[SCM] WebKit Debian packaging branch, webkit-1.2, updated. upstream/1.1.90-6072-g9a69373

eric at webkit.org eric at webkit.org
Wed Apr 7 23:39:55 UTC 2010


The following commit has been merged in the webkit-1.2 branch:
commit 19617a7688ecff12ef67fbda254a3bca78d8d5e0
Author: eric at webkit.org <eric at webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Date:   Fri Nov 13 19:56:43 2009 +0000

    2009-11-13  Vitaly Repeshko  <vitalyr at chromium.org>
    
            Reviewed by Dimitri Glazkov.
    
            [V8] Protect SVG animated properties from destruction in bindings.
            https://bugs.webkit.org/show_bug.cgi?id=31474
    
            See http://crbug.com/26719.
    
            Tested by LayoutTests/svg/custom/js-update-transform-addition.svg
            under Valgrind.
    
            Made sure we keep a reference to SVG properties while setting a
            context:
            * bindings/scripts/CodeGeneratorV8.pm:
            * bindings/v8/V8Proxy.h:
            (WebCore::V8Proxy::withSVGContext):
    
    git-svn-id: http://svn.webkit.org/repository/webkit/trunk@50958 268f45cc-cd09-0410-ab3c-d52691b4dbfc

diff --git a/WebCore/ChangeLog b/WebCore/ChangeLog
index 548ad42..18714af 100644
--- a/WebCore/ChangeLog
+++ b/WebCore/ChangeLog
@@ -1,3 +1,21 @@
+2009-11-13  Vitaly Repeshko  <vitalyr at chromium.org>
+
+        Reviewed by Dimitri Glazkov.
+
+        [V8] Protect SVG animated properties from destruction in bindings.
+        https://bugs.webkit.org/show_bug.cgi?id=31474
+
+        See http://crbug.com/26719.
+
+        Tested by LayoutTests/svg/custom/js-update-transform-addition.svg
+        under Valgrind.
+
+        Made sure we keep a reference to SVG properties while setting a
+        context:
+        * bindings/scripts/CodeGeneratorV8.pm:
+        * bindings/v8/V8Proxy.h:
+        (WebCore::V8Proxy::withSVGContext):
+
 2009-11-13  Brent Fulgham  <bfulgham at webkit.org>
 
         Reviewed by Alexey Proskuryakov.
diff --git a/WebCore/bindings/scripts/CodeGeneratorV8.pm b/WebCore/bindings/scripts/CodeGeneratorV8.pm
index 18141d6..a41f648 100644
--- a/WebCore/bindings/scripts/CodeGeneratorV8.pm
+++ b/WebCore/bindings/scripts/CodeGeneratorV8.pm
@@ -646,8 +646,8 @@ END
         if ($attrIsPodType) {
             $resultObject = "wrapper";
         }
-        $resultObject = "WTF::getPtr(" . $resultObject . ")";
-        push(@implContentDecls, GenerateSVGContextAssignment($implClassName, $resultObject, "    "));
+        push(@implContentDecls, GenerateSVGContextRetrieval($implClassName, "    "));
+        $result = "V8Proxy::withSVGContext($resultObject, context)";
     }
 
     if ($attrIsPodType) {
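Review bot: The new `$result = "V8Proxy::withSVGContext($resultObject, context)";` line drops the previous `WTF::getPtr(...)` wrapping without recording why, and the distinction is the whole fix: a PassRefPtr-valued `$resultObject` selects the template overload that keeps the object alive until it is wrapped, while a raw-pointer `$resultObject` falls through to the `void*` overload and gets no lifetime protection at all. A short comment above the assignment would make that contract visible to the next generator change, e.g. `# Route the result through withSVGContext so a PassRefPtr-returning getter keeps its object alive until it is wrapped; raw pointers get no lifetime protection here.` `GenerateSVGContextRetrieval` is neither defined nor renamed in this patch, so I assume it already exists in the generator. The enclosing subroutine starts and ends outside the hunk, so how `$result` is consumed downstream (including the POD branch that follows) cannot be checked from here.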
diff --git a/WebCore/bindings/v8/V8Proxy.h b/WebCore/bindings/v8/V8Proxy.h
index 99ae1f2..e299d62 100644
--- a/WebCore/bindings/v8/V8Proxy.h
+++ b/WebCore/bindings/v8/V8Proxy.h
@@ -177,6 +177,33 @@ namespace WebCore {
 #if ENABLE(SVG)
         static void setSVGContext(void*, SVGElement*);
         static SVGElement* svgContext(void*);
+
+        // These helper functions are required in case we are given a PassRefPtr
+        // to a (possibly) newly created object and must prevent its reference
+        // count from dropping to zero as would happen in code like
+        //
+        //   V8Proxy::setSVGContext(imp->getNewlyCreatedObject().get(), context);
+        //   foo(imp->getNewlyCreatedObject().get());
+        //
+        // In the above two lines each time getNewlyCreatedObject() is called it
+        // creates a new object because we don't ref() it. (So our attemts to
+        // associate a context with it fail.) Such code should be rewritten to
+        //
+        //   foo(V8Proxy::withSVGContext(imp->getNewlyCreatedObject(), context).get());
+        //
+        // where PassRefPtr::~PassRefPtr() is invoked only after foo() is
+        // called.
+        template <typename T>
+        static PassRefPtr<T> withSVGContext(PassRefPtr<T> object, SVGElement* context)
+        {
+            setSVGContext(object.get(), context);
+            return object;
+        }
+        static void* withSVGContext(void* object, SVGElement* context)
+        {
+            setSVGContext(object, context);
+            return object;
+        }
 #endif
 
         void setEventHandlerLineNumber(int lineNumber) { m_handlerLineNumber = lineNumber; }
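Review bot: The `static void* withSVGContext(void* object, SVGElement* context)` overload offers none of the lifetime protection the block comment above describes — a raw `void*` carries no reference, so a caller that writes `withSVGContext(imp->getNewlyCreatedObject().get(), context)` still sees the object freed before the context is used, which is precisely the use-after-free this change is meant to close. I would document the restriction on that overload, `// Raw-pointer overload: gives no lifetime guarantee. Only use when the caller already owns a reference to object (e.g. it is held by imp).`, so the PassRefPtr overload is clearly the one generated code should hit. Whether `setSVGContext` tolerates a null `object.get()` from a getter that returns an empty PassRefPtr is not visible here; if it does not, an early return on null in the template overload would avoid registering a null key. The comment also has a typo: `attemts` should read `attempts`. The enclosing class and namespace start and end outside the hunk.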
