[webkit-reviews] review granted: [Bug 26117] REGRESSION (r37381-r37442) : Reproducible crash viewing an SVG : [Attachment 39980] Modified test case

bugzilla-daemon at webkit.org
Mon Oct 19 19:37:07 PDT 2009


Nikolas Zimmermann <zimmermann at kde.org> has granted review:
Bug 26117: REGRESSION (r37381-r37442) : Reproducible crash viewing an SVG
https://bugs.webkit.org/show_bug.cgi?id=26117

Attachment 39980: Modified test case
https://bugs.webkit.org/attachment.cgi?id=39980&action=review

------- Additional Comments from Nikolas Zimmermann <zimmermann at kde.org>
I've tested the patch, and indeed the problem is real and the fix is sound. Got
on the wrong track because of some interesting (maybe dangerous) refcounting
issues:

I hope Bugzilla displays the following paste correctly, I guess not, better
copy to a texteditor and view it there :-)

<quote>
Dumping <use> instance tree:
SVGElementInstance this=0x1a3af180, (parentNode=defs, firstChild=#text,
correspondingElement=g (0x1a3ab5e0), shadowTreeElement=0x1a3b0830,
id=loupePlus)
Corresponding element is associated with 1 instance(s):
-> SVGElementInstance this=0x1a3af180, (refCount: 1, shadowTreeElement in
document? 1)
 SVGElementInstance this=0x1a3b07f0, (parentNode=g, firstChild=#text,
correspondingElement=use (0x8986000), shadowTreeElement=0x1a3af680, id=useRim)
 Corresponding element is associated with 1 instance(s):
  -> SVGElementInstance this=0x1a3b07f0, (refCount: 0, shadowTreeElement in
document? 1)
   SVGElementInstance this=0x1a3b0550, (parentNode=defs, firstChild=null,
correspondingElement=circle (0x1a3ab0c0), shadowTreeElement=0x1a3afdc0, id=rim)

   Corresponding element is associated with 2 instance(s):
    -> SVGElementInstance this=0x1a3aba10, (refCount: 1, shadowTreeElement in
document? 1) <-------------------------------------------- HERE!
    -> SVGElementInstance this=0x1a3b0550, (refCount: 0, shadowTreeElement in
document? 1)

Dumping <use> shadow tree markup:
<g xmlns="http://www.w3.org/2000/svg" transform="translate(300.000000,
300.000000)"><g id="loupePlus">
	   <g id="useRim" fill="#e33c31"><circle id="rim" cx="0" cy="0"
r="70"/></g>
       </g></g>
</quote>

I saw these different refcounts, and thought Robin's patch may be the cause,
though it's just like this in trunk. Someone needs to investigate who's holding
the refcounts, etc. We definitely have to check whether we leak around
SVGElementInstance objects and/or (even worse) shadow tree elements. I don't
trust leak bots :-)
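As an added illustration, not WebKit code and not part of the review above, the C++ sketch below models what that dump is checking: an intrusive-refcounted instance tree (parent owns child through one ref()), a non-owning side table like the "corresponding element is associated with N instance(s)" list, and an audit that reports every registered instance whose refCount is 0. Such an instance is either leaked (deref() never reaches zero) or one adopt-and-release away from being freed while the table still points at it. The class, function and element names, the start-at-zero refcount convention and the sample tree are assumptions of this example, not WebKit's implementation.

```cpp
#include <iostream>
#include <map>
#include <string>
#include <utility>
#include <vector>

// Live-object count so a test can prove teardown freed everything
// (example stand-in for a real leak checker, assumption of this sketch).
static int g_liveInstances = 0;
int liveInstanceCount() { return g_liveInstances; }

// Minimal intrusive refcount in the spirit of a RefCounted<T> base class.
// Assumption: a fresh object starts at refCount 0 and is only kept alive by
// ref(); deref() to zero deletes it.
class Instance {
public:
    explicit Instance(std::string id) : m_id(std::move(id)) { ++g_liveInstances; }

    void ref() { ++m_refCount; }
    void deref()
    {
        if (--m_refCount == 0)
            delete this;
    }
    int refCount() const { return m_refCount; }
    const std::string& id() const { return m_id; }
    const std::vector<Instance*>& children() const { return m_children; }

    // Owning edge: the parent holds one ref() on each child.
    void appendChild(Instance* child)
    {
        child->ref();
        m_children.push_back(child);
    }

private:
    ~Instance()
    {
        for (Instance* child : m_children)
            child->deref();
        --g_liveInstances;
    }
    std::string m_id;
    int m_refCount = 0;
    std::vector<Instance*> m_children; // owning, see appendChild()
};

// One line of the kind of dump quoted in the review: node id and refCount.
using DumpEntry = std::pair<std::string, int>;

void dumpTree(const Instance* node, std::vector<DumpEntry>& out)
{
    out.push_back({node->id(), node->refCount()});
    for (const Instance* child : node->children())
        dumpTree(child, out);
}

// Non-owning side table: corresponding-element id -> instances created for it
// (the "associated with N instance(s)" part of the dump).
using Registry = std::map<std::string, std::vector<Instance*>>;

// A registered instance at refCount 0 is owned by nobody: it leaks, or the
// first adopt-and-release frees it and leaves the table dangling.
std::vector<std::string> zeroRefInstances(const Registry& registry)
{
    std::vector<std::string> found;
    for (const auto& entry : registry)
        for (const Instance* instance : entry.second)
            if (instance->refCount() == 0)
                found.push_back(entry.first + "->" + instance->id());
    return found;
}

struct AuditResult { std::vector<DumpEntry> dump; std::vector<std::string> orphans; };

// Builds the <use> tree from the review (constructed sample data), registers
// each instance, adds one extra "rim" instance that is registered but never
// attached (the refCount 0 case flagged above), audits, then tears down.
AuditResult auditSampleTree()
{
    Registry registry;
    Instance* root = new Instance("loupePlus");
    root->ref(); // the caller owns the root
    Instance* useRim = new Instance("useRim");
    root->appendChild(useRim);
    Instance* rim = new Instance("rim");
    useRim->appendChild(rim);
    registry["g"].push_back(root);
    registry["use"].push_back(useRim);
    registry["circle"].push_back(rim);
    Instance* staleRim = new Instance("rim"); // nobody ever ref()s this one
    registry["circle"].push_back(staleRim);

    AuditResult result;
    dumpTree(root, result.dump);
    result.orphans = zeroRefInstances(registry);

    // Safe teardown order: drop the non-owning table first, free the orphan by
    // adopting and releasing it once, then release the root (cascades).
    registry.clear();
    staleRim->ref();
    staleRim->deref();
    root->deref();
    return result;
}

int main()
{
    AuditResult r = auditSampleTree();
    for (const DumpEntry& e : r.dump)
        std::cout << e.first << " refCount=" << e.second << '\n';
    for (const std::string& s : r.orphans)
        std::cout << "refCount 0 in registry: " << s << '\n';
    std::cout << "live after teardown: " << liveInstanceCount() << '\n';
}
```

The audit has to run before anything is released: once the root is dereffed, the table's pointers to freed nodes are themselves dangling and must not be dereferenced, which is why the teardown clears the registry first.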

