Skip to site navigation (Press enter)

[webkit-changes] [109345] trunk

commit-queue Thu, 01 Mar 2012 07:05:10 -0800

Title: [109345] trunk

Revision: 109345
Author: [email protected]
Date: 2012-03-01 07:04:36 -0800 (Thu, 01 Mar 2012)

Log Message

Crash in WebCore::SVGDocumentExtensions::removeAnimationElementFromTarget
https://bugs.webkit.org/show_bug.cgi?id=79831


Patch by Stephen Chenney <[email protected]> on 2012-03-01
Reviewed by Eric Seidel.

Out-of-order operations in the SVGSMILElement::removedFromDocument
method caused its target to be removed and then re-added due to a
later call. This led to the target being set on the animation while
the target element itself was unaware. At deletion time, this caused a
crash (or assert in debug builds). Thanks to Abhishek Arya for help
with the layout test.

Source/WebCore:

Test: svg/animations/smil-element-target-crash-main.html

* svg/animation/SVGSMILElement.cpp:
(WebCore::SVGSMILElement::removedFromDocument):

LayoutTests:

* svg/animations/resources/smil-element-target-crash.svg: Added.
* svg/animations/smil-element-target-crash-main-expected.txt: Added.
* svg/animations/smil-element-target-crash-main.html: Added.

Modified Paths

trunk/LayoutTests/ChangeLog
trunk/Source/WebCore/ChangeLog
trunk/Source/WebCore/svg/animation/SVGSMILElement.cpp

Added Paths

trunk/LayoutTests/svg/animations/resources/smil-element-target-crash.svg
trunk/LayoutTests/svg/animations/smil-element-target-crash-main-expected.txt
trunk/LayoutTests/svg/animations/smil-element-target-crash-main.html

Diff

Modified: trunk/LayoutTests/ChangeLog (109344 => 109345)


--- trunk/LayoutTests/ChangeLog	2012-03-01 14:46:56 UTC (rev 109344)
+++ trunk/LayoutTests/ChangeLog	2012-03-01 15:04:36 UTC (rev 109345)
@@ -1,3 +1,21 @@
+2012-03-01  Stephen Chenney  <[email protected]>
+
+        Crash in WebCore::SVGDocumentExtensions::removeAnimationElementFromTarget
+        https://bugs.webkit.org/show_bug.cgi?id=79831
+
+        Reviewed by Eric Seidel.
+
+        Out-of-order operations in the SVGSMILElement::removedFromDocument
+        method caused its target to be removed and then re-added due to a
+        later call. This led to the target being set on the animation while
+        the target element itself was unaware. At deletion time, this caused a
+        crash (or assert in debug builds). Thanks to Abhishek Arya for help
+        with the layout test.
+
+        * svg/animations/resources/smil-element-target-crash.svg: Added.
+        * svg/animations/smil-element-target-crash-main-expected.txt: Added.
+        * svg/animations/smil-element-target-crash-main.html: Added.
+
 2012-03-01  Nikolas Zimmermann  <[email protected]>
 
         Not reviewed. Rebaseline another SVG test on SnowLeopard, now new-run-webkit-tests --tolerance 0 -p svg also passes w/o failures on SL.

Added: trunk/LayoutTests/svg/animations/resources/smil-element-target-crash.svg (0 => 109345)


--- trunk/LayoutTests/svg/animations/resources/smil-element-target-crash.svg	                        (rev 0)
+++ trunk/LayoutTests/svg/animations/resources/smil-element-target-crash.svg	2012-03-01 15:04:36 UTC (rev 109345)
@@ -0,0 +1,3 @@
+<svg xmlns="http://www.w3.org/2000/svg">
+<set attributeName="visibility" begin="focusin"/>
+</svg>

Added: trunk/LayoutTests/svg/animations/smil-element-target-crash-main-expected.txt (0 => 109345)


--- trunk/LayoutTests/svg/animations/smil-element-target-crash-main-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/svg/animations/smil-element-target-crash-main-expected.txt	2012-03-01 15:04:36 UTC (rev 109345)
@@ -0,0 +1 @@
+PASS

Added: trunk/LayoutTests/svg/animations/smil-element-target-crash-main.html (0 => 109345)


--- trunk/LayoutTests/svg/animations/smil-element-target-crash-main.html	                        (rev 0)
+++ trunk/LayoutTests/svg/animations/smil-element-target-crash-main.html	2012-03-01 15:04:36 UTC (rev 109345)
@@ -0,0 +1,33 @@
+<!DOCTYPE html>
+<html>
+<script>
+if (window.layoutTestController) {
+    layoutTestController.dumpAsText();
+    layoutTestController.waitUntilDone();
+}
+
+function crash()
+{
+    var doc = document.implementation.createDocument();
+    doc.adoptNode(object1.contentDocument.getElementsByTagName("svg")[0]);
+    delete doc;
+
+    if (window.GCController)
+        GCController.collect();
+
+    document.open();
+    document.write('PASS');
+    document.close();
+
+    if (window.layoutTestController)
+        layoutTestController.notifyDone();
+}
+
+function runTest()
+{
+    setTimeout("crash()", 0);
+}
+</script>
+<object data="" id="object1" _onload_="runTest()"></object>
+<iframe id="iframe1"></iframe>
+</html>

Modified: trunk/Source/WebCore/ChangeLog (109344 => 109345)


--- trunk/Source/WebCore/ChangeLog	2012-03-01 14:46:56 UTC (rev 109344)
+++ trunk/Source/WebCore/ChangeLog	2012-03-01 15:04:36 UTC (rev 109345)
@@ -1,3 +1,22 @@
+2012-03-01  Stephen Chenney  <[email protected]>
+
+        Crash in WebCore::SVGDocumentExtensions::removeAnimationElementFromTarget
+        https://bugs.webkit.org/show_bug.cgi?id=79831
+
+        Reviewed by Eric Seidel.
+
+        Out-of-order operations in the SVGSMILElement::removedFromDocument
+        method caused its target to be removed and then re-added due to a
+        later call. This led to the target being set on the animation while
+        the target element itself was unaware. At deletion time, this caused a
+        crash (or assert in debug builds). Thanks to Abhishek Arya for help
+        with the layout test.
+
+        Test: svg/animations/smil-element-target-crash-main.html
+
+        * svg/animation/SVGSMILElement.cpp:
+        (WebCore::SVGSMILElement::removedFromDocument):
+
 2012-03-01  Ilya Tikhonovsky  <[email protected]>
 
         Web Inspector: move heap snapshot nodes data to external array.

Modified: trunk/Source/WebCore/svg/animation/SVGSMILElement.cpp (109344 => 109345)


--- trunk/Source/WebCore/svg/animation/SVGSMILElement.cpp	2012-03-01 14:46:56 UTC (rev 109344)
+++ trunk/Source/WebCore/svg/animation/SVGSMILElement.cpp	2012-03-01 15:04:36 UTC (rev 109345)
@@ -221,14 +221,17 @@
         m_timeContainer->unschedule(this);
         m_timeContainer = 0;
     }
+    // Calling disconnectConditions() may kill us if there are syncbase conditions.
+    // OK, but we don't want to die inside the call.
+    RefPtr<SVGSMILElement> keepAlive(this);
+    disconnectConditions();
+
+    // Clear target now, because disconnectConditions calls targetElement() which will recreate the target if we removed it sooner. 
     if (m_targetElement) {
         document()->accessSVGExtensions()->removeAnimationElementFromTarget(this, m_targetElement);
         m_targetElement = 0;
     }
-    // Calling disconnectConditions() may kill us if there are syncbase conditions.
-    // OK, but we don't want to die inside the call.
-    RefPtr<SVGSMILElement> keepAlive(this);
-    disconnectConditions();
+
     SVGElement::removedFromDocument();
 }

_______________________________________________
webkit-changes mailing list
[email protected]
http://lists.webkit.org/mailman/listinfo.cgi/webkit-changes