19723 – REGRESSION(r34648): Some SVG tests crash when running under --threaded

Bug 19723 - REGRESSION(r34648): Some SVG tests crash when running under --threaded

Summary: REGRESSION(r34648): Some SVG tests crash when running under --threaded

Status:	RESOLVED FIXED

Alias:	None

Product:	WebKit
Classification:	Unclassified
Component:	SVG (show other bugs)
Version:	528+ (Nightly build)
Hardware:	All All

Importance:	P1 Normal
Assignee:	Nobody

URL:
Keywords:

Depends on:
Blocks:

Reported:	2008-06-23 05:47 PDT by Alexey Proskuryakov
Modified:	2008-06-24 05:36 PDT (History)
CC List:	0 users

See Also:

Attachments
naive fix (1.25 KB, patch) 2008-06-23 06:08 PDT, Alexey Proskuryakov	darin: review+	Details \| Formatted Diff \| Diff
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Alexey Proskuryakov 2008-06-23 05:47:28 PDT

In <http://trac.webkit.org/changeset/34648>, painting was added to RenderSVGInlineText::destroy(). During document destruction, rendering structures are not kept in consistent state, and painting results in access to freed memory (possibly overwritten by a background thread).

I have a fix that wraps painting in if (!documentBeingDestroyed()), but given that no other destroy() call paints itself, it might be that the original bug could/should be fixed in some different manner.

Comment 1 Alexey Proskuryakov 2008-06-23 06:08:25 PDT

Created attachment 21880 [details]
naive fix

Rob is going to look into whether painting inside destroy() is needed at all, but since I already had a fix for the crashes, I'm attaching it for now.

Comment 2 Darin Adler 2008-06-23 09:56:18 PDT

Comment on attachment 21880 [details]
naive fix

r=me

Comment 3 Alexey Proskuryakov 2008-06-24 05:36:26 PDT

Committed my (hopefully, temporary) fix in revision 34766.