[Web Animations] transitions/remove-transition-style.html crashes with GuardMalloc on
author graouts@webkit.org <graouts@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Tue, 6 Nov 2018 17:44:40 +0000 (17:44 +0000)
committer graouts@webkit.org <graouts@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Tue, 6 Nov 2018 17:44:40 +0000 (17:44 +0000)
https://bugs.webkit.org/show_bug.cgi?id=191304
<rdar://problem/45819476>

Reviewed by Dean Jackson.

Ensure we remove animations from the m_allAnimations ListHashSet upon destruction.

* animation/AnimationTimeline.cpp:
(WebCore::AnimationTimeline::forgetAnimation):
(WebCore::AnimationTimeline::cancelDeclarativeAnimation):
* animation/AnimationTimeline.h:
* animation/DocumentTimeline.cpp:
(WebCore::DocumentTimeline::getAnimations const):
* animation/WebAnimation.cpp:
(WebCore::WebAnimation::~WebAnimation):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@237868 268f45cc-cd09-0410-ab3c-d52691b4dbfc

Source/WebCore/ChangeLog
Source/WebCore/animation/AnimationTimeline.cpp
Source/WebCore/animation/AnimationTimeline.h
Source/WebCore/animation/DocumentTimeline.cpp
Source/WebCore/animation/WebAnimation.cpp

index a05adf5..02e0d6c 100644 (file)
@@ -1,3 +1,22 @@
+2018-11-06  Antoine Quint  <graouts@apple.com>
+
+        [Web Animations] transitions/remove-transition-style.html crashes with GuardMalloc on
+        https://bugs.webkit.org/show_bug.cgi?id=191304
+        <rdar://problem/45819476>
+
+        Reviewed by Dean Jackson.
+
+        Ensure we remove animations from the m_allAnimations ListHashSet upon destruction.
+
+        * animation/AnimationTimeline.cpp:
+        (WebCore::AnimationTimeline::forgetAnimation):
+        (WebCore::AnimationTimeline::cancelDeclarativeAnimation):
+        * animation/AnimationTimeline.h:
+        * animation/DocumentTimeline.cpp:
+        (WebCore::DocumentTimeline::getAnimations const):
+        * animation/WebAnimation.cpp:
+        (WebCore::WebAnimation::~WebAnimation):
+
 2018-11-06  Youenn Fablet  <youenn@apple.com>
 
         RealtimeOutgoingAudioSourceCocoa should unobserve its source at destruction time
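
Review bot: the entry lists (WebCore::AnimationTimeline::cancelDeclarativeAnimation) as modified, but the AnimationTimeline.cpp diff shown here only adds forgetAnimation, so either that line should be dropped or the change to it should be described. The per-function lines also carry no text. A short note under (WebCore::DocumentTimeline::getAnimations const) saying the null check is dropped because destroyed animations now remove themselves from m_allAnimations would let a later reader connect the two halves of the fix.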
index 94570e6..67a6f3f 100644 (file)
@@ -55,6 +55,11 @@ AnimationTimeline::~AnimationTimeline()
 {
 }
 
+void AnimationTimeline::forgetAnimation(WebAnimation* animation)
+{
+    m_allAnimations.remove(animation);
+}
+
 void AnimationTimeline::animationTimingDidChange(WebAnimation& animation)
 {
     if (m_animations.add(&animation)) {
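
Review bot: forgetAnimation() clears only m_allAnimations, while the context line just below shows a second container, m_animations, that also stores the animation's address via m_animations.add(&animation). Nothing here says why that set does not need the same cleanup on destruction. If m_animations holds owning references and so can never outlive the animation, a one-line comment in forgetAnimation() stating that would make the asymmetry deliberate rather than an apparent omission.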
index 3622b64..896eb55 100644 (file)
@@ -48,6 +48,7 @@ class AnimationTimeline : public RefCounted<AnimationTimeline> {
 public:
     bool isDocumentTimeline() const { return m_classType == DocumentTimelineClass; }
 
+    void forgetAnimation(WebAnimation*);
     virtual void animationTimingDidChange(WebAnimation&);
     virtual void removeAnimation(WebAnimation&);
 
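
Review bot: the new declaration takes WebAnimation* while the two neighbouring methods, animationTimingDidChange(WebAnimation&) and removeAnimation(WebAnimation&), take references. The only caller in this change passes this, which is never null, so WebAnimation& would match the surrounding API (the set lookup can take the address inside the function). forgetAnimation and removeAnimation also sit side by side with similar names and no comment, so a short note that forgetAnimation is the destruction-time hook for m_allAnimations would prevent callers from picking the wrong one.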
index 3dd945d..bab5b83 100644 (file)
@@ -131,7 +131,7 @@ Vector<RefPtr<WebAnimation>> DocumentTimeline::getAnimations() const
 
     // First, let's get all qualifying animations in their right group.
     for (const auto& animation : m_allAnimations) {
-        if (!animation || !animation->isRelevant() || animation->timeline() != this || !is<KeyframeEffect>(animation->effect()))
+        if (!animation->isRelevant() || animation->timeline() != this || !is<KeyframeEffect>(animation->effect()))
             continue;
 
         auto* target = downcast<KeyframeEffect>(animation->effect())->target();
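
Review bot: removing !animation from the condition makes this loop depend on the invariant that every entry in m_allAnimations is live, which now holds only because ~WebAnimation calls forgetAnimation(). That invariant is not stated anywhere near the loop. An ASSERT(animation) at the top of the loop body, or a comment naming the destructor as the place that maintains it, would make a future regression fail loudly in debug builds instead of dereferencing a bad entry.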
index 2767ead..10589bb 100644 (file)
@@ -68,6 +68,8 @@ WebAnimation::WebAnimation(Document& document)
 
 WebAnimation::~WebAnimation()
 {
+    if (m_timeline)
+        m_timeline->forgetAnimation(this);
 }
 
 void WebAnimation::remove()
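
Review bot: the destructor notifies only the current m_timeline, and skips the call entirely when m_timeline is null. The filter in DocumentTimeline::getAnimations(), animation->timeline() != this, implies that a timeline's m_allAnimations can contain animations whose timeline is a different one or none, and such entries would not be removed by this code when the animation is destroyed. Please confirm that an animation is removed from the previous timeline's m_allAnimations whenever its timeline changes or is cleared, or add that removal, since getAnimations() no longer has any guard before dereferencing each entry.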