Avoid race condition when iterating over pending resources
author schenney@chromium.org <schenney@chromium.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Sun, 25 Mar 2012 17:41:18 +0000 (17:41 +0000)
committer schenney@chromium.org <schenney@chromium.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Sun, 25 Mar 2012 17:41:18 +0000 (17:41 +0000)
commit 03e05877cb9bfa0bd384fbcee7ed8274130697dc
tree a0bfae0d6ae7fda667270fa8b76f99dc2341f07f
parent 1b9f62840ab3f4d7285d3c2d74b812cc284a66cb
Avoid race condition when iterating over pending resources
https://bugs.webkit.org/show_bug.cgi?id=82115

Patch by Philip Rogers <pdr@google.com> on 2012-03-25
Reviewed by Nikolas Zimmermann.

Source/WebCore:

We can hit a race condition in SVGStyledElement::buildPendingResourcesIfNeeded
where pending elements can become non-pending while we iterate over them.

This patch cleans up buildPendingResourcesIfNeeded and re-works how pending
resources are removed. Because pending resources can be modified while
iterating over them, we introduce m_pendingResourcesForRemoval that
holds pending resources that are marked for removal. Instead of iterating
over this list we simply remove each pending resource from
m_pendingResourcesForRemoval; if a pending resource is modified or removed
during the processing of another pending resource this list is updated before
the next element can be accessed.

This change also removes removePendingResourceForElement which is no longer
referenced.

Test: http/tests/svg/change-id-with-pending-resources.html

* svg/SVGDocumentExtensions.cpp:
(WebCore::SVGDocumentExtensions::~SVGDocumentExtensions):
(WebCore::SVGDocumentExtensions::removeElementFromPendingResources):
(WebCore::SVGDocumentExtensions::removePendingResourceForRemoval):
(WebCore):
(WebCore::SVGDocumentExtensions::markPendingResourcesForRemoval):
(WebCore::SVGDocumentExtensions::removeElementFromPendingResourcesForRemoval):
* svg/SVGDocumentExtensions.h:
(SVGDocumentExtensions):
* svg/SVGStyledElement.cpp:
(WebCore::SVGStyledElement::buildPendingResourcesIfNeeded):

LayoutTests:

* http/tests/svg/change-id-with-pending-resources-expected.txt: Added.
* http/tests/svg/change-id-with-pending-resources.html: Added.
* http/tests/svg/resources/svg-use-defs-rect.svg: Added.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@112030 268f45cc-cd09-0410-ab3c-d52691b4dbfc
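
The drain pattern the commit message describes, as an added example that is not WebKit's code: a simplified model in which elements are plain ints and `PendingRegistry`, `buildPending` and the other names are hypothetical. Each pass pops one element from the marked-for-removal set, so a callback that removes other elements during processing never invalidates an iterator held by the loop.

```cpp
#include <functional>
#include <map>
#include <set>
#include <string>
#include <vector>

// Simplified model of the pattern in the commit message; all names are hypothetical.
class PendingRegistry {
public:
    void addPending(const std::string& id, int element) { m_pending[id].insert(element); }
    // Move every element waiting on `id` into the marked-for-removal set.
    void markForRemoval(const std::string& id) {
        auto it = m_pending.find(id);
        if (it == m_pending.end()) return;
        m_forRemoval[id].insert(it->second.begin(), it->second.end());
        m_pending.erase(it);
    }
    // Pop one marked element, or return -1 when none remain. No iterator
    // outlives this call, so later mutation cannot invalidate anything.
    int takeNextForRemoval(const std::string& id) {
        auto it = m_forRemoval.find(id);
        if (it == m_forRemoval.end() || it->second.empty()) return -1;
        int element = *it->second.begin();
        it->second.erase(it->second.begin());
        if (it->second.empty()) m_forRemoval.erase(it);
        return element;
    }
    // Called when an element goes away or stops being pending, possibly re-entrantly.
    void removeElement(int element) {
        for (auto& entry : m_pending) entry.second.erase(element);
        for (auto& entry : m_forRemoval) entry.second.erase(element);
    }

private:
    std::map<std::string, std::set<int>> m_pending;
    std::map<std::string, std::set<int>> m_forRemoval;
};

// Drain loop: `build` may call back into the registry while an element is processed.
std::vector<int> buildPending(PendingRegistry& registry, const std::string& id,
                              const std::function<void(int)>& build) {
    std::vector<int> built;
    registry.markForRemoval(id);
    for (int e; (e = registry.takeNextForRemoval(id)) != -1;) {
        build(e);
        built.push_back(e);
    }
    return built;
}
```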
LayoutTests/ChangeLog
LayoutTests/http/tests/svg/change-id-with-pending-resources-expected.txt [new file with mode: 0644]
LayoutTests/http/tests/svg/change-id-with-pending-resources.html [new file with mode: 0644]
LayoutTests/http/tests/svg/resources/svg-use-defs-rect.svg [new file with mode: 0644]
Source/WebCore/ChangeLog
Source/WebCore/svg/SVGDocumentExtensions.cpp
Source/WebCore/svg/SVGDocumentExtensions.h
Source/WebCore/svg/SVGStyledElement.cpp