Jonas Ådahl 802d4e0cf8 clutter/actor: First clear all stage views before emitting they changed
If one would end up with an actor attached to a mapped actor, where the
attached actor doesn't itself have an up-to-date stage view list while
listening on the stage for updates, when clearing the stage views of
the list, anything that would query the stage views list at this time
would end up accessing freed memory.

This could happen if

 1) An actor was added to a newly created container actor attached to
    the stage
 2) The actor got a timeline attached to it
 3) The actor was moved to a container that already was mapped
 4) A hotplug happened

After (1) both the container and actor would not have any stage views.
After (2) the timeline would listen on the stage for stage views
updates. After (3) the actor would still listen on the stage for stage
views updates. When (4) happened, the actor would be signalled when the
stage got its stage view cleared, at which point it would traverse up
its actor's tree finding an appropriate stage view to base its animation
on. The problem here would be that it'd query the already mapped
container and its yet-to-be-cleared stage view list, resulting in a
use-after-free, resulting in for example the following backtrace:

  0)  g_type_check_instance_cast ()
  1)  CLUTTER_STAGE_VIEW ()
  2)  clutter_actor_pick_frame_clock ()
  3)  clutter_actor_pick_frame_clock ()
  4)  update_frame_clock ()
  5)  on_frame_clock_actor_stage_views_changed ()
  6)  g_closure_invoke ()
  7)  signal_emit_unlocked_R ()
  8)  g_signal_emit_valist ()
  9)  g_signal_emit ()
  10) clear_stage_views_cb ()
  11) _clutter_actor_traverse_depth ()
  12) _clutter_actor_traverse ()
  13) clutter_actor_clear_stage_views_recursive ()
  14) clutter_stage_clear_stage_views ()
  ...

Avoid this issue by making sure that we don't emit 'stage-views-changed'
signals while the actor tree is in an invalid state. While we now end up
traversing the tree twice, it doesn't change the Big-O notation. It has not
been measured whether this has any noticeable performance impact.

Closes: https://gitlab.gnome.org/GNOME/mutter/-/issues/1950
Part-of: <https://gitlab.gnome.org/GNOME/mutter/-/merge_requests/2025>
2021-11-06 14:25:40 +00:00
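The four-step scenario above, reduced to a small constructed model (added here as an illustration; this is not mutter's code, and the `Scene`, `run_hotplug` and `listener` names are assumptions). It replays the hotplug with the pre-fix order (emit per actor during the clearing traversal) and the fixed order (clear the whole tree, then emit), and shows that only the former hands the timeline's handler a view the stage has already destroyed:

```c
#include <stdbool.h>
#include <stddef.h>
/* Constructed model of the ordering bug in the commit message, not mutter's
 * code. A destroyed view is only marked dead, not free()d, so the stale
 * access is observable without undefined behaviour. */
typedef struct { bool alive; } StageView;

typedef struct Actor {
  struct Actor *parent;
  StageView *view;          /* cached stage view, NULL once cleared */
  struct Actor *listener;   /* actor whose timeline listens on this node */
} Actor;

typedef struct { StageView view; Actor stage, container, actor; } Scene;

/* Steps 1-3: the mapped container caches the stage's view; the actor has no
 * view of its own, so its timeline listens on the stage instead. */
static void scene_init(Scene *s) {
  s->view.alive = true;
  s->stage     = (Actor){ NULL,          &s->view, &s->actor };
  s->container = (Actor){ &s->stage,     &s->view, NULL };
  s->actor     = (Actor){ &s->container, NULL,     NULL };
}

/* clutter_actor_pick_frame_clock: walk up to the nearest cached view. */
static StageView *pick_frame_clock(Actor *a) {
  for (; a; a = a->parent)
    if (a->view) return a->view;
  return NULL;
}

/* Step 4 (hotplug): the stage destroys its views, then the tree is cleared
 * depth-first. Pre-fix, each actor emits 'stage-views-changed' as soon as its
 * own list is cleared; post-fix, emission waits until the whole tree is clear.
 * Returns the view the timeline handler picked, or NULL. */
static StageView *clear_stage_views(Scene *s, bool emit_after_full_clear) {
  Actor *order[] = { &s->stage, &s->container, &s->actor };
  StageView *picked = NULL;
  s->view.alive = false;
  for (int i = 0; i < 3; i++) {
    order[i]->view = NULL;
    if (!emit_after_full_clear && order[i]->listener)
      picked = pick_frame_clock(order[i]->listener);  /* handler mid-traversal */
  }
  for (int i = 0; emit_after_full_clear && i < 3; i++)
    if (order[i]->listener) picked = pick_frame_clock(order[i]->listener);
  return picked;
}

static Scene scene;  /* file-scope so the result can be inspected after the run */
/* Replays the hotplug with one emission order; returns what the handler used:
 * a dead view for the pre-fix order, NULL for the fixed order. */
static StageView *run_hotplug(bool emit_after_full_clear) {
  scene_init(&scene);
  return clear_stage_views(&scene, emit_after_full_clear);
}
```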