Title: [135719] trunk
Revision: 135719
Author: fmal...@chromium.org
Date: 2012-11-26 07:03:36 -0800 (Mon, 26 Nov 2012)
Log Message
RenderSVGResourceContainer does not clear cached data on removal
https://bugs.webkit.org/show_bug.cgi?id=102620
Reviewed by Dirk Schulze.
Source/WebCore:
RenderSVGResourceContainer::removeClient needs to also remove the client from specialized
caches, otherwise we can end up with stale references.
Test: svg/custom/stale-resource-data-crash.svg
* rendering/svg/RenderSVGResourceContainer.cpp:
(WebCore::RenderSVGResourceContainer::removeClient):
LayoutTests:
* svg/custom/stale-resource-data-crash-expected.txt: Added.
* svg/custom/stale-resource-data-crash.svg: Added.
Diff
Modified: trunk/LayoutTests/ChangeLog (135718 => 135719)
--- trunk/LayoutTests/ChangeLog 2012-11-26 15:01:24 UTC (rev 135718)
+++ trunk/LayoutTests/ChangeLog 2012-11-26 15:03:36 UTC (rev 135719)
@@ -1,3 +1,13 @@
+2012-11-26 Florin Malita <fmal...@chromium.org>
+
+ RenderSVGResourceContainer does not clear cached data on removal
+ https://bugs.webkit.org/show_bug.cgi?id=102620
+
+ Reviewed by Dirk Schulze.
+
+ * svg/custom/stale-resource-data-crash-expected.txt: Added.
+ * svg/custom/stale-resource-data-crash.svg: Added.
+
2012-11-26 'Pavel Feldman' <pfeld...@chromium.org>
Not reviewed: rolling out r135714 and r135712 for breaking debug tests.
Added: trunk/LayoutTests/svg/custom/stale-resource-data-crash-expected.txt (0 => 135719)
--- trunk/LayoutTests/svg/custom/stale-resource-data-crash-expected.txt (rev 0)
+++ trunk/LayoutTests/svg/custom/stale-resource-data-crash-expected.txt 2012-11-26 15:03:36 UTC (rev 135719)
@@ -0,0 +1,2 @@
+PASS: did not crash.
+
Added: trunk/LayoutTests/svg/custom/stale-resource-data-crash.svg (0 => 135719)
--- trunk/LayoutTests/svg/custom/stale-resource-data-crash.svg (rev 0)
+++ trunk/LayoutTests/svg/custom/stale-resource-data-crash.svg 2012-11-26 15:03:36 UTC (rev 135719)
@@ -0,0 +1,32 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<svg id="svg" xmlns:xlink="http://www.w3.org/1999/xlink" xmlns="http://www.w3.org/2000/svg">
+ <defs id="defs">
+ <filter id="f1">
+ <feDiffuseLighting>
+ <feDistantLight azimuth="45" id="light"/>
+ </feDiffuseLighting>
+ </filter>
+ <filter id="f2"/>
+ </defs>
+ <image id="img" filter="url(#f1)" xlink:href=""
+
+ <text>PASS: did not crash.</text>
+
+ <script>
+ f2 = document.getElementById('f2');
+ docElement = document.getElementById('svg');
+ light = document.getElementById('light');
+ newDefs = document.getElementById('defs').cloneNode(true);
+
+ if (window.testRunner) {
+ testRunner.dumpAsText();
+ // Force a paint at this point to generate cached filter results.
+ testRunner.display();
+ }
+
+ docElement.appendChild(newDefs);
+ docElement.appendChild(f2);
+ docElement.offsetTop;
+ light.removeAttribute('azimuth');
+ </script>
+</svg>
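Review bot: The mutation sequence in the script after the forced paint (appending the cloned `defs`, re-appending `f2`, reading `docElement.offsetTop`, then `light.removeAttribute('azimuth')`) carries no comment saying which step detaches the client and which step touches the stale cached data; only the `testRunner.display()` call is explained. A short comment over those four lines would let someone who later edits the test keep the crash path intact. Separately, as shown here the `<image id="img" ...` start tag ends at `xlink:href=""` with no closing `/>`, so it is worth confirming that the committed file is well-formed XML.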
Modified: trunk/Source/WebCore/ChangeLog (135718 => 135719)
--- trunk/Source/WebCore/ChangeLog 2012-11-26 15:01:24 UTC (rev 135718)
+++ trunk/Source/WebCore/ChangeLog 2012-11-26 15:03:36 UTC (rev 135719)
@@ -1,3 +1,18 @@
+2012-11-26 Florin Malita <fmal...@chromium.org>
+
+ RenderSVGResourceContainer does not clear cached data on removal
+ https://bugs.webkit.org/show_bug.cgi?id=102620
+
+ Reviewed by Dirk Schulze.
+
+ RenderSVGResourceContainer::removeClient needs to also remove the client from specialized
+ caches, otherwise we can end up with stale references.
+
+ Test: svg/custom/stale-resource-data-crash.svg
+
+ * rendering/svg/RenderSVGResourceContainer.cpp:
+ (WebCore::RenderSVGResourceContainer::removeClient):
+
2012-11-26 'Pavel Feldman' <pfeld...@chromium.org>
Not reviewed: rolling out r135714 and r135712 for breaking debug tests.
Modified: trunk/Source/WebCore/rendering/svg/RenderSVGResourceContainer.cpp (135718 => 135719)
--- trunk/Source/WebCore/rendering/svg/RenderSVGResourceContainer.cpp 2012-11-26 15:01:24 UTC (rev 135718)
+++ trunk/Source/WebCore/rendering/svg/RenderSVGResourceContainer.cpp 2012-11-26 15:03:36 UTC (rev 135719)
@@ -151,6 +151,7 @@
void RenderSVGResourceContainer::removeClient(RenderObject* client)
{
ASSERT(client);
+ removeClientFromCache(client, false);
m_clients.remove(client);
}
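Review bot: In `removeClient`, the bare `false` passed to `removeClientFromCache(client, false)` does not say at the call site what it switches off, and nothing here explains whether the cache eviction has to come before `m_clients.remove(client)`. A one-line comment (or a named constant in place of the literal) stating what the flag controls and whether the ordering matters would keep a later cleanup from reordering or dropping the call and reintroducing the stale reference described in the ChangeLog.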