Bug 123291

Summary:

SMIL timers can still fire after the containing document has been torn down

Product:

WebKit

Reporter:

Vicki Pfau <jeffrey+webkit>

Component:

SVG

Assignee:

Vicki Pfau <jeffrey+webkit>

Status:

RESOLVED FIXED

Severity:

Normal

CC:

commit-queue, darin, dino, esprehn+autocc, kangil.han, koivisto, pdr, zimmermann

Priority:

Version:

528+ (Nightly build)

Hardware:

Unspecified

OS:

Unspecified

Attachments:

Description	Flags
Repro	none
Patch	none
Patch	none

Vicki Pfau

Reported 2013-10-24 14:11:28 PDT

Created attachment 215102 [details] Repro When tearing down a document, we don't cancel the document's SMIL timers until the document is garbage collected. This can lead to the timers firing after the document is no longer active. A simple repro is attached; running it in DRT multiple times in a row without garbage collecting between runs will crash.

Attachments
Repro (211 bytes, text/html) 2013-10-24 14:11 PDT, Vicki Pfau	no flags	Details
Patch (3.46 KB, patch) 2013-10-24 14:18 PDT, Vicki Pfau	no flags	Details Formatted Diff Diff
Patch (4.42 KB, patch) 2013-10-31 18:04 PDT, Vicki Pfau	no flags	Details Formatted Diff Diff
Show Obsolete (1) View All Add attachment proposed patch, testcase, etc.

Vicki Pfau

Comment 1 2013-10-24 14:18:05 PDT

Created attachment 215103 [details] Patch

Philip Rogers

Comment 2 2013-10-24 20:44:38 PDT

A analogous call to accessSVGExtensions()->pauseAnimations() is needed in Document::dropChildren(). This will roughly match the model used by clearScriptedAnimationController().

Darin Adler

Comment 3 2013-10-25 12:38:46 PDT

(In reply to comment #2) > A analogous call to accessSVGExtensions()->pauseAnimations() is needed in Document::dropChildren(). This will roughly match the model used by clearScriptedAnimationController(). Sounds like we need a shared function then, if there is a list of things that both prepareForDestruction and dropChildren do.

Vicki Pfau

Comment 4 2013-10-25 14:30:24 PDT

(In reply to comment #3) > (In reply to comment #2) > > A analogous call to accessSVGExtensions()->pauseAnimations() is needed in Document::dropChildren(). This will roughly match the model used by clearScriptedAnimationController(). > > Sounds like we need a shared function then, if there is a list of things that both prepareForDestruction and dropChildren do. There doesn't appear to be much in common. Currently, I think clearScriptedAnimationController() is the only function that's called by both of them. Although, I'm kind of curious if maybe there should be more.

Vicki Pfau

Comment 5 2013-10-31 18:04:39 PDT

Created attachment 215706 [details] Patch

WebKit Commit Bot

Comment 6 2013-11-04 17:43:22 PST

Comment on attachment 215706 [details] Patch Clearing flags on attachment: 215706 Committed r158627: <http://trac.webkit.org/changeset/158627>

WebKit Commit Bot

Comment 7 2013-11-04 17:43:25 PST

All reviewed patches have been landed. Closing bug.

Note You need to log in before you can comment on or make changes to this bug.