haikuwebkit/LayoutTests/svg/dom/SVGAnimatedListPropertyTear...

101 lines
2.6 KiB
HTML

[SVG] Leak in SVGAnimatedListPropertyTearOff
https://bugs.webkit.org/show_bug.cgi?id=172545

Reviewed by Darin Adler.

Source/WebCore:

SVGAnimatedListPropertyTearOff maintains a vector m_wrappers with references to SVGPropertyTraits<PropertyType>::ListItemTearOff. Apart from that SVGPropertyTearOff has a reference to SVGAnimatedProperty. When SVGListProperty::getItemValuesAndWrappers() is called, it creates a SVGPropertyTraits<PropertyType>::ListItemTearOff pointing to the same SVGAnimatedProperty (a SVGAnimatedListPropertyTearOff) which stores the m_wrappers vector where the ListItemTearOff is going to be added to. This effectively creates a reference cycle between the SVGAnimatedListPropertyTearOff and all the ListItemTearOff it stores in m_wrappers.

In order to effectively break the cycle without freeing too many wrappers we should take two measures:
1) Break the reference cycle by storing raw pointers in the m_wrappers Vector
2) Remove the ListItemTearOff which is being deleted (it notifies the animated property by calling propertyWillBeDeleted) from the m_wrappers Vector.

This is a re-land of r219334 which caused early releases of custom data attribute objects added to SVG elements (wkb.ug/175023).

Tests: svg/animations/animation-leak-list-property-instances.html
       svg/dom/SVGAnimatedListPropertyTearOff-crash-2.html
       svg/dom/SVGAnimatedListPropertyTearOff-crash.html
       svg/dom/SVGAnimatedListPropertyTearOff-leak.html

* svg/properties/SVGAnimatedListPropertyTearOff.h:
* svg/properties/SVGListProperty.h:
(WebCore::SVGListProperty::getItemValuesAndWrappers):
* svg/properties/SVGListPropertyTearOff.h:
(WebCore::SVGListPropertyTearOff::removeItemFromList):

LayoutTests:

The list of newly added tests includes the one for the original bug, a new test for the regression and a couple of tests imported from Blink which verify that SVGAnimatedListPropertyTearOff does not crash after the context element goes out of scope.

* svg/animations/animation-leak-list-property-instances-expected.txt: Added.
* svg/animations/animation-leak-list-property-instances.html: Added.
* svg/dom/SVGAnimatedListPropertyTearOff-crash-2-expected.txt: Added. Imported from Blink.
* svg/dom/SVGAnimatedListPropertyTearOff-crash-2.html: Added. Imported from Blink.
* svg/dom/SVGAnimatedListPropertyTearOff-crash-expected.txt: Added. Imported from Blink.
* svg/dom/SVGAnimatedListPropertyTearOff-crash.html: Added. Imported from Blink.
* svg/dom/SVGAnimatedListPropertyTearOff-leak-expected.txt: Added.
* svg/dom/SVGAnimatedListPropertyTearOff-leak.html: Added.

Canonical link: https://commits.webkit.org/192721@main
git-svn-id: https://svn.webkit.org/repository/webkit/trunk@221292 268f45cc-cd09-0410-ab3c-d52691b4dbfc
2017-08-29 09:32:34 +00:00
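The two commit messages shown in this blame view (r221292 and r226993) describe an object graph in which the JS-visible tear-off wrappers hold a back pointer to SVGAnimatedListPropertyTearOff while it holds forward pointers to them; the first fix used raw forward pointers plus a propertyWillBeDeleted() notification, the second made every forward pointer weak and every back pointer ref-counted. The following is an added example, not WebKit code: it models that rule with std::shared_ptr/std::weak_ptr standing in for WTF::Ref/WTF::WeakPtr, uses the hypothetical names AnimatedListTearOff, ItemTearOff, CyclicOwner and CyclicItem, and checks the three properties the messages care about: strong pointers in both directions leak, a wrapper held only by JS keeps the chain connected and frees it on release, and an expired weak slot can be re-wrapped without any dangling pointer.

```cpp
// Added example (not WebKit code): forward pointers weak, back pointers strong.
#include <cassert>
#include <cstddef>
#include <memory>
#include <utility>
#include <vector>

struct ItemTearOff;

// Stands in for SVGAnimatedListPropertyTearOff ('text.x' in the commit message).
struct AnimatedListTearOff : std::enable_shared_from_this<AnimatedListTearOff> {
    std::vector<double> values;                       // the list owned by the element
    std::vector<std::weak_ptr<ItemTearOff>> wrappers; // forward pointers: weak

    explicit AnimatedListTearOff(std::vector<double> v) : values(std::move(v)) {}

    // getItem(i): return the live wrapper if JS still holds one, otherwise create it.
    std::shared_ptr<ItemTearOff> getItem(std::size_t index);

    std::size_t liveWrapperCount() const {
        std::size_t n = 0;
        for (const auto& w : wrappers)
            if (!w.expired())
                ++n;
        return n;
    }
};

// Stands in for SVGPropertyTearOff<SVGLengthValue> ('text.x.animVal.getItem(0)').
struct ItemTearOff {
    std::shared_ptr<AnimatedListTearOff> owner; // back pointer: strong, keeps the chain connected
    std::size_t index;

    ItemTearOff(std::shared_ptr<AnimatedListTearOff> o, std::size_t i)
        : owner(std::move(o)), index(i) {}

    double value() const { return owner->values[index]; }
    // The one-direction binding: a write through the item reaches the owner's list.
    void setValue(double v) { owner->values[index] = v; }
};

std::shared_ptr<ItemTearOff> AnimatedListTearOff::getItem(std::size_t index) {
    if (index >= values.size())
        return nullptr;
    if (wrappers.size() < values.size())
        wrappers.resize(values.size());
    if (auto existing = wrappers[index].lock()) // lock() yields null, never a dangling pointer
        return existing;
    auto item = std::make_shared<ItemTearOff>(shared_from_this(), index);
    wrappers[index] = item; // stored weakly: the wrapper lives only while JS references it
    return item;
}

// The shape the commit message rules out: strong pointers in both directions
// form a cycle, so an owner with even one wrapper is never freed.
struct CyclicItem;
struct CyclicOwner {
    std::vector<std::shared_ptr<CyclicItem>> wrappers; // forward pointers: strong (the bug)
};
struct CyclicItem {
    std::shared_ptr<CyclicOwner> owner;                // back pointer: strong
};

// True if the owner outlives every external handle, i.e. it leaked.
bool strongForwardPointersLeak() {
    std::weak_ptr<CyclicOwner> observer;
    {
        auto owner = std::make_shared<CyclicOwner>();
        observer = owner;
        auto item = std::make_shared<CyclicItem>();
        item->owner = owner;
        owner->wrappers.push_back(item);
    }
    bool leaked = !observer.expired();
    if (auto still = observer.lock())
        still->wrappers.clear(); // break the cycle by hand so the model itself does not leak
    return leaked;
}

// JS keeps only the item: the strong back pointer keeps 'text.x' alive, the binding
// still works, and dropping the item frees the whole chain.
bool itemKeepsOwnerAliveThenFrees() {
    std::weak_ptr<AnimatedListTearOff> observer;
    std::shared_ptr<ItemTearOff> item;
    {
        auto owner = std::make_shared<AnimatedListTearOff>(std::vector<double>{10.0, 20.0, 30.0});
        observer = owner;
        item = owner->getItem(1);
    } // the 'text.x' handle is gone; only 'item' remains
    bool ownerAlive = !observer.expired();
    item->setValue(25.0);
    bool bound = item->owner->values[1] == 25.0;
    item.reset(); // JS drops the item
    return ownerAlive && bound && observer.expired();
}

// Weak forward pointers expire instead of dangling, so no propertyWillBeDeleted()
// bookkeeping is needed and getItem() can safely re-wrap the slot.
bool droppedWrapperExpiresCleanly() {
    auto owner = std::make_shared<AnimatedListTearOff>(std::vector<double>{1.0, 2.0});
    auto a = owner->getItem(0);
    bool sameInstance = owner->getItem(0).get() == a.get();
    a.reset();
    bool expired = owner->wrappers[0].expired();
    bool rewrapped = owner->getItem(0)->value() == 1.0;
    return sameInstance && expired && rewrapped && owner->liveWrapperCount() == 0;
}

int main() {
    assert(strongForwardPointersLeak());
    assert(itemKeepsOwnerAliveThenFrees());
    assert(droppedWrapperExpiresCleanly());
    return 0;
}
```

The point of the model is the asymmetry: the strong back pointer is what keeps `item` bound to `text.x` after the script drops its handle to the element's property, and the weak forward pointer is what lets the item die when the script drops it, with `lock()` replacing the hand-maintained `propertyWillBeDeleted()` clearing that the second commit message calls error-prone.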
<!DOCTYPE html>
<style>
body {
overflow: hidden;
}
#svg {
width: 100%;
height: 100%;
}
#current-transform {
height: 30px;
}
#is-same-instance {
width: 30px;
height: 30px;
background-color: green;
}
</style>
<p id="description"></p>
<div id="console"></div>
<body onload="runTest()">
<div id="current-transform">translate(0, 0)</div>
<div id="is-same-instance"></div>
<div id="svg-container">
<svg id="svg" xmlns="http://www.w3.org/2000/svg" version="1.1">
<g transform="translate(0, 0)">
<rect width="100" height="100" fill="green"></rect>
</g>
</svg>
</div>
</body>
<script src="../../resources/js-test-pre.js"></script>
<script>
REGRESSION(r221292): svg/animations/animateTransform-pattern-transform.html crashes with security assertion
https://bugs.webkit.org/show_bug.cgi?id=179986

Reviewed by Simon Fraser.

Source/WebCore:

This patch reverts all or parts of the following change-sets
<http://trac.webkit.org/changeset/221292>
<http://trac.webkit.org/changeset/197967>
<http://trac.webkit.org/changeset/196670>

A JS statement like this:
    var item = text.x.animVal.getItem(0);
Creates the following C++ objects:
    SVGAnimatedListPropertyTearOff<SVGLengthListValues> for 'text.x'
    SVGListPropertyTearOff<SVGLengthListValues> for 'text.x.animVal'
    SVGPropertyTearOff<SVGLengthValue> for 'text.x.animVal.getItem(0)'

If 'item' changes, the attribute 'x' of the element '<text>' will change as well. But this binding works only in one direction. If the attribute 'x' of the element '<text>' changes, e.g.:
    text.setAttribute('x', '10,20,30');
This will detach 'item' from the element <text> and any further changes in 'item' won't affect the attribute 'x' of element <text>.

The one direction binding can only work if this chain of tear-off objects is kept connected. This is implemented by RefCounted back pointers from SVGPropertyTearOff and SVGListPropertyTearOff to SVGAnimatedListPropertyTearOff.

The security crashes and the memory leaks are happening because of the raw forward pointers:
-- SVGAnimatedListPropertyTearOff maintains raw pointers of type SVGListPropertyTearOff for m_baseVal and m_animVal
-- The m_wrappers and m_animatedWrappers of SVGAnimatedListPropertyTearOff are vectors of raw pointer Vector<SVGLength*>

To control the life cycle of the raw pointers, SVGListPropertyTearOff and SVGPropertyTearOff call SVGAnimatedListPropertyTearOff::propertyWillBeDeleted() to notify it they are going to be deleted. In propertyWillBeDeleted(), we clear the pointers so they are not used after being freed. This mechanism has been error-prone and we've never got it 100% right.

The solution we need to adopt with SVG tear-off objects is the following:
-- All the forward pointers should be weak pointers.
-- All the back pointers should be ref pointers.

This solution may not look intuitive but it solves the bugs and keeps the one direction binding. The forward weak pointers allow the tear-off objects to go away if no reference from JS exists. The back ref pointers maintain the chain of objects and guarantee the correct binding.

* svg/SVGPathSegList.h:
* svg/SVGTransformList.h:
* svg/properties/SVGAnimatedListPropertyTearOff.h:
(WebCore::SVGAnimatedListPropertyTearOff::baseVal):
(WebCore::SVGAnimatedListPropertyTearOff::animVal):
* svg/properties/SVGAnimatedPathSegListPropertyTearOff.h:
* svg/properties/SVGAnimatedProperty.h:
(WebCore::SVGAnimatedProperty::isAnimatedListTearOff const):
(WebCore::SVGAnimatedProperty::propertyWillBeDeleted): Deleted.
* svg/properties/SVGAnimatedPropertyTearOff.h:
* svg/properties/SVGAnimatedTransformListPropertyTearOff.h:
* svg/properties/SVGListProperty.h:
(WebCore::SVGListProperty::initializeValuesAndWrappers):
(WebCore::SVGListProperty::getItemValuesAndWrappers):
(WebCore::SVGListProperty::insertItemBeforeValuesAndWrappers):
(WebCore::SVGListProperty::replaceItemValuesAndWrappers):
(WebCore::SVGListProperty::removeItemValuesAndWrappers):
(WebCore::SVGListProperty::appendItemValuesAndWrappers):
(WebCore::SVGListProperty::createWeakPtr const):
* svg/properties/SVGListPropertyTearOff.h:
(WebCore::SVGListPropertyTearOff::removeItemFromList):
(WebCore::SVGListPropertyTearOff::~SVGListPropertyTearOff): Deleted.
* svg/properties/SVGPropertyTearOff.h:
(WebCore::SVGPropertyTearOff::createWeakPtr const):
(WebCore::SVGPropertyTearOff::~SVGPropertyTearOff):

LayoutTests:

* svg/dom/SVGAnimatedListPropertyTearOff-leak.html:

Canonical link: https://commits.webkit.org/197539@main
git-svn-id: https://svn.webkit.org/repository/webkit/trunk@226993 268f45cc-cd09-0410-ab3c-d52691b4dbfc
2018-01-16 20:21:28 +00:00
description("This test checks that custom data attributes are not lost due to GC while still referenced.");
let iterations = 0;
let currentScaling = 1
const gElement = document.getElementById('svg').firstElementChild
const transform = document.getElementById('current-transform')
if (window.testRunner) {
testRunner.dumpAsText();
testRunner.waitUntilDone();
}
function checkCache() {
let cache = gElement["data-transform-cache"];
shouldBeCloseTo(cache.matrix.a.toString(), 0.5, 0.000000001);
shouldBe(cache.matrix.b.toString(), "0");
shouldBe(cache.matrix.c.toString(), "0");
shouldBeCloseTo(cache.matrix.d.toString(), 0.5, 0.000000001);
shouldBe(cache.matrix.e.toString(), "0");
shouldBe(cache.matrix.f.toString(), "0");
}
function runTest() {
    // Shrink the scale a little on every round so each write is observable.
    currentScaling -= 0.1;
    const matrix = {
        elements: [currentScaling, 0, 0, currentScaling, 0, 0]
    };
    // Write the new matrix through the cached SVGTransform wrapper (see setMatrix below).
    setMatrix(gElement, matrix);
    // 'transform' is assumed to be the output element declared earlier in this page
    // (not shown here), reached through the window's named element access.
    transform.innerHTML = matrix.elements.toString();
    // Run a few rounds, forcing GC twice between rounds: a wrapper that the engine
    // released too early would be collected here and the identity check in
    // setMatrix would then fail on the next round.
    if (++iterations < 5) {
        gc();
        gc();
        runTest();
    } else {
        checkCache();
        if (window.testRunner)
            testRunner.notifyDone();
    }
}
function setMatrix(element, matrix) {
    const elements = matrix.elements;
    // The SVGTransform wrapper is kept in a custom (expando) property on the SVG
    // element; the early release of objects held this way is what wkb.ug/175023
    // tracked.
    let cache = element["data-transform-cache"];
    if (!cache) {
        cache = element.transform.baseVal.getItem(0);
        element["data-transform-cache"] = cache;
    } else if (cache !== element.transform.baseVal.getItem(0)) {
        // While JS still holds the wrapper, getItem(0) must hand back that same
        // instance, not a fresh one built over the list item.
        console.log("FAIL: " + cache + " should be " + element.transform.baseVal.getItem(0) + " but is not.");
        document.getElementById('is-same-instance').style.backgroundColor = 'red';
    }
    // Writes through the cached wrapper must still reach the element's transform.
    const m = cache.matrix;
    m.a = elements[0];
    m.b = elements[1];
    m.c = elements[2];
    m.d = elements[3];
    m.e = elements[4];
    m.f = elements[5];
}
</script>
<script src="../../resources/js-test-post.js"></script>
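The ownership rule the r226993 commit message lays out (weak forward pointers from the animated list to its item wrappers, ref-counted back pointers from each wrapper to the list) and the identity check that setMatrix() performs, modelled as an added C++ example. This is not WebKit code: std::shared_ptr stands in for WebKit's RefPtr, std::weak_ptr for its WeakPtr, the list holds plain ints instead of SVGLength values, and every class and function name below is hypothetical. The four scenario functions cover the stable wrapper identity the layout test checks, the absence of a reference cycle, the one-direction binding with detach on setAttribute, and the raw-pointer failure mode (a forward slot that outlives its wrapper) rendered harmless by the weak pointer.

```cpp
// Added example, not WebKit code. Names are hypothetical; std::shared_ptr models
// RefPtr (strong back pointers), std::weak_ptr models WeakPtr (weak forward pointers).
#include <cstdio>
#include <memory>
#include <utility>
#include <vector>

struct AnimatedListTearOff;

// Models SVGPropertyTearOff: one list item handed out to JS by getItem().
struct ItemTearOff {
    std::shared_ptr<AnimatedListTearOff> list; // back pointer: strong, keeps the chain connected
    size_t index = 0;                          // slot in list->values while attached
    int detachedValue = 0;                     // private copy once setAttribute() detached us
    int value() const;
    void setValue(int v);
};

// Models SVGAnimatedListPropertyTearOff: owns the values and the wrapper table.
struct AnimatedListTearOff : std::enable_shared_from_this<AnimatedListTearOff> {
    std::vector<int> values;
    // Forward pointers are weak: they never extend a wrapper's lifetime (no cycle, so
    // no leak) and lock() yields null, never a dangling pointer, once the wrapper is gone.
    std::vector<std::weak_ptr<ItemTearOff>> wrappers;

    explicit AnimatedListTearOff(std::vector<int> v)
        : values(std::move(v)), wrappers(values.size()) {}

    // Returns the live wrapper if JS still holds one, otherwise builds a fresh one.
    std::shared_ptr<ItemTearOff> getItem(size_t i) {
        if (auto live = wrappers.at(i).lock())
            return live;
        auto item = std::make_shared<ItemTearOff>();
        item->list = shared_from_this();
        item->index = i;
        wrappers[i] = item;
        return item;
    }

    // Models element.setAttribute('x', ...): outstanding wrappers are detached and keep
    // their current value; then the list is replaced and the wrapper table reset.
    void setAttribute(std::vector<int> v) {
        // A wrapper's back pointer may be the only strong reference to *this; resetting
        // it below must not free the object whose member function is executing.
        auto keepAlive = shared_from_this();
        (void)keepAlive;
        for (auto& w : wrappers) {
            if (auto item = w.lock()) {
                item->detachedValue = values[item->index];
                item->list.reset();
            }
        }
        values = std::move(v);
        wrappers.clear();
        wrappers.resize(values.size());
    }
};

int ItemTearOff::value() const { return list ? list->values[index] : detachedValue; }
void ItemTearOff::setValue(int v) { if (list) list->values[index] = v; else detachedValue = v; }

// What the layout test above checks: getItem(0) keeps returning the cached wrapper
// instance for as long as a reference to it is held.
bool sameInstanceWhileHeld() {
    auto list = std::make_shared<AnimatedListTearOff>(std::vector<int>{10, 20, 30});
    auto cache = list->getItem(0);
    return cache == list->getItem(0) && cache == list->getItem(0);
}

// No cycle: the wrapper's back pointer keeps the list alive while JS holds the
// wrapper, and both objects are freed once that last handle is dropped.
bool noLeakWhenReleased() {
    std::weak_ptr<AnimatedListTearOff> observer;
    {
        auto list = std::make_shared<AnimatedListTearOff>(std::vector<int>{10, 20, 30});
        observer = list;
        auto item = list->getItem(1);
        list.reset();                 // 'text.x' handle gone; item still holds the list
        if (observer.expired())
            return false;
    }
    return observer.expired();
}

// One-direction binding: item -> attribute is live, attribute -> item detaches.
bool bindingAndDetach() {
    auto list = std::make_shared<AnimatedListTearOff>(std::vector<int>{10, 20, 30});
    auto item = list->getItem(0);
    item->setValue(15);
    if (list->values[0] != 15)
        return false;
    list->setAttribute({1, 2, 3});
    item->setValue(99);               // no longer reaches the list
    return list->values[0] == 1 && item->value() == 99 && list->getItem(0) != item;
}

// The raw-pointer failure mode, made safe: once JS drops a wrapper its forward slot
// is merely expired, so the next getItem() builds a new wrapper instead of touching
// freed memory.
bool noDanglingForwardPointer() {
    auto list = std::make_shared<AnimatedListTearOff>(std::vector<int>{10, 20, 30});
    auto first = list->getItem(2);
    first.reset();
    if (!list->wrappers[2].expired())
        return false;
    return list->getItem(2)->value() == 30;
}

int main() {
    std::printf("same instance while held: %d\n", sameInstanceWhileHeld());
    std::printf("no leak when released:    %d\n", noLeakWhenReleased());
    std::printf("binding and detach:       %d\n", bindingAndDetach());
    std::printf("no dangling forward ptr:  %d\n", noDanglingForwardPointer());
    return 0;
}
```

The keepAlive line in setAttribute() is the part worth pausing on: with ref-counted back pointers, clearing a wrapper's back pointer can drop the list's last reference, so any code that detaches wrappers from inside the list itself has to hold its own reference for the duration of the call.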