Fix use after free in ui/tweener.js (!11) · Merge requests · GNOME / gnome-shell

Mike Salway requested to merge mike.salway/gnome-shell:tweener-fix into master Jan 28, 2018

In several cases addTween() in ui/tweener.js is passed a onComplete handler that destroys the target (one example being _swapBackgroundActor in ui/background.js). tweener.js adds it's own onComplete handler which calls _resetTweenState() and references the __ShellTweenerState property on the target. The onComplete handler passed to addTween() is executed before the one added by ui/tweener.js resulting a "has already been finalized" error from gjs.

This merge request switches the order of the onComplete handlers so the one from ui/tweener.js executes first delaying the destruction of the target until tweener.js has finished with it.

Closes #1 (closed)

Fix use after free in ui/tweener.js

Merge request reports