Diff
Modified: branches/safari-605-branch/LayoutTests/ChangeLog (227036 => 227037)
--- branches/safari-605-branch/LayoutTests/ChangeLog 2018-01-17 05:04:49 UTC (rev 227036)
+++ branches/safari-605-branch/LayoutTests/ChangeLog 2018-01-17 05:04:53 UTC (rev 227037)
@@ -1,5 +1,18 @@
2018-01-16 Jason Marcell <[email protected]>
+ Cherry-pick r226993. rdar://problem/36567965
+
+ 2018-01-16 Said Abou-Hallawa <[email protected]>
+
+ REGRESSION(r221292): svg/animations/animateTransform-pattern-transform.html crashes with security assertion
+ https://bugs.webkit.org/show_bug.cgi?id=179986
+
+ Reviewed by Simon Fraser.
+
+ * svg/dom/SVGAnimatedListPropertyTearOff-leak.html:
+
+2018-01-16 Jason Marcell <[email protected]>
+
Cherry-pick r226930. rdar://problem/36567972
2018-01-12 Myles C. Maxfield <[email protected]>
Modified: branches/safari-605-branch/LayoutTests/svg/dom/SVGAnimatedListPropertyTearOff-leak.html (227036 => 227037)
--- branches/safari-605-branch/LayoutTests/svg/dom/SVGAnimatedListPropertyTearOff-leak.html 2018-01-17 05:04:49 UTC (rev 227036)
+++ branches/safari-605-branch/LayoutTests/svg/dom/SVGAnimatedListPropertyTearOff-leak.html 2018-01-17 05:04:53 UTC (rev 227037)
@@ -35,74 +35,66 @@
<script src=""
<script>
- description("This test checks that custom data attributes are not lost due GC while still referenced.");
+description("This test checks that custom data attributes are not lost due GC while still referenced.");
- let iterations = 0;
- let currentScaling = 1
- const gElement = document.getElementById('svg').firstElementChild
- const transform = document.getElementById('current-transform')
+let iterations = 0;
+let currentScaling = 1
+const gElement = document.getElementById('svg').firstElementChild
+const transform = document.getElementById('current-transform')
- if (window.testRunner) {
- testRunner.dumpAsText();
- testRunner.waitUntilDone();
- }
+if (window.testRunner) {
+ testRunner.dumpAsText();
+ testRunner.waitUntilDone();
+}
- function checkCache() {
- let cache = gElement["data-transform-cache"];
- shouldBeCloseTo(cache.matrix.a.toString(), 0.5, 0.000000001);
- shouldBe(cache.matrix.b.toString(), "0");
- shouldBe(cache.matrix.c.toString(), "0");
- shouldBeCloseTo(cache.matrix.d.toString(), 0.5, 0.000000001);
- shouldBe(cache.matrix.e.toString(), "0");
- shouldBe(cache.matrix.f.toString(), "0");
- }
+function checkCache() {
+ let cache = gElement["data-transform-cache"];
+ shouldBeCloseTo(cache.matrix.a.toString(), 0.5, 0.000000001);
+ shouldBe(cache.matrix.b.toString(), "0");
+ shouldBe(cache.matrix.c.toString(), "0");
+ shouldBeCloseTo(cache.matrix.d.toString(), 0.5, 0.000000001);
+ shouldBe(cache.matrix.e.toString(), "0");
+ shouldBe(cache.matrix.f.toString(), "0");
+}
- function runTest() {
- currentScaling -= 0.1;
- const matrix = {
- elements: [currentScaling, 0, 0, currentScaling, 0, 0]
- }
- setMatrix(gElement, matrix);
- transform.innerHTML = matrix.elements.toString();
+function runTest() {
+ currentScaling -= 0.1;
+ const matrix = {
+ elements: [currentScaling, 0, 0, currentScaling, 0, 0]
+ }
+ setMatrix(gElement, matrix);
+ transform.innerHTML = matrix.elements.toString();
- if (++iterations < 5) {
- gc();
- gc();
- runTest();
- } else {
- checkCache();
- if (window.testRunner)
- testRunner.notifyDone();
- }
- }
+ if (++iterations < 5) {
+ gc();
+ gc();
+ runTest();
+ } else {
+ checkCache();
+ if (window.testRunner)
+ testRunner.notifyDone();
+ }
+}
- function setMatrix(element, matrix) {
- const elements = matrix.elements;
- let cache = element["data-transform-cache"];
- if (!cache) {
- cache = element.transform.baseVal.getItem(0);
- const m = element.transform.baseVal.getItem(0).matrix;
- m.a = elements[0];
- m.b = elements[1];
- m.c = elements[2];
- m.d = elements[3];
- m.e = elements[4];
- m.f = elements[5];
- element["data-transform-cache"] = cache
- } else {
- const m = cache.matrix;
- shouldBe
- if (cache !== element.transform.baseVal.getItem(0)) {
- console.log("FAIL: " + cache + " should be " + element.transform.baseVal.getItem(0) + " but is not.");
- document.getElementById('is-same-instance').style.backgroundColor = 'red';
- }
- m.a = elements[0];
- m.b = elements[1];
- m.c = elements[2];
- m.d = elements[3];
- m.e = elements[4];
- m.f = elements[5];
- }
- }
+function setMatrix(element, matrix) {
+ const elements = matrix.elements;
+ let cache = element["data-transform-cache"];
+
+ if (!cache) {
+ cache = element.transform.baseVal.getItem(0);
+ element["data-transform-cache"] = cache;
+ } else if (cache !== element.transform.baseVal.getItem(0)) {
+ console.log("FAIL: " + cache + " should be " + element.transform.baseVal.getItem(0) + " but is not.");
+ document.getElementById('is-same-instance').style.backgroundColor = 'red';
+ }
+
+ const m = cache.matrix;
+ m.a = elements[0];
+ m.b = elements[1];
+ m.c = elements[2];
+ m.d = elements[3];
+ m.e = elements[4];
+ m.f = elements[5];
+}
</script>
<script src=""
Modified: branches/safari-605-branch/Source/WebCore/ChangeLog (227036 => 227037)
--- branches/safari-605-branch/Source/WebCore/ChangeLog 2018-01-17 05:04:49 UTC (rev 227036)
+++ branches/safari-605-branch/Source/WebCore/ChangeLog 2018-01-17 05:04:53 UTC (rev 227037)
@@ -1,5 +1,90 @@
2018-01-16 Jason Marcell <[email protected]>
+ Cherry-pick r226993. rdar://problem/36567965
+
+ 2018-01-16 Said Abou-Hallawa <[email protected]>
+
+ REGRESSION(r221292): svg/animations/animateTransform-pattern-transform.html crashes with security assertion
+ https://bugs.webkit.org/show_bug.cgi?id=179986
+
+ Reviewed by Simon Fraser.
+
+ This patch reverts all or parts of the following changes-sets
+ <http://trac.webkit.org/changeset/221292>
+ <http://trac.webkit.org/changeset/197967>
+ <http://trac.webkit.org/changeset/196670>
+
+ A JS statement like this:
+ var item = text.x.animVal.getItem(0);
+
+ Creates the following C++ objects:
+ SVGAnimatedListPropertyTearOff<SVGLengthListValues> for 'text.x'
+ SVGListPropertyTearOff<SVGLengthListValues> for 'text.x.animVal'
+ SVGPropertyTearOff<SVGLengthValue> for 'text.x.animVal.getItem(0)'
+
+ If 'item' changes, the attribute 'x' of the element '<text>' will change
+ as well. But this binding works only in one direction. If the attribute
+ 'x' of the element '<text>' changes, e.g.:
+
+ text.setAttribute('x', '10,20,30');
+
+ This will detach 'item' from the element <text> and any further changes
+ in 'item' won't affect the attribute 'x' of element <text>.
+
+ The one direction binding can only work if this chain of tear-off objects
+ is kept connected. This is implemented by RefCounted back pointers from
+ SVGPropertyTearOff and SVGListPropertyTearOff to SVGAnimatedListPropertyTearOff.
+
+ The security crashes and the memory leaks are happening because of the
+ raw forward pointers:
+ -- SVGAnimatedListPropertyTearOff maintains raw pointers of type
+ SVGListPropertyTearOff for m_baseVal and m_animVal
+ -- The m_wrappers and m_animatedWrappers of SVGAnimatedListPropertyTearOff
+ are vectors of raw pointer Vector<SVGLength*>
+
+ To control the life cycle of the raw pointers, SVGListPropertyTearOff and
+ SVGPropertyTearOff call SVGAnimatedListPropertyTearOff::propertyWillBeDeleted()
+ to notify it they are going to be deleted. In propertyWillBeDeleted(), we
+ clear the pointers so they are not used after being freed. This mechanism
+ has been error-prone and we've never got it 100% right.
+
+ The solution we need to adopt with SVG tear-off objects is the following:
+ -- All the forward pointers should be weak pointers.
+ -- All the back pointers should be ref pointers.
+
+ This solution may not look intuitive but it solves the bugs and keeps the
+ one direction binding. The forward weak pointers allows the tear-off
+ objects to go aways if no reference from JS exists. The back ref pointers
+ maintains the chain of objects and guarantees the correct binding.
+
+ * svg/SVGPathSegList.h:
+ * svg/SVGTransformList.h:
+ * svg/properties/SVGAnimatedListPropertyTearOff.h:
+ (WebCore::SVGAnimatedListPropertyTearOff::baseVal):
+ (WebCore::SVGAnimatedListPropertyTearOff::animVal):
+ * svg/properties/SVGAnimatedPathSegListPropertyTearOff.h:
+ * svg/properties/SVGAnimatedProperty.h:
+ (WebCore::SVGAnimatedProperty::isAnimatedListTearOff const):
+ (WebCore::SVGAnimatedProperty::propertyWillBeDeleted): Deleted.
+ * svg/properties/SVGAnimatedPropertyTearOff.h:
+ * svg/properties/SVGAnimatedTransformListPropertyTearOff.h:
+ * svg/properties/SVGListProperty.h:
+ (WebCore::SVGListProperty::initializeValuesAndWrappers):
+ (WebCore::SVGListProperty::getItemValuesAndWrappers):
+ (WebCore::SVGListProperty::insertItemBeforeValuesAndWrappers):
+ (WebCore::SVGListProperty::replaceItemValuesAndWrappers):
+ (WebCore::SVGListProperty::removeItemValuesAndWrappers):
+ (WebCore::SVGListProperty::appendItemValuesAndWrappers):
+ (WebCore::SVGListProperty::createWeakPtr const):
+ * svg/properties/SVGListPropertyTearOff.h:
+ (WebCore::SVGListPropertyTearOff::removeItemFromList):
+ (WebCore::SVGListPropertyTearOff::~SVGListPropertyTearOff): Deleted.
+ * svg/properties/SVGPropertyTearOff.h:
+ (WebCore::SVGPropertyTearOff::createWeakPtr const):
+ (WebCore::SVGPropertyTearOff::~SVGPropertyTearOff):
+
+2018-01-16 Jason Marcell <[email protected]>
+
Cherry-pick r226990. rdar://problem/36568066
2018-01-16 Eric Carlson <[email protected]>
Modified: branches/safari-605-branch/Source/WebCore/svg/SVGPathSegList.h (227036 => 227037)
--- branches/safari-605-branch/Source/WebCore/svg/SVGPathSegList.h 2018-01-17 05:04:49 UTC (rev 227036)
+++ branches/safari-605-branch/Source/WebCore/svg/SVGPathSegList.h 2018-01-17 05:04:53 UTC (rev 227037)
@@ -100,12 +100,6 @@
{
}
- virtual ~SVGPathSegList()
- {
- if (m_animatedProperty)
- m_animatedProperty->propertyWillBeDeleted(*this);
- }
-
SVGPathElement* contextElement() const;
void clearContextAndRoles();
Modified: branches/safari-605-branch/Source/WebCore/svg/SVGTransformList.h (227036 => 227037)
--- branches/safari-605-branch/Source/WebCore/svg/SVGTransformList.h 2018-01-17 05:04:49 UTC (rev 227036)
+++ branches/safari-605-branch/Source/WebCore/svg/SVGTransformList.h 2018-01-17 05:04:53 UTC (rev 227037)
@@ -61,7 +61,7 @@
detachListWrappers(0);
RefPtr<SVGTransform> wrapper = m_values->consolidate();
- m_wrappers->append(wrapper.get());
+ m_wrappers->append(wrapper->createWeakPtr());
ASSERT(m_values->size() == m_wrappers->size());
return WTFMove(wrapper);
Modified: branches/safari-605-branch/Source/WebCore/svg/properties/SVGAnimatedListPropertyTearOff.h (227036 => 227037)
--- branches/safari-605-branch/Source/WebCore/svg/properties/SVGAnimatedListPropertyTearOff.h 2018-01-17 05:04:49 UTC (rev 227036)
+++ branches/safari-605-branch/Source/WebCore/svg/properties/SVGAnimatedListPropertyTearOff.h 2018-01-17 05:04:53 UTC (rev 227037)
@@ -34,7 +34,7 @@
public:
using ListItemType = typename SVGPropertyTraits<PropertyType>::ListItemType;
using ListItemTearOff = typename SVGPropertyTraits<PropertyType>::ListItemTearOff;
- using ListWrapperCache = Vector<ListItemTearOff*>;
+ using ListWrapperCache = Vector<WeakPtr<SVGPropertyTearOff<ListItemType>>>;
using ListProperty = SVGListProperty<PropertyType>;
using ListPropertyTearOff = typename SVGPropertyTraits<PropertyType>::ListPropertyTearOff;
using ContentType = PropertyType;
@@ -48,10 +48,10 @@
virtual Ref<ListPropertyTearOff> baseVal()
{
if (m_baseVal)
- return *m_baseVal;
+ return *static_cast<ListPropertyTearOff*>(m_baseVal.get());
auto property = ListPropertyTearOff::create(*this, BaseValRole, m_values, m_wrappers);
- m_baseVal = property.ptr();
+ m_baseVal = property->createWeakPtr();
return property;
}
@@ -58,27 +58,15 @@
virtual Ref<ListPropertyTearOff> animVal()
{
if (m_animVal)
- return *m_animVal;
+ return *static_cast<ListPropertyTearOff*>(m_animVal.get());
auto property = ListPropertyTearOff::create(*this, AnimValRole, m_values, m_wrappers);
- m_animVal = property.ptr();
+ m_animVal = property->createWeakPtr();
return property;
}
bool isAnimating() const override { return m_animatedProperty; }
bool isAnimatedListTearOff() const override { return true; }
- void propertyWillBeDeleted(const SVGProperty& property) override
- {
- if (&property == m_baseVal)
- m_baseVal = nullptr;
- else if (&property == m_animVal)
- m_animVal = nullptr;
- else {
- size_t i = m_wrappers.find(&property);
- if (i != notFound)
- m_wrappers[i] = nullptr;
- }
- }
int findItem(SVGProperty* property)
{
@@ -186,11 +174,11 @@
ListWrapperCache m_wrappers;
ListWrapperCache m_animatedWrappers;
- // Cache the raw pointer but return a RefPtr<>. This will break the cyclic reference
+ // Cache weak pointers but return Ref pointers. This will break the cyclic reference
// between SVGListPropertyTearOff and SVGAnimatedListPropertyTearOff once the property
// pointer is not needed.
- ListPropertyTearOff* m_baseVal { nullptr };
- ListPropertyTearOff* m_animVal { nullptr };
+ WeakPtr<SVGListProperty<PropertyType>> m_baseVal;
+ WeakPtr<SVGListProperty<PropertyType>> m_animVal;
RefPtr<ListProperty> m_animatedProperty;
};
Modified: branches/safari-605-branch/Source/WebCore/svg/properties/SVGAnimatedPathSegListPropertyTearOff.h (227036 => 227037)
--- branches/safari-605-branch/Source/WebCore/svg/properties/SVGAnimatedPathSegListPropertyTearOff.h 2018-01-17 05:04:49 UTC (rev 227036)
+++ branches/safari-605-branch/Source/WebCore/svg/properties/SVGAnimatedPathSegListPropertyTearOff.h 2018-01-17 05:04:53 UTC (rev 227037)
@@ -40,10 +40,10 @@
Ref<ListPropertyTearOff> baseVal() final
{
if (m_baseVal)
- return *m_baseVal;
+ return *static_cast<ListPropertyTearOff*>(m_baseVal.get());
auto property = SVGPathSegList::create(*this, BaseValRole, PathSegUnalteredRole, m_values, m_wrappers);
- m_baseVal = property.ptr();
+ m_baseVal = property->createWeakPtr();
return property;
}
@@ -50,10 +50,10 @@
Ref<ListPropertyTearOff> animVal() final
{
if (m_animVal)
- return *m_animVal;
+ return *static_cast<ListPropertyTearOff*>(m_animVal.get());
auto property = SVGPathSegList::create(*this, AnimValRole, PathSegUnalteredRole, m_values, m_wrappers);
- m_animVal = property.ptr();
+ m_animVal = property->createWeakPtr();
return property;
}
Modified: branches/safari-605-branch/Source/WebCore/svg/properties/SVGAnimatedProperty.h (227036 => 227037)
--- branches/safari-605-branch/Source/WebCore/svg/properties/SVGAnimatedProperty.h 2018-01-17 05:04:49 UTC (rev 227036)
+++ branches/safari-605-branch/Source/WebCore/svg/properties/SVGAnimatedProperty.h 2018-01-17 05:04:53 UTC (rev 227037)
@@ -42,7 +42,6 @@
virtual bool isAnimating() const { return false; }
virtual bool isAnimatedListTearOff() const { return false; }
- virtual void propertyWillBeDeleted(const SVGProperty&) { }
// Caching facilities.
typedef HashMap<SVGAnimatedPropertyDescription, SVGAnimatedProperty*, SVGAnimatedPropertyDescriptionHash, SVGAnimatedPropertyDescriptionHashTraits> Cache;
Modified: branches/safari-605-branch/Source/WebCore/svg/properties/SVGAnimatedPropertyTearOff.h (227036 => 227037)
--- branches/safari-605-branch/Source/WebCore/svg/properties/SVGAnimatedPropertyTearOff.h 2018-01-17 05:04:49 UTC (rev 227036)
+++ branches/safari-605-branch/Source/WebCore/svg/properties/SVGAnimatedPropertyTearOff.h 2018-01-17 05:04:53 UTC (rev 227037)
@@ -41,10 +41,10 @@
Ref<PropertyTearOff> baseVal()
{
if (m_baseVal)
- return *m_baseVal;
+ return *static_cast<PropertyTearOff*>(m_baseVal.get());
auto property = PropertyTearOff::create(*this, BaseValRole, m_property);
- m_baseVal = property.ptr();
+ m_baseVal = property->createWeakPtr();
return property;
}
@@ -51,23 +51,15 @@
Ref<PropertyTearOff> animVal()
{
if (m_animVal)
- return *m_animVal;
+ return *static_cast<PropertyTearOff*>(m_animVal.get());
auto property = PropertyTearOff::create(*this, AnimValRole, m_property);
- m_animVal = property.ptr();
+ m_animVal = property->createWeakPtr();
return property;
}
bool isAnimating() const final { return m_animatedProperty; }
- void propertyWillBeDeleted(const SVGProperty& property) final
- {
- if (&property == m_baseVal)
- m_baseVal = nullptr;
- else if (&property == m_animVal)
- m_animVal = nullptr;
- }
-
PropertyType& currentAnimatedValue()
{
ASSERT(isAnimating());
@@ -119,8 +111,8 @@
}
PropertyType& m_property;
- PropertyTearOff* m_baseVal { nullptr };
- PropertyTearOff* m_animVal { nullptr };
+ WeakPtr<SVGPropertyTearOff<PropertyType>> m_baseVal;
+ WeakPtr<SVGPropertyTearOff<PropertyType>> m_animVal;
RefPtr<PropertyTearOff> m_animatedProperty;
};
Modified: branches/safari-605-branch/Source/WebCore/svg/properties/SVGAnimatedTransformListPropertyTearOff.h (227036 => 227037)
--- branches/safari-605-branch/Source/WebCore/svg/properties/SVGAnimatedTransformListPropertyTearOff.h 2018-01-17 05:04:49 UTC (rev 227036)
+++ branches/safari-605-branch/Source/WebCore/svg/properties/SVGAnimatedTransformListPropertyTearOff.h 2018-01-17 05:04:53 UTC (rev 227037)
@@ -35,10 +35,10 @@
Ref<ListPropertyTearOff> baseVal() final
{
if (m_baseVal)
- return *m_baseVal;
+ return *static_cast<ListPropertyTearOff*>(m_baseVal.get());
auto property = SVGTransformList::create(*this, BaseValRole, m_values, m_wrappers);
- m_baseVal = property.ptr();
+ m_baseVal = property->createWeakPtr();
return property;
}
@@ -45,10 +45,10 @@
Ref<ListPropertyTearOff> animVal() final
{
if (m_animVal)
- return *m_animVal;
+ return *static_cast<ListPropertyTearOff*>(m_animVal.get());
auto property = SVGTransformList::create(*this, AnimValRole, m_values, m_wrappers);
- m_animVal = property.ptr();
+ m_animVal = property->createWeakPtr();
return property;
}
Modified: branches/safari-605-branch/Source/WebCore/svg/properties/SVGListProperty.h (227036 => 227037)
--- branches/safari-605-branch/Source/WebCore/svg/properties/SVGListProperty.h 2018-01-17 05:04:49 UTC (rev 227036)
+++ branches/safari-605-branch/Source/WebCore/svg/properties/SVGListProperty.h 2018-01-17 05:04:53 UTC (rev 227037)
@@ -162,7 +162,7 @@
m_values->clear();
m_values->append(newItem->propertyReference());
- m_wrappers->append(newItem.ptr());
+ m_wrappers->append(newItem->createWeakPtr());
commitChange();
return WTFMove(newItem);
@@ -200,13 +200,13 @@
// Spec: Returns the specified item from the list. The returned item is the item itself and not a copy.
// Any changes made to the item are immediately reflected in the list.
ASSERT(m_values->size() == m_wrappers->size());
- RefPtr<ListItemTearOff> wrapper = m_wrappers->at(index);
+ RefPtr<ListItemTearOff> wrapper = static_cast<ListItemTearOff*>(m_wrappers->at(index).get());
if (!wrapper) {
// Create new wrapper, which is allowed to directly modify the item in the list, w/o copying and cache the wrapper in our map.
// It is also associated with our animated property, so it can notify the SVG Element which holds the SVGAnimated*List
// that it has been modified (and thus can call svgAttributeChanged(associatedAttributeName)).
wrapper = ListItemTearOff::create(animatedList, UndefinedRole, m_values->at(index));
- m_wrappers->at(index) = wrapper.get();
+ m_wrappers->at(index) = wrapper->createWeakPtr();
}
return wrapper.releaseNonNull();
@@ -264,7 +264,7 @@
m_values->insert(index, newItem->propertyReference());
// Store new wrapper at position 'index', change its underlying value, so mutations of newItem, directly affect the item in the list.
- m_wrappers->insert(index, newItem.ptr());
+ m_wrappers->insert(index, newItem->createWeakPtr());
commitChange();
return WTFMove(newItem);
@@ -335,13 +335,13 @@
}
// Detach the existing wrapper.
- RefPtr<ListItemTearOff> oldItem = m_wrappers->at(index);
+ RefPtr<ListItemTearOff> oldItem = static_cast<ListItemTearOff*>(m_wrappers->at(index).get());
if (oldItem)
oldItem->detachWrapper();
// Update the value and the wrapper at the desired position 'index'.
m_values->at(index) = newItem->propertyReference();
- m_wrappers->at(index) = newItem.ptr();
+ m_wrappers->at(index) = newItem->createWeakPtr();
commitChange();
return WTFMove(newItem);
@@ -387,7 +387,7 @@
ASSERT(m_values->size() == m_wrappers->size());
// Detach the existing wrapper.
- RefPtr<ListItemTearOff> oldItem = m_wrappers->at(index);
+ RefPtr<ListItemTearOff> oldItem = static_cast<ListItemTearOff*>(m_wrappers->at(index).get());
if (!oldItem)
oldItem = ListItemTearOff::create(animatedList, UndefinedRole, m_values->at(index));
@@ -435,7 +435,7 @@
// Append the value and wrapper at the end of the list.
m_values->append(newItem->propertyReference());
- m_wrappers->append(newItem.ptr());
+ m_wrappers->append(newItem->createWeakPtr());
commitChange(ListModificationAppend);
return WTFMove(newItem);
@@ -453,6 +453,11 @@
return *m_wrappers;
}
+ WeakPtr<SVGListProperty> createWeakPtr() const
+ {
+ return m_weakPtrFactory.createWeakPtr(*const_cast<SVGListProperty*>(this));
+ }
+
protected:
SVGListProperty(SVGPropertyRole role, PropertyType& values, ListWrapperCache* wrappers)
: m_role(role)
@@ -481,6 +486,7 @@
bool m_ownsValues;
PropertyType* m_values;
ListWrapperCache* m_wrappers;
+ WeakPtrFactory<SVGListProperty> m_weakPtrFactory;
};
}
Modified: branches/safari-605-branch/Source/WebCore/svg/properties/SVGListPropertyTearOff.h (227036 => 227037)
--- branches/safari-605-branch/Source/WebCore/svg/properties/SVGListPropertyTearOff.h 2018-01-17 05:04:49 UTC (rev 227036)
+++ branches/safari-605-branch/Source/WebCore/svg/properties/SVGListPropertyTearOff.h 2018-01-17 05:04:53 UTC (rev 227037)
@@ -66,7 +66,7 @@
ASSERT(m_values->size() == m_wrappers->size());
ASSERT_WITH_SECURITY_IMPLICATION(itemIndex < m_wrappers->size());
- RefPtr<ListItemTearOff> item = m_wrappers->at(itemIndex);
+ auto item = m_wrappers->at(itemIndex);
item->detachWrapper();
m_wrappers->remove(itemIndex);
m_values->remove(itemIndex);
@@ -118,11 +118,6 @@
{
}
- virtual ~SVGListPropertyTearOff()
- {
- m_animatedProperty->propertyWillBeDeleted(*this);
- }
-
bool isReadOnly() const override
{
if (m_role == AnimValRole)
@@ -141,7 +136,7 @@
unsigned size = m_wrappers->size();
ASSERT(size == m_values->size());
for (unsigned i = 0; i < size; ++i) {
- auto item = makeRefPtr(m_wrappers->at(i));
+ auto item = m_wrappers->at(i);
if (!item)
continue;
item->setAnimatedProperty(m_animatedProperty.ptr());
Modified: branches/safari-605-branch/Source/WebCore/svg/properties/SVGPropertyTearOff.h (227036 => 227037)
--- branches/safari-605-branch/Source/WebCore/svg/properties/SVGPropertyTearOff.h 2018-01-17 05:04:49 UTC (rev 227036)
+++ branches/safari-605-branch/Source/WebCore/svg/properties/SVGPropertyTearOff.h 2018-01-17 05:04:53 UTC (rev 227037)
@@ -130,6 +130,11 @@
return false;
}
+ WeakPtr<SVGPropertyTearOff> createWeakPtr() const
+ {
+ return m_weakPtrFactory.createWeakPtr(*const_cast<SVGPropertyTearOff*>(this));
+ }
+
protected:
SVGPropertyTearOff(SVGAnimatedProperty* animatedProperty, SVGPropertyRole role, PropertyType& value)
: m_animatedProperty(animatedProperty)
@@ -158,9 +163,6 @@
detachChildren();
delete m_value;
}
-
- if (m_animatedProperty)
- m_animatedProperty->propertyWillBeDeleted(*this);
}
void detachChildren()
@@ -176,7 +178,8 @@
SVGPropertyRole m_role;
PropertyType* m_value;
Vector<WeakPtr<SVGPropertyTearOffBase>> m_childTearOffs;
- bool m_valueIsCopy : 1;
+ WeakPtrFactory<SVGPropertyTearOff> m_weakPtrFactory;
+ bool m_valueIsCopy;
};
}
