Title: [165053] trunk/Source/WebCore
Revision: 165053
Author: [email protected]
Date: 2014-03-04 09:02:05 -0800 (Tue, 04 Mar 2014)

Log Message

SVGPropertyTearOffs should detachChildren before deleting its value.
<http://webkit.org/b/129618>
<rdar://problem/15661617>

Reviewed by Maciej Stachowiak.

Merged from Blink (patch by [email protected]):
https://src.chromium.org/viewvc/blink?revision=158563&view=revision
http://crbug.com/296276

Test: svg/transforms/svg-matrix-tearoff-crash.html

NOTE: The test does not reproduce a crash on WebKit using
JavaScriptCore.

* svg/properties/SVGPropertyTearOff.h:
(WebCore::SVGPropertyTearOff::setValue):
(WebCore::SVGPropertyTearOff::~SVGPropertyTearOff):
- Call detachChildren() if m_value is a copy.  The original
  Blink patch did not modify the destructor code path, although
  that seems obvious via code inspection.

Diff

Modified: trunk/Source/WebCore/ChangeLog (165052 => 165053)


--- trunk/Source/WebCore/ChangeLog	2014-03-04 16:32:19 UTC (rev 165052)
+++ trunk/Source/WebCore/ChangeLog	2014-03-04 17:02:05 UTC (rev 165053)
@@ -1,3 +1,27 @@
+2014-03-03  David Kilzer  <[email protected]>
+
+        SVGPropertyTearOffs should detachChildren before deleting its value.
+        <http://webkit.org/b/129618>
+        <rdar://problem/15661617>
+
+        Reviewed by Maciej Stachowiak.
+
+        Merged from Blink (patch by [email protected]):
+        https://src.chromium.org/viewvc/blink?revision=158563&view=revision
+        http://crbug.com/296276
+
+        Test: svg/transforms/svg-matrix-tearoff-crash.html
+
+        NOTE: The test does not reproduce a crash on WebKit using
+        _javascript_Core.
+
+        * svg/properties/SVGPropertyTearOff.h:
+        (WebCore::SVGPropertyTearOff::setValue):
+        (WebCore::SVGPropertyTearOff::~SVGPropertyTearOff):
+        - Call detachChildren() if m_value is a copy.  The original
+          Blink patch did not modify the destructor code path, although
+          that seems obvious via code inspection.
+
 2014-03-04  Zalan Bujtas  <[email protected]>
 
         Subpixel rendering: Incorrect repaint rect cuts off content's right edge after move.
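Review bot: The NOTE in this entry says svg/transforms/svg-matrix-tearoff-crash.html does not reproduce a crash on WebKit, so the entry lists a test without saying what it guards against here. Suggest adding a line on what the test does verify on WebKit, and rewording the last bullet: "that seems obvious via code inspection" does not say what is obvious, and a reader has to infer that it means the destructor needs the same detachChildren() call as setValue().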

Modified: trunk/Source/WebCore/svg/properties/SVGPropertyTearOff.h (165052 => 165053)


--- trunk/Source/WebCore/svg/properties/SVGPropertyTearOff.h	2014-03-04 16:32:19 UTC (rev 165052)
+++ trunk/Source/WebCore/svg/properties/SVGPropertyTearOff.h	2014-03-04 17:02:05 UTC (rev 165053)
@@ -56,8 +56,10 @@
 
     void setValue(PropertyType& value)
     {
-        if (m_valueIsCopy)
+        if (m_valueIsCopy) {
+            detachChildren();
             delete m_value;
+        }
         m_valueIsCopy = false;
         m_value = &value;
     }
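Review bot: In setValue(), detachChildren() is reached only when m_valueIsCopy is true; when it is false, m_value is rebound to &value with no detach at all. Please confirm that is intended, since any children would then still refer to the previous value. Separately, the order of detachChildren() before delete m_value is the whole fix, yet nothing in the code says so; a one-line comment above the call would keep a later cleanup from reordering or dropping it.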
@@ -141,8 +143,10 @@
 
     virtual ~SVGPropertyTearOff()
     {
-        if (m_valueIsCopy)
+        if (m_valueIsCopy) {
+            detachChildren();
             delete m_value;
+        }
     }
 
     void detachChildren()
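Review bot: The destructor now repeats the same block as setValue(): under m_valueIsCopy, call detachChildren() and then delete m_value. Suggest moving that into one private helper used by both, so a future path that frees m_value cannot skip the detach. The log message also states that this destructor path was not in the original Blink patch and that the test does not crash on WebKit, so this hunk rests on code inspection alone; it would help to record that in the bug.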