[SVG] Detach list wrappers before resetting the base value.
authorzalan@apple.com <zalan@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Mon, 18 Dec 2017 19:32:49 +0000 (19:32 +0000)
committerzalan@apple.com <zalan@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Mon, 18 Dec 2017 19:32:49 +0000 (19:32 +0000)
commit79437538ff5cc282c60a4ca12e257d0d97136828
tree809b828a054f2418a1f8ecd2ac98fc223849497d
parentbafe1111728a4a5fa7c25283d99716e4a77faf41
[SVG] Detach list wrappers before resetting the base value.
https://bugs.webkit.org/show_bug.cgi?id=180912
<rdar://problem/36017970>

Reviewed by Simon Fraser.

Source/WebCore:

Before resetting the animation value (and destroying the assigned SVG object -SVGLengthValue in this case),
we need to check if there's an associated tear off wrapper for the said SVG object and make a copy of it.
This is currently done in the wrong order through animValDidChange.

Test: svg/animations/crash-when-animation-is-running-while-getting-value.html

* svg/SVGAnimatedTypeAnimator.h:
(WebCore::SVGAnimatedTypeAnimator::resetFromBaseValue):
* svg/properties/SVGAnimatedPropertyTearOff.h:
* svg/properties/SVGAnimatedStaticPropertyTearOff.h:
(WebCore::SVGAnimatedStaticPropertyTearOff::synchronizeWrappersIfNeeded):

LayoutTests:

* svg/animations/crash-when-animation-is-running-while-getting-value-expected.txt: Added.
* svg/animations/crash-when-animation-is-running-while-getting-value.html: Added.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@226065 268f45cc-cd09-0410-ab3c-d52691b4dbfc
LayoutTests/ChangeLog
LayoutTests/svg/animations/crash-when-animation-is-running-while-getting-value-expected.txt [new file with mode: 0644]
LayoutTests/svg/animations/crash-when-animation-is-running-while-getting-value.html [new file with mode: 0644]
Source/WebCore/ChangeLog
Source/WebCore/svg/SVGAnimatedTypeAnimator.h
Source/WebCore/svg/properties/SVGAnimatedPropertyTearOff.h
Source/WebCore/svg/properties/SVGAnimatedStaticPropertyTearOff.h