Title: [117792] trunk
Revision: 117792
Author: schen...@chromium.org
Date: 2012-05-21 09:19:58 -0700 (Mon, 21 May 2012)

Log Message

SVGAnimatedPropertyTearOff does not clear a self pointer on deletion
https://bugs.webkit.org/show_bug.cgi?id=86119

Reviewed by Nikolas Zimmermann.

Source/WebCore: 

SVGAnimatedPropertyTearOff contains two SVGPropertyTearOff objects
that have a pointer back to the SVGAnimatedPropertyTearOff. JS may
also have a reference to these SVGPropertyTearOff objects. When the
SVGAnimatedPropertyTearOff is deleted, the SVGPropertyTearOff objects
may live on, but the pointer back to the deleted animated property
tear off is left invalid. This patch clears the pointers on destruction
of the SVGAnimatedPropertyTearOff.

Test: svg/custom/bug86119.html

* svg/properties/SVGAnimatedPropertyTearOff.h:
(WebCore::SVGAnimatedPropertyTearOff::~SVGAnimatedPropertyTearOff):
(SVGAnimatedPropertyTearOff):

LayoutTests: 

* svg/custom/bug86119.html: Added.
* svg/custom/bug86119-expected.txt: Added.

Diff

Modified: trunk/LayoutTests/ChangeLog (117791 => 117792)


--- trunk/LayoutTests/ChangeLog	2012-05-21 16:13:52 UTC (rev 117791)
+++ trunk/LayoutTests/ChangeLog	2012-05-21 16:19:58 UTC (rev 117792)
@@ -1,3 +1,13 @@
+2012-05-21  Stephen Chenney  <schen...@chromium.org>
+
+        SVGAnimatedPropertyTearOff does not clear a self pointer on deletion
+        https://bugs.webkit.org/show_bug.cgi?id=86119
+
+        Reviewed by Nikolas Zimmermann.
+
+        * svg/custom/bug86119.html: Added.
+        * svg/custom/bug86119-expected.txt: Added.
+
 2012-05-21  Luke Macpherson  <macpher...@chromium.org>
 
         Add additional test cases for CSS variables.

Added: trunk/LayoutTests/svg/custom/bug86119-expected.txt (0 => 117792)


--- trunk/LayoutTests/svg/custom/bug86119-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/svg/custom/bug86119-expected.txt	2012-05-21 16:19:58 UTC (rev 117792)
@@ -0,0 +1 @@
+Test for Bug 86119. Test passes if it does not crash. 
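Review bot: the single expected line ends in a trailing space ("does not crash. "); text dumps are compared byte for byte, so either keep that whitespace deliberately or strip it here and in the HTML body so the two stay identical.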

Added: trunk/LayoutTests/svg/custom/bug86119.html (0 => 117792)


--- trunk/LayoutTests/svg/custom/bug86119.html	                        (rev 0)
+++ trunk/LayoutTests/svg/custom/bug86119.html	2012-05-21 16:19:58 UTC (rev 117792)
@@ -0,0 +1,47 @@
+<html>
+  <head>
+    <script>
+      if (window.layoutTestController) {
+        layoutTestController.dumpAsText();
+      }
+
+      function onload()
+      {
+        window.svgRoot = document.getElementById("svgRoot");
+        window.svgViewBaseVal = window.svgRoot.viewBox.baseVal;
+
+        // Cause GC of window.svgRoot.viewBox
+        if (window.GCController)
+          GCController.collect();
+
+        // Set a value on window.svgViewBaseVal
+        window.svgViewBaseVal.height = 56;
+        if (window.svgRoot.viewBox.baseVal.height != 56)
+          document.body.innerHTML = "FAIL";
+
+        // Repeat with a non-dom-attached viewBox
+        window.viewElement = parent.document.createElementNS("http://www.w3.org/2000/svg", "view");
+        window.viewBaseVal = window.viewElement.viewBox.baseVal;
+        if (window.GCController)
+          GCController.collect();
+        window.viewBaseVal.height = 12;
+        if (window.viewElement.viewBox.baseVal.height != 12)
+          document.body.innerHTML = "FAIL";
+        else {
+          document.body.appendChild(window.viewElement);
+          window.viewBaseVal.height = 34;
+          if (window.viewElement.viewBox.baseVal.height != 34)
+            document.body.innerHTML = "FAIL";
+        }
+      }
+    </script>
+  </head>
+  <body _onload_="onload()">
+    Test for Bug 86119. Test passes if it does not crash and you see a green
+    rectangle above this text.
+    <svg id="svgRoot" width="100" height="100" xmlns:svg="http://www.w3.org/2000/svg">
+      <rect x="10" height="80" width="80" y="10" fill="green"/>
+    </svg>
+  </body>
+</html>
+
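Review bot: the body tag in this hunk reads `_onload_="onload()"` rather than `onload="onload()"`; `_onload_` is not an event handler attribute, so if that is the checked-in text the `onload()` function never runs, nothing is GC'd or written, and the test passes without exercising the bug at all. Please confirm the attribute is `onload`. Two smaller points: the body text says "Test passes if it does not crash and you see a green rectangle above this text" while bug86119-expected.txt contains only "Test passes if it does not crash.", so the dumpAsText output will not match the expected file unless the wording is made identical (and the rectangle is rendered below the text, not above); and `parent.document.createElementNS(...)` should just be `document.createElementNS(...)`, since the test is not framed and the point is a detached element in this document.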

Modified: trunk/Source/WebCore/ChangeLog (117791 => 117792)


--- trunk/Source/WebCore/ChangeLog	2012-05-21 16:13:52 UTC (rev 117791)
+++ trunk/Source/WebCore/ChangeLog	2012-05-21 16:19:58 UTC (rev 117792)
@@ -1,5 +1,26 @@
 2012-05-21  Stephen Chenney  <schen...@chromium.org>
 
+        SVGAnimatedPropertyTearOff does not clear a self pointer on deletion
+        https://bugs.webkit.org/show_bug.cgi?id=86119
+
+        Reviewed by Nikolas Zimmermann.
+
+        SVGAnimatedPropertyTearOff contains two SVGPropertyTearOff objects
+        that have a pointer back to the SVGAnimatedPropertyTearOff. JS may
+        also have a reference to these SVGPropertyTearOff objects. When the
+        SVGAnimatedPropertyTearOff is deleted, the SVGPropertyTearOff objects
+        may live on, but the pointer back to the deleted animated property
+        tear off is left invalid. This patch clears the pointers on destruction
+        of the SVGAnimatedPropertyTearOff.
+
+        Test: svg/custom/bug86119.html
+
+        * svg/properties/SVGAnimatedPropertyTearOff.h:
+        (WebCore::SVGAnimatedPropertyTearOff::~SVGAnimatedPropertyTearOff):
+        (SVGAnimatedPropertyTearOff):
+
+2012-05-21  Stephen Chenney  <schen...@chromium.org>
+
         [Chromium] REGRESSION: Assertion failure on svg/custom/acid3-test-77.html
         https://bugs.webkit.org/show_bug.cgi?id=86715
 

Modified: trunk/Source/WebCore/svg/properties/SVGAnimatedPropertyTearOff.h (117791 => 117792)


--- trunk/Source/WebCore/svg/properties/SVGAnimatedPropertyTearOff.h	2012-05-21 16:13:52 UTC (rev 117791)
+++ trunk/Source/WebCore/svg/properties/SVGAnimatedPropertyTearOff.h	2012-05-21 16:19:58 UTC (rev 117792)
@@ -32,6 +32,18 @@
     typedef SVGPropertyTearOff<PropertyType> PropertyTearOff;
     typedef PropertyType ContentType;
 
+    virtual ~SVGAnimatedPropertyTearOff()
+    {
+        if (m_baseVal) {
+            ASSERT(m_baseVal->animatedProperty() == this);
+            m_baseVal->setAnimatedProperty(0);
+        }
+        if (m_animVal) {
+            ASSERT(m_animVal->animatedProperty() == this);
+            m_animVal->setAnimatedProperty(0);
+        }
+    }
+
     PropertyTearOff* baseVal()
     {
         if (!m_baseVal)
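Review bot: clearing the back pointer with `setAnimatedProperty(0)` turns the dangling pointer into a null one, but this hunk does not touch SVGPropertyTearOff, so every path there that dereferences `animatedProperty()` (for example the commit that runs when JS assigns `baseVal.height` after the animated tear-off has been collected, exactly what bug86119.html does) must already tolerate null; otherwise the use-after-free becomes a null dereference and the test still crashes. Please confirm those call sites check for a null animated property, and note that the two `ASSERT`s only guard debug builds, so a mismatched back pointer in release would be silently overwritten.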
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
http://lists.webkit.org/mailman/listinfo.cgi/webkit-changes