a word, so treat the position before any CJK // character as a word start. if (Character::IsCJKIdeographOrSymbol(first_character)) return true; wtf_size_t word_break_search_start = result.start + result.length; while (word_break_search_start > result.start) { word_break_search_start = FindNextWordBackward(text, text_length, word_break_search_start); } if (word_break_search_start != result.start) return false; return static_cast(result.start + result.length) == FindWordEndBoundary(text, text_length, word_break_search_start); } ========================================================== #define CHECK_LE(val1, val2) CHECK_OP(<=, val1, val2) ``` [1] call `U16_GET` after `DCHECK_LE`. This check means `result.start + result.length` must lessthan `text_length`, we can see about `U16_GET` ```c++ /** * Get a code point from a string at a random-access offset, * without changing the offset. * "Safe" macro, handles unpaired surrogates and checks for string boundaries. * * The offset may point to either the lead or trail surrogate unit * for a supplementary code point, in which case the macro will read * the adjacent matching surrogate as well. * * The length can be negative for a NUL-terminated string. * * If the offset points to a single, unpaired surrogate, then * c is set to that unpaired surrogate. * Iteration through a string is more efficient with U16_NEXT_UNSAFE or U16_NEXT. * * @param s const UChar * string * @param start starting string offset (usually 0) * @param i string offset, must be start<=i(start) && U16_IS_LEAD(__c2=(s)[(i)-1])) { \ (c)=U16_GET_SUPPLEMENTARY(__c2, (c)); \ } \ } \ } \ } UPRV_BLOCK_MACRO_END ``` the third parameter is the length of the target string which be searched, just like find xy in xyd, and the length of this time is two. But [2] makes me puzzle, it seems like the `length` parameter is the end index of the `xyd`, but in truth it is the length of `xy`. And `@param length string length` proves my opinion. If we assignment i == length like i = 2, length = 2 and `__c2=(s)[(i)+1]` can oob read. We can check our answer by Detail. > This patch chagnes |IsWholeWordMatch()| to use |U16_GET()| with valid > parameters to avoid reading out of bounds data. > > In case of search "\uDB00" (broken surrogate pair) in "\u0022\uDB00", we > call |U16_GET(text, start, index, length, u32)| with start=1, index=1, > length=1, where text = "\u0022\DB800", then |U16_GET()| reads text[2] > for surrogate tail. > > After this patch, we call |U16_GET()| with length=2==end of match, to > make |U16_GET()| not to read text[2].

-------- ================================================ FILE: LEVEL_2/exercise_1/text_searcher_icu.cc ================================================ /* * Copyright (C) 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2012 Apple Inc. All * rights reserved. * Copyright (C) 2005 Alexey Proskuryakov. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * * THIS SOFTWARE IS PROVIDED BY APPLE COMPUTER, INC. ``AS IS'' AND ANY * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL APPLE COMPUTER, INC. OR * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY * OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ #include "third_party/blink/renderer/core/editing/iterators/text_searcher_icu.h" #include #include "base/macros.h" #include "third_party/blink/renderer/platform/text/character.h" #include "third_party/blink/renderer/platform/text/text_boundaries.h" #include "third_party/blink/renderer/platform/text/text_break_iterator_internal_icu.h" #include "third_party/blink/renderer/platform/text/unicode_utilities.h" #include "third_party/blink/renderer/platform/wtf/allocator/allocator.h" #include "third_party/blink/renderer/platform/wtf/text/character_names.h" #include "third_party/blink/renderer/platform/wtf/text/wtf_string.h" namespace blink { namespace { UStringSearch* CreateSearcher() { // Provide a non-empty pattern and non-empty text so usearch_open will not // fail, but it doesn't matter exactly what it is, since we don't perform any // searches without setting both the pattern and the text. UErrorCode status = U_ZERO_ERROR; String search_collator_name = CurrentSearchLocaleID() + String("@collation=search"); UStringSearch* searcher = usearch_open(&kNewlineCharacter, 1, &kNewlineCharacter, 1, search_collator_name.Utf8().c_str(), nullptr, &status); DCHECK(status == U_ZERO_ERROR || status == U_USING_FALLBACK_WARNING || status == U_USING_DEFAULT_WARNING) << status; return searcher; } class ICULockableSearcher { STACK_ALLOCATED(); public: static UStringSearch* AcquireSearcher() { Instance().lock(); return Instance().searcher_; } static void ReleaseSearcher() { Instance().unlock(); } private: static ICULockableSearcher& Instance() { static ICULockableSearcher searcher(CreateSearcher()); return searcher; } explicit ICULockableSearcher(UStringSearch* searcher) : searcher_(searcher) {} void lock() { #if DCHECK_IS_ON() DCHECK(!locked_); locked_ = true; #endif } void unlock() { #if DCHECK_IS_ON() DCHECK(locked_); locked_ = false; #endif } UStringSearch* const searcher_ = nullptr; #if DCHECK_IS_ON() bool locked_ = false; #endif DISALLOW_COPY_AND_ASSIGN(ICULockableSearcher); }; } // namespace static bool IsWholeWordMatch(const UChar* text, int text_length, MatchResultICU& result) { DCHECK_LE((int)(result.start + result.length), text_length); UChar32 first_character; U16_GET(text, 0, result.start, result.length, first_character); // Chinese and Japanese lack word boundary marks, and there is no clear // agreement on what constitutes a word, so treat the position before any CJK // character as a word start. if (Character::IsCJKIdeographOrSymbol(first_character)) return true; wtf_size_t word_break_search_start = result.start + result.length; while (word_break_search_start > result.start) { word_break_search_start = FindNextWordBackward(text, text_length, word_break_search_start); } if (word_break_search_start != result.start) return false; return static_cast(result.start + result.length) == FindWordEndBoundary(text, text_length, word_break_search_start); } // Grab the single global searcher. // If we ever have a reason to do more than once search buffer at once, we'll // have to move to multiple searchers. TextSearcherICU::TextSearcherICU() : searcher_(ICULockableSearcher::AcquireSearcher()) {} TextSearcherICU::~TextSearcherICU() { // Leave the static object pointing to valid strings (pattern=target, // text=buffer). Otheriwse, usearch_reset() will results in 'use-after-free' // error. SetPattern(&kNewlineCharacter, 1); SetText(&kNewlineCharacter, 1); ICULockableSearcher::ReleaseSearcher(); } void TextSearcherICU::SetPattern(const StringView& pattern, FindOptions options) { DCHECK_GT(pattern.length(), 0u); options_ = options; SetCaseSensitivity(!(options & kCaseInsensitive)); SetPattern(pattern.Characters16(), pattern.length()); if (ContainsKanaLetters(pattern.ToString())) { NormalizeCharactersIntoNFCForm(pattern.Characters16(), pattern.length(), normalized_search_text_); } } void TextSearcherICU::SetText(const UChar* text, wtf_size_t length) { UErrorCode status = U_ZERO_ERROR; usearch_setText(searcher_, text, length, &status); DCHECK_EQ(status, U_ZERO_ERROR); text_length_ = length; } void TextSearcherICU::SetOffset(wtf_size_t offset) { UErrorCode status = U_ZERO_ERROR; usearch_setOffset(searcher_, offset, &status); DCHECK_EQ(status, U_ZERO_ERROR); } bool TextSearcherICU::NextMatchResult(MatchResultICU& result) { while (NextMatchResultInternal(result)) { if (!ShouldSkipCurrentMatch(result)) return true; } return false; } bool TextSearcherICU::NextMatchResultInternal(MatchResultICU& result) { UErrorCode status = U_ZERO_ERROR; const int match_start = usearch_next(searcher_, &status); DCHECK_EQ(status, U_ZERO_ERROR); // TODO(iceman): It is possible to use |usearch_getText| function // to retrieve text length and not store it explicitly. if (!(match_start >= 0 && static_cast(match_start) < text_length_)) { DCHECK_EQ(match_start, USEARCH_DONE); result.start = 0; result.length = 0; return false; } result.start = static_cast(match_start); result.length = usearch_getMatchedLength(searcher_); // Might be possible to get zero-length result with some Unicode characters // that shouldn't actually match but is matched by ICU such as \u0080. if (result.length == 0u) { result.start = 0; return false; } return true; } bool TextSearcherICU::ShouldSkipCurrentMatch(MatchResultICU& result) const { int32_t text_length; const UChar* text = usearch_getText(searcher_, &text_length); DCHECK_LE((int32_t)(result.start + result.length), text_length); DCHECK_GT(result.length, 0u); if (!normalized_search_text_.IsEmpty() && !IsCorrectKanaMatch(text, result)) return true; if ((options_ & kWholeWord) && !IsWholeWordMatch(text, text_length, result)) return true; return false; } bool TextSearcherICU::IsCorrectKanaMatch(const UChar* text, MatchResultICU& result) const { Vector normalized_match; NormalizeCharactersIntoNFCForm(text + result.start, result.length, normalized_match); return CheckOnlyKanaLettersInStrings( normalized_search_text_.data(), normalized_search_text_.size(), normalized_match.begin(), normalized_match.size()); } void TextSearcherICU::SetPattern(const UChar* pattern, wtf_size_t length) { UErrorCode status = U_ZERO_ERROR; usearch_setPattern(searcher_, pattern, length, &status); DCHECK_EQ(status, U_ZERO_ERROR); } void TextSearcherICU::SetCaseSensitivity(bool case_sensitive) { const UCollationStrength strength = case_sensitive ? UCOL_TERTIARY : UCOL_PRIMARY; UCollator* const collator = usearch_getCollator(searcher_); if (ucol_getStrength(collator) == strength) return; ucol_setStrength(collator, strength); usearch_reset(searcher_); } } // namespace blink ================================================ FILE: LEVEL_2/exercise_2/README.md ================================================ # Exercise 2 In LEVEL 1, we can relay on Details and just to search for the func which Details mentioned. It is far away from the real bug hunting scene. therefore in LEVEL 2 we do the same as LEVEL 1 without the help of Details. ## CVE-2021-21122 I sugget you don't search any report about it to prevents get too much info like patch. ### Details In level 2, we do it without the help of Details ---------

For more info click me! But you'd better not do this

https://bugs.chromium.org/p/chromium/issues/detail?id=1162131#c13

-------- ### Set environment after you fetch chromium ```sh git reset --hard 978994829edb17b9583ab7a6a8b001a5b9dab04e ``` ### Related code [src/third_party/blink/renderer/core/editing/visible_units.cc](https://source.chromium.org/chromium/chromium/src/+/978994829edb17b9583ab7a6a8b001a5b9dab04e:third_party/blink/renderer/core/editing/visible_units.cc) You'd better read some introduce for [DOM](https://chromium.googlesource.com/chromium/src/+/8689d5f68d3ce081fb0b81230a4f316c03221418/third_party/blink/renderer/core/dom/#dom) and [layout](https://chromium.googlesource.com/chromium/src/+/8689d5f68d3ce081fb0b81230a4f316c03221418/third_party/blink/renderer/core/layout/#blink-layout) in chrome tips: CanContainRange[xxxxxxxx]() is virtual func, you can find all its def carefully for the true one. ### Do it Do this exercise by yourself, If you find my answer have something wrong, please correct it. ---------

My answer

At first, I analysis the [patched file](https://source.chromium.org/chromium/chromium/src/+/978994829edb17b9583ab7a6a8b001a5b9dab04e:third_party/blink/renderer/core/layout/hit_test_result.cc), but have no idea about the bug, so I see more about this cve at issue website. I notice that it was found by [Grammarinator fuzzer](https://github.com/renatahodovan/grammarinator), and when I want to use this fuzzer to continue this analysis, the usage can't run properly at my local. I don't make much time on environment or it's usage, because I don't think I can do the same as the author of this fuzzer in just two days :/ Some bug found by fuzzer are difficult to find by analysis the source files, so I want continue this work with the help of break trace which author [pasted](https://bugs.chromium.org/p/chromium/issues/detail?id=1162131). I decide to analysis these func from top to bottom, the first ```c++ bool EndsOfNodeAreVisuallyDistinctPositions(const Node* node) { if (!node) return false; LayoutObject* layout_object = node->GetLayoutObject(); if (!layout_object) return false; if (!layout_object->IsInline()) return true; // Don't include inline tables. if (IsA(*node)) return false; // A Marquee elements are moving so we should assume their ends are always // visibily distinct. if (IsA(*node)) return true; // There is a VisiblePosition inside an empty inline-block container. return layout_object->IsAtomicInlineLevel() && CanHaveChildrenForEditing(node) && !To(layout_object)->Size().IsEmpty() && [1] !HasRenderedNonAnonymousDescendantsWithHeight(layout_object); } ``` We can know [1] trigger the uaf from break trace. So the `layout_object` can be free before call [1]. `layout_object->IsAtomicInlineLevel()` seems like just a judgement, so we can analysis `CanHaveChildrenForEditing(node)`. Because `layout_object` get from `node`, so `layout_object` can be deleted by `node`. ```c++ inline bool CanHaveChildrenForEditing(const Node* node) { return !node->IsTextNode() && node->CanContainRangeEndPoint(); } ``` `node->CanContainRangeEndPoint()` is a virtual func which can be override. At first I ignore this point and just notice this func return false... ```c++ bool HTMLMeterElement::CanContainRangeEndPoint() const { GetDocument().UpdateStyleAndLayoutTreeForNode(this); [2] return GetComputedStyle() && !GetComputedStyle()->HasEffectiveAppearance(); } ``` Notice this UpdateStyle, I guess it can delete object. ```c++ void Document::UpdateStyleAndLayoutTreeForNode(const Node* node) { [ ... ] DisplayLockUtilities::ScopedForcedUpdate scoped_update_forced(node); UpdateStyleAndLayoutTree(); [3] } ``` in [3] and later will call delete, we can get this by call tree. ```shell #1 0x563e4438c880 in Free base/allocator/partition_allocator/partition_root.h:673 #2 0x563e4438c880 in operator delete third_party/blink/renderer/core/layout/layout_object.cc:240 [4] #3 0x563e443c643f in blink::LayoutObject::Destroy() third_party/blink/renderer/core/layout/layout_object.cc:3826 #4 0x563e443c6169 in blink::LayoutObject::DestroyAndCleanupAnonymousWrappers() layout_object.cc:? #5 0x563e42da53d3 in blink::Node::DetachLayoutTree(bool) third_party/blink/renderer/core/dom/node.cc:1714 #6 0x563e42c3b542 in blink::Element::DetachLayoutTree(bool) element.cc:? #7 0x563e42a818bd in blink::ContainerNode::DetachLayoutTree(bool) third_party/blink/renderer/core/dom/container_node.cc:1014 #8 0x563e42c3b534 in blink::Element::DetachLayoutTree(bool) third_party/blink/renderer/core/dom/element.cc:2807 #9 0x563e42a818bd in blink::ContainerNode::DetachLayoutTree(bool) third_party/blink/renderer/core/dom/container_node.cc:1014 #10 0x563e42c3b534 in blink::Element::DetachLayoutTree(bool) third_party/blink/renderer/core/dom/element.cc:2807 #11 0x563e42da4968 in blink::Node::ReattachLayoutTree(blink::Node::AttachContext&) third_party/blink/renderer/core/dom/node.cc:1679 #12 0x563e42c43106 in blink::Element::RebuildLayoutTree(blink::WhitespaceAttacher&) third_party/blink/renderer/core/dom/element.cc:3163 #13 0x563e42a8660a in blink::ContainerNode::RebuildLayoutTreeForChild(blink::Node*, blink::WhitespaceAttacher&) third_party/blink/renderer/core/dom/container_node.cc:1378 #14 0x563e42a869ca in blink::ContainerNode::RebuildChildrenLayoutTrees(blink::WhitespaceAttacher&) third_party/blink/renderer/core/dom/container_node.cc:1403 #15 0x563e42c43428 in blink::Element::RebuildLayoutTree(blink::WhitespaceAttacher&) third_party/blink/renderer/core/dom/element.cc:3192 #16 0x563e4293af00 in blink::StyleEngine::RebuildLayoutTree() third_party/blink/renderer/core/css/style_engine.cc:2071 #17 0x563e4293c4d7 in blink::StyleEngine::UpdateStyleAndLayoutTree() third_party/blink/renderer/core/css/style_engine.cc:2110 #18 0x563e42aee703 in blink::Document::UpdateStyle() third_party/blink/renderer/core/dom/document.cc:2540 #19 0x563e42ade9f6 in blink::Document::UpdateStyleAndLayoutTree() third_party/blink/renderer/core/dom/document.cc:2493 #20 0x563e42af049b in blink::Document::UpdateStyleAndLayoutTreeForNode(blink::Node const*) [5] ``` [5] is the func we mentioned above. [4] delete object and we can delete layout_object there by set content-visibility to hidden. So in `EndsOfNodeAreVisuallyDistinctPositions` after `CanHaveChildrenForEditing(node)` will trigger uaf

-------- ================================================ FILE: LEVEL_2/exercise_2/visible_units.cc ================================================ /* * Copyright (C) 2004, 2005, 2006, 2007, 2008, 2009 Apple Inc. All rights * reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * * THIS SOFTWARE IS PROVIDED BY APPLE COMPUTER, INC. ``AS IS'' AND ANY * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL APPLE COMPUTER, INC. OR * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY * OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ #include "third_party/blink/renderer/core/editing/visible_units.h" #include "third_party/blink/renderer/core/display_lock/display_lock_utilities.h" #include "third_party/blink/renderer/core/dom/document.h" #include "third_party/blink/renderer/core/dom/element.h" #include "third_party/blink/renderer/core/dom/first_letter_pseudo_element.h" #include "third_party/blink/renderer/core/dom/node_traversal.h" #include "third_party/blink/renderer/core/dom/text.h" #include "third_party/blink/renderer/core/editing/editing_utilities.h" #include "third_party/blink/renderer/core/editing/ephemeral_range.h" #include "third_party/blink/renderer/core/editing/frame_selection.h" #include "third_party/blink/renderer/core/editing/iterators/character_iterator.h" #include "third_party/blink/renderer/core/editing/local_caret_rect.h" #include "third_party/blink/renderer/core/editing/position.h" #include "third_party/blink/renderer/core/editing/position_iterator.h" #include "third_party/blink/renderer/core/editing/position_with_affinity.h" #include "third_party/blink/renderer/core/editing/selection_adjuster.h" #include "third_party/blink/renderer/core/editing/selection_template.h" #include "third_party/blink/renderer/core/editing/text_affinity.h" #include "third_party/blink/renderer/core/editing/visible_position.h" #include "third_party/blink/renderer/core/editing/visible_selection.h" #include "third_party/blink/renderer/core/frame/local_frame.h" #include "third_party/blink/renderer/core/frame/settings.h" #include "third_party/blink/renderer/core/html/forms/text_control_element.h" #include "third_party/blink/renderer/core/html/html_br_element.h" #include "third_party/blink/renderer/core/html_names.h" #include "third_party/blink/renderer/core/layout/api/line_layout_item.h" #include "third_party/blink/renderer/core/layout/hit_test_request.h" #include "third_party/blink/renderer/core/layout/hit_test_result.h" #include "third_party/blink/renderer/core/layout/layout_inline.h" #include "third_party/blink/renderer/core/layout/layout_text_fragment.h" #include "third_party/blink/renderer/core/layout/layout_view.h" #include "third_party/blink/renderer/core/layout/line/inline_iterator.h" #include "third_party/blink/renderer/core/layout/line/inline_text_box.h" #include "third_party/blink/renderer/core/layout/ng/inline/ng_inline_node_data.h" #include "third_party/blink/renderer/core/svg_element_type_helpers.h" #include "third_party/blink/renderer/platform/heap/handle.h" #include "third_party/blink/renderer/platform/text/text_boundaries.h" namespace blink { template static PositionType CanonicalizeCandidate(const PositionType& candidate) { if (candidate.IsNull()) return PositionType(); DCHECK(IsVisuallyEquivalentCandidate(candidate)); PositionType upstream = MostBackwardCaretPosition(candidate); if (IsVisuallyEquivalentCandidate(upstream)) return upstream; return candidate; } template static PositionType SnapFallbackTemplate(const PositionType& position) { // When neither upstream or downstream gets us to a candidate // (upstream/downstream won't leave blocks or enter new ones), we search // forward and backward until we find one. const PositionType& next = CanonicalizeCandidate(NextCandidate(position)); const PositionType& prev = CanonicalizeCandidate(PreviousCandidate(position)); // The new position must be in the same editable element. Enforce that // first. Unless the descent is from a non-editable html element to an // editable body. Node* const node = position.ComputeContainerNode(); if (node && node->GetDocument().documentElement() == node && !HasEditableStyle(*node) && node->GetDocument().body() && HasEditableStyle(*node->GetDocument().body())) return next.IsNotNull() ? next : prev; Element* const editing_root = RootEditableElementOf(position); // If the html element is editable, descending into its body will look like // a descent from non-editable to editable content since // |rootEditableElementOf()| always stops at the body. if ((editing_root && editing_root->GetDocument().documentElement() == editing_root) || position.AnchorNode()->IsDocumentNode()) return next.IsNotNull() ? next : prev; Node* const next_node = next.AnchorNode(); Node* const prev_node = prev.AnchorNode(); const bool prev_is_in_same_editable_element = prev_node && RootEditableElementOf(prev) == editing_root; const bool next_is_in_same_editable_element = next_node && RootEditableElementOf(next) == editing_root; if (prev_is_in_same_editable_element && !next_is_in_same_editable_element) return prev; if (next_is_in_same_editable_element && !prev_is_in_same_editable_element) return next; if (!next_is_in_same_editable_element && !prev_is_in_same_editable_element) return PositionType(); // The new position should be in the same block flow element. Favor that. Element* const original_block = node ? EnclosingBlockFlowElement(*node) : nullptr; const bool next_is_outside_original_block = !next_node->IsDescendantOf(original_block) && next_node != original_block; const bool prev_is_outside_original_block = !prev_node->IsDescendantOf(original_block) && prev_node != original_block; if (next_is_outside_original_block && !prev_is_outside_original_block) return prev; return next; } template static PositionWithAffinityTemplate SnapBackwardTemplate( const PositionTemplate& position) { // Sometimes updating selection positions can be extremely expensive and // occur frequently. Often calling preventDefault on mousedown events can // avoid doing unnecessary text selection work. http://crbug.com/472258. TRACE_EVENT0("input", "VisibleUnits::SnapBackward"); if (position.IsNull()) return PositionWithAffinityTemplate(); DCHECK(position.GetDocument()); DCHECK(!position.GetDocument()->NeedsLayoutTreeUpdate()); const PositionTemplate& candidate1 = MostBackwardCaretPosition(position); if (IsVisuallyEquivalentCandidate(candidate1)) { return PositionWithAffinityTemplate(candidate1, TextAffinity::kUpstream); } const PositionTemplate& candidate2 = MostForwardCaretPosition(position); if (IsVisuallyEquivalentCandidate(candidate2)) { return PositionWithAffinityTemplate(candidate2, TextAffinity::kDownstream); } return PositionWithAffinityTemplate(SnapFallbackTemplate(position), TextAffinity::kDownstream); } PositionWithAffinity SnapBackward(const Position& position) { return SnapBackwardTemplate(position); } PositionInFlatTreeWithAffinity SnapBackward( const PositionInFlatTree& position) { return SnapBackwardTemplate(position); } template static PositionWithAffinityTemplate SnapForwardTemplate( const PositionTemplate& position) { // Sometimes updating selection positions can be extremely expensive and // occur frequently. Often calling preventDefault on mousedown events can // avoid doing unnecessary text selection work. http://crbug.com/472258. TRACE_EVENT0("input", "VisibleUnits::SnapForward"); if (position.IsNull()) return PositionWithAffinityTemplate(); DCHECK(position.GetDocument()); DCHECK(!position.GetDocument()->NeedsLayoutTreeUpdate()); const PositionTemplate& candidate1 = MostForwardCaretPosition(position); if (IsVisuallyEquivalentCandidate(candidate1)) { return PositionWithAffinityTemplate(candidate1, TextAffinity::kDownstream); } const PositionTemplate& candidate2 = MostBackwardCaretPosition(position); if (IsVisuallyEquivalentCandidate(candidate2)) { return PositionWithAffinityTemplate(candidate2, TextAffinity::kDownstream); } return PositionWithAffinityTemplate(SnapFallbackTemplate(position), TextAffinity::kDownstream); } PositionWithAffinity SnapForward(const Position& position) { return SnapForwardTemplate(position); } PositionInFlatTreeWithAffinity SnapForward(const PositionInFlatTree& position) { return SnapForwardTemplate(position); } Position CanonicalPositionOf(const Position& position) { return SnapBackward(position).GetPosition(); } PositionInFlatTree CanonicalPositionOf(const PositionInFlatTree& position) { return SnapBackward(position).GetPosition(); } template static PositionWithAffinityTemplate AdjustBackwardPositionToAvoidCrossingEditingBoundariesTemplate( const PositionWithAffinityTemplate& pos, const PositionTemplate& anchor) { if (pos.IsNull()) return pos; ContainerNode* highest_root = HighestEditableRoot(anchor); // Return empty position if |pos| is not somewhere inside the editable // region containing this position if (highest_root && !pos.AnchorNode()->IsDescendantOf(highest_root)) return PositionWithAffinityTemplate(); // Return |pos| itself if the two are from the very same editable region, or // both are non-editable // TODO(yosin) In the non-editable case, just because the new position is // non-editable doesn't mean movement to it is allowed. // |VisibleSelection::adjustForEditableContent()| has this problem too. if (HighestEditableRoot(pos.GetPosition()) == highest_root) return pos; // Return empty position if this position is non-editable, but |pos| is // editable. // TODO(yosin) Move to the previous non-editable region. if (!highest_root) return PositionWithAffinityTemplate(); // Return the last position before |pos| that is in the same editable region // as this position return PositionWithAffinityTemplate( LastEditablePositionBeforePositionInRoot(pos.GetPosition(), *highest_root)); } PositionWithAffinity AdjustBackwardPositionToAvoidCrossingEditingBoundaries( const PositionWithAffinity& pos, const Position& anchor) { return AdjustBackwardPositionToAvoidCrossingEditingBoundariesTemplate(pos, anchor); } PositionInFlatTreeWithAffinity AdjustBackwardPositionToAvoidCrossingEditingBoundaries( const PositionInFlatTreeWithAffinity& pos, const PositionInFlatTree& anchor) { return AdjustBackwardPositionToAvoidCrossingEditingBoundariesTemplate(pos, anchor); } template static PositionWithAffinityTemplate AdjustForwardPositionToAvoidCrossingEditingBoundariesTemplate( const PositionWithAffinityTemplate& pos, const PositionTemplate& anchor) { if (pos.IsNull()) return pos; ContainerNode* highest_root = HighestEditableRoot(anchor); // Return empty position if |pos| is not somewhere inside the editable // region containing this position if (highest_root && !pos.AnchorNode()->IsDescendantOf(highest_root)) return PositionWithAffinityTemplate(); // Return |pos| itself if the two are from the very same editable region, or // both are non-editable // TODO(yosin) In the non-editable case, just because the new position is // non-editable doesn't mean movement to it is allowed. // |VisibleSelection::adjustForEditableContent()| has this problem too. if (HighestEditableRoot(pos.GetPosition()) == highest_root) return pos; // Returns the last position in the highest non-editable ancestor of |anchor|. if (!highest_root) { const Node* last_non_editable = anchor.ComputeContainerNode(); for (const Node& ancestor : Strategy::AncestorsOf(*last_non_editable)) { if (HasEditableStyle(ancestor)) { return PositionWithAffinityTemplate( PositionTemplate::LastPositionInNode(*last_non_editable)); } last_non_editable = &ancestor; } return PositionWithAffinityTemplate(); } // Return the next position after |pos| that is in the same editable region // as this position return PositionWithAffinityTemplate( FirstEditablePositionAfterPositionInRoot(pos.GetPosition(), *highest_root)); } PositionWithAffinity AdjustForwardPositionToAvoidCrossingEditingBoundaries( const PositionWithAffinity& pos, const Position& anchor) { return AdjustForwardPositionToAvoidCrossingEditingBoundariesTemplate(pos, anchor); } PositionInFlatTreeWithAffinity AdjustForwardPositionToAvoidCrossingEditingBoundaries( const PositionInFlatTreeWithAffinity& pos, const PositionInFlatTree& anchor) { return AdjustForwardPositionToAvoidCrossingEditingBoundariesTemplate( PositionInFlatTreeWithAffinity(pos), anchor); } template static ContainerNode* NonShadowBoundaryParentNode(Node* node) { ContainerNode* parent = Strategy::Parent(*node); return parent && !parent->IsShadowRoot() ? parent : nullptr; } template static Node* ParentEditingBoundary(const PositionTemplate& position) { Node* const anchor_node = position.AnchorNode(); if (!anchor_node) return nullptr; Node* document_element = anchor_node->GetDocument().documentElement(); if (!document_element) return nullptr; Node* boundary = position.ComputeContainerNode(); while (boundary != document_element && NonShadowBoundaryParentNode(boundary) && HasEditableStyle(*anchor_node) == HasEditableStyle(*Strategy::Parent(*boundary))) boundary = NonShadowBoundaryParentNode(boundary); return boundary; } // --------- template static PositionTemplate StartOfDocumentAlgorithm( const PositionTemplate& position) { const Node* const node = position.AnchorNode(); if (!node || !node->GetDocument().documentElement()) return PositionTemplate(); return PositionTemplate::FirstPositionInNode( *node->GetDocument().documentElement()); } Position StartOfDocument(const Position& c) { return StartOfDocumentAlgorithm(c); } PositionInFlatTree StartOfDocument(const PositionInFlatTree& c) { return StartOfDocumentAlgorithm(c); } template static VisiblePositionTemplate EndOfDocumentAlgorithm( const VisiblePositionTemplate& visible_position) { DCHECK(visible_position.IsValid()) << visible_position; Node* node = visible_position.DeepEquivalent().AnchorNode(); if (!node || !node->GetDocument().documentElement()) return VisiblePositionTemplate(); Element* doc = node->GetDocument().documentElement(); return CreateVisiblePosition( PositionTemplate::LastPositionInNode(*doc)); } VisiblePosition EndOfDocument(const VisiblePosition& c) { return EndOfDocumentAlgorithm(c); } VisiblePositionInFlatTree EndOfDocument(const VisiblePositionInFlatTree& c) { return EndOfDocumentAlgorithm(c); } bool IsStartOfDocument(const VisiblePosition& p) { DCHECK(p.IsValid()) << p; return p.IsNotNull() && PreviousPositionOf(p, kCanCrossEditingBoundary).IsNull(); } bool IsEndOfDocument(const VisiblePosition& p) { DCHECK(p.IsValid()) << p; return p.IsNotNull() && NextPositionOf(p, kCanCrossEditingBoundary).IsNull(); } // --------- PositionInFlatTree StartOfEditableContent(const PositionInFlatTree& position) { ContainerNode* highest_root = HighestEditableRoot(position); if (!highest_root) return PositionInFlatTree(); return PositionInFlatTree::FirstPositionInNode(*highest_root); } PositionInFlatTree EndOfEditableContent(const PositionInFlatTree& position) { ContainerNode* highest_root = HighestEditableRoot(position); if (!highest_root) return PositionInFlatTree(); return PositionInFlatTree::LastPositionInNode(*highest_root); } bool IsEndOfEditableOrNonEditableContent(const VisiblePosition& position) { DCHECK(position.IsValid()) << position; return position.IsNotNull() && NextPositionOf(position).IsNull(); } // TODO(yosin) We should rename |isEndOfEditableOrNonEditableContent()| what // this function does, e.g. |isLastVisiblePositionOrEndOfInnerEditor()|. bool IsEndOfEditableOrNonEditableContent( const VisiblePositionInFlatTree& position) { DCHECK(position.IsValid()) << position; if (position.IsNull()) return false; const VisiblePositionInFlatTree next_position = NextPositionOf(position); if (next_position.IsNull()) return true; // In DOM version, following condition, the last position of inner editor // of INPUT/TEXTAREA element, by |nextPosition().isNull()|, because of // an inner editor is an only leaf node. if (!next_position.DeepEquivalent().IsAfterAnchor()) return false; return IsTextControl(next_position.DeepEquivalent().AnchorNode()); } static LayoutUnit BoundingBoxLogicalHeight(LayoutObject* o, const LayoutRect& rect) { return o->Style()->IsHorizontalWritingMode() ? rect.Height() : rect.Width(); } // TODO(editing-dev): The semantics seems wrong when we're in a one-letter block // with first-letter style, e.g.,

, where the letter is laid-out in // an anonymous first-letter LayoutTextFragment instead of the LayoutObject of // the text node. It seems weird to return false in this case. bool HasRenderedNonAnonymousDescendantsWithHeight( const LayoutObject* layout_object) { if (DisplayLockUtilities::NearestLockedInclusiveAncestor(*layout_object)) return false; if (auto* block_flow = DynamicTo(layout_object)) { // Returns false for empty content editable, e.g. // -

// -

// Note: tests[1][2] require this. // [1] editing/style/underline.html // [2] editing/inserting/return-with-object-element.html if (block_flow->HasNGInlineNodeData() && block_flow->GetNGInlineNodeData() ->ItemsData(false) .text_content.IsEmpty() && block_flow->HasLineIfEmpty()) return false; } const LayoutObject* stop = layout_object->NextInPreOrderAfterChildren(); // TODO(editing-dev): Avoid single-character parameter names. for (LayoutObject* o = layout_object->SlowFirstChild(); o && o != stop; o = o->NextInPreOrder()) { if (o->NonPseudoNode()) { if ((o->IsText() && To(o)->HasNonCollapsedText()) || (o->IsBox() && To(o)->PixelSnappedLogicalHeight()) || (o->IsLayoutInline() && IsEmptyInline(LineLayoutItem(o)) && // TODO(crbug.com/771398): Find alternative ways to check whether an // empty LayoutInline is rendered, without checking InlineBox. BoundingBoxLogicalHeight( o, To(o)->PhysicalLinesBoundingBox().ToLayoutRect()))) return true; } } return false; } PositionWithAffinity PositionForContentsPointRespectingEditingBoundary( const IntPoint& contents_point, LocalFrame* frame) { HitTestRequest request = HitTestRequest::kMove | HitTestRequest::kReadOnly | HitTestRequest::kActive | HitTestRequest::kIgnoreClipping | HitTestRequest::kRetargetForInert; HitTestLocation location(contents_point); HitTestResult result(request, location); frame->GetDocument()->GetLayoutView()->HitTest(location, result); if (result.InnerNode()) { return PositionRespectingEditingBoundary( frame->Selection().ComputeVisibleSelectionInDOMTreeDeprecated().Start(), result); } return PositionWithAffinity(); } // TODO(yosin): We should use |AssociatedLayoutObjectOf()| in "visible_units.cc" // where it takes |LayoutObject| from |Position|. int CaretMinOffset(const Node* node) { const LayoutObject* layout_object = AssociatedLayoutObjectOf(*node, 0); if (const LayoutText* layout_text = DynamicTo(layout_object)) return layout_text->CaretMinOffset(); return 0; } int CaretMaxOffset(const Node* n) { return EditingStrategy::CaretMaxOffset(*n); } template static bool InRenderedText(const PositionTemplate& position) { Node* const anchor_node = position.AnchorNode(); if (!anchor_node || !anchor_node->IsTextNode()) return false; const int offset_in_node = position.ComputeEditingOffset(); const LayoutObject* layout_object = AssociatedLayoutObjectOf(*anchor_node, offset_in_node); if (!layout_object) return false; const auto* text_layout_object = To(layout_object); const int text_offset = offset_in_node - text_layout_object->TextStartOffset(); if (!text_layout_object->ContainsCaretOffset(text_offset)) return false; // Return false for offsets inside composed characters. // TODO(editing-dev): Previous/NextGraphemeBoundaryOf() work on DOM offsets, // So they should use |offset_in_node| instead of |text_offset|. return text_offset == text_layout_object->CaretMinOffset() || text_offset == NextGraphemeBoundaryOf(*anchor_node, PreviousGraphemeBoundaryOf( *anchor_node, text_offset)); } bool RendersInDifferentPosition(const Position& position1, const Position& position2) { if (position1.IsNull() || position2.IsNull()) return false; const LocalCaretRect& caret_rect1 = LocalCaretRectOfPosition(PositionWithAffinity(position1)); const LocalCaretRect& caret_rect2 = LocalCaretRectOfPosition(PositionWithAffinity(position2)); if (!caret_rect1.layout_object || !caret_rect2.layout_object) return caret_rect1.layout_object != caret_rect2.layout_object; return LocalToAbsoluteQuadOf(caret_rect1) != LocalToAbsoluteQuadOf(caret_rect2); } // TODO(editing-dev): Share code with IsVisuallyEquivalentCandidate if possible. bool EndsOfNodeAreVisuallyDistinctPositions(const Node* node) { if (!node) return false; LayoutObject* layout_object = node->GetLayoutObject(); if (!layout_object) return false; if (!layout_object->IsInline()) return true; // Don't include inline tables. if (IsA(*node)) return false; // A Marquee elements are moving so we should assume their ends are always // visibily distinct. if (IsA(*node)) return true; // There is a VisiblePosition inside an empty inline-block container. return layout_object->IsAtomicInlineLevel() && CanHaveChildrenForEditing(node) && !To(layout_object)->Size().IsEmpty() && !HasRenderedNonAnonymousDescendantsWithHeight(layout_object); } template static Node* EnclosingVisualBoundary(Node* node) { while (node && !EndsOfNodeAreVisuallyDistinctPositions(node)) node = Strategy::Parent(*node); return node; } // upstream() and downstream() want to return positions that are either in a // text node or at just before a non-text node. This method checks for that. template static bool IsStreamer(const PositionIteratorAlgorithm& pos) { if (!pos.GetNode()) return true; if (IsAtomicNode(pos.GetNode())) return true; return pos.AtStartOfNode(); } template static Position MostBackwardOrForwardCaretPosition( const Position& position, EditingBoundaryCrossingRule rule, F AlgorithmInFlatTree) { Node* position_anchor = position.AnchorNode(); if (!position_anchor) return Position(); DCHECK(position.IsValidFor(*position.GetDocument())); // Find the most backward or forward caret position in the flat tree. const Position& candidate = ToPositionInDOMTree( AlgorithmInFlatTree(ToPositionInFlatTree(position), rule)); Node* candidate_anchor = candidate.AnchorNode(); if (!candidate_anchor) return candidate; // Fast path for common cases when there is no shadow involved. if (!position_anchor->IsInShadowTree() && !IsShadowHost(position_anchor) && !candidate_anchor->IsInShadowTree() && !IsShadowHost(candidate_anchor)) { return candidate; } // Adjust the candidate to avoid crossing shadow boundaries. const SelectionInDOMTree& selection = SelectionInDOMTree::Builder() .SetBaseAndExtent(position, candidate) .Build(); if (selection.IsCaret()) return candidate; const SelectionInDOMTree& shadow_adjusted_selection = SelectionAdjuster::AdjustSelectionToAvoidCrossingShadowBoundaries( selection); // If we have to adjust the position, the editability may change, so avoid // crossing editing boundaries if it's not allowed. if (rule == kCannotCrossEditingBoundary && selection != shadow_adjusted_selection) { const SelectionInDOMTree& editing_adjusted_selection = SelectionAdjuster::AdjustSelectionToAvoidCrossingEditingBoundaries( shadow_adjusted_selection); return editing_adjusted_selection.Extent(); } return shadow_adjusted_selection.Extent(); } template static PositionTemplate AdjustPositionForBackwardIteration( const PositionTemplate& position) { DCHECK(!position.IsNull()); if (!position.IsAfterAnchor()) return position; if (IsUserSelectContain(*position.AnchorNode())) return position.ToOffsetInAnchor(); return PositionTemplate::EditingPositionOf( position.AnchorNode(), Strategy::CaretMaxOffset(*position.AnchorNode())); } // TODO(yosin): We should make |Most{Back,For}kwardCaretPosition()| to work for // positions other than |kOffsetInAnchor|. When we convert |position| to // |kOffsetInAnchor|, following tests are failed: // * editing/execCommand/delete-non-editable-range-crash.html // * editing/execCommand/keep_typing_style.html // * editing/selection/skip-over-contenteditable.html // See also |AdjustForEditingBoundary()|. It has workaround for before/after // positions. template static PositionTemplate MostBackwardCaretPosition( const PositionTemplate& position, EditingBoundaryCrossingRule rule) { DCHECK(!NeedsLayoutTreeUpdate(position)) << position; TRACE_EVENT0("input", "VisibleUnits::mostBackwardCaretPosition"); Node* const start_node = position.AnchorNode(); if (!start_node) return PositionTemplate(); // iterate backward from there, looking for a qualified position Node* const boundary = EnclosingVisualBoundary(start_node); // FIXME: PositionIterator should respect Before and After positions. PositionIteratorAlgorithm last_visible( AdjustPositionForBackwardIteration(position)); const bool start_editable = HasEditableStyle(*start_node); Node* last_node = start_node; bool boundary_crossed = false; for (PositionIteratorAlgorithm current_pos = last_visible; !current_pos.AtStart(); current_pos.Decrement()) { Node* current_node = current_pos.GetNode(); // Don't check for an editability change if we haven't moved to a different // node, to avoid the expense of computing hasEditableStyle(). if (current_node != last_node) { // Don't change editability. const bool current_editable = HasEditableStyle(*current_node); if (start_editable != current_editable) { if (rule == kCannotCrossEditingBoundary) break; boundary_crossed = true; } last_node = current_node; } // There is no caret position in non-text svg elements. if (current_node->IsSVGElement() && !IsA(current_node)) continue; // If we've moved to a position that is visually distinct, return the last // saved position. There is code below that terminates early if we're // *about* to move to a visually distinct position. if (EndsOfNodeAreVisuallyDistinctPositions(current_node) && current_node != boundary) return last_visible.DeprecatedComputePosition(); // skip position in non-laid out or invisible node const LayoutObject* const layout_object = AssociatedLayoutObjectOf(*current_node, current_pos.OffsetInLeafNode(), LayoutObjectSide::kFirstLetterIfOnBoundary); if (!layout_object || layout_object->Style()->Visibility() != EVisibility::kVisible) continue; if (DisplayLockUtilities::NearestLockedExclusiveAncestor(*layout_object)) continue; if (rule == kCanCrossEditingBoundary && boundary_crossed) { last_visible = current_pos; break; } // track last visible streamer position if (IsStreamer(current_pos)) last_visible = current_pos; // Don't move past a position that is visually distinct. We could rely on // code above to terminate and return lastVisible on the next iteration, but // we terminate early to avoid doing a nodeIndex() call. if (EndsOfNodeAreVisuallyDistinctPositions(current_node) && current_pos.AtStartOfNode()) return last_visible.DeprecatedComputePosition(); // Return position after tables and nodes which have content that can be // ignored. if (EditingIgnoresContent(*current_node) || IsDisplayInsideTable(current_node)) { if (current_pos.AtEndOfNode()) return PositionTemplate::AfterNode(*current_node); continue; } // return current position if it is in laid out text if (!layout_object->IsText()) continue; const auto* const text_layout_object = To(layout_object); if (!text_layout_object->HasNonCollapsedText()) continue; const unsigned text_start_offset = text_layout_object->TextStartOffset(); if (current_node != start_node) { // This assertion fires in web tests in the case-transform.html test // because of a mix-up between offsets in the text in the DOM tree with // text in the layout tree which can have a different length due to case // transformation. // Until we resolve that, disable this so we can run the web tests! // DCHECK_GE(currentOffset, layoutObject->caretMaxOffset()); return PositionTemplate( current_node, text_layout_object->CaretMaxOffset() + text_start_offset); } DCHECK_GE(current_pos.OffsetInLeafNode(), static_cast(text_layout_object->TextStartOffset())); if (text_layout_object->IsAfterNonCollapsedCharacter( current_pos.OffsetInLeafNode() - text_layout_object->TextStartOffset())) return current_pos.ComputePosition(); } return last_visible.DeprecatedComputePosition(); } Position MostBackwardCaretPosition(const Position& position, EditingBoundaryCrossingRule rule) { return MostBackwardOrForwardCaretPosition( position, rule, MostBackwardCaretPosition); } PositionInFlatTree MostBackwardCaretPosition(const PositionInFlatTree& position, EditingBoundaryCrossingRule rule) { return MostBackwardCaretPosition(position, rule); } namespace { bool HasInvisibleFirstLetter(const Node* node) { if (!node || !node->IsTextNode()) return false; const auto* remaining_text = DynamicTo(node->GetLayoutObject()); if (!remaining_text || !remaining_text->IsRemainingTextLayoutObject()) return false; const auto* first_letter = DynamicTo(AssociatedLayoutObjectOf(*node, 0)); if (!first_letter || first_letter == remaining_text) return false; return first_letter->StyleRef().Visibility() != EVisibility::kVisible || DisplayLockUtilities::NearestLockedExclusiveAncestor(*first_letter); } } // namespace template PositionTemplate MostForwardCaretPosition( const PositionTemplate