Title: [149306] trunk
Revision
149306
Author
schen...@chromium.org
Date
2013-04-29 12:56:40 -0700 (Mon, 29 Apr 2013)

Log Message

SVGElement destructor can use invalid iterator
https://bugs.webkit.org/show_bug.cgi?id=115361

Reviewed by Philip Rogers.

Source/WebCore:

When an SVGElement object has rare data, its destructor gets a
hash map iterator for the rare data, uses it to clear resources,
then uses the iterator to delete the rare data. However, the resource
cleanup can delete other SVG elements, thus modifying the hash map
from which the iterator came and hence invalidating the iterator
itself.

The fix is to re-get the iterator before deleting the rare data.

Test: svg/custom/svg-element-destructor-iteration-crash.html

* svg/SVGElement.cpp:
(WebCore::SVGElement::~SVGElement): Get a new iterator after clearing rare data.

LayoutTests:

Test asserts in Debug and should also crash in memory checking builds.

* svg/custom/svg-element-destructor-iteration-crash-expected.txt: Added.
* svg/custom/svg-element-destructor-iteration-crash.html: Added.
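As an added illustration (not WebKit's code): a constructed model of the destructor pattern described above, where the side table carries a modification counter so that reuse of an iterator across re-entrant cleanup is detected deterministically instead of only by ASan. The names RareDataMap, Element and teardownUsesStaleIterator are assumptions for this example.

```cpp
#include <cassert>
#include <cstddef>
#include <unordered_map>
#include <vector>

// Constructed model of r149306 (not WebKit code). WTF::HashMap may rehash on remove,
// so any outstanding iterator can go bad; std::unordered_map only invalidates the
// erased entry, so staleness is tracked explicitly with a generation counter.
struct Element;
struct RareData { std::vector<Element*> dependents; };  // torn down with the owner

struct RareDataMap {
    std::unordered_map<Element*, RareData*> table;
    unsigned generation = 0;                          // bumped on every structural change
    struct Iter { std::unordered_map<Element*, RareData*>::iterator it; unsigned gen; };
    Iter find(Element* e) { return { table.find(e), generation }; }
    bool stale(const Iter& i) const { return i.gen != generation; }
    void add(Element* e, RareData* r) { table[e] = r; ++generation; }
    void remove(Iter i) { table.erase(i.it); ++generation; }
};
static RareDataMap g_rareDataMap;
static bool g_reuseStaleIterator = false;  // true = reproduce the pre-fix behaviour
static bool g_staleUseDetected = false;

struct Element {
    explicit Element(bool rare) { if (rare) g_rareDataMap.add(this, new RareData); }
    ~Element() {
        RareDataMap::Iter it = g_rareDataMap.find(this);
        if (it.it == g_rareDataMap.table.end()) return;
        RareData* rareData = it.it->second;
        // Resource cleanup: each dependent's destructor removes *its own* entry from the
        // same table, which is exactly what invalidated the iterator in WebKit.
        for (Element* dep : rareData->dependents) delete dep;
        delete rareData;
        if (!g_reuseStaleIterator)
            it = g_rareDataMap.find(this);            // the fix: look the entry up again
        if (g_rareDataMap.stale(it)) {                // pre-fix path: stale iterator caught
            g_staleUseDetected = true;
            it = g_rareDataMap.find(this);            // recover so the model stays well-defined
        }
        g_rareDataMap.remove(it);
    }
};

// Tears down a root owning `n` dependents; returns true if a stale iterator was reused.
bool teardownUsesStaleIterator(std::size_t n, bool reuseStale) {
    g_reuseStaleIterator = reuseStale;
    g_staleUseDetected = false;
    Element* root = new Element(true);
    RareData* rootData = g_rareDataMap.table[root];
    for (std::size_t i = 0; i < n; ++i) rootData->dependents.push_back(new Element(true));
    delete root;
    assert(g_rareDataMap.table.empty());              // every entry must be gone afterwards
    return g_staleUseDetected;
}
```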

Diff

Modified: trunk/LayoutTests/ChangeLog (149305 => 149306)


--- trunk/LayoutTests/ChangeLog	2013-04-29 19:52:05 UTC (rev 149305)
+++ trunk/LayoutTests/ChangeLog	2013-04-29 19:56:40 UTC (rev 149306)
@@ -1,3 +1,15 @@
+2013-04-29  Stephen Chenney  <schen...@chromium.org>
+
+        SVGElement destructor can use invalid iterator
+        https://bugs.webkit.org/show_bug.cgi?id=115361
+
+        Reviewed by Philip Rogers.
+
+        Test asserts in Debug and should also crash in memory checking builds.
+
+        * svg/custom/svg-element-destructor-iteration-crash-expected.txt: Added.
+        * svg/custom/svg-element-destructor-iteration-crash.html: Added.
+
 2013-04-29  Dirk Schulze  <k...@webkit.org>
 
         Animate clip rect() between different Length types

Added: trunk/LayoutTests/svg/custom/svg-element-destructor-iteration-crash-expected.txt (0 => 149306)


--- trunk/LayoutTests/svg/custom/svg-element-destructor-iteration-crash-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/svg/custom/svg-element-destructor-iteration-crash-expected.txt	2013-04-29 19:56:40 UTC (rev 149306)
@@ -0,0 +1 @@
+PASS: WebKit did not crash in Asan or assert in Debug.

Added: trunk/LayoutTests/svg/custom/svg-element-destructor-iteration-crash.html (0 => 149306)


--- trunk/LayoutTests/svg/custom/svg-element-destructor-iteration-crash.html	                        (rev 0)
+++ trunk/LayoutTests/svg/custom/svg-element-destructor-iteration-crash.html	2013-04-29 19:56:40 UTC (rev 149306)
@@ -0,0 +1,30 @@
+<html xmlns="http://www.w3.org/1999/xhtml">
+    <script type="text/_javascript_">
+      if (window.testRunner) {
+          testRunner.dumpAsText();
+          testRunner.waitUntilDone();
+      }
+      _onload_ = function() {
+        if (location.hash != '#2') {
+          if (location.hash == '')
+            location.hash = '#1';
+          else
+            location.hash = "#" + (parseInt(location.hash.slice(1)) + 1).toString();
+          setTimeout(function(){ location.reload() }, 0);
+        } else {
+          document.body.innerText = 'PASS: WebKit did not crash in Asan or assert in Debug.';
+          if (window.testRunner)
+            testRunner.notifyDone();
+        }
+      }
+    </script>
+
+    <svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
+        <font>
+            <font-face font-family="any" id="foo"></font-face>
+            <use xlink:href=""
+               <set attributeName="text-anchor"></set>
+            </use>
+        </font>
+    </svg>
+</html>
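Review bot: As rendered here, `type="text/_javascript_"` and the `_onload_ = function()` assignment would not register a load handler in a browser, so the reload loop and the PASS line would never execute; please confirm the checked-in file reads `text/javascript` and `onload`. The `<use xlink:href=""` start tag is also missing its closing `>`; if that malformed markup is what reproduces the destructor ordering, a one-line comment saying so would stop a later cleanup from "fixing" it. Finally, the condition `location.hash != '#2'` treats any value other than `#2` as "keep reloading", so a harness that starts the page with an unexpected hash would loop forever; a `parseInt(location.hash.slice(1)) >= 2` check would be more robust.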

Modified: trunk/Source/WebCore/ChangeLog (149305 => 149306)


--- trunk/Source/WebCore/ChangeLog	2013-04-29 19:52:05 UTC (rev 149305)
+++ trunk/Source/WebCore/ChangeLog	2013-04-29 19:56:40 UTC (rev 149306)
@@ -1,3 +1,24 @@
+2013-04-29  Stephen Chenney  <schen...@chromium.org>
+
+        SVGElement destructor can use invalid iterator
+        https://bugs.webkit.org/show_bug.cgi?id=115361
+
+        Reviewed by Philip Rogers.
+
+        When an SVGElement object has rare data, its destructor gets a
+        hash map iterator for the rare data, uses it to clear resources,
+        then uses the iterator to delete the rare data. However, the resource
+        cleanup can delete other SVG elements, thus modifying the hash map
+        from which the iterator came and hence invalidating the iterator
+        itself.
+
+        The fix is to re-get the iterator before deleting the rare data.
+
+        Test: svg/custom/svg-element-destructor-iteration-crash.html
+
+        * svg/SVGElement.cpp:
+        (WebCore::SVGElement::~SVGElement): Get a new iterator after clearing rare data.
+
 2013-04-29  Brady Eidson  <beid...@apple.com>
 
         REGRESSION: We see authentication challenge sheets for favicon requests.

Modified: trunk/Source/WebCore/svg/SVGElement.cpp (149305 => 149306)


--- trunk/Source/WebCore/svg/SVGElement.cpp	2013-04-29 19:52:05 UTC (rev 149305)
+++ trunk/Source/WebCore/svg/SVGElement.cpp	2013-04-29 19:56:40 UTC (rev 149306)
@@ -77,6 +77,9 @@
             cursorImageValue->removeReferencedElement(this);
 
         delete rareData;
+
+        it = rareDataMap.find(this);
+        ASSERT(it != rareDataMap.end());
         rareDataMap.remove(it);
     }
     ASSERT(document());
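Review bot: The re-lookup after `delete rareData` is the right fix, but a comment at `it = rareDataMap.find(this);` explaining why the earlier iterator cannot be reused (clearing resources may delete other SVGElements and mutate rareDataMap, as the ChangeLog says) would keep a future tidy-up from reverting to the original iterator. Note also that `ASSERT(it != rareDataMap.end())` only guards Debug builds; in Release a failed lookup would hand `end()` to `rareDataMap.remove(it)`. Since `this` is still alive in its own destructor and the cleanup shown should never remove its entry, that is presumably unreachable, but stating that invariant in the comment (or returning early alongside the ASSERT) would make the reasoning explicit.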