[webkit-changes] [219334] trunk

Tue, 11 Jul 2017 09:31:25 -0700

Title: [219334] trunk
Revision
219334
Author
[email protected]
Date
2017-07-11 09:30:43 -0700 (Tue, 11 Jul 2017)

Log Message

[SVG] Leak in SVGAnimatedListPropertyTearOff
https://bugs.webkit.org/show_bug.cgi?id=172545

Source/WebCore:

Reviewed by Said Abou-Hallawa.

SVGAnimatedListPropertyTearOff maintains a vector m_wrappers with references to
SVGPropertyTraits<PropertyType>::ListItemTearOff. Apart from that SVGPropertyTearOff has a
reference to SVGAnimatedProperty.

When SVGListProperty::getItemValuesAndWrappers() is called, it creates a
SVGPropertyTraits<PropertyType>::ListItemTearOff pointing to the same SVGAnimatedProperty (a
SVGAnimatedListPropertyTearOff) which stores the m_wrappers vector where the ListItemTearOff
is going to be added to. This effectively creates a reference cycle between the
SVGAnimatedListPropertyTearOff and all the ListItemTearOff it stores in m_wrappers.

We should detach those wrappers in propertyWillBeDeleted() in order to break the cycle.

* svg/properties/SVGAnimatedListPropertyTearOff.h:

LayoutTests:

Reviewed by Darin Adler.

* svg/animations/animation-leak-list-property-instances-expected.txt: Added.
* svg/animations/animation-leak-list-property-instances.html: Added.

Modified Paths

Added Paths

Diff

Modified: trunk/LayoutTests/ChangeLog (219333 => 219334)


--- trunk/LayoutTests/ChangeLog	2017-07-11 16:15:11 UTC (rev 219333)
+++ trunk/LayoutTests/ChangeLog	2017-07-11 16:30:43 UTC (rev 219334)
@@ -1,3 +1,13 @@
+2017-07-11  Sergio Villar Senin  <[email protected]>
+
+        [SVG] Leak in SVGAnimatedListPropertyTearOff
+        https://bugs.webkit.org/show_bug.cgi?id=172545
+
+        Reviewed by Darin Adler.
+
+        * svg/animations/animation-leak-list-property-instances-expected.txt: Added.
+        * svg/animations/animation-leak-list-property-instances.html: Added.
+
 2017-07-11  Carlos Alberto Lopez Perez  <[email protected]>
 
         [GTK] Spin buttons on input type number appear over the value itself for small widths

Added: trunk/LayoutTests/svg/animations/animation-leak-list-property-instances-expected.txt (0 => 219334)


--- trunk/LayoutTests/svg/animations/animation-leak-list-property-instances-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/svg/animations/animation-leak-list-property-instances-expected.txt	2017-07-11 16:30:43 UTC (rev 219334)
@@ -0,0 +1,7 @@
+This test checks that adding an animation to a SVG element does not leak the whole SVGDocument.
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+PASS 0 is 0
+
Property changes on: trunk/LayoutTests/svg/animations/animation-leak-list-property-instances-expected.txt
___________________________________________________________________

Added: svn:eol-style

+LF \ No newline at end of property

Added: trunk/LayoutTests/svg/animations/animation-leak-list-property-instances.html (0 => 219334)


--- trunk/LayoutTests/svg/animations/animation-leak-list-property-instances.html	                        (rev 0)
+++ trunk/LayoutTests/svg/animations/animation-leak-list-property-instances.html	2017-07-11 16:30:43 UTC (rev 219334)
@@ -0,0 +1,63 @@
+<!DOCTYPE html>
+<script src=""
+
+<body _onload_="test()">
+    <svg id="rootSVG" width="300" height="300" xmlns="http://www.w3.org/2000/svg" version="1.1"></svg>
+</body>
+
+<script>
+ description("This test checks that adding an animation to a SVG element does not leak the whole SVGDocument.")
+
+ function addRect()
+ {
+     var elem = document.createElementNS("http://www.w3.org/2000/svg", "rect");
+     elem.setAttribute("id", "rect");
+     elem.setAttribute("x", 50);
+     elem.setAttribute("y", 50);
+     elem.setAttribute("width", 50);
+     elem.setAttribute("height", 50);
+     elem.setAttribute("fill", "blue");
+
+     document.getElementById("rootSVG").appendChild(elem);
+ }
+
+ function applyTransform()
+ {
+     var svgroot = document.getElementById("rootSVG");
+     var transformList = document.getElementById("rect").transform.baseVal;
+     var rotate = svgroot.createSVGTransform();
+     rotate.setRotate(15,0,0);
+     transformList.appendItem(rotate);
+ }
+
+ function removeRect()
+ {
+     document.getElementById("rootSVG").removeChild(document.getElementById("rect"));
+ }
+
+ function test()
+ {
+     if (!window.internals || !window.GCController) {
+	 testFailed("This test requires internals and GCController");
+	 return;
+     }
+
+     testRunner.dumpAsText();
+
+     // One gc() call is not enough and cause flakiness in some platforms.
+     gc();
+     gc();
+     var originalLiveElements = internals.numberOfLiveNodes();
+
+     addRect();
+     applyTransform();
+     removeRect();
+
+     // One gc() call is not enough and cause flakiness in some platforms.
+     gc();
+     gc();
+     var delta = internals.numberOfLiveNodes() - originalLiveElements;
+     shouldBeZero(delta.toString());
+     var successfullyParsed = true;
+ }
+</script>
Property changes on: trunk/LayoutTests/svg/animations/animation-leak-list-property-instances.html
___________________________________________________________________

Added: svn:eol-style

+LF \ No newline at end of property

Added: svn:mime-type

+text/html \ No newline at end of property

Modified: trunk/Source/WebCore/ChangeLog (219333 => 219334)


--- trunk/Source/WebCore/ChangeLog	2017-07-11 16:15:11 UTC (rev 219333)
+++ trunk/Source/WebCore/ChangeLog	2017-07-11 16:30:43 UTC (rev 219334)
@@ -1,3 +1,24 @@
+2017-05-24  Sergio Villar Senin  <[email protected]>
+
+        [SVG] Leak in SVGAnimatedListPropertyTearOff
+        https://bugs.webkit.org/show_bug.cgi?id=172545
+
+        Reviewed by Said Abou-Hallawa.
+
+        SVGAnimatedListPropertyTearOff maintains a vector m_wrappers with references to
+        SVGPropertyTraits<PropertyType>::ListItemTearOff. Apart from that SVGPropertyTearOff has a
+        reference to SVGAnimatedProperty.
+
+        When SVGListProperty::getItemValuesAndWrappers() is called, it creates a
+        SVGPropertyTraits<PropertyType>::ListItemTearOff pointing to the same SVGAnimatedProperty (a
+        SVGAnimatedListPropertyTearOff) which stores the m_wrappers vector where the ListItemTearOff
+        is going to be added to. This effectively creates a reference cycle between the
+        SVGAnimatedListPropertyTearOff and all the ListItemTearOff it stores in m_wrappers.
+
+        We should detach those wrappers in propertyWillBeDeleted() in order to break the cycle.
+
+        * svg/properties/SVGAnimatedListPropertyTearOff.h:
+
 2017-07-11  Carlos Alberto Lopez Perez  <[email protected]>
 
         [GTK] Spin buttons on input type number appear over the value itself for small widths

Modified: trunk/Source/WebCore/svg/properties/SVGAnimatedListPropertyTearOff.h (219333 => 219334)


--- trunk/Source/WebCore/svg/properties/SVGAnimatedListPropertyTearOff.h	2017-07-11 16:15:11 UTC (rev 219333)
+++ trunk/Source/WebCore/svg/properties/SVGAnimatedListPropertyTearOff.h	2017-07-11 16:30:43 UTC (rev 219334)
@@ -73,6 +73,8 @@
             m_baseVal = nullptr;
         else if (&property == m_animVal)
             m_animVal = nullptr;
+        if (!m_baseVal && !m_animVal)
+            detachListWrappers(m_values.size());
     }
 
     int findItem(SVGProperty* property)

_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes

Reply via email to