[Webkit-unassigned] [Bug 26117] REGRESSION (r37381-r37442) : Reproducible crash viewing an SVG

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Mon Oct 19 19:37:08 PDT 2009 

https://bugs.webkit.org/show_bug.cgi?id=26117


Nikolas Zimmermann <zimmermann at kde.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
  Attachment #39980|review-                     |review+, commit-queue+
               Flag|                            |




--- Comment #20 from Nikolas Zimmermann <zimmermann at kde.org>  2009-10-19 19:37:08 PDT ---
(From update of attachment 39980)
I've tested the patch, and indeed the problem is real and the fix is sound. Got
on the wrong track because of some interessting (maybe dangerous) refcounting
issues:

I hope Bugzilla displays the following paste correctly, I guess not, better
copy to a texteditor and view it there :-)

<quote>
Dumping <use> instance tree:
SVGElementInstance this=0x1a3af180, (parentNode=defs, firstChild=#text,
correspondingElement=g (0x1a3ab5e0), shadowTreeElement=0x1a3b0830,
id=loupePlus)
Corresponding element is associated with 1 instance(s):
-> SVGElementInstance this=0x1a3af180, (refCount: 1, shadowTreeElement in
document? 1)
 SVGElementInstance this=0x1a3b07f0, (parentNode=g, firstChild=#text,
correspondingElement=use (0x8986000), shadowTreeElement=0x1a3af680, id=useRim)
 Corresponding element is associated with 1 instance(s):
  -> SVGElementInstance this=0x1a3b07f0, (refCount: 0, shadowTreeElement in
document? 1)
   SVGElementInstance this=0x1a3b0550, (parentNode=defs, firstChild=null,
correspondingElement=circle (0x1a3ab0c0), shadowTreeElement=0x1a3afdc0, id=rim)
   Corresponding element is associated with 2 instance(s):
    -> SVGElementInstance this=0x1a3aba10, (refCount: 1, shadowTreeElement in
document? 1) <-------------------------------------------- HERE!
    -> SVGElementInstance this=0x1a3b0550, (refCount: 0, shadowTreeElement in
document? 1)

Dumping <use> shadow tree markup:
<g xmlns="http://www.w3.org/2000/svg" transform="translate(300.000000,
300.000000)"><g id="loupePlus">
           <g id="useRim" fill="#e33c31"><circle id="rim" cx="0" cy="0"
r="70"/></g>
       </g></g>
</quote>

I saw these different refcounts, and thought Robins patch may be the cause,
though it's just like this in trunk. Someone needs to investigate who's holding
the refcounts, etc. We definately have to check wheter we leak around
SVGElementInstance objects and/or (even worse) shadow tree elements. I don't
trust leak bots :-)

-- 
Configure bugmail: https://bugs.webkit.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.

More information about the webkit-unassigned mailing list