123291 – SMIL timers can still fire after the containing document has been torn down

Bug 123291 - SMIL timers can still fire after the containing document has been torn down

Summary: SMIL timers can still fire after the containing document has been torn down

Status:	RESOLVED FIXED

Alias:	None

Product:	WebKit
Classification:	Unclassified
Component:	SVG (show other bugs)
Version:	528+ (Nightly build)
Hardware:	Unspecified Unspecified

Importance:	P2 Normal
Assignee:	Vicki Pfau

URL:
Keywords:

Depends on:
Blocks:

Reported:	2013-10-24 14:11 PDT by Vicki Pfau
Modified:	2013-11-04 17:43 PST (History)
CC List:	8 users (show)

See Also:

Attachments
Repro (211 bytes, text/html) 2013-10-24 14:11 PDT, Vicki Pfau	no flags	Details
Patch (3.46 KB, patch) 2013-10-24 14:18 PDT, Vicki Pfau	no flags	Details \| Formatted Diff \| Diff
Patch (4.42 KB, patch) 2013-10-31 18:04 PDT, Vicki Pfau	no flags	Details \| Formatted Diff \| Diff
Show Obsolete (1) View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Vicki Pfau 2013-10-24 14:11:28 PDT

Created attachment 215102 [details]
Repro

When tearing down a document, we don't cancel the document's SMIL timers until the document is garbage collected. This can lead to the timers firing after the document is no longer active. A simple repro is attached; running it in DRT multiple times in a row without garbage collecting between runs will crash.

Comment 1 Vicki Pfau 2013-10-24 14:18:05 PDT

Created attachment 215103 [details]
Patch

Comment 2 Philip Rogers 2013-10-24 20:44:38 PDT

A analogous call to accessSVGExtensions()->pauseAnimations() is needed in Document::dropChildren(). This will roughly match the model used by clearScriptedAnimationController().

Comment 3 Darin Adler 2013-10-25 12:38:46 PDT

(In reply to comment #2)
> A analogous call to accessSVGExtensions()->pauseAnimations() is needed in Document::dropChildren(). This will roughly match the model used by clearScriptedAnimationController().

Sounds like we need a shared function then, if there is a list of things that both prepareForDestruction and dropChildren do.

Comment 4 Vicki Pfau 2013-10-25 14:30:24 PDT

(In reply to comment #3)
> (In reply to comment #2)
> > A analogous call to accessSVGExtensions()->pauseAnimations() is needed in Document::dropChildren(). This will roughly match the model used by clearScriptedAnimationController().
> 
> Sounds like we need a shared function then, if there is a list of things that both prepareForDestruction and dropChildren do.

There doesn't appear to be much in common. Currently, I think clearScriptedAnimationController() is the only function that's called by both of them. Although, I'm kind of curious if maybe there should be more.

Comment 5 Vicki Pfau 2013-10-31 18:04:39 PDT

Created attachment 215706 [details]
Patch

Comment 6 WebKit Commit Bot 2013-11-04 17:43:22 PST

Comment on attachment 215706 [details]
Patch

Clearing flags on attachment: 215706

Committed r158627: <http://trac.webkit.org/changeset/158627>

Comment 7 WebKit Commit Bot 2013-11-04 17:43:25 PST

All reviewed patches have been landed.  Closing bug.