Changeset 50958 in webkit


Timestamp:
Nov 13, 2009 11:56:43 AM (14 years ago)
Author:
eric@webkit.org
Message:

2009-11-13 Vitaly Repeshko <vitalyr@chromium.org>

Reviewed by Dimitri Glazkov.

[V8] Protect SVG animated properties from destruction in bindings.
https://bugs.webkit.org/show_bug.cgi?id=31474

See http://crbug.com/26719.

Tested by LayoutTests/svg/custom/js-update-transform-addition.svg
under Valgrind.

Made sure we keep a reference to SVG properties while setting a
context:

  • bindings/scripts/CodeGeneratorV8.pm:
  • bindings/v8/V8Proxy.h: (WebCore::V8Proxy::withSVGContext):
Location:
trunk/WebCore
Files:
3 edited

  • trunk/WebCore/ChangeLog

    r50956 r50958  
     12009-11-13  Vitaly Repeshko  <vitalyr@chromium.org>
     2
     3        Reviewed by Dimitri Glazkov.
     4
     5        [V8] Protect SVG animated properties from destruction in bindings.
     6        https://bugs.webkit.org/show_bug.cgi?id=31474
     7
     8        See http://crbug.com/26719.
     9
     10        Tested by LayoutTests/svg/custom/js-update-transform-addition.svg
     11        under Valgrind.
     12
     13        Made sure we keep a reference to SVG properties while setting a
     14        context:
     15        * bindings/scripts/CodeGeneratorV8.pm:
     16        * bindings/v8/V8Proxy.h:
     17        (WebCore::V8Proxy::withSVGContext):
     18
    1192009-11-13  Brent Fulgham  <bfulgham@webkit.org>
    220
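Review bot: The per-file entries at the end of this ChangeLog hunk (`* bindings/scripts/CodeGeneratorV8.pm:` and `(WebCore::V8Proxy::withSVGContext):`) carry no description of what changed in each file, which the WebKit ChangeLog convention expects; a line each along the lines of "Generate a V8Proxy::withSVGContext() call instead of GenerateSVGContextAssignment()" and "Added withSVGContext() helpers that hold the PassRefPtr while the context is set" would let a reader of the log understand the fix without opening the diff. It would also help to state that no new layout test is added and that the existing js-update-transform-addition.svg test only exposes the bug under Valgrind, since the regression is a premature destruction that does not fail the test on its own.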
  • trunk/WebCore/bindings/scripts/CodeGeneratorV8.pm

    r50914 r50958  
    647647            $resultObject = "wrapper";
    648648        }
    649         $resultObject = "WTF::getPtr(" . $resultObject . ")";
    650         push(@implContentDecls, GenerateSVGContextAssignment($implClassName, $resultObject, "    "));
     649        push(@implContentDecls, GenerateSVGContextRetrieval($implClassName, "    "));
     650        $result = "V8Proxy::withSVGContext($resultObject, context)";
    651651    }
    652652
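Review bot: This hunk drops the `WTF::getPtr(...)` wrapping and instead builds `$result = "V8Proxy::withSVGContext($resultObject, context)"`, so correctness now depends on the generated expression being consumed while the temporary PassRefPtr returned by withSVGContext() is still alive; the hunk does not show where `$result` is used, so please confirm that it is passed straight into the wrapper-conversion call rather than first stored through `.get()` into a raw pointer, which would reintroduce the lifetime problem the change is meant to fix. Two smaller points: `$resultObject` can be the plain string "wrapper" (visible at line 647), in which case the generated call must resolve to the `void*` overload of withSVGContext(), so both overloads are required for the generator output to compile; and since GenerateSVGContextAssignment() is no longer called here, check whether it has any remaining callers and remove it if not.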
  • trunk/WebCore/bindings/v8/V8Proxy.h

    r50897 r50958  
    178178        static void setSVGContext(void*, SVGElement*);
    179179        static SVGElement* svgContext(void*);
     180
     181        // These helper functions are required in case we are given a PassRefPtr
     182        // to a (possibly) newly created object and must prevent its reference
     183        // count from dropping to zero as would happen in code like
     184        //
     185        //   V8Proxy::setSVGContext(imp->getNewlyCreatedObject().get(), context);
     186        //   foo(imp->getNewlyCreatedObject().get());
     187        //
     188        // In the above two lines each time getNewlyCreatedObject() is called it
     189        // creates a new object because we don't ref() it. (So our attemts to
     190        // associate a context with it fail.) Such code should be rewritten to
     191        //
     192        //   foo(V8Proxy::withSVGContext(imp->getNewlyCreatedObject(), context).get());
     193        //
     194        // where PassRefPtr::~PassRefPtr() is invoked only after foo() is
     195        // called.
     196        template <typename T>
     197        static PassRefPtr<T> withSVGContext(PassRefPtr<T> object, SVGElement* context)
     198        {
     199            setSVGContext(object.get(), context);
     200            return object;
     201        }
     202        static void* withSVGContext(void* object, SVGElement* context)
     203        {
     204            setSVGContext(object, context);
     205            return object;
     206        }
    180207#endif
    181208
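Review bot: The `void*` overload of withSVGContext() (lines 202 to 206) only calls setSVGContext() and returns the same raw pointer, so it provides none of the lifetime protection described in the comment above it; it exists so that generated code with a raw `wrapper` pointer still compiles, and the comment should say so explicitly, otherwise a reader may assume any call to withSVGContext() keeps the object alive. Please also make sure the PassRefPtr<T> overload is what gets selected for `PassRefPtr` arguments, which it is as long as callers do not pass `.get()` into it, and fix the typo "attemts" in the comment at line 189.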