Title: [179163] trunk/Source/WebCore
- Revision
- 179163
- Author
- [email protected]
- Date
- 2015-01-26 20:39:58 -0800 (Mon, 26 Jan 2015)
Log Message
REGRESSION (r179101): SVGUseElement::expandUseElementsInShadowTree has an object lifetime mistake
https://bugs.webkit.org/show_bug.cgi?id=140921
Reviewed by Alexey Proskuryakov.
Bug found by running regression tests with Address Sanitizer.
* svg/SVGUseElement.cpp:
(WebCore::SVGUseElement::expandUseElementsInShadowTree): Use a Ref to protect
the original use element after it's been replaced in the tree; we use it for
one more thing after that.
Modified Paths
Diff
Modified: trunk/Source/WebCore/ChangeLog (179162 => 179163)
--- trunk/Source/WebCore/ChangeLog 2015-01-27 04:06:36 UTC (rev 179162)
+++ trunk/Source/WebCore/ChangeLog 2015-01-27 04:39:58 UTC (rev 179163)
@@ -1,3 +1,17 @@
+2015-01-26 Darin Adler <[email protected]>
+
+ REGRESSION (r179101): SVGUseElement::expandUseElementsInShadowTree has an object lifetime mistake
+ https://bugs.webkit.org/show_bug.cgi?id=140921
+
+ Reviewed by Alexey Proskuryakov.
+
+ Bug found by running regression tests with Address Sanitizer.
+
+ * svg/SVGUseElement.cpp:
+ (WebCore::SVGUseElement::expandUseElementsInShadowTree): Use a Ref to protect
+ the original use element after it's been replaced in the tree; we use it for
+ one more thing after that.
+
2015-01-26 Roger Fong <[email protected]>
WebGL 2.0: Actually allow for experimental-webgl2 context creation.
Modified: trunk/Source/WebCore/svg/SVGUseElement.cpp (179162 => 179163)
--- trunk/Source/WebCore/svg/SVGUseElement.cpp 2015-01-27 04:06:36 UTC (rev 179162)
+++ trunk/Source/WebCore/svg/SVGUseElement.cpp 2015-01-27 04:39:58 UTC (rev 179163)
@@ -609,10 +609,10 @@
auto descendants = descendantsOfType<SVGUseElement>(*userAgentShadowRoot());
auto end = descendants.end();
for (auto it = descendants.begin(); it != end; ) {
- SVGUseElement& original = *it;
+ Ref<SVGUseElement> original = *it;
it = end; // Efficiently quiets assertions due to the outstanding iterator.
- ASSERT(!original.cachedDocumentIsStillLoading());
+ ASSERT(!original->cachedDocumentIsStillLoading());
// Spec: In the generated content, the 'use' will be replaced by 'g', where all attributes from the
// 'use' element except for x, y, width, height and xlink:href are transferred to the generated 'g' element.
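Review bot: The new `Ref<SVGUseElement> original = *it;` declaration has no comment saying why a strong reference is needed, so a later cleanup could turn it back into `SVGUseElement&` and reintroduce the lifetime bug that Address Sanitizer caught. I would add above it: `// Keep the <use> element alive: replaceChild() below removes it from the tree, and it is still used afterwards.` The reasoning currently lives only in the ChangeLog entry. The enclosing loop and function start and end outside this hunk.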
@@ -623,11 +623,11 @@
ASSERT(referencedDocument());
auto replacement = SVGGElement::create(SVGNames::gTag, *referencedDocument());
- original.transferAttributesToShadowTreeReplacement(replacement.get());
- original.cloneChildNodes(replacement.ptr());
+ original->transferAttributesToShadowTreeReplacement(replacement.get());
+ original->cloneChildNodes(replacement.ptr());
RefPtr<SVGElement> clonedTarget;
- Element* targetCandidate = SVGURIReference::targetElementFromIRIString(original.href(), *referencedDocument());
+ Element* targetCandidate = SVGURIReference::targetElementFromIRIString(original->href(), *referencedDocument());
if (is<SVGElement>(targetCandidate) && !isDisallowedElement(downcast<SVGElement>(*targetCandidate))) {
SVGElement& originalTarget = downcast<SVGElement>(*targetCandidate);
clonedTarget = static_pointer_cast<SVGElement>(originalTarget.cloneElementWithChildren(document()));
@@ -641,12 +641,12 @@
removeDisallowedElementsFromSubtree(replacement.get());
// Replace <use> with the <g> element we created.
- original.parentNode()->replaceChild(replacement.ptr(), &original);
+ original->parentNode()->replaceChild(replacement.ptr(), original.ptr());
// Call transferSizeAttributesToShadowTreeTargetClone after putting the cloned elements into the
// shadow tree so it can use SVGElement::correspondingElement without triggering an assertion.
if (clonedTarget)
- original.transferSizeAttributesToShadowTreeTargetClone(*clonedTarget);
+ original->transferSizeAttributesToShadowTreeTargetClone(*clonedTarget);
// Continue iterating from the <g> element since the <use> element was replaced.
it = descendants.from(replacement.get());
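Review bot: `original->parentNode()->replaceChild(replacement.ptr(), original.ptr());` dereferences the result of `parentNode()` unchecked and holds the parent only as a raw pointer while the tree is mutated. Because `original` was just reached as a descendant of the user agent shadow root, the parent is presumably non-null at this point, but the code does not state that invariant. Adding `ASSERT(original->parentNode());` before the call would document it and make a violation fail at the cause in debug builds. The commit also adds no test; the log implies existing regression tests expose the bug only under Address Sanitizer, so it is worth confirming that an ASan configuration runs them regularly. The loop body continues outside this hunk.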