Bug 123291

Summary: SMIL timers can still fire after the containing document has been torn down
Product: WebKit Reporter: Vicki Pfau <jeffrey+webkit>
Component: SVGAssignee: Vicki Pfau <jeffrey+webkit>
Status: RESOLVED FIXED    
Severity: Normal CC: commit-queue, darin, dino, esprehn+autocc, kangil.han, koivisto, pdr, zimmermann
Priority: P2    
Version: 528+ (Nightly build)   
Hardware: Unspecified   
OS: Unspecified   
Attachments:
Description Flags
Repro
none
Patch
none
Patch none

Description Vicki Pfau 2013-10-24 14:11:28 PDT 
Created attachment 215102 [details]
Repro

When tearing down a document, we don't cancel the document's SMIL timers until the document is garbage collected. This can lead to the timers firing after the document is no longer active. A simple repro is attached; running it in DRT multiple times in a row without garbage collecting between runs will crash.
Comment 1 Vicki Pfau 2013-10-24 14:18:05 PDT 
Created attachment 215103 [details]
Patch
Comment 2 Philip Rogers 2013-10-24 20:44:38 PDT 
A analogous call to accessSVGExtensions()->pauseAnimations() is needed in Document::dropChildren(). This will roughly match the model used by clearScriptedAnimationController().
Comment 3 Darin Adler 2013-10-25 12:38:46 PDT 
(In reply to comment #2)
> A analogous call to accessSVGExtensions()->pauseAnimations() is needed in Document::dropChildren(). This will roughly match the model used by clearScriptedAnimationController().

Sounds like we need a shared function then, if there is a list of things that both prepareForDestruction and dropChildren do.
Comment 4 Vicki Pfau 2013-10-25 14:30:24 PDT 
(In reply to comment #3)
> (In reply to comment #2)
> > A analogous call to accessSVGExtensions()->pauseAnimations() is needed in Document::dropChildren(). This will roughly match the model used by clearScriptedAnimationController().
> 
> Sounds like we need a shared function then, if there is a list of things that both prepareForDestruction and dropChildren do.

There doesn't appear to be much in common. Currently, I think clearScriptedAnimationController() is the only function that's called by both of them. Although, I'm kind of curious if maybe there should be more.
Comment 5 Vicki Pfau 2013-10-31 18:04:39 PDT 
Created attachment 215706 [details]
Patch
Comment 6 WebKit Commit Bot 2013-11-04 17:43:22 PST 
Comment on attachment 215706 [details]
Patch

Clearing flags on attachment: 215706

Committed r158627: <http://trac.webkit.org/changeset/158627>
Comment 7 WebKit Commit Bot 2013-11-04 17:43:25 PST 
All reviewed patches have been landed.  Closing bug.