[SCM] WebKit Debian packaging branch, debian/unstable, updated. debian/1.2.3-2-25-gb2c19be

Gustavo Noronha Silva gns at gnome.org
Mon Sep 6 13:09:44 UTC 2010


The following commit has been merged in the debian/unstable branch:
commit ed3c7278abc3bc0dfacf3f22ea48a708530f5f3d
Author: zimmermann at webkit.org <zimmermann at webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Date:   Mon Jul 5 12:27:35 2010 +0000

    2010-07-05  Nikolas Zimmermann  <nzimmermann at rim.com>
    
            Reviewed by Darin Adler.
    
            Memory corruption with SVG <use> element
            https://bugs.webkit.org/show_bug.cgi?id=40994
    
            Fix race condition in svgAttributeChanged. Never call svgAttributeChanged() from attributeChanged()
            when we're synchronizing SVG attributes. It leads to either unnecessary extra work being done or
            crashes. Especially together with <polyline>/<polygon> which always synchronize the SVGAnimatedPoints
            data structure with the points attribute, no matter if there are changes or not. This should be
            further optimized, but this fix is sane and fixes the root of the evil races.
    
            Test: svg/custom/use-property-synchronization-crash.svg
    
            * svg/SVGElement.cpp:
            (WebCore::SVGElement::attributeChanged):
    
    git-svn-id: http://svn.webkit.org/repository/webkit/trunk@62482 268f45cc-cd09-0410-ab3c-d52691b4dbfc
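The re-entrancy the commit message describes, as an added toy model (not WebKit code): an element mirrors an animated value into its attribute map lazily, the mirroring removes the stale attribute, and that removal fires attributeChanged(), which without the flag would re-enter the synchronization. ToyElement, synchronizing, depth and maxSyncDepth are hypothetical stand-ins for SVGElement, m_synchronizingSVGAttributes and the synchronizer path.

```cpp
// Toy model of the re-entrancy hazard in the commit message. Added illustration,
// not WebKit code: names are hypothetical stand-ins for SVGElement,
// m_synchronizingSVGAttributes and the attribute-synchronization path.
#include <map>
#include <string>
#include <vector>

struct ToyElement {
    std::map<std::string, std::string> attributes; // the XML attribute map
    std::vector<int> animatedPoints;               // the animated "SVG DOM" value
    bool synchronizing = false;                    // stands in for m_synchronizingSVGAttributes
    bool guarded;                                  // false = before the fix, true = after
    int depth = 0, maxDepth = 0;                   // how deeply synchronize() re-enters itself
    explicit ToyElement(bool g) : guarded(g) {}

    // Fired for every attribute-map mutation, like SVGElement::attributeChanged().
    void attributeChanged(const std::string& name) {
        if (guarded && synchronizing)
            return; // the fix: a change caused by synchronization is not a real change
        svgAttributeChanged(name);
    }
    // Reacts to an SVG attribute change. The toy has it re-read the attribute,
    // which forces synchronization again; that is the re-entrancy.
    void svgAttributeChanged(const std::string& name) { (void)getAttribute(name); }

    // Readers see the attribute map only after it has been brought up to date.
    std::string getAttribute(const std::string& name) {
        synchronize();
        return attributes[name];
    }
    void synchronize() {
        if (++depth > maxDepth) maxDepth = depth;
        if (depth > 8) { --depth; return; }        // toy-only cap on the unbounded recursion
        bool wasSynchronizing = synchronizing;
        synchronizing = true;                      // set for the duration of the sync
        attributes.erase("points");                // like removeAttribute(): fires attributeChanged()
        attributeChanged("points");
        std::string serialized;
        for (int p : animatedPoints) serialized += std::to_string(p) + " ";
        attributes["points"] = serialized;
        synchronizing = wasSynchronizing;
        --depth;
    }
};

// Deepest synchronize() nesting reached by a single read of "points".
int maxSyncDepth(bool guarded) {
    ToyElement e(guarded);
    e.animatedPoints = {0, 1, 2};
    e.getAttribute("points");
    return e.maxDepth;
}
```

Without the guard the read re-enters synchronize() until the toy's depth cap stops it; with the guard a single read synchronizes exactly once.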

diff --git a/LayoutTests/ChangeLog b/LayoutTests/ChangeLog
index a615fe9..19e349a 100644
--- a/LayoutTests/ChangeLog
+++ b/LayoutTests/ChangeLog
@@ -1,3 +1,15 @@
+2010-07-05  Nikolas Zimmermann  <nzimmermann at rim.com>
+
+        Reviewed by Darin Adler.
+
+        Memory corruption with SVG <use> element
+        https://bugs.webkit.org/show_bug.cgi?id=40994
+
+        * platform/mac/svg/custom/use-property-synchronization-crash-expected.checksum: Added.
+        * platform/mac/svg/custom/use-property-synchronization-crash-expected.png: Added.
+        * platform/mac/svg/custom/use-property-synchronization-crash-expected.txt: Added.
+        * svg/custom/use-property-synchronization-crash.svg: Added.
+
 2010-07-02  Peter Varga  <pvarga at inf.u-szeged.hu>
 
         Reviewed by Oliver Hunt.
diff --git a/LayoutTests/platform/mac-tiger/svg/custom/mask-excessive-malloc-expected.checksum b/LayoutTests/platform/mac/svg/custom/use-property-synchronization-crash-expected.checksum
similarity index 100%
copy from LayoutTests/platform/mac-tiger/svg/custom/mask-excessive-malloc-expected.checksum
copy to LayoutTests/platform/mac/svg/custom/use-property-synchronization-crash-expected.checksum
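Review bot: the new pixel expectation is a byte-for-byte copy (similarity index 100%) of mask-excessive-malloc-expected.checksum, so the checksum only asserts "nothing rendered", which matches the 0x0 render tree but makes the pixel test weak as a regression check; the crash test's real value is the run completing at all. The ChangeLog also lists use-property-synchronization-crash-expected.png as Added, but no hunk for that binary appears in this mail, so confirm the PNG landed with the commit.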
diff --git a/LayoutTests/platform/mac/svg/custom/use-property-synchronization-crash-expected.txt b/LayoutTests/platform/mac/svg/custom/use-property-synchronization-crash-expected.txt
new file mode 100644
index 0000000..8523806
--- /dev/null
+++ b/LayoutTests/platform/mac/svg/custom/use-property-synchronization-crash-expected.txt
@@ -0,0 +1,13 @@
+CONSOLE MESSAGE: line 5: Error: Problem parsing points="0"
+layer at (0,0) size 800x600
+  RenderView at (0,0) size 800x600
+layer at (0,0) size 800x600
+  RenderSVGRoot {svg} at (0,0) size 800x600
+    RenderSVGContainer {g} at (0,0) size 0x0
+      RenderSVGContainer {g} at (0,0) size 0x0
+        RenderPath {polyline} at (0,0) size 0x0 [fill={[type=SOLID] [color=#000000]}] [data=""]
+      RenderSVGContainer {use} at (0,0) size 0x0
+        RenderSVGContainer {g} at (0,0) size 0x0
+          RenderSVGContainer {g} at (0,0) size 0x0
+            RenderPath {polyline} at (0,0) size 0x0 [fill={[type=SOLID] [color=#000000]}] [data=""]
+    RenderSVGContainer {g} at (0,0) size 0x0
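Review bot: the expectation is added only under platform/mac while the test itself lives in the cross-platform svg/custom directory, so every other port (including the GTK build this Debian branch packages) will fail the new test until it adds its own expected.txt or skips it; consider adding a generic expectation or noting the follow-up in the ChangeLog. The leading "CONSOLE MESSAGE: line 5: Error: Problem parsing points="0"" line is also platform-neutral text and will have to be reproduced in any per-port copy.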
diff --git a/LayoutTests/svg/custom/use-property-synchronization-crash.svg b/LayoutTests/svg/custom/use-property-synchronization-crash.svg
new file mode 100644
index 0000000..6c3f4a2
--- /dev/null
+++ b/LayoutTests/svg/custom/use-property-synchronization-crash.svg
@@ -0,0 +1,10 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" version="1.1">
+  <g>
+    <g id="setOneRef">
+        <polyline points="0"/>
+    </g>
+    <use xlink:href="#setOneRef"/>
+  </g>
+  <g/>
+</svg>
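Review bot: the test carries no comment saying what it reproduces, and the invalid points="0" (which produces the parse error in expected.txt) and the <use> of the group look accidental without one; add an XML comment referencing https://bugs.webkit.org/show_bug.cgi?id=40994 and stating that the test passes if it does not crash, so a later cleanup does not "fix" the points value and silently lose the reproduction.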
diff --git a/WebCore/ChangeLog b/WebCore/ChangeLog
index 3429101..cc8cff2 100644
--- a/WebCore/ChangeLog
+++ b/WebCore/ChangeLog
@@ -1,3 +1,21 @@
+2010-07-05  Nikolas Zimmermann  <nzimmermann at rim.com>
+
+        Reviewed by Darin Adler.
+
+        Memory corruption with SVG <use> element
+        https://bugs.webkit.org/show_bug.cgi?id=40994
+
+        Fix race condition in svgAttributeChanged. Never call svgAttributeChanged() from attributeChanged()
+        when we're synchronizing SVG attributes. It leads to either unnecessary extra work being done or
+        crashes. Especially together with <polyline>/<polygon> which always synchronize the SVGAnimatedPoints
+        datastructure with the points attribute, no matter if there are changes are not. This should be
+        furhter optimized, but this fix is sane and fixes the root of the evil races.
+
+        Test: svg/custom/use-property-synchronization-crash.svg
+
+        * svg/SVGElement.cpp:
+        (WebCore::SVGElement::attributeChanged):
+
 2010-07-01  Justin Schuh  <jschuh at chromium.org>
 
         Reviewed by Dan Bernstein.
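Review bot: the ChangeLog entry has typos worth fixing before landing: "no matter if there are changes are not" should read "changes or not", "furhter" should be "further", and "datastructure" is two words. The description also says svgAttributeChanged() must never be called from attributeChanged() while synchronizing, but does not name the flag that enforces it; mentioning m_synchronizingSVGAttributes here would tie the entry to the code change.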
diff --git a/WebCore/svg/SVGElement.cpp b/WebCore/svg/SVGElement.cpp
index 198e638..89b8919 100644
--- a/WebCore/svg/SVGElement.cpp
+++ b/WebCore/svg/SVGElement.cpp
@@ -304,6 +304,15 @@ void SVGElement::attributeChanged(Attribute* attr, bool preserveDecls)
         return;
 
     StyledElement::attributeChanged(attr, preserveDecls);
+
+    // When an animated SVG property changes through SVG DOM, svgAttributeChanged() is called, not attributeChanged().
+    // Next time someone tries to access the XML attributes, the synchronization code starts. During that synchronization
+    // SVGAnimatedPropertySynchronizer may call NamedNodeMap::removeAttribute(), which in turn calls attributeChanged().
+    // At this point we're not allowed to call svgAttributeChanged() again - it may lead to extra work being done, or crashes
+    // see bug https://bugs.webkit.org/show_bug.cgi?id=40994.
+    if (m_synchronizingSVGAttributes)
+        return;
+
     svgAttributeChanged(attr->name());
 }
 
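Review bot: the new early return reads m_synchronizingSVGAttributes, but nothing in this diff sets or clears it, so the fix depends on the synchronizer setting the flag around every path that can reach NamedNodeMap::removeAttribute(); confirm the flag is set for all of them and reset on every exit from the synchronization (including early returns), since a flag left set would silently suppress svgAttributeChanged() for genuine changes from then on. Two smaller points on the comment: "or crashes see bug" needs punctuation ("or crashes; see bug"), and it is worth stating that the return is intentionally placed after StyledElement::attributeChanged() so the style-side processing still runs during synchronization.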

-- 
WebKit Debian packaging
