Title: [91005] trunk
Revision
91005
Author
[email protected]
Date
2011-07-14 09:57:44 -0700 (Thu, 14 Jul 2011)

Log Message

Clear SVGElementInstance's children immediately upon detachment
https://bugs.webkit.org/show_bug.cgi?id=63739
<rdar://problem/9705708>

Patch by Tim Horton <[email protected]> on 2011-07-14
Reviewed by Nikolas Zimmermann.

In addition to clearing the instance's children in the destructor,
clear them when the instance is detached from its <use>. This way,
we won't attempt to use them after we're detached but before the
destructor has been called.

Source/WebCore:

Test: svg/custom/use-crash-using-children-before-destroy.svg

* svg/SVGElementInstance.cpp:
(WebCore::SVGElementInstance::~SVGElementInstance):
(WebCore::SVGElementInstance::clearChildren):
* svg/SVGElementInstance.h:
* svg/SVGUseElement.cpp:
(WebCore::SVGUseElement::detachInstance):

LayoutTests:

* svg/custom/use-crash-using-children-before-destroy-expected.txt: Added.
* svg/custom/use-crash-using-children-before-destroy.svg: Added.


Modified: trunk/LayoutTests/ChangeLog (91004 => 91005)


--- trunk/LayoutTests/ChangeLog	2011-07-14 16:42:50 UTC (rev 91004)
+++ trunk/LayoutTests/ChangeLog	2011-07-14 16:57:44 UTC (rev 91005)
@@ -1,3 +1,19 @@
+2011-07-14  Tim Horton  <[email protected]>
+
+        Clear SVGElementInstance's children immediately upon detachment
+        https://bugs.webkit.org/show_bug.cgi?id=63739
+        <rdar://problem/9705708>
+
+        Reviewed by Nikolas Zimmermann.
+
+        In addition to clearing the instance's children in the destructor,
+        clear them when the instance is detached from its <use>. This way,
+        we won't attempt to use them after we're detached but before the
+        destructor has been called.
+
+        * svg/custom/use-crash-using-children-before-destroy-expected.txt: Added.
+        * svg/custom/use-crash-using-children-before-destroy.svg: Added.
+
 2011-07-14  Csaba Osztrogonác  <[email protected]>
 
         [Qt]Update layout test results for newer Qt 4.8.x

Added: trunk/LayoutTests/svg/custom/use-crash-using-children-before-destroy-expected.txt (0 => 91005)


--- trunk/LayoutTests/svg/custom/use-crash-using-children-before-destroy-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/svg/custom/use-crash-using-children-before-destroy-expected.txt	2011-07-14 16:57:44 UTC (rev 91005)
@@ -0,0 +1,2 @@
+PASS if no crash/assert
+

Added: trunk/LayoutTests/svg/custom/use-crash-using-children-before-destroy.svg (0 => 91005)


--- trunk/LayoutTests/svg/custom/use-crash-using-children-before-destroy.svg	                        (rev 0)
+++ trunk/LayoutTests/svg/custom/use-crash-using-children-before-destroy.svg	2011-07-14 16:57:44 UTC (rev 91005)
@@ -0,0 +1,20 @@
+<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
+    <text>PASS if no crash/assert</text>
+    <g id="outer"><use id="a"></use></g>
+    <use id="b" xlink:href="" />
+<script><![CDATA[
+var useobj = document.getElementById("b").instanceRoot;
+
+function test() {
+    var elem = document.getElementById("b");
+    elem.parentNode.removeChild(elem);
+}
+test();
+
+document.getElementById("a").appendChild(document.createElement("g"));
+
+if (window.layoutTestController) {
+    layoutTestController.dumpAsText();
+}
+]]></script>
+</svg>
\ No newline at end of file

Modified: trunk/Source/WebCore/ChangeLog (91004 => 91005)


--- trunk/Source/WebCore/ChangeLog	2011-07-14 16:42:50 UTC (rev 91004)
+++ trunk/Source/WebCore/ChangeLog	2011-07-14 16:57:44 UTC (rev 91005)
@@ -1,3 +1,25 @@
+2011-07-14  Tim Horton  <[email protected]>
+
+        Clear SVGElementInstance's children immediately upon detachment
+        https://bugs.webkit.org/show_bug.cgi?id=63739
+        <rdar://problem/9705708>
+
+        Reviewed by Nikolas Zimmermann.
+
+        In addition to clearing the instance's children in the destructor,
+        clear them when the instance is detached from its <use>. This way,
+        we won't attempt to use them after we're detached but before the
+        destructor has been called.
+
+        Test: svg/custom/use-crash-using-children-before-destroy.svg
+
+        * svg/SVGElementInstance.cpp:
+        (WebCore::SVGElementInstance::~SVGElementInstance):
+        (WebCore::SVGElementInstance::clearChildren):
+        * svg/SVGElementInstance.h:
+        * svg/SVGUseElement.cpp:
+        (WebCore::SVGUseElement::detachInstance):
+
 2011-07-14  Nate Chapin  <[email protected]>
 
         Don't skip custom cursors if an Image* is null,

Modified: trunk/Source/WebCore/svg/SVGElementInstance.cpp (91004 => 91005)


--- trunk/Source/WebCore/svg/SVGElementInstance.cpp	2011-07-14 16:42:50 UTC (rev 91004)
+++ trunk/Source/WebCore/svg/SVGElementInstance.cpp	2011-07-14 16:57:44 UTC (rev 91005)
@@ -70,6 +70,11 @@
     // Deregister as instance for passed element.
     m_element->removeInstanceMapping(this);
 
+    clearChildren();
+}
+
+void SVGElementInstance::clearChildren()
+{
     removeAllChildrenInContainer<SVGElementInstance, SVGElementInstance>(this);
 }
 
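Review bot: clearChildren() is now reached twice on the detach-then-destroy path, once from SVGUseElement::detachInstance and again from this destructor, and nothing says that the second call on an already-emptied container is meant to be a no-op; that relies on removeAllChildrenInContainer tolerating an empty container, which seems likely but is not visible here. I'd state the contract at the definition: `// Drops all child instances. Called from SVGUseElement::detachInstance() as soon as the instance is cut loose from its <use>, and again from the destructor, so it must stay safe to call on an empty container.` The same comment belongs on the declaration added in SVGElementInstance.h. The destructor's body begins outside the hunk.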
@@ -105,8 +110,10 @@
     const HashSet<SVGElementInstance*>::const_iterator end = set.end();
     for (HashSet<SVGElementInstance*>::const_iterator it = set.begin(); it != end; ++it) {
         ASSERT((*it)->correspondingElement() == element);
-        if (SVGUseElement* element = (*it)->correspondingUseElement())
+        if (SVGUseElement* element = (*it)->correspondingUseElement()) {
+            ASSERT(element->inDocument());
             element->invalidateShadowTree();
+        }
     }
 
     // Be sure to rebuild use trees, if needed
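Review bot: The new `ASSERT(element->inDocument())` refers to the inner `SVGUseElement* element`, which shadows the `element` parameter compared one line above in `ASSERT((*it)->correspondingElement() == element)`; two different objects under the same name a line apart make the assert easy to misread and a later edit could check the wrong one. Renaming the loop-local would fix it: `if (SVGUseElement* useElement = (*it)->correspondingUseElement()) {` / `ASSERT(useElement->inDocument());` / `useElement->invalidateShadowTree();`. The assert is also debug-only, so in release builds a <use> that is not in the document would still have invalidateShadowTree() called on it; the guarantee appears to rest on detachInstance() nulling the use-element pointers first, which a short comment next to the ASSERT could say. The enclosing function starts outside the hunk.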

Modified: trunk/Source/WebCore/svg/SVGElementInstance.h (91004 => 91005)


--- trunk/Source/WebCore/svg/SVGElementInstance.h	2011-07-14 16:42:50 UTC (rev 91004)
+++ trunk/Source/WebCore/svg/SVGElementInstance.h	2011-07-14 16:57:44 UTC (rev 91005)
@@ -59,6 +59,7 @@
     SVGUseElement* correspondingUseElement() const { return m_correspondingUseElement; }
     SVGUseElement* directUseElement() const { return m_directUseElement; }
     SVGElement* shadowTreeElement() const { return m_shadowTreeElement.get(); }
+    void clearChildren();
     void clearUseElements()
     {
         m_directUseElement = 0;

Modified: trunk/Source/WebCore/svg/SVGUseElement.cpp (91004 => 91005)


--- trunk/Source/WebCore/svg/SVGUseElement.cpp	2011-07-14 16:42:50 UTC (rev 91004)
+++ trunk/Source/WebCore/svg/SVGUseElement.cpp	2011-07-14 16:57:44 UTC (rev 91005)
@@ -646,6 +646,7 @@
     if (!m_targetElementInstance)
         return;
     m_targetElementInstance->clearUseElements();
+    m_targetElementInstance->clearChildren();
     m_targetElementInstance = 0;
 }
 
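Review bot: The added clearChildren() drops the root instance's children, but only the root receives clearUseElements(), so if a child instance can outlive this call (for example because script retained a reference reached through instanceRoot) its own correspondingUseElement()/directUseElement() would still point at this <use> after it has been detached. Whether that is reachable depends on how removeAllChildrenInContainer treats retained children, which is not visible in the hunk, so I'd confirm it or clear the use-element pointers down the subtree before dropping the children. A comment on the new line would also record why this moved out of the destructor: `// Drop the instance subtree now rather than in the destructor so nothing dereferences it between detach and destruction (bug 63739).` detachInstance's signature and the start of its body are outside the hunk.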