- Revision
- 226065
- Author
- za...@apple.com
- Date
- 2017-12-18 11:32:49 -0800 (Mon, 18 Dec 2017)
Log Message
[SVG] Detach list wrappers before resetting the base value.
https://bugs.webkit.org/show_bug.cgi?id=180912
<rdar://problem/36017970>
Reviewed by Simon Fraser.
Source/WebCore:
Before resetting the animation value (and destroying the assigned SVG object -SVGLengthValue in this case),
we need to check if there's an associated tear off wrapper for the said SVG object and make a copy of it.
This is currently done in the wrong order through animValDidChange.
Test: svg/animations/crash-when-animation-is-running-while-getting-value.html
* svg/SVGAnimatedTypeAnimator.h:
(WebCore::SVGAnimatedTypeAnimator::resetFromBaseValue):
* svg/properties/SVGAnimatedPropertyTearOff.h:
* svg/properties/SVGAnimatedStaticPropertyTearOff.h:
(WebCore::SVGAnimatedStaticPropertyTearOff::synchronizeWrappersIfNeeded):
LayoutTests:
* svg/animations/crash-when-animation-is-running-while-getting-value-expected.txt: Added.
* svg/animations/crash-when-animation-is-running-while-getting-value.html: Added.
Modified Paths
Added Paths
Diff
Modified: trunk/LayoutTests/ChangeLog (226064 => 226065)
--- trunk/LayoutTests/ChangeLog 2017-12-18 19:20:40 UTC (rev 226064)
+++ trunk/LayoutTests/ChangeLog 2017-12-18 19:32:49 UTC (rev 226065)
@@ -1,3 +1,14 @@
+2017-12-18 Zalan Bujtas <za...@apple.com>
+
+ [SVG] Detach list wrappers before resetting the base value.
+ https://bugs.webkit.org/show_bug.cgi?id=180912
+ <rdar://problem/36017970>
+
+ Reviewed by Simon Fraser.
+
+ * svg/animations/crash-when-animation-is-running-while-getting-value-expected.txt: Added.
+ * svg/animations/crash-when-animation-is-running-while-getting-value.html: Added.
+
2017-12-18 Jer Noble <jer.no...@apple.com>
Playing media elements which call "pause(); play()" will have the play promise rejected.
Added: trunk/LayoutTests/svg/animations/crash-when-animation-is-running-while-getting-value-expected.txt (0 => 226065)
--- trunk/LayoutTests/svg/animations/crash-when-animation-is-running-while-getting-value-expected.txt (rev 0)
+++ trunk/LayoutTests/svg/animations/crash-when-animation-is-running-while-getting-value-expected.txt 2017-12-18 19:32:49 UTC (rev 226065)
@@ -0,0 +1,2 @@
+PASS if no crash.
+
Added: trunk/LayoutTests/svg/animations/crash-when-animation-is-running-while-getting-value.html (0 => 226065)
--- trunk/LayoutTests/svg/animations/crash-when-animation-is-running-while-getting-value.html (rev 0)
+++ trunk/LayoutTests/svg/animations/crash-when-animation-is-running-while-getting-value.html 2017-12-18 19:32:49 UTC (rev 226065)
@@ -0,0 +1,16 @@
+PASS if no crash.
+<svg>
+<text x="1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1" id="textElement">
+<set attributeName="x" to="0"/>
+</svg>
+<script>
+if (window.testRunner) {
+ testRunner.dumpAsText();
+ testRunner.waitUntilDone();
+}
+setTimeout(function() {
+ textElement.x.animVal.getItem(0);
+ if (window.testRunner)
+ testRunner.notifyDone();
+}, 0);
+</script>
Modified: trunk/Source/WebCore/ChangeLog (226064 => 226065)
--- trunk/Source/WebCore/ChangeLog 2017-12-18 19:20:40 UTC (rev 226064)
+++ trunk/Source/WebCore/ChangeLog 2017-12-18 19:32:49 UTC (rev 226065)
@@ -1,3 +1,23 @@
+2017-12-18 Zalan Bujtas <za...@apple.com>
+
+ [SVG] Detach list wrappers before resetting the base value.
+ https://bugs.webkit.org/show_bug.cgi?id=180912
+ <rdar://problem/36017970>
+
+ Reviewed by Simon Fraser.
+
+ Before resetting the animation value (and destroying the assigned SVG object -SVGLengthValue in this case),
+ we need to check if there's an associated tear off wrapper for the said SVG object and make a copy of it.
+ This is currently done in the wrong order through animValDidChange.
+
+ Test: svg/animations/crash-when-animation-is-running-while-getting-value.html
+
+ * svg/SVGAnimatedTypeAnimator.h:
+ (WebCore::SVGAnimatedTypeAnimator::resetFromBaseValue):
+ * svg/properties/SVGAnimatedPropertyTearOff.h:
+ * svg/properties/SVGAnimatedStaticPropertyTearOff.h:
+ (WebCore::SVGAnimatedStaticPropertyTearOff::synchronizeWrappersIfNeeded):
+
2017-12-18 Brady Eidson <beid...@apple.com>
REGRESSION: ASSERTION FAILED: !m_importCompleted
Modified: trunk/Source/WebCore/svg/SVGAnimatedTypeAnimator.h (226064 => 226065)
--- trunk/Source/WebCore/svg/SVGAnimatedTypeAnimator.h 2017-12-18 19:20:40 UTC (rev 226064)
+++ trunk/Source/WebCore/svg/SVGAnimatedTypeAnimator.h 2017-12-18 19:32:49 UTC (rev 226065)
@@ -78,8 +78,11 @@
{
ASSERT(animatedTypes[0].properties.size() == 1);
ASSERT(type.type() == m_type);
+ auto* property = castAnimatedPropertyToActualType<AnimValType>(animatedTypes[0].properties[0].get());
+ property->synchronizeWrappersIfNeeded();
+
typename AnimValType::ContentType& animatedTypeValue = (type.*getter)();
- animatedTypeValue = castAnimatedPropertyToActualType<AnimValType>(animatedTypes[0].properties[0].get())->currentBaseValue();
+ animatedTypeValue = property->currentBaseValue();
executeAction<AnimValType>(StartAnimationAction, animatedTypes, 0, &animatedTypeValue);
}
Modified: trunk/Source/WebCore/svg/properties/SVGAnimatedPropertyTearOff.h (226064 => 226065)
--- trunk/Source/WebCore/svg/properties/SVGAnimatedPropertyTearOff.h 2017-12-18 19:20:40 UTC (rev 226064)
+++ trunk/Source/WebCore/svg/properties/SVGAnimatedPropertyTearOff.h 2017-12-18 19:32:49 UTC (rev 226065)
@@ -106,6 +106,11 @@
ASSERT(isAnimating());
}
+ void synchronizeWrappersIfNeeded()
+ {
+ // no-op
+ }
+
private:
SVGAnimatedPropertyTearOff(SVGElement* contextElement, const QualifiedName& attributeName, AnimatedPropertyType animatedPropertyType, PropertyType& property)
: SVGAnimatedProperty(contextElement, attributeName, animatedPropertyType)
Modified: trunk/Source/WebCore/svg/properties/SVGAnimatedStaticPropertyTearOff.h (226064 => 226065)
--- trunk/Source/WebCore/svg/properties/SVGAnimatedStaticPropertyTearOff.h 2017-12-18 19:20:40 UTC (rev 226064)
+++ trunk/Source/WebCore/svg/properties/SVGAnimatedStaticPropertyTearOff.h 2017-12-18 19:32:49 UTC (rev 226065)
@@ -93,6 +93,11 @@
ASSERT(isAnimating());
}
+ void synchronizeWrappersIfNeeded()
+ {
+ // no-op
+ }
+
protected:
SVGAnimatedStaticPropertyTearOff(SVGElement* contextElement, const QualifiedName& attributeName, AnimatedPropertyType animatedPropertyType, PropertyType& property)
: SVGAnimatedProperty(contextElement, attributeName, animatedPropertyType)
