2010-07-05 Nikolas Zimmermann <nzimmermann@rim.com>
author zimmermann@webkit.org <zimmermann@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Mon, 5 Jul 2010 12:27:35 +0000 (12:27 +0000)
committer zimmermann@webkit.org <zimmermann@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Mon, 5 Jul 2010 12:27:35 +0000 (12:27 +0000)
commit f291d736118bff9512b586469c3ac89eb42a71a5
tree f55aeee98e1d47004c58da007b88bf372e2631cc
parent 812003962083b99694ac9b4a1c8dc19bc0ac2611
2010-07-05  Nikolas Zimmermann  <nzimmermann@rim.com>

        Reviewed by Darin Adler.

        Memory corruption with SVG <use> element
        https://bugs.webkit.org/show_bug.cgi?id=40994

        Fix race condition in svgAttributeChanged. Never call svgAttributeChanged() from attributeChanged()
        when we're synchronizing SVG attributes. It leads to either unnecessary extra work being done or
        crashes. Especially together with <polyline>/<polygon> which always synchronize the SVGAnimatedPoints
        data structure with the points attribute, no matter if there are changes or not. This should be
        further optimized, but this fix is sane and fixes the root of the evil races.

        Test: svg/custom/use-property-synchronization-crash.svg

        * svg/SVGElement.cpp:
        (WebCore::SVGElement::attributeChanged):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@62482 268f45cc-cd09-0410-ab3c-d52691b4dbfc
LayoutTests/ChangeLog
LayoutTests/platform/mac/svg/custom/use-property-synchronization-crash-expected.checksum [new file with mode: 0644]
LayoutTests/platform/mac/svg/custom/use-property-synchronization-crash-expected.png [new file with mode: 0644]
LayoutTests/platform/mac/svg/custom/use-property-synchronization-crash-expected.txt [new file with mode: 0644]
LayoutTests/svg/custom/use-property-synchronization-crash.svg [new file with mode: 0644]
WebCore/ChangeLog
WebCore/svg/SVGElement.cpp