RESOLVED FIXED 123291
SMIL timers can still fire after the containing document has been torn down
https://bugs.webkit.org/show_bug.cgi?id=123291
Summary SMIL timers can still fire after the containing document has been torn down
Vicki Pfau
Reported 2013-10-24 14:11:28 PDT
Created attachment 215102 (Repro)

When tearing down a document, we don't cancel the document's SMIL timers until the document is garbage collected. This can lead to the timers firing after the document is no longer active. A simple repro is attached; running it in DRT multiple times in a row without garbage collecting between runs will crash.
Attachments
Repro (211 bytes, text/html)
2013-10-24 14:11 PDT, Vicki Pfau
no flags
Patch (3.46 KB, patch)
2013-10-24 14:18 PDT, Vicki Pfau
no flags
Patch (4.42 KB, patch)
2013-10-31 18:04 PDT, Vicki Pfau
no flags
Vicki Pfau
Comment 1 2013-10-24 14:18:05 PDT
Philip Rogers
Comment 2 2013-10-24 20:44:38 PDT
An analogous call to accessSVGExtensions()->pauseAnimations() is needed in Document::dropChildren(). This will roughly match the model used by clearScriptedAnimationController().
Darin Adler
Comment 3 2013-10-25 12:38:46 PDT
(In reply to comment #2)
> An analogous call to accessSVGExtensions()->pauseAnimations() is needed in Document::dropChildren(). This will roughly match the model used by clearScriptedAnimationController().

Sounds like we need a shared function then, if there is a list of things that both prepareForDestruction and dropChildren do.
Vicki Pfau
Comment 4 2013-10-25 14:30:24 PDT
(In reply to comment #3)
> (In reply to comment #2)
> > An analogous call to accessSVGExtensions()->pauseAnimations() is needed in Document::dropChildren(). This will roughly match the model used by clearScriptedAnimationController().
>
> Sounds like we need a shared function then, if there is a list of things that both prepareForDestruction and dropChildren do.

There doesn't appear to be much in common. Currently, I think clearScriptedAnimationController() is the only function that's called by both of them. Although, I'm kind of curious if maybe there should be more.
Vicki Pfau
Comment 5 2013-10-31 18:04:39 PDT
WebKit Commit Bot
Comment 6 2013-11-04 17:43:22 PST
Comment on attachment 215706 (Patch)

Clearing flags on attachment: 215706

Committed r158627: <http://trac.webkit.org/changeset/158627>
WebKit Commit Bot
Comment 7 2013-11-04 17:43:25 PST
All reviewed patches have been landed. Closing bug.
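
The lifetime gap described in the report, and the remedy suggested in comment 2, as a simplified model added here for illustration; it is not WebKit code and not the landed patch. `pauseAnimations`, `prepareForDestruction` and `dropChildren` borrow their names from the thread, while `Timer`, `RunLoop`, `cancelOnTeardown` and `staleFires` are hypothetical.

```cpp
#include <algorithm>
#include <cstdio>
#include <functional>
#include <memory>
#include <vector>
struct Timer { bool active = false; std::function<void()> fired; };

// Hypothetical run loop: fires every registered timer that is still active.
struct RunLoop {
    std::vector<Timer*> timers;
    void fire() { for (Timer* t : timers) if (t->active) t->fired(); }
};

struct Document {
    RunLoop& loop;
    bool cancelOnTeardown;       // false: behaviour in the report; true: suggested remedy
    bool tornDown = false;
    int firesAfterTeardown = 0;  // the real engine crashes here; the model only counts
    Timer smilTimer;
    Document(RunLoop& l, bool fix) : loop(l), cancelOnTeardown(fix) {
        smilTimer.fired = [this] { if (tornDown) ++firesAfterTeardown; };
        smilTimer.active = true;
        loop.timers.push_back(&smilTimer);
    }
    void pauseAnimations() { smilTimer.active = false; }
    // Both teardown paths named in the thread have to stop the timers.
    void prepareForDestruction() { tornDown = true; if (cancelOnTeardown) pauseAnimations(); }
    void dropChildren() { tornDown = true; if (cancelOnTeardown) pauseAnimations(); }
    ~Document() {                // stands in for garbage collection
        auto& t = loop.timers;
        t.erase(std::remove(t.begin(), t.end(), &smilTimer), t.end());
    }
};

// Tear down via one path, tick the loop before collection, return stale fires.
int staleFires(bool fix, bool viaDropChildren) {
    RunLoop loop;
    auto doc = std::make_unique<Document>(loop, fix);
    if (viaDropChildren) doc->dropChildren(); else doc->prepareForDestruction();
    loop.fire();                 // tick lands between teardown and collection
    int stale = doc->firesAfterTeardown;
    doc.reset();                 // collection: timer is finally unregistered
    loop.fire();
    return stale;
}

int main() {
    std::printf("unfixed: %d, fixed: %d\n", staleFires(false, false), staleFires(true, false));
}
```

When cancellation is left to the destructor, the timer fires once against a torn-down document on either path; cancelling in both teardown paths closes the window regardless of when collection happens.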