Changeset 221292 in webkit

Timestamp:

Aug 29, 2017 2:32:34 AM (7 years ago)

Author:

svillar@igalia.com

Message:

[SVG] Leak in SVGAnimatedListPropertyTearOff
​https://bugs.webkit.org/show_bug.cgi?id=172545

Reviewed by Darin Adler.

Source/WebCore:

SVGAnimatedListPropertyTearOff maintains a vector m_wrappers with references to
SVGPropertyTraits<PropertyType>::ListItemTearOff. Apart from that SVGPropertyTearOff has a
reference to SVGAnimatedProperty.

When SVGListProperty::getItemValuesAndWrappers() is called, it creates a
SVGPropertyTraits<PropertyType>::ListItemTearOff pointing to the same SVGAnimatedProperty (a
SVGAnimatedListPropertyTearOff) which stores the m_wrappers vector where the ListItemTearOff
is going to be added to. This effectively creates a reference cycle between the
SVGAnimatedListPropertyTearOff and all the ListItemTearOff it stores in m_wrappers.

In order to effectively break the cycle without freeing too many wrappers we should take two
measures:
1) Break the reference cycle by storing raw pointers in the m_wrappers Vector
2) Remove the ListItemTearOff which is being deleted (it notifies the animated property by
calling propertyWillBeDeleted) from the m_wrappers Vector.

This is a re-land of r219334 which caused early releases of custom data attribute objects
added to SVG elements (wkb.ug/175023).

Tests: svg/animations/animation-leak-list-property-instances.html

svg/dom/SVGAnimatedListPropertyTearOff-crash-2.html
svg/dom/SVGAnimatedListPropertyTearOff-crash.html
svg/dom/SVGAnimatedListPropertyTearOff-leak.html

• svg/properties/SVGAnimatedListPropertyTearOff.h:
• svg/properties/SVGListProperty.h:

(WebCore::SVGListProperty::getItemValuesAndWrappers):

• svg/properties/SVGListPropertyTearOff.h:

(WebCore::SVGListPropertyTearOff::removeItemFromList):

LayoutTests:

The list of new added tests includes the one for the original bug, a new test for the
regression and a couple of tests imported from Blink which verify that
SVGAnimatedListPropertyTearOff does not crash after the context element goes out of scope.

• svg/animations/animation-leak-list-property-instances-expected.txt: Added.
• svg/animations/animation-leak-list-property-instances.html: Added.
• svg/dom/SVGAnimatedListPropertyTearOff-crash-2-expected.txt: Added. Imported from Blink.
• svg/dom/SVGAnimatedListPropertyTearOff-crash-2.html: Added. Imported from Blink.
• svg/dom/SVGAnimatedListPropertyTearOff-crash-expected.txt: Added. Imported from Blink.
• svg/dom/SVGAnimatedListPropertyTearOff-crash.html: Added. Imported from Blink.
• svg/dom/SVGAnimatedListPropertyTearOff-leak-expected.txt: Added.
• svg/dom/SVGAnimatedListPropertyTearOff-leak.html: Added.

Location:

trunk

Files:

• LayoutTests/ChangeLog (modified) (1 diff)
• LayoutTests/svg/animations/animation-leak-list-property-instances-expected.txt (added)
• LayoutTests/svg/animations/animation-leak-list-property-instances.html (added)
• LayoutTests/svg/dom/SVGAnimatedListPropertyTearOff-crash-2-expected.txt (added)
• LayoutTests/svg/dom/SVGAnimatedListPropertyTearOff-crash-2.html (added)
• LayoutTests/svg/dom/SVGAnimatedListPropertyTearOff-crash-expected.txt (added)
• LayoutTests/svg/dom/SVGAnimatedListPropertyTearOff-crash.html (added)
• LayoutTests/svg/dom/SVGAnimatedListPropertyTearOff-leak-expected.txt (added)
• LayoutTests/svg/dom/SVGAnimatedListPropertyTearOff-leak.html (added)
• Source/WebCore/ChangeLog (modified) (1 diff)
• Source/WebCore/svg/properties/SVGAnimatedListPropertyTearOff.h (modified) (2 diffs)
• Source/WebCore/svg/properties/SVGListProperty.h (modified) (1 diff)
• Source/WebCore/svg/properties/SVGListPropertyTearOff.h (modified) (2 diffs)

trunk/LayoutTests/ChangeLog

@@ +1 @@
+2017-08-19  Sergio Villar Senin  <svillar@igalia.com>
+
+        [SVG] Leak in SVGAnimatedListPropertyTearOff
+        https://bugs.webkit.org/show_bug.cgi?id=172545
+
+        Reviewed by Darin Adler.
+
+        The list of new added tests includes the one for the original bug, a new test for the
+        regression and a couple of tests imported from Blink which verify that
+        SVGAnimatedListPropertyTearOff does not crash after the context element goes out of scope.
+
+        * svg/animations/animation-leak-list-property-instances-expected.txt: Added.
+        * svg/animations/animation-leak-list-property-instances.html: Added.
+        * svg/dom/SVGAnimatedListPropertyTearOff-crash-2-expected.txt: Added. Imported from Blink.
+        * svg/dom/SVGAnimatedListPropertyTearOff-crash-2.html: Added. Imported from Blink.
+        * svg/dom/SVGAnimatedListPropertyTearOff-crash-expected.txt: Added. Imported from Blink.
+        * svg/dom/SVGAnimatedListPropertyTearOff-crash.html: Added. Imported from Blink.
+        * svg/dom/SVGAnimatedListPropertyTearOff-leak-expected.txt: Added.
+        * svg/dom/SVGAnimatedListPropertyTearOff-leak.html: Added.
+
 2017-08-28  Per Arne Vollan  <pvollan@apple.com>
 

trunk/Source/WebCore/ChangeLog

@@ +1 @@
+2017-08-19  Sergio Villar Senin  <svillar@igalia.com>
+
+        [SVG] Leak in SVGAnimatedListPropertyTearOff
+        https://bugs.webkit.org/show_bug.cgi?id=172545
+
+        Reviewed by Darin Adler.
+
+        SVGAnimatedListPropertyTearOff maintains a vector m_wrappers with references to
+        SVGPropertyTraits<PropertyType>::ListItemTearOff. Apart from that SVGPropertyTearOff has a
+        reference to SVGAnimatedProperty.
+
+        When SVGListProperty::getItemValuesAndWrappers() is called, it creates a
+        SVGPropertyTraits<PropertyType>::ListItemTearOff pointing to the same SVGAnimatedProperty (a
+        SVGAnimatedListPropertyTearOff) which stores the m_wrappers vector where the ListItemTearOff
+        is going to be added to. This effectively creates a reference cycle between the
+        SVGAnimatedListPropertyTearOff and all the ListItemTearOff it stores in m_wrappers.
+
+        In order to effectively break the cycle without freeing too many wrappers we should take two
+        measures:
+        1) Break the reference cycle by storing raw pointers in the m_wrappers Vector
+        2) Remove the ListItemTearOff which is being deleted (it notifies the animated property by
+        calling propertyWillBeDeleted) from the m_wrappers Vector.
+
+        This is a re-land of r219334 which caused early releases of custom data attribute objects
+        added to SVG elements (wkb.ug/175023).
+
+        Tests: svg/animations/animation-leak-list-property-instances.html
+               svg/dom/SVGAnimatedListPropertyTearOff-crash-2.html
+               svg/dom/SVGAnimatedListPropertyTearOff-crash.html
+               svg/dom/SVGAnimatedListPropertyTearOff-leak.html
+
+        * svg/properties/SVGAnimatedListPropertyTearOff.h:
+        * svg/properties/SVGListProperty.h:
+        (WebCore::SVGListProperty::getItemValuesAndWrappers):
+        * svg/properties/SVGListPropertyTearOff.h:
+        (WebCore::SVGListPropertyTearOff::removeItemFromList):
+
 2017-08-29  Andy Estes  <aestes@apple.com>
 

trunk/Source/WebCore/svg/properties/SVGAnimatedListPropertyTearOff.h

@@ -35 +35 @@
     using ListItemType = typename SVGPropertyTraits<PropertyType>::ListItemType;
     using ListItemTearOff = typename SVGPropertyTraits<PropertyType>::ListItemTearOff;
-    using ListWrapperCache = Vector<RefPtr<ListItemTearOff>>;
+    using ListWrapperCache = Vector<ListItemTearOff*>;
     using ListProperty = SVGListProperty<PropertyType>;
     using ListPropertyTearOff = typename SVGPropertyTraits<PropertyType>::ListPropertyTearOff;
@@ -74 +74 @@
         else if (&property == m_animVal)
             m_animVal = nullptr;
+        else {
+            size_t i = m_wrappers.find(&property);
+            if (i != notFound)
+                m_wrappers[i] = nullptr;
+        }
     }
 

trunk/Source/WebCore/svg/properties/SVGListProperty.h

@@ -207 +207 @@
             // that it has been modified (and thus can call svgAttributeChanged(associatedAttributeName)).
             wrapper = ListItemTearOff::create(animatedList, UndefinedRole, m_values->at(index));
-            m_wrappers->at(index) = wrapper;
+            m_wrappers->at(index) = wrapper.get();
         }
 

trunk/Source/WebCore/svg/properties/SVGListPropertyTearOff.h

@@ -67 +67 @@
         ASSERT_WITH_SECURITY_IMPLICATION(itemIndex < m_wrappers->size());
 
-        RefPtr<ListItemTearOff>& item = m_wrappers->at(itemIndex);
+        RefPtr<ListItemTearOff> item = m_wrappers->at(itemIndex);
         item->detachWrapper();
         m_wrappers->remove(itemIndex);
@@ -142 +142 @@
         ASSERT(size == m_values->size());
         for (unsigned i = 0; i < size; ++i) {
-            ListItemTearOff* item = m_wrappers->at(i).get();
+            ListItemTearOff* item = m_wrappers->at(i);
             if (!item)
                 continue;