[SVG] Leak in SVGAnimatedListPropertyTearOff
authorsvillar@igalia.com <svillar@igalia.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Tue, 11 Jul 2017 10:44:18 +0000 (10:44 +0000)
committersvillar@igalia.com <svillar@igalia.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Tue, 11 Jul 2017 10:44:18 +0000 (10:44 +0000)
commit5b3e6564fc1924ef4665ac4e76e65ff0d143da2a
treecbeb21600a42151aad34836027a4dbca050ef72e
parentabdf830ad8bf94abe8c0addec2bb07dbaf3c77ee
[SVG] Leak in SVGAnimatedListPropertyTearOff
https://bugs.webkit.org/show_bug.cgi?id=172545

Reviewed by Said Abou-Hallawa.

SVGAnimatedListPropertyTearOff maintains a vector m_wrappers with references to
SVGPropertyTraits<PropertyType>::ListItemTearOff. Apart from that SVGPropertyTearOff has a
reference to SVGAnimatedProperty.

When SVGListProperty::getItemValuesAndWrappers() is called, it creates a
SVGPropertyTraits<PropertyType>::ListItemTearOff pointing to the same SVGAnimatedProperty (a
SVGAnimatedListPropertyTearOff) which stores the m_wrappers vector where the ListItemTearOff
is going to be added to. This effectively creates a reference cycle between the
SVGAnimatedListPropertyTearOff and all the ListItemTearOff it stores in m_wrappers.

We should detach those wrappers in propertyWillBeDeleted() in order to break the cycle.

* svg/properties/SVGAnimatedListPropertyTearOff.h:

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@219325 268f45cc-cd09-0410-ab3c-d52691b4dbfc
LayoutTests/svg/animations/animation-leak-list-property-instances-expected.txt [new file with mode: 0644]
LayoutTests/svg/animations/animation-leak-list-property-instances.html [new file with mode: 0644]
Source/WebCore/ChangeLog
Source/WebCore/svg/properties/SVGAnimatedListPropertyTearOff.h