Title: [196670] trunk/Source/WebCore
- Revision
- 196670
- Author
- [email protected]
- Date
- 2016-02-16 16:00:54 -0800 (Tue, 16 Feb 2016)
Log Message
REGRESSION(r196268): WTFCrashWithSecurityImplication on SVG path animation tests
https://bugs.webkit.org/show_bug.cgi?id=154221
Reviewed by Brent Fulgham.
In r196268, a destructor was added to SVGListPropertyTearOff that notifies
its wrapper (the SVGAnimatedListPropertyTearoff) about its deletion. This
allows the wrapper to nullify any references to the wrapped content.
We needed to do the same thing for SVGPathSegListPropertyTearOff. Both
SVGPathSegListPropertyTearOff and SVGListPropertyTearOff inherit from
SVGListProperty and both hold pointers to SVGAnimatedListPropertyTearOff
which needs to be notified.
Tests: exiting svg path animation tests should not crash.
* svg/properties/SVGPathSegListPropertyTearOff.h:
(WebCore::SVGPathSegListPropertyTearOff::~SVGPathSegListPropertyTearOff):
Modified Paths
Diff
Modified: trunk/Source/WebCore/ChangeLog (196669 => 196670)
--- trunk/Source/WebCore/ChangeLog 2016-02-16 23:59:25 UTC (rev 196669)
+++ trunk/Source/WebCore/ChangeLog 2016-02-17 00:00:54 UTC (rev 196670)
@@ -1,5 +1,26 @@
2016-02-16 Said Abou-Hallawa <[email protected]>
+ REGRESSION(r196268): WTFCrashWithSecurityImplication on SVG path animation tests
+ https://bugs.webkit.org/show_bug.cgi?id=154221
+
+ Reviewed by Brent Fulgham.
+
+ In r196268, a destructor was added to SVGListPropertyTearOff that notifies
+ its wrapper (the SVGAnimatedListPropertyTearoff) about its deletion. This
+ allows the wrapper to nullify any references to the wrapped content.
+
+ We needed to do the same thing for SVGPathSegListPropertyTearOff. Both
+ SVGPathSegListPropertyTearOff and SVGListPropertyTearOff inherit from
+ SVGListProperty and both hold pointers to SVGAnimatedListPropertyTearOff
+ which needs to be notified.
+
+ Tests: exiting svg path animation tests should not crash.
+
+ * svg/properties/SVGPathSegListPropertyTearOff.h:
+ (WebCore::SVGPathSegListPropertyTearOff::~SVGPathSegListPropertyTearOff):
+
+2016-02-16 Said Abou-Hallawa <[email protected]>
+
REGRESSION (r190430): WTFCrashWithSecurityImplication in:void SVGRootInlineBox::layoutCharactersInTextBoxes()
https://bugs.webkit.org/show_bug.cgi?id=154185
Modified: trunk/Source/WebCore/svg/properties/SVGPathSegListPropertyTearOff.h (196669 => 196670)
--- trunk/Source/WebCore/svg/properties/SVGPathSegListPropertyTearOff.h 2016-02-16 23:59:25 UTC (rev 196669)
+++ trunk/Source/WebCore/svg/properties/SVGPathSegListPropertyTearOff.h 2016-02-17 00:00:54 UTC (rev 196670)
@@ -115,6 +115,12 @@
{
}
+ virtual ~SVGPathSegListPropertyTearOff()
+ {
+ if (m_animatedProperty)
+ m_animatedProperty->propertyWillBeDeleted(*this);
+ }
+
SVGPathElement* contextElement() const;
void clearContextAndRoles();
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes
