SVGPropertyTearOffs should detachChildren before deleting its value.
authorddkilzer@apple.com <ddkilzer@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Tue, 4 Mar 2014 17:02:05 +0000 (17:02 +0000)
committerddkilzer@apple.com <ddkilzer@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Tue, 4 Mar 2014 17:02:05 +0000 (17:02 +0000)
commitcd11d0b1cb36e33a12f1d9d2096060b3d9b2ad76
tree52a2bd4c029f8d1bc21e8030271104df996ea319
parent8513150a527daa01b791338b640d984aa9c9dd66
SVGPropertyTearOffs should detachChildren before deleting its value.
<http://webkit.org/b/129618>
<rdar://problem/15661617>

Reviewed by Maciej Stachowiak.

Merged from Blink (patch by kouhei@chromium.org):
https://src.chromium.org/viewvc/blink?revision=158563&view=revision
http://crbug.com/296276

Test: svg/transforms/svg-matrix-tearoff-crash.html

NOTE: The test does not reproduce a crash on WebKit using
JavaScriptCore.

* svg/properties/SVGPropertyTearOff.h:
(WebCore::SVGPropertyTearOff::setValue):
(WebCore::SVGPropertyTearOff::~SVGPropertyTearOff):
- Call detachChildren() if m_value is a copy.  The original
  Blink patch did not modify the destructor code path, although
  that seems obvious via code inspection.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@165053 268f45cc-cd09-0410-ab3c-d52691b4dbfc
Source/WebCore/ChangeLog
Source/WebCore/svg/properties/SVGPropertyTearOff.h