RESOLVED FIXED 19723
REGRESSION(r34648): Some SVG tests crash when running under --threaded 
https://bugs.webkit.org/show_bug.cgi?id=19723
Summary REGRESSION(r34648): Some SVG tests crash when running under --threaded
Alexey Proskuryakov
Reported 2008-06-23 05:47:28 PDT
In <http://trac.webkit.org/changeset/34648>, painting was added to RenderSVGInlineText::destroy(). During document destruction, rendering structures are not kept in consistent state, and painting results in access to freed memory (possibly overwritten by a background thread). I have a fix that wraps painting in if (!documentBeingDestroyed()), but given that no other destroy() call paints itself, it might be that the original bug could/should be fixed in some different manner.
Attachments
naive fix (1.25 KB, patch)
2008-06-23 06:08 PDT, Alexey Proskuryakov 		darin: review+
DetailsFormatted DiffDiff
View All Add attachment proposed patch, testcase, etc.
Alexey Proskuryakov
Comment 1 2008-06-23 06:08:25 PDT
Created attachment 21880 [details] naive fix Rob is going to look into whether painting inside destroy() is needed at all, but since I already had a fix for the crashes, I'm attaching it for now.
Darin Adler
Comment 2 2008-06-23 09:56:18 PDT
Comment on attachment 21880 [details] naive fix r=me
Alexey Proskuryakov
Comment 3 2008-06-24 05:36:26 PDT
Committed my (hopefully, temporary) fix in revision 34766.
Note You need to log in before you can comment on or make changes to this bug.