Diff
Modified: branches/safari-606-branch/LayoutTests/ChangeLog (239241 => 239242)
--- branches/safari-606-branch/LayoutTests/ChangeLog 2018-12-15 00:30:48 UTC (rev 239241)
+++ branches/safari-606-branch/LayoutTests/ChangeLog 2018-12-15 00:55:23 UTC (rev 239242)
@@ -1,3 +1,18 @@
+2018-12-14 Alan Coon <alanc...@apple.com>
+
+ Apply patch. rdar://problem/46603448
+
+ 2018-12-14 Brent Fulgham <bfulg...@apple.com>
+
+ SVGViewSpec objects should mark relevant SVG elements
+ https://bugs.webkit.org/show_bug.cgi?id=192567
+ <rdar://problem/46491325>
+
+ Reviewed by Ryosuke Niwa.
+
+ * svg/animations/view-dependency-crash-expected.txt: Added.
+ * svg/animations/view-dependency-crash.html: Added.
+
2018-12-11 Alan Coon <alanc...@apple.com>
Cherry-pick r238877. rdar://problem/45997440
Added: branches/safari-606-branch/LayoutTests/svg/animations/view-dependency-crash-expected.txt (0 => 239242)
--- branches/safari-606-branch/LayoutTests/svg/animations/view-dependency-crash-expected.txt (rev 0)
+++ branches/safari-606-branch/LayoutTests/svg/animations/view-dependency-crash-expected.txt 2018-12-15 00:55:23 UTC (rev 239242)
@@ -0,0 +1,2 @@
+This test passes if it does not crash
+
Added: branches/safari-606-branch/LayoutTests/svg/animations/view-dependency-crash.html (0 => 239242)
--- branches/safari-606-branch/LayoutTests/svg/animations/view-dependency-crash.html (rev 0)
+++ branches/safari-606-branch/LayoutTests/svg/animations/view-dependency-crash.html 2018-12-15 00:55:23 UTC (rev 239242)
@@ -0,0 +1,24 @@
+<!DOCTYPE html>
+<html>
+<head>
+ <script src=""
+</head>
+<body _onload_="runTest()">
+This test passes if it does not crash<br/>
+<script>
+if (window.testRunner)
+ testRunner.dumpAsText();
+
+function runTest() {
+ var svg = document.createElementNS("http://www.w3.org/2000/svg", "svg");
+ var view = svg.currentView;
+ svg.pauseAnimations();
+ svg = null;
+ if (window.gc)
+ gc();
+ var rect = document.createElementNS("http://www.w3.org/2000/svg", "rect");
+ var viewBox = view.viewBox;
+}
+</script>
+</body>
+</html>
Modified: branches/safari-606-branch/Source/WebCore/ChangeLog (239241 => 239242)
--- branches/safari-606-branch/Source/WebCore/ChangeLog 2018-12-15 00:30:48 UTC (rev 239241)
+++ branches/safari-606-branch/Source/WebCore/ChangeLog 2018-12-15 00:55:23 UTC (rev 239242)
@@ -1,3 +1,42 @@
+2018-12-14 Alan Coon <alanc...@apple.com>
+
+ Apply patch. rdar://problem/46603448
+
+ 2018-12-14 Brent Fulgham <bfulg...@apple.com>
+
+ SVGViewSpec objects should mark relevant SVG elements
+ https://bugs.webkit.org/show_bug.cgi?id=192567
+ <rdar://problem/46491325>
+
+ Reviewed by Ryosuke Niwa.
+
+ SVGViewSpec elements reflect the state of an underlying SVGElement. Teach the mark algorithm to
+ recognize the relevant SVGElement as active as long as the SVGViewSpec is active.
+
+ Update SVGElement so that it can vend WeakPtrs. I also noticed that SVGAttributeOwner used a bare
+ pointer to the SVGElement, so switched to a WeakPtr.
+
+ Test: svg/animations/view-dependency-crash.html
+
+ * Sources.txt: Add new files.
+ * WebCore.xcodeproj/project.pbxproj: Ditto.
+ * bindings/js/JSSVGViewSpecCustom.cpp: Added.
+ (WebCore::JSSVGViewSpec::visitAdditionalChildren):
+ * svg/SVGElement.h:
+ * svg/SVGPathElement.h:
+ * svg/SVGViewSpec.cpp:
+ (WebCore::SVGViewSpec::SVGViewSpec): Hold a weak pointer (rather than a bare pointer) to the underlying element.
+ * svg/SVGViewSpec.h:
+ * svg/SVGViewSpec.idl:
+ * svg/properties/SVGAttributeOwnerProxy.cpp: Added.
+ (WebCore::SVGAttributeOwnerProxy::SVGAttributeOwnerProxy): Hold a weak pointer (rather than a bare pointer) to
+ the underling SVGElement.
+ (WebCore::SVGAttributeOwnerProxy::element const): Ditto.
+ * svg/properties/SVGAttributeOwnerProxy.h:
+ (WebCore::SVGAttributeOwnerProxy::SVGAttributeOwnerProxy): Move implementation to cpp file.
+ (WebCore::SVGAttributeOwnerProxy::element const): Ditto.
+ * svg/properties/SVGAttributeOwnerProxyImpl.h: Update for WeakPtr use.
+
2018-12-11 Alan Coon <alanc...@apple.com>
Cherry-pick r238877. rdar://problem/45997440
Modified: branches/safari-606-branch/Source/WebCore/Sources.txt (239241 => 239242)
--- branches/safari-606-branch/Source/WebCore/Sources.txt 2018-12-15 00:30:48 UTC (rev 239241)
+++ branches/safari-606-branch/Source/WebCore/Sources.txt 2018-12-15 00:55:23 UTC (rev 239242)
@@ -437,6 +437,7 @@
bindings/js/JSRemoteDOMWindowBase.cpp
bindings/js/JSRemoteDOMWindowCustom.cpp
bindings/js/JSSVGPathSegCustom.cpp
+bindings/js/JSSVGViewSpecCustom.cpp
bindings/js/JSStyleSheetCustom.cpp
bindings/js/JSServiceWorkerClientCustom.cpp
bindings/js/JSServiceWorkerGlobalScopeCustom.cpp
Modified: branches/safari-606-branch/Source/WebCore/WebCore.xcodeproj/project.pbxproj (239241 => 239242)
--- branches/safari-606-branch/Source/WebCore/WebCore.xcodeproj/project.pbxproj 2018-12-15 00:30:48 UTC (rev 239241)
+++ branches/safari-606-branch/Source/WebCore/WebCore.xcodeproj/project.pbxproj 2018-12-15 00:55:23 UTC (rev 239242)
@@ -9333,6 +9333,7 @@
7A29BA67187B732200F29CEB /* TemporaryOpenGLSetting.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = TemporaryOpenGLSetting.h; sourceTree = "<group>"; };
7A29BA69187B781C00F29CEB /* TemporaryOpenGLSetting.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = TemporaryOpenGLSetting.cpp; sourceTree = "<group>"; };
7A29F57118C69514004D0F81 /* OutOfBandTextTrackPrivateAVF.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = OutOfBandTextTrackPrivateAVF.h; sourceTree = "<group>"; };
+ 7A3EBEAA21BF054C000D043D /* JSSVGViewSpecCustom.cpp */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.cpp.cpp; path = JSSVGViewSpecCustom.cpp; sourceTree = "<group>"; };
7A45032D18DB717200377B34 /* BufferedLineReader.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = BufferedLineReader.cpp; sourceTree = "<group>"; };
7A45032E18DB717200377B34 /* BufferedLineReader.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = BufferedLineReader.h; sourceTree = "<group>"; };
7A54857D14E02D51006AE05A /* InspectorHistory.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = InspectorHistory.cpp; sourceTree = "<group>"; };
@@ -24011,6 +24012,7 @@
BCE1C43F0D9830F4003B02F2 /* JSLocationCustom.cpp */,
418C395D1C8F0AAB0051C8A3 /* JSReadableStreamSourceCustom.cpp */,
46BCBBBE2085005B00710638 /* JSRemoteDOMWindowCustom.cpp */,
+ 7A3EBEAA21BF054C000D043D /* JSSVGViewSpecCustom.cpp */,
);
name = Custom;
sourceTree = "<group>";
Copied: branches/safari-606-branch/Source/WebCore/bindings/js/JSSVGViewSpecCustom.cpp (from rev 239239, branches/safari-606-branch/Source/WebCore/svg/SVGViewSpec.idl) (0 => 239242)
--- branches/safari-606-branch/Source/WebCore/bindings/js/JSSVGViewSpecCustom.cpp (rev 0)
+++ branches/safari-606-branch/Source/WebCore/bindings/js/JSSVGViewSpecCustom.cpp 2018-12-15 00:55:23 UTC (rev 239242)
@@ -0,0 +1,39 @@
+/*
+ * Copyright (C) 2018 Apple Inc. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY APPLE INC. ``AS IS'' AND ANY
+ * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL APPLE INC. OR
+ * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
+ * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
+ * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
+ * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
+ * OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+ * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include "config.h"
+#include "JSSVGViewSpec.h"
+
+#include "JSNode.h"
+
+namespace WebCore {
+
+void JSSVGViewSpec::visitAdditionalChildren(JSC::SlotVisitor& visitor)
+{
+ ASSERT(wrapped().contextElementConcurrently().get());
+ visitor.addOpaqueRoot(root(wrapped().contextElementConcurrently().get()));
+}
+
+}
Modified: branches/safari-606-branch/Source/WebCore/svg/SVGElement.h (239241 => 239242)
--- branches/safari-606-branch/Source/WebCore/svg/SVGElement.h 2018-12-15 00:30:48 UTC (rev 239241)
+++ branches/safari-606-branch/Source/WebCore/svg/SVGElement.h 2018-12-15 00:55:23 UTC (rev 239242)
@@ -31,6 +31,7 @@
#include "StyledElement.h"
#include <wtf/HashMap.h>
#include <wtf/HashSet.h>
+#include <wtf/WeakPtr.h>
namespace WebCore {
@@ -46,7 +47,7 @@
void mapAttributeToCSSProperty(HashMap<AtomicStringImpl*, CSSPropertyID>* propertyNameToIdMap, const QualifiedName& attrName);
-class SVGElement : public StyledElement, public SVGLangSpace {
+class SVGElement : public StyledElement, public SVGLangSpace, public CanMakeWeakPtr<SVGElement> {
WTF_MAKE_ISO_ALLOCATED(SVGElement);
public:
bool isOutermostSVGSVGElement() const;
Modified: branches/safari-606-branch/Source/WebCore/svg/SVGPathElement.h (239241 => 239242)
--- branches/safari-606-branch/Source/WebCore/svg/SVGPathElement.h 2018-12-15 00:30:48 UTC (rev 239241)
+++ branches/safari-606-branch/Source/WebCore/svg/SVGPathElement.h 2018-12-15 00:55:23 UTC (rev 239242)
@@ -53,7 +53,7 @@
class SVGPathSegList;
class SVGPoint;
-class SVGPathElement final : public SVGGeometryElement, public SVGExternalResourcesRequired, public CanMakeWeakPtr<SVGPathElement> {
+class SVGPathElement final : public SVGGeometryElement, public SVGExternalResourcesRequired {
WTF_MAKE_ISO_ALLOCATED(SVGPathElement);
public:
static Ref<SVGPathElement> create(const QualifiedName&, Document&);
Modified: branches/safari-606-branch/Source/WebCore/svg/SVGViewSpec.cpp (239241 => 239242)
--- branches/safari-606-branch/Source/WebCore/svg/SVGViewSpec.cpp 2018-12-15 00:30:48 UTC (rev 239241)
+++ branches/safari-606-branch/Source/WebCore/svg/SVGViewSpec.cpp 2018-12-15 00:55:23 UTC (rev 239242)
@@ -78,7 +78,7 @@
}
SVGViewSpec::SVGViewSpec(SVGElement& contextElement)
- : m_contextElement(&contextElement)
+ : m_contextElement(makeWeakPtr(contextElement))
{
}
Modified: branches/safari-606-branch/Source/WebCore/svg/SVGViewSpec.h (239241 => 239242)
--- branches/safari-606-branch/Source/WebCore/svg/SVGViewSpec.h 2018-12-15 00:30:48 UTC (rev 239241)
+++ branches/safari-606-branch/Source/WebCore/svg/SVGViewSpec.h 2018-12-15 00:55:23 UTC (rev 239242)
@@ -67,6 +67,8 @@
SVGPreserveAspectRatioValue& preserveAspectRatio() { return m_preserveAspectRatio; }
void setPreserveAspectRatioBaseValue(const SVGPreserveAspectRatioValue& preserveAspectRatio) { m_preserveAspectRatio = preserveAspectRatio; }
+ const WeakPtr<SVGElement>& contextElementConcurrently() const { return m_contextElement; }
+
private:
explicit SVGViewSpec(SVGElement&);
@@ -82,7 +84,7 @@
static Ref<SVGAnimatedProperty> lookupOrCreateViewBoxWrapper(SVGViewSpec* contextElement);
static Ref<SVGAnimatedProperty> lookupOrCreatePreserveAspectRatioWrapper(SVGViewSpec* contextElement);
- SVGElement* m_contextElement;
+ WeakPtr<SVGElement> m_contextElement;
SVGZoomAndPanType m_zoomAndPan { SVGZoomAndPanMagnify };
SVGTransformListValues m_transform;
FloatRect m_viewBox;
Modified: branches/safari-606-branch/Source/WebCore/svg/SVGViewSpec.idl (239241 => 239242)
--- branches/safari-606-branch/Source/WebCore/svg/SVGViewSpec.idl 2018-12-15 00:30:48 UTC (rev 239241)
+++ branches/safari-606-branch/Source/WebCore/svg/SVGViewSpec.idl 2018-12-15 00:55:23 UTC (rev 239242)
@@ -27,6 +27,7 @@
// It would require that any of those classes would be RefCounted, and we want to avoid that.
[
ImplementationLacksVTable,
+ JSCustomMarkFunction,
JSGenerateToJSObject,
] interface SVGViewSpec {
readonly attribute SVGTransformList transform;
