Context Navigation

← Previous Changeset
Next Changeset →

Changeset 71236 in webkit

Timestamp:

Nov 3, 2010 7:12:54 AM (13 years ago)

Author:

Nikolas Zimmermann

Message:

2010-11-03 Nikolas Zimmermann <nzimmermann@rim.com>

Reviewed by Dirk Schulze.

chrome.dll!WebCore::SVGListPropertyTearOff<...>::getItem ReadAV@NULL (578c0f7f21ca517ba29a4eafb7099c1b)
https://bugs.webkit.org/show_bug.cgi?id=48829

Share SVGPropertyTearOff wrapper cache between SVGAnimatedListPropertyTearOff::baseVal/animVal.
When modifying the list through baseVal, and then grabbing the animVal list an assertion was fired,
as the wrapper cache was out of sync with the underlying SVG*List vector.

Test: svg/dom/baseVal-animVal-list-crash.html

svg/properties/SVGAnimatedListPropertyTearOff.h: (WebCore::SVGAnimatedListPropertyTearOff::baseVal): (WebCore::SVGAnimatedListPropertyTearOff::animVal): (WebCore::SVGAnimatedListPropertyTearOff::removeItemFromList): (WebCore::SVGAnimatedListPropertyTearOff::detachListWrappers): (WebCore::SVGAnimatedListPropertyTearOff::values): (WebCore::SVGAnimatedListPropertyTearOff::wrappers): (WebCore::SVGAnimatedListPropertyTearOff::create): (WebCore::SVGAnimatedListPropertyTearOff::SVGAnimatedListPropertyTearOff):
svg/properties/SVGListPropertyTearOff.h: (WebCore::SVGListPropertyTearOff::create): (WebCore::SVGListPropertyTearOff::removeItemFromList): (WebCore::SVGListPropertyTearOff::clear): (WebCore::SVGListPropertyTearOff::numberOfItems): (WebCore::SVGListPropertyTearOff::initialize): (WebCore::SVGListPropertyTearOff::getItem): (WebCore::SVGListPropertyTearOff::insertItemBefore): (WebCore::SVGListPropertyTearOff::replaceItem): (WebCore::SVGListPropertyTearOff::removeItem): (WebCore::SVGListPropertyTearOff::appendItem): (WebCore::SVGListPropertyTearOff::SVGListPropertyTearOff): (WebCore::SVGListPropertyTearOff::commitChange):

2010-11-03 Nikolas Zimmermann <nzimmermann@rim.com>

Reviewed by Dirk Schulze.

chrome.dll!WebCore::SVGListPropertyTearOff<...>::getItem ReadAV@NULL (578c0f7f21ca517ba29a4eafb7099c1b)
https://bugs.webkit.org/show_bug.cgi?id=48829

svg/dom/baseVal-animVal-list-crash-expected.txt: Added.
svg/dom/baseVal-animVal-list-crash.html: Added.

Location:

trunk

Files:

: 2 added
: 4 edited

LayoutTests/ChangeLog (modified) (1 diff)
LayoutTests/svg/dom/baseVal-animVal-list-crash-expected.txt (added)
LayoutTests/svg/dom/baseVal-animVal-list-crash.html (added)
WebCore/ChangeLog (modified) (1 diff)
WebCore/svg/properties/SVGAnimatedListPropertyTearOff.h (modified) (4 diffs)
WebCore/svg/properties/SVGListPropertyTearOff.h (modified) (16 diffs)

Legend:

: Unmodified
: Added
: Removed

trunk/LayoutTests/ChangeLog

-                      r71233
+                      r71236
+-11-03  Nikolas Zimmermann  <nzimmermann@rim.com>
+        Reviewed by Dirk Schulze.
+        chrome.dll!WebCore::SVGListPropertyTearOff<...>::getItem ReadAV@NULL (578c0f7f21ca517ba29a4eafb7099c1b)
+        https://bugs.webkit.org/show_bug.cgi?id=48829
+        * svg/dom/baseVal-animVal-list-crash-expected.txt: Added.
+        * svg/dom/baseVal-animVal-list-crash.html: Added.
 -11-03  Adam Roben  <aroben@apple.com>

trunk/WebCore/ChangeLog

-                      r71235
+                      r71236
+-11-03  Nikolas Zimmermann  <nzimmermann@rim.com>
+        Reviewed by Dirk Schulze.
+        chrome.dll!WebCore::SVGListPropertyTearOff<...>::getItem ReadAV@NULL (578c0f7f21ca517ba29a4eafb7099c1b)
+        https://bugs.webkit.org/show_bug.cgi?id=48829
+        Share SVGPropertyTearOff wrapper cache between SVGAnimatedListPropertyTearOff::baseVal/animVal.
+        When modifying the list through baseVal, and then grabbing the animVal list an assertion was fired,
+        as the wrapper cache was out of sync with the underlying SVG*List vector.
+        Test: svg/dom/baseVal-animVal-list-crash.html
+        * svg/properties/SVGAnimatedListPropertyTearOff.h:
+        (WebCore::SVGAnimatedListPropertyTearOff::baseVal):
+        (WebCore::SVGAnimatedListPropertyTearOff::animVal):
+        (WebCore::SVGAnimatedListPropertyTearOff::removeItemFromList):
+        (WebCore::SVGAnimatedListPropertyTearOff::detachListWrappers):
+        (WebCore::SVGAnimatedListPropertyTearOff::values):
+        (WebCore::SVGAnimatedListPropertyTearOff::wrappers):
+        (WebCore::SVGAnimatedListPropertyTearOff::create):
+        (WebCore::SVGAnimatedListPropertyTearOff::SVGAnimatedListPropertyTearOff):
+        * svg/properties/SVGListPropertyTearOff.h:
+        (WebCore::SVGListPropertyTearOff::create):
+        (WebCore::SVGListPropertyTearOff::removeItemFromList):
+        (WebCore::SVGListPropertyTearOff::clear):
+        (WebCore::SVGListPropertyTearOff::numberOfItems):
+        (WebCore::SVGListPropertyTearOff::initialize):
+        (WebCore::SVGListPropertyTearOff::getItem):
+        (WebCore::SVGListPropertyTearOff::insertItemBefore):
+        (WebCore::SVGListPropertyTearOff::replaceItem):
+        (WebCore::SVGListPropertyTearOff::removeItem):
+        (WebCore::SVGListPropertyTearOff::appendItem):
+        (WebCore::SVGListPropertyTearOff::SVGListPropertyTearOff):
+        (WebCore::SVGListPropertyTearOff::commitChange):
 -11-02  Ilya Tikhonovsky  <loislo@chromium.org>

trunk/WebCore/svg/properties/SVGAnimatedListPropertyTearOff.h

-                      r70918
+                      r71236
 class SVGAnimatedListPropertyTearOff : public SVGAnimatedProperty {
 public:
+    typedef typename SVGPropertyTraits<PropertyType>::ListItemType ListItemType;
+    typedef SVGPropertyTearOff<ListItemType> ListItemTearOff;
+    typedef Vector<RefPtr<ListItemTearOff> > ListWrapperCache;
     SVGProperty* baseVal()
+    {
         if (!m_baseVal)
             m_baseVal = SVGListPropertyTearOff<PropertyType>::create(this, BaseValRole, m_property);
+            m_baseVal = SVGListPropertyTearOff<PropertyType>::create(this, BaseValRole);
         return m_baseVal.get();
+    }
 …
+    {
         if (!m_animVal)
             m_animVal = SVGListPropertyTearOff<PropertyType>::create(this, AnimValRole, m_property);
+            m_animVal = SVGListPropertyTearOff<PropertyType>::create(this, AnimValRole);
         return m_animVal.get();
+    }
 …
     int removeItemFromList(SVGProperty* property, bool shouldSynchronizeWrappers)
+    {
+        // FIXME: No animVal support.
+        if (!m_baseVal)
+            return -1;
+        // This should ever be called for our baseVal, as animVal can't modify the list.
         typedef SVGPropertyTearOff<typename SVGPropertyTraits<PropertyType>::ListItemType> ListItemTearOff;
         return static_pointer_cast<SVGListPropertyTearOff<PropertyType> >(m_baseVal)->removeItemFromList(static_cast<ListItemTearOff*>(property), shouldSynchronizeWrappers);
 …
     void detachListWrappers(unsigned newListSize)
+    {
+        if (m_baseVal)
+            static_pointer_cast<SVGListPropertyTearOff<PropertyType> >(m_baseVal)->detachListWrappers(newListSize);
+        if (m_animVal)
+            static_pointer_cast<SVGListPropertyTearOff<PropertyType> >(m_animVal)->detachListWrappers(newListSize);
+        // See SVGPropertyTearOff::detachWrapper() for an explaination what's happening here.
+        unsigned size = m_wrappers.size();
+        ASSERT(size == m_values.size());
+        for (unsigned i = 0; i < size; ++i) {
+            RefPtr<ListItemTearOff>& item = m_wrappers.at(i);
+            if (!item)
+                continue;
+            item->detachWrapper();
+        }
+        // Reinitialize the wrapper cache to be equal to the new values size, after the XML DOM changed the list.
+        if (newListSize)
+            m_wrappers.fill(0, newListSize);
+        else
+            m_wrappers.clear();
+    }
+    PropertyType& values() { return m_values; }
+    ListWrapperCache& wrappers() { return m_wrappers; }
 private:
     friend class SVGAnimatedProperty;
     static PassRefPtr<SVGAnimatedListPropertyTearOff<PropertyType> > create(SVGElement* contextElement, const QualifiedName& attributeName, PropertyType& property)
+    static PassRefPtr<SVGAnimatedListPropertyTearOff<PropertyType> > create(SVGElement* contextElement, const QualifiedName& attributeName, PropertyType& values)
+    {
         ASSERT(contextElement);
         return adoptRef(new SVGAnimatedListPropertyTearOff<PropertyType>(contextElement, attributeName, property));
+        return adoptRef(new SVGAnimatedListPropertyTearOff<PropertyType>(contextElement, attributeName, values));
+    }
     SVGAnimatedListPropertyTearOff(SVGElement* contextElement, const QualifiedName& attributeName, PropertyType& property)
+    SVGAnimatedListPropertyTearOff(SVGElement* contextElement, const QualifiedName& attributeName, PropertyType& values)
         : SVGAnimatedProperty(contextElement, attributeName)
         , m_property(property)
+        , m_values(values)
+    {
+        if (!values.isEmpty())
+            m_wrappers.fill(0, values.size());
+    }
 private:
+    PropertyType& m_property;
+    PropertyType& m_values;
+    // FIXME: The list wrapper cache is shared between baseVal/animVal. If we implement animVal,
+    // we need two seperated wrapper caches if the attribute gets animated.
+    ListWrapperCache m_wrappers;
     RefPtr<SVGProperty> m_baseVal;

trunk/WebCore/svg/properties/SVGListPropertyTearOff.h

-                      r70918
+                      r71236
     typedef SVGPropertyTearOff<ListItemType> ListItemTearOff;
     typedef PassRefPtr<ListItemTearOff> PassListItemTearOff;
     typedef Vector<RefPtr<ListItemTearOff> > ListWrapperCache;
+    // Used for [SVGAnimatedProperty] types (for example: SVGAnimatedLengthList::baseVal())
     static PassRefPtr<Self> create(SVGAnimatedProperty* animatedProperty, SVGPropertyRole role, PropertyType& values)
+    typedef SVGAnimatedListPropertyTearOff<PropertyType> AnimatedListPropertyTearOff;
+    typedef typename SVGAnimatedListPropertyTearOff<PropertyType>::ListWrapperCache ListWrapperCache;
+    static PassRefPtr<Self> create(AnimatedListPropertyTearOff* animatedProperty, SVGPropertyRole role)
+    {
         ASSERT(animatedProperty);
+        return adoptRef(new Self(animatedProperty, role, values));
+    }
+    // Used for non-animated POD types (for example: SVGStringList).
+    static PassRefPtr<Self> create(const PropertyType& initialValue)
+    {
+        return adoptRef(new Self(initialValue));
+        return adoptRef(new Self(animatedProperty, role));
+    }
     int removeItemFromList(ListItemTearOff* removeItem, bool shouldSynchronizeWrappers)
+    {
+        PropertyType& values = m_animatedProperty->values();
+        ListWrapperCache& wrappers = m_animatedProperty->wrappers();
         // Lookup item in cache and remove its corresponding wrapper.
         unsigned size = m_wrappers.size();
         ASSERT(size == m_values->size());
+        unsigned size = wrappers.size();
+        ASSERT(size == values.size());
         for (unsigned i = 0; i < size; ++i) {
             RefPtr<ListItemTearOff>& item = m_wrappers.at(i);
+            RefPtr<ListItemTearOff>& item = wrappers.at(i);
             if (item != removeItem)
                 continue;
             item->detachWrapper();
             m_wrappers.remove(i);
             m_values->remove(i);
+            wrappers.remove(i);
+            values.remove(i);
             if (shouldSynchronizeWrappers)
 …
+    }
-    void detachListWrappers(unsigned newListSize)
+    {
-        // See SVGPropertyTearOff::detachWrapper() for an explaination what's happening here.
-        unsigned size = m_wrappers.size();
-        ASSERT(size == m_values->size());
-        for (unsigned i = 0; i < size; ++i) {
-            RefPtr<ListItemTearOff>& item = m_wrappers.at(i);
-            if (!item)
-                continue;
-            item->detachWrapper();
+        }
-        // Reinitialize the wrapper cache to be equal to the new values size, after the XML DOM changed the list.
-        if (newListSize)
-            m_wrappers.fill(0, newListSize);
-        else
-            m_wrappers.clear();
+    }
     // SVGList API
     void clear(ExceptionCode& ec)
 …
+        }
         detachListWrappers(0);
         m_values->clear();
+        m_animatedProperty->detachListWrappers(0);
+        m_animatedProperty->values().clear();
+    }
     unsigned numberOfItems() const
+    {
         return m_values->size();
+        return m_animatedProperty->values().size();
+    }
 …
+        }
+        PropertyType& values = m_animatedProperty->values();
+        ListWrapperCache& wrappers = m_animatedProperty->wrappers();
         RefPtr<ListItemTearOff> newItem = passNewItem;
         ASSERT(m_values->size() == m_wrappers.size());
+        ASSERT(values.size() == wrappers.size());
         // Spec: If the inserted item is already in a list, it is removed from its previous list before it is inserted into this list.
 …
         // Spec: Clears all existing current items from the list and re-initializes the list to hold the single item specified by the parameter.
         detachListWrappers(0);
         m_values->clear();
         m_values->append(newItem->propertyReference());
         m_wrappers.append(newItem);
+        m_animatedProperty->detachListWrappers(0);
+        values.clear();
+        values.append(newItem->propertyReference());
+        wrappers.append(newItem);
         commitChange();
 …
     PassListItemTearOff getItem(unsigned index, ExceptionCode& ec)
+    {
+        if (index >= m_values->size()) {
+        PropertyType& values = m_animatedProperty->values();
+        if (index >= values.size()) {
             ec = INDEX_SIZE_ERR;
             return 0;
+        }
+        ListWrapperCache& wrappers = m_animatedProperty->wrappers();
         // Spec: Returns the specified item from the list. The returned item is the item itself and not a copy.
         // Any changes made to the item are immediately reflected in the list.
         ASSERT(m_values->size() == m_wrappers.size());
         RefPtr<ListItemTearOff> wrapper = m_wrappers.at(index);
+        ASSERT(values.size() == wrappers.size());
+        RefPtr<ListItemTearOff> wrapper = wrappers.at(index);
         if (!wrapper) {
             // Create new wrapper, which is allowed to directly modify the item in the list, w/o copying and cache the wrapper in our map.
             // It is also associated with our animated property, so it can notify the SVG Element which holds the SVGAnimated*List
             // that it has been modified (and thus can call svgAttributeChanged(associatedAttributeName)).
             wrapper = ListItemTearOff::create(m_animatedProperty.get(), UndefinedRole, m_values->at(index));
             m_wrappers.at(index) = wrapper;
+            wrapper = ListItemTearOff::create(m_animatedProperty.get(), UndefinedRole, values.at(index));
+            wrappers.at(index) = wrapper;
+        }
 …
+        }
+        PropertyType& values = m_animatedProperty->values();
+        ListWrapperCache& wrappers = m_animatedProperty->wrappers();
         // Spec: If the index is greater than or equal to numberOfItems, then the new item is appended to the end of the list.
         if (index > m_values->size())
              index = m_values->size();
+        if (index > values.size())
+             index = values.size();
         RefPtr<ListItemTearOff> newItem = passNewItem;
         ASSERT(m_values->size() == m_wrappers.size());
+        ASSERT(values.size() == wrappers.size());
         // Spec: If newItem is already in a list, it is removed from its previous list before it is inserted into this list.
 …
         // Spec: Inserts a new item into the list at the specified position. The index of the item before which the new item is to be
         // inserted. The first item is number 0. If the index is equal to 0, then the new item is inserted at the front of the list.
         m_values->insert(index, newItem->propertyReference());
+        values.insert(index, newItem->propertyReference());
         // Store new wrapper at position 'index', change its underlying value, so mutations of newItem, directly affect the item in the list.
         m_wrappers.insert(index, newItem);
+        wrappers.insert(index, newItem);
         commitChange();
 …
+        }
+        if (index >= m_values->size()) {
+        PropertyType& values = m_animatedProperty->values();
+        if (index >= values.size()) {
             ec = INDEX_SIZE_ERR;
             return 0;
 …
+        }
+        ListWrapperCache& wrappers = m_animatedProperty->wrappers();
+        ASSERT(values.size() == wrappers.size());
         RefPtr<ListItemTearOff> newItem = passNewItem;
-        ASSERT(m_values->size() == m_wrappers.size());
         // Spec: If newItem is already in a list, it is removed from its previous list before it is inserted into this list.
 …
         // Detach the existing wrapper.
         RefPtr<ListItemTearOff>& oldItem = m_wrappers.at(index);
+        RefPtr<ListItemTearOff>& oldItem = wrappers.at(index);
         if (oldItem)
             oldItem->detachWrapper();
         // Update the value and the wrapper at the desired position 'index'.
         m_values->at(index) = newItem->propertyReference();
         m_wrappers.at(index) = newItem;
+        values.at(index) = newItem->propertyReference();
+        wrappers.at(index) = newItem;
         commitChange();
 …
+        }
+        if (index >= m_values->size()) {
+        PropertyType& values = m_animatedProperty->values();
+        if (index >= values.size()) {
             ec = INDEX_SIZE_ERR;
             return 0;
+        }
+        ASSERT(m_values->size() == m_wrappers.size());
+        ListWrapperCache& wrappers = m_animatedProperty->wrappers();
+        ASSERT(values.size() == wrappers.size());
         // Detach the existing wrapper.
         RefPtr<ListItemTearOff>& oldItem = m_wrappers.at(index);
+        RefPtr<ListItemTearOff>& oldItem = wrappers.at(index);
         if (oldItem) {
             oldItem->detachWrapper();
             m_wrappers.remove(index);
+        }
         m_values->remove(index);
+            wrappers.remove(index);
+        }
+        values.remove(index);
         commitChange();
 …
+        }
+        PropertyType& values = m_animatedProperty->values();
+        ListWrapperCache& wrappers = m_animatedProperty->wrappers();
         RefPtr<ListItemTearOff> newItem = passNewItem;
         ASSERT(m_values->size() == m_wrappers.size());
+        ASSERT(values.size() == wrappers.size());
         // Spec: If newItem is already in a list, it is removed from its previous list before it is inserted into this list.
 …
         // Append the value and wrapper at the end of the list.
         m_values->append(newItem->propertyReference());
         m_wrappers.append(newItem);
+        values.append(newItem->propertyReference());
+        wrappers.append(newItem);
         commitChange();
 …
 private:
     SVGListPropertyTearOff(SVGAnimatedProperty* animatedProperty, SVGPropertyRole role, PropertyType& values)
+    SVGListPropertyTearOff(AnimatedListPropertyTearOff* animatedProperty, SVGPropertyRole role)
         : m_animatedProperty(animatedProperty)
         , m_role(role)
+        , m_values(&values)
+        , m_valuesIsCopy(false)
+    {
+        // Using operator & is completly fine, as SVGAnimatedProperty owns this reference,
+        // and we're guaranteed to live as long as SVGAnimatedProperty does.
+        if (!values.isEmpty())
+            m_wrappers.fill(0, values.size());
+    }
+    SVGListPropertyTearOff(const PropertyType& initialValue)
+        : m_animatedProperty(0)
+        , m_role(UndefinedRole)
+        , m_values(new PropertyType(initialValue))
+        , m_valuesIsCopy(true)
+    {
+    }
+    virtual ~SVGListPropertyTearOff()
+    {
+        if (m_valuesIsCopy)
+            delete m_values;
+    {
+        ASSERT(animatedProperty);
+        ASSERT(role != UndefinedRole);
+    }
     void commitChange()
+    {
+        // Update existing wrappers, as the index in the m_values list has changed.
+        unsigned size = m_wrappers.size();
+        ASSERT(size == m_values->size());
+        PropertyType& values = m_animatedProperty->values();
+        ListWrapperCache& wrappers = m_animatedProperty->wrappers();
+        // Update existing wrappers, as the index in the values list has changed.
+        unsigned size = wrappers.size();
+        ASSERT(size == values.size());
         for (unsigned i = 0; i < size; ++i) {
             RefPtr<ListItemTearOff>& item = m_wrappers.at(i);
+            RefPtr<ListItemTearOff>& item = wrappers.at(i);
             if (!item)
                 continue;
             item->setAnimatedProperty(m_animatedProperty.get());
+            item->setValue(m_values->at(i));
+        }
+        ASSERT(!m_valuesIsCopy);
+        ASSERT(m_animatedProperty);
+            item->setValue(values.at(i));
+        }
         m_animatedProperty->commitChange();
+    }
 …
     // Back pointer to the animated property that created us
     // For example (text.x.baseVal): m_animatedProperty points to the 'x' SVGAnimatedLengthList object
     RefPtr<SVGAnimatedProperty> m_animatedProperty;
+    RefPtr<AnimatedListPropertyTearOff> m_animatedProperty;
     // The role of this property (baseVal or animVal)
     SVGPropertyRole m_role;
-    // For the example above (text.x.baseVal): A reference to the SVGLengthList& stored in the SVGTextElement, which we can directly modify
-    PropertyType* m_values;
-    bool m_valuesIsCopy : 1;
-    // A list of wrappers, which is always in sync between m_values.
-    ListWrapperCache m_wrappers;
 };

Note: See TracChangeset for help on using the changeset viewer.